North Korean Hackers Spread Malware via Fake Crypto Firms and Job Interview Lures

Key Takeaways

The following key points summarize the most important findings and recommendations from this report:

• North Korean APTs (including Lazarus, BlueNoroff, and CL-STA-0240) are targeting tech job seekers and crypto firms with advanced social engineering and malware
• Fake recruiters and job interview lures are used to deliver cross-platform malware such as BeaverTail, InvisibleFerret, and TraderTraitor
• Malware is distributed via fake video call apps, trojanized ISO/IMG files, and malicious cryptocurrency trading platforms
• Attackers aim to steal credentials, browser passwords, and cryptocurrency wallets on both Windows and macOS
• Campaigns are financially motivated and support North Korea’s regime
• Actionable security recommendations are provided for individuals and organizations

Campaign Overview

North Korean cyber operations targeting job seekers and cryptocurrency organizations have been documented by major security research teams since 2023. Research by Palo Alto Networks Unit 42, Google Cloud Threat Intelligence, and CISA first confirmed a surge in these campaigns, which use sophisticated social engineering—often posing as recruiters on LinkedIn or WhatsApp—to lure victims into fake job interviews or to download malicious applications. ¹, ², ³

In 2025, Silent Push Threat Analysts revealed a major evolution in these campaigns, uncovering the use of three cryptocurrency consulting companies as fronts for North Korean APT operations. This new research documents the deployment of advanced malware and infrastructure through these newly established companies, marking a significant escalation in threat actor tactics. ⁴

2025 Campaign Developments: New Front Companies and Infrastructure

According to Silent Push Threat Analysts, a major new campaign in 2025 involves three cryptocurrency consulting companies that are actually fronts for North Korean APT group "Contagious Interview" (a Lazarus subgroup): BlockNovas LLC, Angeloper Agency, and SoftGlide LLC. These fronts are used to distribute malware to job applicants via fake interview lures. ⁴

Key details from the 2025 campaign:

• Malware strains: BeaverTail, InvisibleFerret, and OtterCookie are confirmed as active payloads distributed through these fronts.
• AI-generated personas: The threat actors use AI-generated images (including from Remaker AI) to create fake employee profiles for these companies.
• Technical infrastructure: BlockNovas[.]com and its subdomains (bookings, chat, gitlab, mail, apply) are used for staging, command-and-control, and malware delivery. The mail subdomain hosts a dashboard monitoring related sites and has exposed the use of Hashtopolis, an open-source password cracking utility.
• Kryptoneer and Sui blockchain targeting: A new tool, Kryptoneer, was found on attisscmo[.]com, offering wallet connection features and referencing the Sui blockchain. Silent Push analysts believe this may represent new targeting of Sui-based wallets and projects.
• Fake business details: BlockNovas LLC was registered in New Mexico but uses a South Carolina address that is an abandoned lot; listed company principals are likely fake personas.
• Cross-linking infrastructure: GitHub accounts and LinkedIn personas tie together BlockNovas, Angeloper, and SoftGlide, with evidence of real and fake contributors.

These findings are based on the 2025 research and infrastructure mapping by Silent Push. ⁴

Social Engineering and Infection Chain

The following infection chain details are drawn from the cited research and advisories, which document how North Korean actors use social engineering and technical subterfuge to compromise job seekers and crypto sector targets. ¹, ², ³

• Attackers contact victims via LinkedIn, WhatsApp, or email, posing as recruiters for tech or crypto companies
• Victims are invited to participate in interviews or assessments, during which they are tricked into downloading malware disguised as legitimate tools (e.g., video call apps, PuTTY, crypto trading apps)
• Malware is delivered in formats such as .dmg/.msi installers, ISO/IMG archives, or Electron-based cross-platform apps
• Initial payloads (e.g., BeaverTail, TraderTraitor) steal credentials and browser data, then download advanced backdoors (e.g., InvisibleFerret, AIRDRY.V2)

Technical Details: Malware Families

The following technical details about malware families and attack tools are based on the analysis in the referenced Unit 42, Google, and CISA reports. ¹, ², ³

BeaverTail & InvisibleFerret (Unit 42 CL-STA-0240)s

Key characteristics of the BeaverTail downloader and InvisibleFerret backdoor include:

• Delivered via fake video call/conference apps (e.g., MiroTalk)
• Compiled with Qt for cross-platform (Windows/macOS) support
• Steals browser passwords and cryptocurrency wallets (targets 13 wallet extensions)
• Downloads Python to execute the InvisibleFerret Python backdoor, enabling persistent access and data exfiltration

TraderTraitor (CISA/Lazarus)

The TraderTraitor malware family exhibits the following behaviors:

• Distributed as trojanized cryptocurrency trading apps (Electron/Node.js)
• Uses spearphishing and fake job offers to lure targets
• Capable of downloading and executing additional payloads, stealing private keys, and enabling fraudulent blockchain transactions

Trojanized PuTTY & AIRDRY.V2 (Google/Mandiant UNC4034)

Notable features of the trojanized PuTTY and AIRDRY.V2 backdoor campaign include:

• Delivered via phishing lures themed as job assessments (e.g., "amazon_assessment.iso")
• Malicious PuTTY executable drops a backdoor DLL (AIRDRY.V2) on the system
• Establishes persistence and enables remote access

Timeline of Activity

Below is a timeline of notable activity and developments related to North Korean cyber operations targeting job seekers and the crypto sector:

• November 2023: Unit 42 reports initial CL-STA-0240 "Contagious Interview" campaign
• July 2024: New Qt-based BeaverTail and updated InvisibleFerret variants observed in the wild
• 2024: Google/Mandiant and CISA report continued phishing and malware campaigns targeting crypto sector and job seekers
• April 2025: Silent Push uncovers three North Korean front companies—BlockNovas LLC, Angeloper Agency, and SoftGlide LLC—used to distribute BeaverTail, InvisibleFerret, and OtterCookie malware via fake interviews. ⁴

Impact and Attribution

The following points outline the impact and attribution of these campaigns:

• Campaigns attributed to North Korean APTs: Lazarus, BlueNoroff, and related clusters
• Financially motivated: theft of cryptocurrency, credentials, and sensitive data
• Risks extend to both individuals and organizations (potential for company infiltration via infected endpoints)

Defense and Mitigation Recommendations

To reduce risk and defend against these threats, consider the following recommendations:

• Train staff and job seekers to recognize social engineering and recruiter-themed phishing
• Never download or run job assessment tools or apps from unverified sources
• Use endpoint protection with behavioral detection for cross-platform malware
• Patch operating systems and applications promptly
• Use MFA and strong, unique passwords for all accounts
• Monitor for suspicious network connections and persistence mechanisms
• For crypto firms: enforce least privilege, monitor for unusual withdrawals, and secure wallet keys offline

Final Thoughts

North Korean threat actors continue to innovate, blending social engineering with technically advanced malware to target both individuals and organizations in the cryptocurrency sector. Vigilance, layered defenses, and user education remain critical to reducing risk.

Related Articles

• XORDDoS Trojan: 2023–2025 Global Linux DDoS Campaigns, Evolving Infrastructure, and U.S. Targeting
• Critical Microsoft Zero-Day Vulnerability CVE-2025-29824: What You Need to Know