Full Report
A new variation of the fake recruiter campaign from North Korean threat actors is targeting JavaScript and Python developers with cryptocurrency-related tasks. [...]
Analysis Summary
# Threat Actor: Lazarus Group (attributed)
## Attribution & Identity
* **Actor Identification:** North Korean (DPRK) state-sponsored threat actors.
* **Aliases/Associated Groups:** Lazarus Group.
* **Attribution Confidence:** Medium-to-high (based on infrastructure, TTPs, and time zone analysis).
* **Identity Indicators:** Git commits associated with the campaign utilize the GMT +9 time zone, consistent with North Korea.
## Activity Summary
* **Campaign Name:** Graphalgo (named by ReversingLabs).
* **Timeline:** Active since at least May 2025, with a significant shift in naming conventions (from "graph" to "big" prefixes) observed in December 2025.
* **Description:** The threat actor creates fake companies in the blockchain and crypto-trading sectors. They post fraudulent job offerings on LinkedIn, Facebook, and Reddit. Applicants are invited to perform "coding challenges" or debug projects hosted on GitHub. These projects contain malicious dependencies hosted on legitimate registries (npm and PyPI) that install a Remote Access Trojan (RAT).
## Tactics, Techniques & Procedures
* **Social Engineering:** Creation of fake corporate identities and recruitment profiles on professional and social media platforms.
* **Supply Chain Poisoning:** Publishing malicious packages to npm and PyPI. Over 190 malicious packages have been identified.
* **Version Masking:** Using "benign-to-malicious" updates (e.g., version 1.1.0 of 'bigmathutils' introduced the payload after previous versions were clean).
* **Execution via Development Tasks:** Tricking victims into running, debugging, or improving code that silently pulls malicious dependencies.
* **Token-Protected C2:** Command-and-control communication is protected by tokens to prevent analysis by security researchers.
* **Modularity:** Use of multiple scripting languages (JavaScript, Python, VBS) to ensure cross-platform compatibility.
* **Persistence/Evasion:** Marking malicious packages as "deprecated" shortly after infection to hide traces.
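The "benign-to-malicious" update and post-infection deprecation described above both leave traces in registry metadata. The following is an added example, not code from the report or from ReversingLabs, showing how a defender can walk a package's version history and flag the first version that introduces an install lifecycle hook or new dependencies, was published very recently, or carries a deprecation notice. `REGISTRY_DOC` is a constructed document for a hypothetical package `example-utils` that imitates the shape of an npm registry response; the field names and thresholds are assumptions.

```python
"""Spotting a benign-to-malicious version update in registry metadata.

Added example, not code from the report. REGISTRY_DOC is a constructed
document that imitates the shape of an npm registry response (a `versions`
map with per-version `scripts`, `dependencies` and an optional `deprecated`
string, plus a `time` map of publish timestamps) for a hypothetical package
"example-utils". The audit walks versions in semver order and flags the
first version that introduces an install lifecycle hook, pulls in new
dependencies, was published very recently, or carries a deprecation notice.
"""
from datetime import datetime, timedelta, timezone

# npm lifecycle scripts that run automatically during `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Constructed metadata for a hypothetical package; not a real registry entry.
REGISTRY_DOC = {
    "name": "example-utils",
    "versions": {
        "1.0.0": {"scripts": {"test": "node test.js"}, "dependencies": {}},
        "1.0.1": {"scripts": {"test": "node test.js"}, "dependencies": {}},
        "1.1.0": {
            "scripts": {"test": "node test.js", "postinstall": "node setup.js"},
            "dependencies": {"helper-lib": "^2.0.0"},
            "deprecated": "no longer maintained",
        },
    },
    "time": {
        "1.0.0": "2025-05-10T08:00:00Z",
        "1.0.1": "2025-06-02T09:30:00Z",
        "1.1.0": "2025-12-15T01:15:00Z",
    },
}


def _semver_key(version):
    """Sort key for plain MAJOR.MINOR.PATCH strings (no pre-release tags)."""
    return tuple(int(part) for part in version.split("."))


def _parse_time(stamp):
    """Parse the registry's ISO-8601 UTC timestamp into an aware datetime."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def audit_package(doc, now, recent_days=14):
    """Return (version, code, detail) findings for suspicious version changes.

    `now` is an ISO-8601 UTC timestamp such as "2025-12-20T00:00:00Z"; any
    version published within `recent_days` of it is reported as recent.
    """
    findings = []
    reference = _parse_time(now)
    previous = None
    for version in sorted(doc["versions"], key=_semver_key):
        meta = doc["versions"][version]
        scripts = meta.get("scripts", {})
        deps = set(meta.get("dependencies", {}))

        if previous is not None:
            prev_meta = doc["versions"][previous]
            prev_scripts = prev_meta.get("scripts", {})
            prev_deps = set(prev_meta.get("dependencies", {}))
            # A hook that did not exist in the previous release is the
            # classic shape of a clean-then-poisoned update.
            for hook in INSTALL_HOOKS:
                if hook in scripts and hook not in prev_scripts:
                    findings.append((version, "new_install_hook", f"{hook}: {scripts[hook]}"))
            for dep in sorted(deps - prev_deps):
                findings.append((version, "new_dependency", dep))

        published = doc.get("time", {}).get(version)
        if published and reference - _parse_time(published) <= timedelta(days=recent_days):
            findings.append((version, "recently_published", published))
        if meta.get("deprecated"):
            findings.append((version, "deprecated", meta["deprecated"]))
        previous = version
    return findings


if __name__ == "__main__":
    for version, code, detail in audit_package(REGISTRY_DOC, "2025-12-20T00:00:00Z"):
        print(f"{REGISTRY_DOC['name']}@{version}: {code} ({detail})")
```

Against the constructed data, only `1.1.0` is reported, on all four counts. A real check would fetch the registry document for each entry in `package.json` or a lockfile and run the same comparison; the "recent" threshold is a tuning knob, and a fresh deprecation on a version that also gained an install hook deserves more attention than either signal alone.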
## Targeting
* **Sectors:** Blockchain, Cryptocurrency, and Crypto-trading.
* **Geography:** Global (targeting users of international platforms like LinkedIn and Reddit).
* **Victims:** JavaScript and Python developers applying for remote software engineering roles.
## Tools & Infrastructure
* **Malware:**
  * **Graphalgo RAT:** A modular trojan capable of process listing, arbitrary command execution, file exfiltration, and dropping additional payloads.
  * **Info-stealing:** Specific functionality to check for the **MetaMask** browser extension.
* **Malicious Packages (Defanged Examples):**
  * `bigmathutils`
  * Packages impersonating `graphlib`
* **Infrastructure:**
  * GitHub Organizations (used for hosting "clean" project frontends).
  * Public Registries: npm, PyPI.
## Implications
This campaign demonstrates the high level of patience and sophistication characteristic of DPRK actors. By leveraging the inherent trust in "technical interviews" and legitimate package managers, the actors bypass traditional perimeter defenses. The focus on MetaMask suggests a direct objective of financial theft or cryptocurrency draining from developer environments, which often contain high-value keys or access tokens.
## Mitigations
* **For Developers:**
  * Exercise extreme caution when asked to run code for a recruitment process from unverified sources.
  * Inspect `package.json` or `requirements.txt` for unfamiliar or recently published dependencies before running `npm install` or `pip install`.
  * Utilize sandboxed environments or disposable virtual machines for performing any "coding tests."
* **For Organizations:**
  * Implement software composition analysis (SCA) to detect known malicious packages.
  * Monitor for unauthorized C2 traffic and unusual process execution (e.g., Python/Node.js spawning unexpected shells).
* **Incident Response:** If infected, rotate all secrets, credentials, and private keys immediately, and perform a full OS reinstallation.
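The organizational monitoring recommendation above (scripting runtimes spawning unexpected shells) can be expressed as a simple rule over process-creation telemetry. The following is an added example, not code from the report or from any vendor: `LOG_LINES` are constructed key=value process-creation records whose field names are an assumption rather than a particular EDR's schema, and the allowlist for the npm/yarn CLI (which legitimately runs package scripts through a shell) is a starting heuristic, not a complete one.

```python
"""Flagging scripting runtimes that spawn shells, from process-creation logs.

Added example, not code from the report. LOG_LINES are constructed
key=value process-creation records (the field names are an assumption, not
a particular EDR's schema). An event is flagged when a JavaScript, Python or
Windows Script Host interpreter spawns a command shell, unless the parent
command line looks like the npm or yarn CLI, which legitimately runs
package scripts through a shell.
"""
import os
import shlex

INTERPRETERS = {"node", "python", "python3", "pythonw", "wscript", "cscript"}
SHELLS = {"sh", "bash", "zsh", "dash", "cmd", "powershell", "pwsh"}
# Parent command lines that routinely spawn shells for legitimate reasons.
ALLOWLIST_MARKERS = ("npm-cli.js", "yarn.js", "npx-cli.js")

# Constructed sample records; not captured from a real host.
LOG_LINES = [
    'ts=2025-12-15T01:20:03Z host=dev-01 parent_pid=4120 parent_image=/usr/bin/node '
    'parent_cmd="node /usr/lib/node_modules/npm/bin/npm-cli.js run build" '
    'pid=4188 image=/bin/sh cmd="sh -c webpack"',
    'ts=2025-12-15T01:21:10Z host=dev-01 parent_pid=4301 parent_image=/usr/bin/node '
    'parent_cmd="node index.js" pid=4310 image=/bin/sh cmd="sh -c id"',
    'ts=2025-12-15T01:22:45Z host=dev-01 parent_pid=4400 parent_image=/usr/bin/python3 '
    'parent_cmd="python3 setup_task.py" pid=4412 image=/bin/bash cmd="bash -c whoami"',
    'ts=2025-12-15T01:23:00Z host=dev-01 parent_pid=4500 parent_image=/usr/bin/python3 '
    'parent_cmd="python3 -m pytest" pid=4512 image=/usr/bin/git cmd="git rev-parse HEAD"',
    'ts=2025-12-15T01:24:00Z host=dev-01 parent_pid=1 parent_image=/sbin/init '
    'parent_cmd="init" pid=4600 image=/bin/sh cmd="sh /etc/rc.local"',
    r'ts=2025-12-15T01:25:30Z host=dev-02 parent_pid=5120 '
    r'parent_image="C:\Windows\System32\wscript.exe" '
    r'parent_cmd="wscript.exe C:\Users\dev\task\helper.vbs" '
    r'pid=5133 image="C:\Windows\System32\cmd.exe" cmd="cmd.exe /c whoami"',
]


def _basename(path):
    """Executable name without directory or .exe suffix, lower-cased."""
    name = os.path.basename(path.replace("\\", "/")).lower()
    return name[:-4] if name.endswith(".exe") else name


def parse_event(line):
    """Turn one key=value record into a dict; quoted values may contain spaces."""
    event = {}
    for token in shlex.split(line):
        key, _, value = token.partition("=")
        event[key] = value
    return event


def is_suspicious(event):
    """True when an interpreter spawns a shell and the parent is not allowlisted."""
    parent = _basename(event.get("parent_image", ""))
    child = _basename(event.get("image", ""))
    if parent not in INTERPRETERS or child not in SHELLS:
        return False
    return not any(marker in event.get("parent_cmd", "") for marker in ALLOWLIST_MARKERS)


def detect(lines):
    """Return the parsed events that match the interpreter-spawns-shell rule."""
    return [event for event in map(parse_event, lines) if is_suspicious(event)]


if __name__ == "__main__":
    for event in detect(LOG_LINES):
        print(f"{event['ts']} {event['host']}: {event['parent_cmd']!r} -> {event['cmd']!r}")
```

On the constructed records the rule fires three times (a bare `node index.js` spawning `sh`, a Python task script spawning `bash`, and `wscript.exe` spawning `cmd.exe`) and stays quiet for the npm build, the pytest run that invokes `git`, and the init-spawned shell. On developer workstations this rule is noisy without an allowlist for the project's own build tooling, so tune the markers per environment rather than disabling the rule.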