EXECUTIVE SUMMARY:
A targeted campaign has been uncovered that leverages fraudulent recruitment tactics to compromise developers working in JavaScript and Python, specifically those focused on cryptocurrency and blockchain technologies. Actors behind this operation fabricate a seemingly legitimate company and engage potential victims through widely used social and professional platforms, including LinkedIn, Facebook, and various forums. Under the guise of offering coding interview tasks, the campaign delivers malicious software designed to covertly grant unauthorized access to compromised systems and monitor for cryptocurrency-related artifacts and software.
The operation centers on a modular framework in which fake company profiles and GitHub repositories serve as initial contact points. These repositories appear to contain standard development tasks but embed dependencies that reference malicious packages hosted on legitimate public registries such as npm and PyPI. Once a targeted developer forks the repository or installs these dependencies, hidden downloader components are executed. These launch a secondary payload, a remote-access trojan (RAT), that contacts a remote command-and-control (C2) server. The RAT supports typical commands for file transfer, process execution, and arbitrary command execution, and includes routines to verify the presence of cryptocurrency wallet extensions on the victim's machine. The C2 communication is token-protected, a characteristic observed in advanced threat operations, and several variants of the RAT have been identified across scripting languages including JavaScript, Python, and VBScript. Notably, the threat actors have adopted a strategy of releasing innocuous package versions first, to garner trust and downloads, before later publishing malicious revisions.
The campaign exemplifies a supply chain attack that exploits trust in the software development recruitment process and in open-source ecosystems. By combining social engineering, deceptive branding, and abuse of legitimate hosting services, the threat actors maintain persistence even when individual components are exposed. Developers and security teams should exercise heightened vigilance when responding to unsolicited job opportunities or installing unfamiliar packages, especially those involving dependencies from public registries. Monitoring for unauthorized connections and unusual process activity, and scanning package metadata for inconsistencies, can help detect and mitigate these threats before systems are fully compromised.
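The package-metadata checks recommended above can be automated. The following script is an added example written for this summary; it is not code from the referenced reports, and the manifest, registry document, package names, and severity thresholds it uses are constructed for illustration. It flags the three signs described in the summary: install-time lifecycle scripts in a "coding task" manifest, dependencies fetched from outside the registry, and a package whose newest version suddenly gained install hooks or dependencies that the earlier, innocuous versions did not have.

```python
"""Audit an npm package manifest and an npm registry document for the
warning signs of a poisoned 'interview task' dependency."""
import json
import re
from datetime import datetime

# Lifecycle scripts that npm runs automatically during `npm install`
INSTALL_HOOKS = {"preinstall", "install", "postinstall", "prepare"}
# Commands typical of a downloader stage (assumed heuristics, not an exhaustive list)
SUSPICIOUS_CMD = re.compile(r"(node\s+-e|curl|wget|powershell|base64|eval\()", re.I)
# Dependency specs that bypass the registry: URLs, git, GitHub shorthand, local paths
NON_REGISTRY_SPEC = re.compile(r"^(https?://|git\+|github:|file:|[\w-]+/[\w-]+)")


def audit_manifest(manifest: dict) -> list[str]:
    """Return findings for a package.json-style manifest (most severe first)."""
    findings = []
    for hook, cmd in manifest.get("scripts", {}).items():
        if hook in INSTALL_HOOKS:
            sev = "HIGH" if SUSPICIOUS_CMD.search(cmd) else "MEDIUM"
            findings.append(f"{sev}: lifecycle script '{hook}' runs on install: {cmd}")
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        for name, spec in manifest.get(section, {}).items():
            if NON_REGISTRY_SPEC.match(spec):
                findings.append(f"MEDIUM: {section}.{name} resolved outside the registry: {spec}")
    return findings


def _version_key(version: str) -> tuple:
    return tuple(int(x) for x in re.findall(r"\d+", version)[:3])


def _parse_time(ts: str) -> datetime:
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def audit_registry_metadata(meta: dict, max_gap_days: int = 180) -> list[str]:
    """Compare the two newest versions in a registry document shaped like
    `npm view <pkg> --json`: 'versions' maps version -> manifest and
    'time' maps version -> publish timestamp."""
    findings = []
    versions = sorted(meta.get("versions", {}), key=_version_key)
    if len(versions) < 2:
        return findings
    prev, latest = versions[-2], versions[-1]
    prev_m, latest_m = meta["versions"][prev], meta["versions"][latest]
    name = meta.get("name", "<unknown>")

    new_hooks = (INSTALL_HOOKS & set(latest_m.get("scripts", {}))) - set(prev_m.get("scripts", {}))
    if new_hooks:
        findings.append(f"HIGH: {name}@{latest} adds install hooks absent in {prev}: {sorted(new_hooks)}")
    new_deps = set(latest_m.get("dependencies", {})) - set(prev_m.get("dependencies", {}))
    if new_deps:
        findings.append(f"MEDIUM: {name}@{latest} adds dependencies absent in {prev}: {sorted(new_deps)}")
    times = meta.get("time", {})
    if prev in times and latest in times:
        gap = (_parse_time(times[latest]) - _parse_time(times[prev])).days
        if gap > max_gap_days:
            findings.append(f"LOW: {name}@{latest} published {gap} days after {prev} (dormant package revived)")
    return findings


# Constructed sample: a "coding task" manifest of the kind the campaign hands out
SAMPLE_MANIFEST = {
    "name": "interview-task",
    "version": "1.0.0",
    "scripts": {"test": "jest", "postinstall": "node -e \"require('./setup')\""},
    "dependencies": {
        "express": "^4.18.2",
        "graph-helpers-example": "^2.1.0",
        "utils-fork": "github:example-org/utils-fork",
    },
}

# Constructed registry document: 2.0.0 was harmless, 2.1.0 gained a hook and a dependency
SAMPLE_REGISTRY_DOC = {
    "name": "graph-helpers-example",
    "time": {"2.0.0": "2024-01-10T12:00:00Z", "2.1.0": "2024-11-05T12:00:00Z"},
    "versions": {
        "2.0.0": {"scripts": {"test": "mocha"}, "dependencies": {"lodash": "^4.17.21"}},
        "2.1.0": {
            "scripts": {"test": "mocha", "preinstall": "node lib/init.js"},
            "dependencies": {"lodash": "^4.17.21", "axios": "^1.6.0"},
        },
    },
}

if __name__ == "__main__":
    for finding in audit_manifest(SAMPLE_MANIFEST) + audit_registry_metadata(SAMPLE_REGISTRY_DOC):
        print(finding)
    print(json.dumps({"manifest": SAMPLE_MANIFEST["name"]}, indent=2))
```

In practice the manifest comes from the forked repository and the registry document from `npm view <package> --json` for each dependency before anything is installed; running installs with lifecycle scripts disabled (`npm install --ignore-scripts`) until the findings are reviewed removes the execution path the downloader stage relies on.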
THREAT PROFILE:
| Tactic | Technique Id | Technique | Sub-technique |
| --- | --- | --- | --- |
| Initial Access | T1195.002 | Supply Chain Compromise | Compromise Software Supply Chain |
| Initial Access | T1566.002 | Phishing | Spearphishing Link |
| Initial Access | T1566.001 | Phishing | Spearphishing Attachment |
| Execution | T1059.007 | Command and Scripting Interpreter | JavaScript |
| Execution | T1059.006 | Command and Scripting Interpreter | Python |
| Execution | T1204.002 | User Execution | Malicious File |
| Persistence | T1547.001 | Boot or Logon Autostart Execution | Registry Run Keys / Startup Folder |
| Defense Evasion | T1027.006 | Obfuscated Files or Information | HTML Smuggling |
| Defense Evasion | T1036.005 | Masquerading | Match Legitimate Resource Name or Location |
| Credential Access | T1555.003 | Credentials from Password Stores | Credentials from Web Browsers |
| Discovery | T1083 | File and Directory Discovery | - |
| Discovery | T1518.001 | Software Discovery | Security Software Discovery |
| Collection | T1005 | Data from Local System | - |
| Collection | T1114.001 | Email Collection | Local Email Collection |
| Command and Control | T1071.001 | Application Layer Protocol | Web Protocols |
| Command and Control | T1105 | Ingress Tool Transfer | - |
| Command and Control | T1573.002 | Encrypted Channel | Asymmetric Cryptography |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | - |
REFERENCES:
The following reports contain further technical details:
https://cybersecuritynews.com/lazarus-groups-graphalgo-fake-recruiter-campaign/
https://www.reversinglabs.com/blog/fake-recruiter-campaign-crypto-devs