In an operation tracked as "graphalgo," the North Korean state-sponsored Lazarus Group has been running a fake recruitment campaign aimed at cryptocurrency developers. Active since May 2025, the campaign delivers remote access trojans to developers working on blockchain and cryptocurrency projects through bogus job offers, and it turns legitimate development workflows into infection vectors by abusing well-known open-source package repositories such as GitHub, npm, and PyPI.
Potential victims are approached by attackers via job postings on developer forums like Reddit or professional networking sites like Facebook and LinkedIn.
The social engineering lure centers on job openings at fictitious blockchain and cryptocurrency exchange businesses, most notably "Veltrix Capital." Victims are given coding test assignments that look authentic but that, when run, pull in malicious dependencies that compromise their systems.

Overview of the campaign (Source: ReversingLabs)

This campaign is especially risky because of its modular design, which lets the threat actors keep operating even after parts of the infrastructure are exposed.
Researchers from ReversingLabs have identified this new branch of the fake recruiter campaign and named it after the first malicious package found in the npm repository. According to their analysis, the npm package "bigmathutils" had more than 10,000 downloads prior to the release of a weaponized version, exhibiting the patience typical of state-sponsored operations.
Mechanism of Infection and Delivery of the Multi-Stage Payload

The infection process starts when developers receive interview tasks hosted in GitHub repositories controlled by the fraudulent companies. These repositories contain coding assignments for DevOps or blockchain roles; however, the project files embed dependencies that point to compromised packages hosted on the npm and PyPI registries.
One of the job tasks with a malicious dependency (Source: ReversingLabs)

Package managers install these malicious dependencies automatically when victims run or debug the interview code. The packages then download second-stage malware from command-and-control servers, using encrypted payloads and multiple layers of obfuscation.
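A defender-side triage step for the workflow described above, written as an added example that is not ReversingLabs' or the campaign's code: before any package manager runs, list every third-party dependency and install-time script in the assignment repo and flag anything the reviewer has not explicitly approved. The allowlist, the sample manifests and the version specifiers are constructed for this illustration; "bigmathutils" is the npm package name the article cites.

```python
# Offline triage of a coding-assignment repo: enumerate dependencies and install hooks
import json
import re

# npm lifecycle scripts that execute automatically during `npm install`
LIFECYCLE_HOOKS = {"preinstall", "install", "postinstall", "prepare"}
# npm version specs that bypass the registry: git, GitHub shorthand, URLs, local paths
NON_REGISTRY = re.compile(r"^(git\+|git:|github:|https?://|file:|\.|/)")

def npm_findings(package_json: str, allowlist: set) -> list:
    """Report dependencies not on the reviewer's allowlist and any install hooks."""
    data = json.loads(package_json)
    findings = []
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        for name, spec in data.get(section, {}).items():
            if name not in allowlist:
                findings.append(f"unreviewed npm dependency {name}@{spec} ({section})")
            if NON_REGISTRY.match(spec):
                findings.append(f"non-registry source for {name}: {spec}")
    for hook, cmd in data.get("scripts", {}).items():
        if hook in LIFECYCLE_HOOKS:
            findings.append(f"install-time script {hook}: {cmd}")
    return findings

def pip_findings(requirements: str, allowlist: set) -> list:
    """Same check for requirements.txt; URL, VCS and -e/-r lines never hit the index."""
    findings = []
    for raw in requirements.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("-") or "://" in line or "@" in line:
            findings.append(f"non-index requirement: {line}")
            continue
        name = re.split(r"[<>=!~\[; ]", line, maxsplit=1)[0].lower()
        if name not in allowlist:
            findings.append(f"unreviewed PyPI dependency: {line}")
    return findings

# Constructed sample manifests (not taken from the campaign's repositories);
# "bigmathutils" is the package name the article cites, the version spec is made up.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "interview-task",
    "scripts": {"postinstall": "node setup.js", "test": "jest"},
    "dependencies": {"express": "^4.18.2", "bigmathutils": "latest"},
})
SAMPLE_REQUIREMENTS = "requests==2.31.0\nhelper-lib @ https://example.invalid/helper.tar.gz\n"
if __name__ == "__main__":
    for f in npm_findings(SAMPLE_PACKAGE_JSON, {"express"}) + pip_findings(SAMPLE_REQUIREMENTS, {"requests"}):
        print("REVIEW:", f)
```

Anything reported here is a reason to inspect the package (publisher, history, contents) in an isolated environment before running `npm install` or `pip install` on a workstation that holds wallet keys or signing credentials.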
Direct communication combined with active recruiting (Source: ReversingLabs)

The final payload is a fully functional RAT that can execute arbitrary commands, upload files, list processes, and check for the MetaMask browser extension (a sign of interest in stealing cryptocurrency funds). Three versions of the RAT are known, written in Visual Basic Script, Python, and JavaScript. Security researchers are unable to examine server responses because the malware uses token-protected authentication when communicating with its C2 servers.
Attribution to Lazarus Group is strengthened by the observation of the same token mechanism in other North Korean campaigns. The cryptocurrency-focused social engineering and the GMT+9 timezone timestamps in git commits are likewise consistent with known North Korean threat actor patterns.