Lazarus Group Deploys RAT via Fake Developer Job Offers

Executive Summary
A new social engineering campaign attributed to the North Korean threat actor, Lazarus Group, is actively targeting JavaScript and Python developers. This operation, designated Graphalgo, has been ongoing since at least May 2025. The adversary leverages fake job recruiter profiles and bogus company personas on platforms like LinkedIn, Facebook, and Reddit to lure developers into a multi-stage infection process. The initial vector involves a purported coding challenge hosted on GitHub. Execution of the project code triggers the installation of malicious dependencies from public repositories, ultimately deploying a Remote Access Trojan (RAT) on the victim's system.
Key Findings
Threat Actor Attribution
Analysis attributes the Graphalgo campaign to the Lazarus Group with medium-to-high confidence. This assessment is based on tactical overlaps with previous Lazarus operations, including the use of coding tests as an infection vector, a distinct focus on cryptocurrency theft, delayed payload activation, and Git commits originating from the GMT+9 timezone, which corresponds to North Korea.
Infection Vector & Staging
The threat actor establishes a pretext by creating fake companies in the blockchain and crypto-trading sectors and posting job openings. Developers who apply are tasked with a skills assessment requiring them to run, debug, or improve a project from a GitHub repository. The GitHub repositories themselves appear clean; however, they are configured to pull malicious dependencies from legitimate package managers like npm and PyPI. These dependencies serve as the primary infection mechanism.
Malicious Packages & Evasion
Researchers identified 192 malicious packages associated with this campaign. Initially, package names contained "graph" to impersonate legitimate libraries like graphlib. From December 2025, the actor shifted to using "big" in package names, such as bigmathutils. In one instance, the bigmathutils package was benign until version 1.1.0 introduced the malicious payload, after which it was deprecated by the actor to conceal activity. This supply chain attack leverages the trust developers place in public code registries.

Payload & Impact
The ultimate payload is a multi-variant Remote Access Trojan (RAT) written in JavaScript, Python, and VBS. Once installed, the RAT provides the adversary with significant control over the compromised host. Its documented capabilities include:
- Listing running processes.
- Executing arbitrary commands received from the Command-and-Control (C2) server.
- Exfiltrating files.
- Dropping additional payloads.
Critically, the RAT actively checks for the presence of the MetaMask cryptocurrency browser extension, indicating a primary objective of financial theft. C2 communications are token-protected, a tactic consistent with Lazarus Group operations to hinder analysis.
Mitigation & Recommendations
- System Remediation: Developers who may have interacted with suspicious job offers and downloaded related projects should immediately rotate all access tokens, credentials, and API keys. A full operating system reinstall is strongly advised to ensure complete removal of the persistence mechanisms.
- Supply Chain Scrutiny: Exercise extreme caution when installing dependencies. Thoroughly vet all third-party packages, even those part of a seemingly legitimate project. Pin dependency versions and review code changes between updates.
- Vetting Recruiters: Treat unsolicited job offers with skepticism. Verify the legitimacy of companies and recruiter profiles through independent channels before engaging or downloading any materials.
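As an added example (not part of this briefing or of any tooling it describes), the following Python script applies the "pin versions and review changes between updates" advice to the two manifest formats the campaign abuses: it flags package.json and requirements.txt entries that are not pinned to an exact version, and lists dependencies added or re-versioned between two revisions of a manifest, which is where a bump such as bigmathutils moving to 1.1.0 would surface. The manifests are constructed samples; express, jest, requests and numpy appear only as benign placeholders.

```python
"""Flag unpinned dependencies and version changes in npm/PyPI manifests."""
import json
import re

# Constructed sample manifests; not taken from any campaign repository.
PACKAGE_JSON = json.dumps({
    "dependencies": {"express": "4.18.2", "bigmathutils": "^1.0.0"},
    "devDependencies": {"jest": "~29.0.0"},
})
REQUIREMENTS_OLD = "requests==2.31.0\nnumpy>=1.20\nbigmathutils\n"
# The same requirements file after a hypothetical update.
REQUIREMENTS_NEW = "requests==2.31.0\nnumpy>=1.20\nbigmathutils==1.1.0\n"

# Only an exact version counts as pinned; ranges (^, ~, >=, bare name) do not.
NPM_EXACT = r"\d+\.\d+\.\d+"
PIP_EXACT = r"==\s*\d+(\.\d+)*"


def npm_deps(text):
    """Return {name: spec} across dependencies and devDependencies."""
    data = json.loads(text)
    deps = {}
    for key in ("dependencies", "devDependencies"):
        deps.update(data.get(key, {}))
    return deps


def pip_deps(text):
    """Return {name: spec}; spec is '' when no version is given."""
    deps = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "-")):
            continue
        m = re.match(r"^([A-Za-z0-9_.\-]+)\s*(.*)$", line)
        deps[m.group(1).lower()] = m.group(2).strip()
    return deps


def unpinned(deps, exact_re):
    """Names whose specifier is not an exact version."""
    return sorted(n for n, s in deps.items() if not re.fullmatch(exact_re, s))


def changed(old, new):
    """Dependencies added, or whose specifier differs, between two manifests."""
    return {n: (old.get(n), s) for n, s in new.items() if old.get(n) != s}


if __name__ == "__main__":
    print("npm unpinned:", unpinned(npm_deps(PACKAGE_JSON), NPM_EXACT))
    print("pip unpinned:", unpinned(pip_deps(REQUIREMENTS_OLD), PIP_EXACT))
    print("changed:", changed(pip_deps(REQUIREMENTS_OLD), pip_deps(REQUIREMENTS_NEW)))
```

Any entry reported by `changed` is a candidate for a source review before the update is accepted, since a package can be benign in one release and carry a payload in the next.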