Fake Coding Tests Used by Threat Actors to Target Python Developers

Malicious Campaign Targeting Python Developers Linked to North Korea’s Lazarus Group

A new campaign known as VMConnect, suspected to be linked to North Korea’s Lazarus Group, has been targeting Python developers through fake job interviews and coding tests. The attackers pose as recruiters from reputable financial services firms, such as Capital One, to lure developers into downloading and executing malware.

The attackers have been using GitHub repositories and open-source containers to host their malicious code, often disguised as coding skills tests or password manager applications. The malware is hidden within altered pyperclip and pyrebase module files, making it challenging to detect. Once executed, the malware makes HTTP POST requests to a command and control server to carry out malicious activities.

One developer who fell victim to the campaign was contacted by a fake recruiter on LinkedIn and provided with a link to a GitHub repository as a homework task. Unaware of the malware hidden within the code, the developer completed the task and shared screenshots as instructed. Security researchers were able to trace the developer’s identity through the repository logs, confirming the infection.

Despite efforts to report and terminate suspicious GitHub accounts associated with the campaign, researchers believe the threat is ongoing. They discovered a newly published repository matching previous incidents, indicating continued malicious activity. The researchers suspect that the infected developer may have ties to the campaign, raising concerns about the extent of the operation’s reach.

As the VMConnect campaign continues to evolve, developers are urged to remain vigilant and verify the authenticity of job offers and coding tests to avoid falling victim to such sophisticated cyber attacks.
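
Because the malware described above was hidden in altered pyperclip and pyrebase module files shipped inside the test repositories, one practical check is to inspect any bundled copy of those modules before running anything. The following is an added example, not code from the article or the researchers; the indicator lists (dynamic execution calls, network imports) and the sample repository are assumptions constructed for illustration.

```python
import ast
import os
import tempfile

WATCHED = {"pyperclip", "pyrebase"}                  # module names from the article
DYNAMIC = {"exec", "eval", "compile", "__import__"}  # assumed heuristic, not from the article
NETWORK = {"requests", "urllib", "http", "socket"}   # assumed heuristic, not from the article

def scan_file(path):
    """Return sorted indicator strings found in one Python source file (parsed, never run)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        try:
            tree = ast.parse(fh.read(), filename=path)
        except SyntaxError:
            return ["unparseable"]
    hits = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Call) and isinstance(node.func, ast.Name):
            if node.func.id in DYNAMIC:
                hits.add("dynamic:" + node.func.id)
        elif isinstance(node, (ast.Import, ast.ImportFrom)):
            names = ([a.name for a in node.names] if isinstance(node, ast.Import)
                     else [node.module or ""])
            hits.update("network:" + n for n in names if n.split(".")[0] in NETWORK)
    return sorted(hits)

def scan_repo(root, watched=WATCHED):
    """Map each bundled file belonging to a watched module to its indicators."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        parts = os.path.relpath(dirpath, root).split(os.sep)
        for name in files:
            stem = name[:-3]
            if name.endswith(".py") and (stem in watched or watched.intersection(parts)):
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                report[rel] = scan_file(full)
    return report

def demo():
    """Build a constructed sample repository (its files are only parsed) and scan it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "app", "pyperclip"))
        with open(os.path.join(root, "app", "pyperclip", "__init__.py"), "w") as fh:
            fh.write("import base64, urllib.request\nexec(base64.b64decode('cGFzcw=='))\n")
        with open(os.path.join(root, "app", "main.py"), "w") as fh:
            fh.write("import pyperclip\nprint('test')\n")
        return scan_repo(root)
```

A bundled copy of a package that is normally installed from PyPI is itself worth questioning; any indicator reported inside it is a reason to diff the file against the published release before executing the project.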
