As part of a long-running campaign known as Operation Dream Job, the Lazarus Group which has ties to North Korea and is also known as Hidden Cobra or TEMP. Hermit has been seen employing trojanized versions of Virtual Network Computing (VNC) software as lures to target individuals working in the nuclear engineering and defence industries.

According to Kaspersky’s research on APT trends for the third quarter of 2023, “the threat actor tricks job seekers on social media into opening malicious apps for fake job interviews.”

“To avoid detection by behaviour-based security solutions, this backdoored application operates discreetly, only activating when the user selects a server from the drop-down menu of the Trojanized VNC client.”

When the victim launches the fake application, it is programmed to retrieve additional payloads, one of which is a well-known piece of malware developed by the Lazarus Group and given the name LPEClient. This malware is equipped with the capability to profile compromised computers.

[FREE E-BOOK] The Definite Blueprint for Cybersecurity in Manufacturing

An updated version of COPPERHEDGE, which is a backdoor that is known for running arbitrary commands, doing system reconnaissance, and exfiltrating data, was also deployed by the adversary. Additionally, the adversary distributed a bespoke piece of malware that was designed expressly for the purpose of transferring files of interest to a remote server.

Companies that are directly involved in the production of defence goods, such as radar systems, unmanned aerial vehicles (UAVs), military vehicles, ships, armament, and marine companies, are the focus of the most recent campaign.

Operation Dream Job is the name given to a series of cyberattacks that were carried out by a North Korean hacking group. These cyberattacks consisted of contacting potential targets through questionable accounts on various platforms like LinkedIn, Telegram, and WhatsApp with the pretext of offering them lucrative job opportunities in order to trick them into downloading malware.

Lazarus Group

ESET disclosed the specifics of an attack carried out by the Lazarus Group against an undisclosed aerospace company in Spain at the tail end of the previous month. The attack involved the threat actor posing as a recruiter for Meta on LinkedIn and requesting that employees of the targeted company deliver an implant known as LightlessCan.

Lazarus Group is just one of the many malicious programs that have been traced back to North Korea. These programs have been connected to acts of cyber espionage as well as thefts that were motivated by financial gain.

As opposed to other threat activity clusters, such as APT43, Kimsuky, and Lazarus Group (and its sub-groups Andariel and BlueNoroff), which are linked with the Reconnaissance General Bureau (RGB), APT37 (aka ScarCruft) is a prominent hacking crew that is a part of the Ministry of State Security. This is in contrast to other threat activity clusters.

“While different threat groups share tooling and code, North Korean threat activity continues to adapt and change to build tailored malware for different platforms, including Linux and macOS,” Google-owned Mandiant disclosed earlier this month, highlighting the progression of these threats in terms of their ability to adapt to new environments and their increasing level of complexity.

According to Kaspersky, the cyberattacker group ScarCruft went after a trading organization with ties to both Russia and North Korea by employing an innovative phishing attack chain that resulted in the transmission of the RokRAT (also known as BlueLight) malware. This highlights the hermit kingdom’s continued efforts to target Russia.

Additionally, another obvious trend is the infrastructure, technology, and targeting parallels across several North Korean hacker outfits, including Andariel, APT38, Lazarus Group, and APT43. These overlaps make it more difficult to attribute attacks and indicate a streamlining of antagonistic activities.

In addition to this, “increased interest in the development of macOS malware to backdoor platforms of high-value targets within the cryptocurrency and blockchain industries,” according to Mandiant, has followed this trend.


Rhyno delivers a range of activities that combine to fully protect your infrastructure and data from cybercriminals, anywhere and everywhere, 24/7/365.


About Rhyno Cybersecurity Services

Rhyno Cybersecurity is a Canadian-based company focusing on 24/7 Managed Detection and Response, Penetration Testing, Enterprise Cloud, and Cybersecurity Solutions for small and midsize businesses.

Our products and services are robust, innovative, and cost-effective. Underpinned by our 24x7x365 Security Operations Centre (SOC), our experts ensure you have access to cybersecurity expertise when you need it the most.

This website uses cookies to improve your online experience. By continuing, we will assume that you are agreeing to our use of cookies. For more information, visit our Cookie Policy.

Privacy Preference Center