
These operations, linked to groups like Lazarus, combine social engineering with malware to bypass hiring checks and access sensitive networks. Recent reports show they earned millions through freelance gigs while planting backdoors in victim systems.
In 2025, GitLab banned 131 accounts tied to these actors, exposing detailed schemes on their platform.
Hackers created fake GitLab profiles mimicking developers from the US, Europe, and Asia, often using Gmail or custom domains.
They targeted the crypto, finance, AI, and real estate sectors, luring job seekers with “technical interviews” that deployed JavaScript malware such as BeaverTail and OtterCookie.
Campaign Tactics and Evolution
Threat actors run two main prongs: “Contagious Interview” and direct IT worker infiltration. In Contagious Interview, fake recruiters on LinkedIn or freelancing sites send coding tests that execute loaders from Vercel or custom domains when run in browsers or VS Code.
These loaders fetch payloads via base64-encoded URLs stored in .env files and use error handlers to evade audits; the malware then steals credentials for crypto theft or lateral movement.
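One defensive check for the .env trick described above, added here as an example (not code from the report or from GitLab): a small Python audit that walks a coding-test repo, decodes base64-looking tokens in .env and JS/TS files, and flags any token that hides an http(s) URL. The file names and contents it scans are constructed samples.

```python
import base64
import re
import tempfile
from pathlib import Path

# Base64-looking runs long enough to hide a URL (lower 16 to catch very short hosts)
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
URL_PREFIX = re.compile(rb"^https?://", re.IGNORECASE)
SCANNED_SUFFIXES = {".js", ".mjs", ".cjs", ".ts"}


def decode_hidden_urls(text: str) -> list[str]:
    """Return every base64 token in text that decodes to an http(s) URL."""
    found = []
    for token in B64_TOKEN.findall(text):
        try:
            raw = base64.b64decode(token, validate=True)
        except ValueError:  # binascii.Error (bad alphabet or padding) is a ValueError
            continue
        if URL_PREFIX.match(raw):
            found.append(raw.decode("utf-8", errors="replace"))
    return found


def audit_repo(root: Path) -> dict[str, list[str]]:
    """Map each .env* or JS/TS file under root to the hidden URLs it carries."""
    hits = {}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        if path.name.startswith(".env") or path.suffix in SCANNED_SUFFIXES:
            urls = decode_hidden_urls(path.read_text(errors="ignore"))
            if urls:
                hits[str(path.relative_to(root))] = urls
    return hits


def demo() -> dict[str, list[str]]:
    """Build a constructed 'coding test' repo in a temp dir and audit it."""
    hidden = base64.b64encode(b"https://example.invalid/api/ipcheck").decode()
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed sample: a dropper URL stashed base64-encoded in .env
        (root / ".env").write_text(f"PORT=3000\nAPI_BASE={hidden}\n")
        # Constructed clean file: ordinary starter code must not be flagged
        (root / "index.js").write_text("console.log('starter project');\n")
        return audit_repo(root)


if __name__ == "__main__":
    for file, urls in demo().items():
        print(f"{file}: {urls}")
```

Run it against an unpacked take-home test before executing anything; a hit means a file carries a URL the code never shows in plain text, which deserves a manual look.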
For IT worker schemes, North Koreans build synthetic identities using AI headshots, deepfakes, and stolen data.
One GitLab case revealed a cell led by Kil-Nam Kang in Beijing, tracking $1.64 million in earnings from 2022-2025 via spreadsheets on web/mobile dev contracts.
Another operator controlled 21 personas across five countries, doctoring US IDs with their photos via Photoshop; a third, from Moscow, sought full-time US/UK jobs, recruiting locals to host laptops for remote access.
GitLab’s report details automation: one team scraped images, swapped faces on faceswapper.ai, forged passports via VerifTools, and scripted LinkedIn outreach for 135+ personas.
They mirrored 48 private repos and exfiltrated code. IPs like 111.197.183.74 (Kang’s) and VPNs masked origins; malicious NPM packages like passport-google-auth-token aided delivery.
| Key Indicators of Compromise | Type | Notes |
|---|---|---|
| aleks.moleskimail.io | Malware distribution | |
| httpsapi-server-mocha.vercel.appapiipcheck-encrypted823 | URL | JS malware dropper |
| passport-google-auth-token | NPM pkg | Malicious dependency |
| 111.197.183.74 | IP | IT cell manager |
These schemes fund weapons through sanctions evasion, with cells hitting quarterly targets despite declining 2025 earnings due to awareness. Victims include Fortune 500 firms; Amazon blocked 1,800 suspect apps. Once inside, actors access codebases, Slack, and crypto wallets.
Firms should verify hires via live video (live questions beat deepfakes), geolock IPs, and scan for the IOCs above; job seekers should audit code before running it and report fake recruiters.
The post North Korean Hackers Use Fake IT Worker Scheme To Infiltrate Firms appeared first on Cyber Security News.
