
Lazarus Uses AI Coding Tests to Target Developers

A highly targeted cyber campaign linked to the North Korean Lazarus ecosystem is exploiting something developers trust the most:

Job interviews and coding challenges

Tracked as HexagonalRodent (Expel-TA-0001) by security researchers at Expel, this operation is tricking software engineers into executing malware disguised as legitimate take-home assignments.

Even more concerning, attackers are now using AI tools to scale deception, generate code, and build fake companies at speed.

In this article, you’ll learn:

  • How the AI-assisted Lazarus campaign works
  • Why developers are being heavily targeted
  • The infection chain hidden inside coding challenges
  • Real-world crypto theft impact
  • Defensive strategies for developers and security teams

Who Is Behind the Attack?

The campaign is attributed to a subgroup within the broader Lazarus Group ecosystem.

Key traits:

  • State-sponsored North Korean actor
  • Financially motivated (crypto theft)
  • Highly adaptive and technically evolving
  • Focus on developers and Web3 ecosystem

Why Developers Are the Primary Target

Attackers are no longer going after only exchanges.

They are targeting:

  • Web3 developers
  • Blockchain engineers
  • Freelance coders
  • Crypto startup contributors

Why?

Because developers often control:

  • Wallet access keys
  • Smart contract deployments
  • Private repositories
  • Cloud credentials

The AI-Powered Social Engineering Trap

Step 1: Fake Recruiter Contact

Attackers approach victims via:

  • LinkedIn messages
  • Fake job portals
  • Freelance hiring platforms

Step 2: Coding Assessment Delivery

Victims receive a “take-home assignment” that appears legitimate.

But inside:

  • Hidden malware
  • Manipulated project files
  • Pre-configured execution triggers

Step 3: AI-Generated Deception

Attackers use AI tools like:

  • ChatGPT
  • Cursor

To generate:

  • Fake company websites
  • Job descriptions
  • Technical assignments
  • Leadership personas

This makes the entire recruitment flow look real.


Infection Chain: How the Malware Executes


1. VSCode Abuse via tasks.json

The attack leverages Visual Studio Code's task automation.

Inside the project:

  • A malicious .vscode/tasks.json is embedded in the assignment
  • One of its tasks sets "runOptions": {"runOn": "folderOpen"}
  • VS Code runs that task as soon as the folder is opened in a trusted workspace; automatic tasks do not run while the folder is in Restricted Mode, but the "trust the authors" prompt is one click away and is exactly what the victim expects to click for a real assignment

2. Hidden Execution in Source Code

Even outside VSCode:

  • Malicious functions exist in code files
  • Execution triggers during normal runtime

Key Insight

Once the developer trusts the workspace, opening the project is enough to trigger infection: no script has to be run by hand.


Malware Components and Capabilities

Once inside the system, multiple payloads activate:


BeaverTail (Credential Stealer)

A JavaScript stealer that runs under Node.js. Steals:

  • Browser credentials and browser-extension crypto wallets
  • Password managers (1Password, etc.)
  • macOS Keychain
  • Linux Keyring

OtterCookie (Remote Access Tool)

Functions as:

  • Reverse shell
  • Persistent remote access channel
  • Command execution interface

InvisibleFerret (Python Backdoor)

Adds:

  • Additional remote control layer
  • Backup communication channel

Scale of the Attack

This campaign is not small.

Reported Impact:

  • 26,584 crypto wallets compromised
  • 2,726 developer systems infected
  • Up to $12 million exposed per wallet cluster

Supply Chain Expansion

Researchers discovered a major escalation:

  • A compromised VSCode extension (“fast-draft”)
  • Used to distribute OtterCookie malware
  • First confirmed supply chain attack by this subgroup

Why This Campaign Is So Dangerous

1. Trust Exploitation

Developers trust:

  • Recruiters
  • Coding assignments
  • GitHub-style projects

Attackers weaponize that trust.


2. AI-Scaled Operations

AI enables:

  • Faster fake job creation
  • Realistic company impersonation
  • Automated malware development

3. Developer Environment Abuse

Attackers target tools like:

  • Code editors
  • Build systems
  • Project configs

Common Misconceptions

“Only Executing Code is Dangerous”

Reality:
Simply opening a project in VSCode and accepting the Workspace Trust prompt can trigger infection; no file has to be run deliberately.


“Job Interviews Are Safe Zones”

Reality:
They are now a primary attack vector.


“Security Tools Will Catch It”

Reality:
The payloads run as node and python processes under the developer's own account, so their activity looks like a normal build or test run and blends into legitimate developer workflows.


Best Practices for Developers


1. Never Run Untrusted Projects Blindly

Before opening:

  • Review all files, including dotfiles and hidden directories such as .vscode/ and .npmrc
  • Inspect hidden configs (tasks.json, settings.json, launch.json)
  • Check build scripts and package.json lifecycle scripts (preinstall, install, postinstall, prepare), which run on npm install without any prompt
  • Better still, open the assignment in a disposable VM or container that holds no wallets, SSH keys or cloud credentials

2. Disable Automatic Task Execution

In Visual Studio Code:

  • Keep unfamiliar folders in Restricted Mode when the Workspace Trust prompt appears; automatic tasks do not run there
  • Set "task.allowAutomaticTasks": "off" in your user settings so folderOpen tasks never run without an explicit decision
  • Review workspace settings carefully (.vscode/settings.json ships with the project and is under the attacker's control)
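The checks above, as an added example that is not code from the article, from Expel or from any project the report describes: a Python triage script that builds a constructed sample take-home project in a temporary directory and scans it for a tasks.json task set to run on folderOpen (the trigger described under "VSCode Abuse via tasks.json"), package.json lifecycle scripts, and JavaScript that feeds an encoded blob to eval(). The sample files, the indicator lists and the base64-length threshold are assumptions chosen for illustration; to triage a real assignment, point scan_project() at the unpacked folder instead of the sample.

```python
"""Offline triage of a 'take-home assignment' before opening it in an editor.

Added example (not from the Expel report).  Builds a constructed sample
project, then scans it for: a VS Code task that auto-runs on folderOpen,
package.json lifecycle scripts that run on `npm install`, and JavaScript
that hands an encoded string to eval()/Function().  Indicator lists and
thresholds are assumptions chosen for illustration.
"""
import json
import re
import tempfile
from pathlib import Path

# Constructed sample project (illustrative, not a real malware sample).
SAMPLE_PROJECT = {
    ".vscode/tasks.json": json.dumps({
        "version": "2.0.0",
        "tasks": [{
            "label": "prepare",
            "type": "shell",
            "command": "node ./scripts/setup.js",
            "runOptions": {"runOn": "folderOpen"},  # runs when a trusted folder opens
        }],
    }, indent=2),
    "package.json": json.dumps({
        "name": "interview-task",
        "scripts": {
            "postinstall": "node ./scripts/setup.js",  # runs on `npm install`, no prompt
            "test": "jest",
        },
    }, indent=2),
    "scripts/setup.js": (
        "const a = 'Y29uc29sZS5sb2coIm9rIik=';\n"  # constructed base64 blob (decodes to console.log("ok"))
        "eval(Buffer.from(a, 'base64').toString());\n"
    ),
    "src/index.js": "module.exports = (x) => x * 2;\n",  # benign file, must not be flagged
}

# npm runs these script names automatically during `npm install`.
LIFECYCLE_SCRIPTS = {"preinstall", "install", "postinstall", "prepare"}
# Dynamic-execution / process-spawning calls worth a second look in a "coding test".
SUSPICIOUS_CALLS = re.compile(r"\b(eval|Function|child_process|execSync|spawn)\b")
# A quoted run of 20+ base64 characters (assumed threshold).
BASE64_BLOB = re.compile(r"['\"][A-Za-z0-9+/=]{20,}['\"]")


def write_sample_project(root: Path) -> None:
    """Materialise the constructed sample on disk."""
    for rel, content in SAMPLE_PROJECT.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(content)


def scan_project(root: Path) -> list:
    """Return (relative_path, reason) findings for one unpacked project."""
    findings = []
    tasks = root / ".vscode" / "tasks.json"
    if tasks.is_file():
        try:  # real tasks.json may be JSONC (comments); json.loads will then fail
            for task in json.loads(tasks.read_text()).get("tasks", []):
                if task.get("runOptions", {}).get("runOn") == "folderOpen":
                    findings.append((".vscode/tasks.json",
                                     f"auto-run task '{task.get('label')}' -> {task.get('command')}"))
        except json.JSONDecodeError:
            findings.append((".vscode/tasks.json", "unparseable JSON, inspect manually"))
    pkg = root / "package.json"
    if pkg.is_file():
        for name, cmd in json.loads(pkg.read_text()).get("scripts", {}).items():
            if name in LIFECYCLE_SCRIPTS:
                findings.append(("package.json", f"lifecycle script '{name}' -> {cmd}"))
    for path in sorted(root.rglob("*.js")):
        text = path.read_text(errors="replace")
        if SUSPICIOUS_CALLS.search(text) and BASE64_BLOB.search(text):
            findings.append((path.relative_to(root).as_posix(),
                             "dynamic code execution over an encoded blob"))
    return findings


def triage_sample() -> list:
    """Write the constructed sample to a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        write_sample_project(root)
        return scan_project(root)


if __name__ == "__main__":
    for file, reason in triage_sample():
        print(f"[!] {file}: {reason}")
```

The script only reads files; nothing in the candidate project is executed. Treat any hit as a reason to stop and ask questions, not as proof of malice, and remember that a JSONC tasks.json or heavily minified code will need a manual look.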

3. Audit Code with Security Tools

Use:

  • Static analysis tools
  • AI-based code scanners
  • Dependency checkers

4. Verify Recruiters Independently

Always:

  • Check official company websites
  • Validate email domains
  • Cross-check LinkedIn identities
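One way to mechanise the "validate email domains" step, as an added example rather than anything from the article or Expel: a classifier that compares a recruiter's sender domain with the company's official domain and reports exact matches, free-mail senders, and lookalikes (typosquats within edit distance 2, the brand name embedded in another domain, punycode labels). The official domain acme.com, the sample addresses, the naive last-two-labels "registrable domain" logic and the distance threshold are assumptions.

```python
"""Classify a recruiter's sender domain against the company's official domain.

Added example, not part of the article or the Expel report.  The official
domain, sample addresses and thresholds are assumptions; registrable_domain()
is a naive last-two-labels approximation that ignores public-suffix rules
(co.uk and similar would need a real public-suffix list).
"""
FREEMAIL = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com", "proton.me", "protonmail.com"}
LOOKALIKE_DISTANCE = 2  # assumed threshold for typosquat detection


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Naive: last two labels (mail.acme.com -> acme.com)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def classify_sender(email: str, official_domain: str) -> str:
    """Return 'official', 'freemail', 'lookalike' or 'unrelated'."""
    official = official_domain.lower()
    host = email.rsplit("@", 1)[-1].lower()
    reg = registrable_domain(host)
    if reg == official:
        return "official"                      # includes legitimate subdomains
    if reg in FREEMAIL:
        return "freemail"                      # real companies rarely recruit from these
    if any(label.startswith("xn--") for label in host.split(".")):
        return "lookalike"                     # IDN/punycode label, classic homoglyph trick
    brand = official.split(".")[0]
    if brand in host:
        return "lookalike"                     # acme-careers.com, acme.com.jobs-portal.net
    if levenshtein(reg, official) <= LOOKALIKE_DISTANCE:
        return "lookalike"                     # acrne.com, acme.co
    return "unrelated"


def classify_many(emails, official_domain: str) -> dict:
    """Classify a batch of sender addresses (constructed sample in __main__)."""
    return {e: classify_sender(e, official_domain) for e in emails}


if __name__ == "__main__":
    # Constructed sample addresses, not real senders.
    sample = ["jane@acme.com", "jobs@mail.acme.com", "recruiter@gmail.com",
              "hr@acme-careers.com", "hr@acme.com.jobs-portal.net",
              "hr@acrne.com", "hr@xn--acm-8ea.com", "hr@example.org"]
    for email, verdict in classify_many(sample, "acme.com").items():
        print(f"{verdict:10} {email}")
```

Anything other than "official" is a reason to reach the company through a channel you found yourself (the corporate site, a known employee), never through links or numbers supplied in the recruiter's own message.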

5. Secure Crypto Assets

Use:

  • Hardware wallets
  • Multi-factor authentication
  • Cold storage solutions

6. Monitor System Behavior

Watch for:

  • Unexpected Node.js processes, especially ones whose parent is the code editor
  • Python scripts you did not start that hold outbound connections
  • Long-lived outbound TCP connections from node or python to hosts you do not recognise
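To make the indicators above concrete, here is an added example (mine, not from the article or Expel) that correlates a constructed ss -tnp style socket listing with a constructed ps -eo pid,ppid,comm,args listing and flags node/python processes talking to external hosts, rating the finding higher when the process was spawned by an editor. The snapshots, interpreter names, editor names, and the choice to treat the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges as stand-ins for external hosts are assumptions.

```python
"""Flag interpreter processes (node/python) holding connections to external hosts.

Added example, not code from the report.  Input is a constructed snapshot in
the layout of `ss -tnp` and `ps -eo pid,ppid,comm,args`; interpreter names,
editor names and the internal address ranges are assumptions.
"""
import ipaddress
import re

# Constructed snapshot in `ss -tnp` layout (not captured from a real host).
SS_SNAPSHOT = """\
State  Recv-Q Send-Q Local Address:Port   Peer Address:Port     Process
ESTAB  0      0      10.0.0.5:51234       203.0.113.7:1224      users:(("node",pid=4242,fd=21))
ESTAB  0      0      127.0.0.1:5000       127.0.0.1:60000       users:(("python3",pid=4300,fd=5))
ESTAB  0      0      10.0.0.5:51240       198.51.100.9:8080     users:(("python3",pid=4310,fd=3))
ESTAB  0      0      10.0.0.5:51250       192.0.2.44:443        users:(("firefox",pid=2900,fd=88))
"""

# Constructed snapshot in `ps -eo pid,ppid,comm,args` layout.
PS_SNAPSHOT = """\
  PID  PPID COMMAND  COMMAND
 4100     1 code     /usr/share/code/code
 4242  4100 node     node ./scripts/setup.js
 3000     1 bash     bash
 4300  3000 python3  python3 -m http.server 5000
 4310  3000 python3  python3 /tmp/.cache/update.py
 2900     1 firefox  /usr/lib/firefox/firefox
"""

INTERPRETERS = {"node", "python", "python3"}       # assumed names of interest
EDITORS = {"code", "code-oss", "cursor"}           # assumed editor process names
# Explicit internal ranges: ipaddress.is_private would also hide the
# documentation ranges used as external stand-ins in the sample above.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]
SS_LINE = re.compile(
    r'^ESTAB\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\d+)\s+users:\(\("([^"]+)",pid=(\d+)')


def parse_ps(text: str) -> dict:
    """pid -> {ppid, comm, args}; first line is the header."""
    procs = {}
    for line in text.strip().splitlines()[1:]:
        pid, ppid, comm, args = line.split(None, 3)
        procs[int(pid)] = {"ppid": int(ppid), "comm": comm, "args": args}
    return procs


def parse_ss(text: str) -> list:
    """Established TCP sockets with owning process name and pid."""
    conns = []
    for line in text.strip().splitlines():
        m = SS_LINE.match(line.strip())
        if m:
            conns.append({"peer": m.group(3), "port": int(m.group(4)),
                          "comm": m.group(5), "pid": int(m.group(6))})
    return conns


def is_external(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in INTERNAL_NETS)


def find_suspicious(ss_text: str, ps_text: str) -> list:
    """Interpreter processes with external peers, ranked by who spawned them."""
    procs = parse_ps(ps_text)
    findings = []
    for c in parse_ss(ss_text):
        if c["comm"] not in INTERPRETERS or not is_external(c["peer"]):
            continue
        proc = procs.get(c["pid"], {})
        parent = procs.get(proc.get("ppid"), {}).get("comm", "?")
        findings.append({
            "pid": c["pid"], "comm": c["comm"], "parent": parent,
            "peer": f'{c["peer"]}:{c["port"]}', "args": proc.get("args", ""),
            "severity": "high" if parent in EDITORS else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SS_SNAPSHOT, PS_SNAPSHOT):
        print(f'[{f["severity"]}] pid {f["pid"]} {f["comm"]} (parent {f["parent"]}) -> {f["peer"]}  {f["args"]}')
```

On a real host, feed it the output of ss -tnp and ps -eo pid,ppid,comm,args taken at the same moment; the local dev server on loopback and the browser are left alone, while a node process that the editor spawned and that is talking to an address you cannot account for is the shape of the folderOpen trigger described earlier.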

Expert Insight: The Bigger Shift

1. Recruitment Is the New Attack Surface

Job pipelines are now:

  • Phishing channels
  • Malware delivery systems

2. AI Has Scaled Social Engineering

Attackers can now:

  • Generate fake companies instantly
  • Build convincing technical tasks
  • Automate entire fraud ecosystems

3. Developer Machines Are High-Value Targets

Because they contain:

  • Credentials
  • Keys
  • Wallet access
  • Production access tokens

Risk Impact Analysis

Severity: Critical (Developer Targeted APT)

  • Full system compromise
  • Crypto theft
  • Persistent backdoor access

Affected Groups

  • Web3 developers
  • Freelancers
  • Startup engineers
  • Blockchain teams

FAQs

1. What is the Lazarus AI coding attack?

A campaign using fake job interviews to deliver malware to developers.


2. How does the infection start?

Opening a malicious coding assessment project in a trusted VSCode workspace, or running its build or install scripts by hand.


3. What is BeaverTail malware?

A JavaScript credential-stealing component, run under Node.js, that targets browsers, browser-extension wallets and password stores, and that brings in the follow-on backdoors.


4. Can AI be used in cyberattacks?

Yes, attackers use AI to scale phishing and generate fake environments.


5. How are crypto wallets stolen?

Through credential theft and session hijacking.


6. How can developers stay safe?

By verifying recruiters and never running untrusted code blindly.


Conclusion

This Lazarus-linked campaign shows a clear evolution in cyber threats:

Developers are now the entry point to high-value financial assets.

By combining AI, social engineering, and developer tooling abuse, attackers have built a highly scalable and dangerous infection model.

Key Takeaways:

  • Coding interviews are now attack vectors
  • VSCode project files can trigger malware
  • AI is accelerating social engineering
  • Developers must adopt strict verification habits

Final Thought:
In modern cybersecurity, the weakest link is no longer the system—it’s the workflow we trust without question.
