{"id":59410,"date":"2025-09-25T19:59:08","date_gmt":"2025-09-25T19:59:08","guid":{"rendered":"https:\/\/www.threatshub.org\/blog\/north-koreas-lazarus-group-shares-its-malware-with-it-work-scammers\/"},"modified":"2025-09-25T19:59:08","modified_gmt":"2025-09-25T19:59:08","slug":"north-koreas-lazarus-group-shares-its-malware-with-it-work-scammers","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/north-koreas-lazarus-group-shares-its-malware-with-it-work-scammers\/","title":{"rendered":"North Korea&#8217;s Lazarus Group shares its malware with IT work scammers"},"content":{"rendered":"<p>North Korean-linked crews connected to the pervasive IT worker scams have upped their malware game, using more advanced tools, including a backdoor that shares much of its code with malware deployed by Pyongyang&#8217;s infamous Lazarus Group.<\/p>\n<p>In a <a target=\"_blank\" rel=\"nofollow\" href=\"https:\/\/www.virusbulletin.com\/uploads\/pdf\/conference\/vb2025\/papers\/DeceptiveDevelopment-and-North-Korean-IT-workers-from-primitive-crypto-theft-to-sophisticated-AI-based-deception.pdf\">white paper<\/a> [PDF] presented at Virus Bulletin 2025, ESET researchers Peter K\u00e1lnai and Mat\u011bj Havr\u00e1nek identified new links between DeceptiveDevelopment&#8217;s malware and the <a target=\"_blank\" href=\"https:\/\/www.theregister.com\/2025\/08\/04\/infosec_in_brief\/\">Lazarus Group<\/a>&#8217;s PostNapTea RAT.<\/p>\n<p>DeceptiveDevelopment, a North Korea-aligned group that has been active since at least&nbsp;2023, overlaps with the <a target=\"_blank\" href=\"https:\/\/www.theregister.com\/2023\/11\/23\/north_korea_attacks_job_market\/\">Contagious Interview and WageMole campaigns<\/a>, plus a gang that CrowdStrike tracks as Famous Chollima. 
Its members pose as recruiters, posting fake profiles on social media along the lines of Lazarus&#8217; <a target=\"_blank\" href=\"https:\/\/www.theregister.com\/2022\/04\/15\/lazarus_chemical_korea\/\">Operation Dream Job<\/a>, which tricked job seekers into clicking on malicious links. But in this case, the cybercriminals primarily reach out to software developers and typically those involved in cryptocurrency projects.<\/p>\n<p>DeceptiveDevelopment also uses other social engineering techniques, including <a target=\"_blank\" href=\"https:\/\/www.theregister.com\/2025\/09\/16\/filefix_attacks_facebook_security_alert\/\">ClickFix<\/a>, which tricks users into following bogus prompts such as fake CAPTCHAs, and then infects victims&#8217; computers with trojanized codebases during the fake interview process. And then they pass information, identities, and other data stolen during this process to the <a target=\"_blank\" href=\"https:\/\/www.theregister.com\/2025\/07\/13\/fake_it_worker_problem\/\">North Korean IT workers<\/a> seeking jobs with Western companies so they can use interview answers to help them get hired. 
After they&#8217;re employed by Western firms, IT workers <a href=\"https:\/\/www.theregister.com\/2024\/12\/13\/doj_dpkr_fake_tech_worker_indictment\/\">funnel their salary money back to Pyongyang<\/a>.<\/p>\n<p>In some cases, the fraudsters use their insider access to steal proprietary source code, and then extort their employers with threats to leak corporate data if not <a target=\"_blank\" href=\"https:\/\/www.theregister.com\/2024\/10\/18\/ransom_fake_it_worker_scam\/\">paid a ransom demand<\/a>.<\/p>\n<h3 class=\"crosshead\">From Beavers and Ferrets\u2026<\/h3>\n<p>DeceptiveDevelopment&#8217;s usual payloads include BeaverTail and InvisibleFerret, both of which are fairly simple but obfuscated scripts.<\/p>\n<p>BeaverTail is an infostealer and downloader that collects data from cryptocurrency wallets, keychains, and saved browser logins. &#8220;We have observed variants of this malware written in JavaScript, hidden in fake job challenges, and also in C++ using the Qt framework, disguised as conferencing software,&#8221; the researchers wrote.<\/p>\n<p>InvisibleFerret is a Python-based modular malware with information-stealing capabilities. It also provides remote control to attackers.<\/p>\n<p>At the end of 2024, a BeaverTail-like stealer named OtterCookie appeared, believed to be an evolution 
used by some DeceptiveDevelopment teams.<\/p>\n<p>Plus, according to the researchers, this toolset contains &#8220;notable overlap with a certain piece of Lazarus malware.&#8221;<\/p>\n<p>Earlier this year, AhnLab malware hunters <a target=\"_blank\" rel=\"nofollow\" href=\"https:\/\/asec.ahnlab.com\/en\/87299\/\">documented<\/a> BeaverTail downloading a new backdoor named Tropidoor. And after doing their own analysis on the previously unknown payload, the ESET duo noted that Tropidoor shares large portions of code with PostNapTea, which <a target=\"_blank\" rel=\"nofollow\" href=\"https:\/\/www.virusbulletin.com\/uploads\/pdf\/conference\/vb2023\/papers\/Lazarus-campaigns-and-backdoors-in-2022-2023.pdf\">Lazarus deployed against South Korean<\/a> targets in 2022.<\/p>\n<h3 class=\"crosshead\">To Tropidoor and TsunamiKit<\/h3>\n<p>Tropidoor code supports several Windows commands including schtasks (task schedulers), ping (test whether a computer can reach another network device), reg (interact with the Windows Registry), net (manage network resources and user accounts), nslookup (retrieve DNS information), and wmic process (retrieve info about running processes on a Windows system).<\/p>\n<p>&#8220;Tropidoor is the most sophisticated payload linked with the DeceptiveDevelopment group thus far, likely because it is based on malware developed by the more technically advanced threat actors under the Lazarus umbrella,&#8221; K\u00e1lnai and Havr\u00e1nek wrote.<\/p>\n<p>Additionally, in November 2024, DeceptiveDevelopment began using a new version of InvisibleFerret that has a modified browser-data stealer module. This module contains a completely new toolkit named TsunamiKit by ESET, based on the developer&#8217;s use of &#8220;Tsunami&#8221; in the names of all of its components. It&#8217;s also designed to steal information and cryptocurrency, and its execution chain includes multiple stages of droppers and installers written in Python and .NET, plus a Tor network proxy, coinminers, and the final .NET spyware payload.<\/p>\n<p>After the researchers submitted their paper to the Virus Bulletin conference, they discovered TsunamiKit samples uploaded to VirusTotal back in December 2021, indicating the toolkit has been around since at least then, according to a subsequent <a target=\"_blank\" rel=\"nofollow\" href=\"https:\/\/www.welivesecurity.com\/en\/eset-research\/deceptivedevelopment-from-primitive-crypto-theft-to-sophisticated-ai-based-deception\/\">blog<\/a>.<\/p>\n<p>&#8220;We conclude that TsunamiKit is likely a modification of a dark web project rather than a new creation by the attackers, based on TsunamiKit largely predating the approximate start of DeceptiveDevelopment activity in 2023, similar TsunamiKit payloads without any signs of BeaverTail having been observed in 
ESET telemetry, and cryptocurrency mining being a core feature of TsunamiKit,&#8221; the two researchers wrote in a Thursday post.<\/p>\n<p>Both in the blog and Virus Bulletin paper, the malware analysts note the increasingly &#8220;blurred lines between targeted APT activity and cybercrime, particularly in the overlap between malware campaigns by DeceptiveDevelopment and the operations of North Korean IT workers.&#8221;<\/p>\n<p>While North Korea&#8217;s dual-use tactics typically combine cybertheft and cyberespionage with non-cyberspace employment-fraud schemes, other government-backed goons from Russia, China, and Iran are also <a target=\"_blank\" href=\"https:\/\/www.theregister.com\/2025\/02\/12\/ransomware_nation_state_groups\/\">moving into the ransomware biz<\/a>.<\/p>\n<p>And all of this, as K\u00e1lnai and Havr\u00e1nek point out, underscores &#8220;the need for defenders to consider broader threat ecosystems rather than isolated campaigns.&#8221; \u00ae<\/p>\n<p> READ MORE <a href=\"https:\/\/go.theregister.com\/feed\/www.theregister.com\/2025\/09\/25\/lazarus_group_shares_malware_with_it_scammers\/\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Keeping Pyongyang&#8217;s coffers full North Korean-linked crews connected to the pervasive IT worker scams have upped their malware game, using more advanced tools, including a backdoor that has much of the same code as Pyongyang&#8217;s infamous Lazarus Group deploys.\u2026 READ MORE HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[63],"tags":[],"class_list":["post-59410","post","type-post","status-publish","format-standard","hentry","category-the-register"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.5 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>North 
Korea&#039;s Lazarus Group shares its malware with IT work scammers 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/north-koreas-lazarus-group-shares-its-malware-with-it-work-scammers\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"North Korea&#039;s Lazarus Group shares its malware with IT work scammers 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/north-koreas-lazarus-group-shares-its-malware-with-it-work-scammers\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2025-09-25T19:59:08+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/cybercrime&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2aNYJbuna6a-t6uTcsb273wAAAQg&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta 
name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/north-koreas-lazarus-group-shares-its-malware-with-it-work-scammers\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/north-koreas-lazarus-group-shares-its-malware-with-it-work-scammers\\\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"North Korea&#8217;s Lazarus Group shares its malware with IT work scammers\",\"datePublished\":\"2025-09-25T19:59:08+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/north-koreas-lazarus-group-shares-its-malware-with-it-work-scammers\\\/\"},\"wordCount\":812,\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/north-koreas-lazarus-group-shares-its-malware-with-it-work-scammers\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/pubads.g.doubleclick.net\\\/gampad\\\/ad?co=1&amp;iu=\\\/6978\\\/reg_security\\\/cybercrime&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2aNYJbuna6a-t6uTcsb273wAAAQg&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0\",\"articleSection\":[\"The Register\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/north-koreas-lazarus-group-shares-its-malware-with-it-work-scammers\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/north-koreas-lazarus-group-shares-its-malware-with-it-work-scammers\\\/\",\"name\":\"North Korea's Lazarus Group 
shares its malware with IT work scammers 2026 | ThreatsHub Cybersecurity News\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/north-koreas-lazarus-group-shares-its-malware-with-it-work-scammers\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/north-koreas-lazarus-group-shares-its-malware-with-it-work-scammers\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/pubads.g.doubleclick.net\\\/gampad\\\/ad?co=1&amp;iu=\\\/6978\\\/reg_security\\\/cybercrime&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2aNYJbuna6a-t6uTcsb273wAAAQg&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0\",\"datePublished\":\"2025-09-25T19:59:08+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity 
News.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/north-koreas-lazarus-group-shares-its-malware-with-it-work-scammers\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/north-koreas-lazarus-group-shares-its-malware-with-it-work-scammers\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/north-koreas-lazarus-group-shares-its-malware-with-it-work-scammers\\\/#primaryimage\",\"url\":\"https:\\\/\\\/pubads.g.doubleclick.net\\\/gampad\\\/ad?co=1&amp;iu=\\\/6978\\\/reg_security\\\/cybercrime&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2aNYJbuna6a-t6uTcsb273wAAAQg&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0\",\"contentUrl\":\"https:\\\/\\\/pubads.g.doubleclick.net\\\/gampad\\\/ad?co=1&amp;iu=\\\/6978\\\/reg_security\\\/cybercrime&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2aNYJbuna6a-t6uTcsb273wAAAQg&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/north-koreas-lazarus-group-shares-its-malware-with-it-work-scammers\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"North Korea&#8217;s Lazarus Group shares its malware with IT work scammers\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports 
- CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH 
Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"North Korea's Lazarus Group shares its malware with IT work scammers 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/north-koreas-lazarus-group-shares-its-malware-with-it-work-scammers\/","og_locale":"en_US","og_type":"article","og_title":"North Korea's Lazarus Group shares its malware with IT work scammers 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/north-koreas-lazarus-group-shares-its-malware-with-it-work-scammers\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2025-09-25T19:59:08+00:00","og_image":[{"url":"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/cybercrime&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2aNYJbuna6a-t6uTcsb273wAAAQg&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0","type":"","width":"","height":""}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/north-koreas-lazarus-group-shares-its-malware-with-it-work-scammers\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/north-koreas-lazarus-group-shares-its-malware-with-it-work-scammers\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"North Korea&#8217;s Lazarus Group shares its malware with IT work 
scammers","datePublished":"2025-09-25T19:59:08+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/north-koreas-lazarus-group-shares-its-malware-with-it-work-scammers\/"},"wordCount":812,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/north-koreas-lazarus-group-shares-its-malware-with-it-work-scammers\/#primaryimage"},"thumbnailUrl":"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/cybercrime&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2aNYJbuna6a-t6uTcsb273wAAAQg&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0","articleSection":["The Register"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/north-koreas-lazarus-group-shares-its-malware-with-it-work-scammers\/","url":"https:\/\/www.threatshub.org\/blog\/north-koreas-lazarus-group-shares-its-malware-with-it-work-scammers\/","name":"North Korea's Lazarus Group shares its malware with IT work scammers 2026 | ThreatsHub Cybersecurity News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/north-koreas-lazarus-group-shares-its-malware-with-it-work-scammers\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/north-koreas-lazarus-group-shares-its-malware-with-it-work-scammers\/#primaryimage"},"thumbnailUrl":"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/cybercrime&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2aNYJbuna6a-t6uTcsb273wAAAQg&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0","datePublished":"2025-09-25T19:59:08+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/north-koreas-lazarus-group-shares-its-malware-with-it-work-scammers\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/north-koreas-lazarus-group-shares-its-malware-with-it-work-scammers\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/north-koreas-lazarus-group-shares-its-malware-with-it-work-scammers\/#primaryimage","url":"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/cybercrime&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2aNYJbuna6a-t6uTcsb273wAAAQg&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0","contentUrl":"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/cybercrime&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2aNYJbuna6a-t6uTcsb273wAAAQg&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0"},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/north-koreas-lazarus-group-shares-its-malware-with-it-work-scammers\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"North Korea&#8217;s Lazarus Group shares its malware with IT work scammers"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 
Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476","name":"TH 
Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/59410","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=59410"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/59410\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=59410"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=59410"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=59410"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}