- North Korean hackers are using LinkedIn to scam jobseekers
- The fake job offers often promise well-paid remote work
- But the victims are eventually infected with malware
A long-running campaign by notorious North Korean hacking group Lazarus has seen job hopefuls scammed in many different ways, including downloading malware disguised as interview software, fake coding tests, infostealers, and some companies have even accidentally hired North Korean hackers as remote IT workers.
Now, a new facet of the ‘Contagious Interview’ campaign has arisen, and this time, hackers are using LinkedIn to scam victims, research from Bitdefender warns.
LinkedIn can be a fantastic tool for professionals to network, and many businesses use the app to recruit new employees, and now, it turns out, so are the Lazarus group.
Malicious offers
The fake recruitment scams ultimately result in the victim being infected with malware, and the hackers tend to target jobseekers in high profile industries, like defense, aerospace, or engineering – looking to exfiltrate classified or sensitive information, or even corporate credentials.
The fake jobs researchers observed in these scams were often remote work, flexible and well paid, sometimes involving cryptocurrencies as payment. These are designed to be enticing offers, so be wary of anything that looks a little too good to be true.
Scammers will message a victim via LinkedIn, then requesting a CV or personal GitHub repository link (which could be used to harvest personal information). From there, the ‘recruiter’ shares a ‘feedback’ document, which infects the victim with malware.
There are some warning signs to look out for, like vague job descriptions, poor communications, and users without popper documentations. Make sure to vet any job offers, applications, and interview offers thoroughly – and don’t click any links from unknown sources.
In February 2025, Apple delivered a new patch on Xprotect, its on-device malware removal tool to block variants of the macOS ‘FerretFamily’ – which had been found disguised as Chrome or Zoom installers targeting applicants.
