The notorious North Korean hacking group Lazarus has been conducting a new social engineering campaign in which the hackers impersonate Coinbase to target employees in the fintech industry. Potential victims of Lazarus are often targeted through LinkedIn, where the threat actors present a job offer and hold a preliminary discussion. Recently, the group has been pretending to be from Coinbase and is targeting candidates suitable for the role of Engineering Manager or Product Security. Victims are asked to download a file named “Coinbase_online_careers_2022_07.exe,” which displays a decoy PDF about the fake job position while also loading a malicious DLL. Once executed, the malware uses GitHub as a Command-and-Control (C2) server to receive commands to execute on the infected device. Lazarus has conducted similar campaigns in the past using fake jobs for General Dynamics and Lockheed Martin.
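The chain described above (a job-themed executable, a DLL loaded alongside the decoy document, then GitHub used for C2) can be hunted by correlating endpoint events per process. The following is an added example, not code from the original article; the event schema, field names, keyword and allow lists, the DLL path, and all sample events are constructed assumptions.

```python
import re
from collections import defaultdict

# Assumed, simplified endpoint-telemetry schema; every event is constructed
# for this example (the DLL path is a placeholder, not an indicator).
EVENTS = [
    {"type": "process_create", "pid": 4120,
     "image": r"C:\Users\alice\Downloads\Coinbase_online_careers_2022_07.exe"},
    {"type": "image_load", "pid": 4120, "signed": False,
     "dll": r"C:\Users\alice\AppData\Local\Temp\placeholder.dll"},
    {"type": "network", "pid": 4120, "host": "api.github.com"},
    {"type": "process_create", "pid": 5200, "image": r"C:\Program Files\Git\cmd\git.exe"},
    {"type": "network", "pid": 5200, "host": "github.com"},
    {"type": "process_create", "pid": 7300, "image": r"C:\Tools\release_bot.exe"},
    {"type": "network", "pid": 7300, "host": "api.github.com"},
]

# Recruitment-themed executable names (keyword list is an assumption).
LURE_NAME = re.compile(r"(career|job|offer|vacanc|resume|salary)[^\\]*\.exe$", re.I)
USER_WRITABLE = re.compile(r"\\(users\\[^\\]+\\(downloads|desktop|appdata)|temp)\\", re.I)
GITHUB_HOSTS = re.compile(r"(^|\.)(github\.com|githubusercontent\.com)$", re.I)
# Processes expected to talk to GitHub; tune per environment.
EXPECTED_GITHUB_CLIENTS = {"git.exe", "chrome.exe", "msedge.exe", "firefox.exe", "code.exe"}

def triage(events):
    """Return {pid: [signals]} for processes that match two or more signals."""
    image, signals = {}, defaultdict(set)
    for ev in events:
        pid = ev["pid"]
        if ev["type"] == "process_create":
            image[pid] = ev["image"]
            if LURE_NAME.search(ev["image"]) and USER_WRITABLE.search(ev["image"]):
                signals[pid].add("lure_named_exe_in_user_path")
        elif ev["type"] == "image_load":
            if not ev["signed"] and USER_WRITABLE.search(ev["dll"]):
                signals[pid].add("unsigned_dll_from_user_path")
        elif ev["type"] == "network":
            name = image.get(pid, "").rsplit("\\", 1)[-1].lower()
            if GITHUB_HOSTS.search(ev["host"]) and name not in EXPECTED_GITHUB_CLIENTS:
                signals[pid].add("github_traffic_from_unexpected_process")
    # One signal alone (e.g. an in-house tool calling the GitHub API) is not flagged.
    return {pid: sorted(s) for pid, s in signals.items() if len(s) >= 2}

if __name__ == "__main__":
    for pid, hits in triage(EVENTS).items():
        print(pid, hits)
```

Requiring at least two signals keeps legitimate GitHub automation out of the results while still surfacing the lure-plus-C2 combination.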
By Anthony Zampino

Introduction

Leading up to the most recent Russian invasion of Ukraine in