ReversingLabs uncovered a modular software‑supply‑chain campaign called graphalgo, attributed to North Korea’s Lazarus Group, that targets JavaScript and Python developers via fake recruiter job tasks and malicious packages on npm and PyPI. The operation uses fake company personas (e.g., Veltrix Capital), social outreach (LinkedIn, Facebook, Reddit), dependency-based infection (packages such as bigmathutils and graphnetworkx), and multistage downloaders that deploy a token‑protected RAT communicating with codepool[.]cloud. #LazarusGroup #graphalgo
Key points
- ReversingLabs identified the graphalgo campaign active since May 2025 and attributed it to the Lazarus Group based on technique similarities to prior NK campaigns.
- The campaign uses a fake company persona (“Veltrix Capital”) and recruiter outreach on LinkedIn, Facebook and Reddit to lure developers into running coding interview tasks.
- Malicious functionality is delivered indirectly through dependencies hosted on public package repositories (npm and PyPI), including impersonations like graph* and big* packages.
- The package bigmathutils accumulated >10K downloads in a benign version before a malicious 1.1.0 release deployed the same payload seen across the campaign.
- Second‑stage payloads are downloaders that fetch a token‑protected remote access trojan (RAT) supporting file upload/download, process listing, and running arbitrary commands; one RAT variant checks for the Metamask extension.
- Three language variants of the RAT (Python, JavaScript, VBS) were observed, all communicating with infrastructure such as codepool[.]cloud, indicating multiple frontends and an ongoing, modular operation.
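As an added example (not code from the ReversingLabs report), the following Python audit applies the dependency-based infection point above to an "interview task" repository's manifests: it flags npm install hooks, the package names this summary lists, and graph*/big* names for manual review. The sample manifests are constructed; the prefix pattern is an assumption modelled on the impersonations the page describes.

```python
import json
import re

# Package names this summary reports as campaign deliveries (from the page).
CAMPAIGN_PACKAGES = {"graphalgo", "graphnetworkx", "bigmathutils"}
# graph*/big* impersonation pattern from the page; matches are flagged for review
# only (assumption: not every such name is malicious).
SUSPECT_PREFIX = re.compile(r"^(graph|big)", re.IGNORECASE)
# npm lifecycle hooks that run arbitrary code during `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

def check_name(name, spec):
    """Classify one dependency name; returns a finding string or None."""
    if name in CAMPAIGN_PACKAGES:
        return f"known campaign package: {spec}"
    if SUSPECT_PREFIX.match(name):
        return f"review suspect name: {spec}"
    return None

def audit_package_json(text):
    """Findings for an npm manifest: install hooks plus suspect dependencies."""
    manifest = json.loads(text)
    findings = [f"install hook '{h}': {s}" for h, s in manifest.get("scripts", {}).items()
                if h in INSTALL_HOOKS]
    for key in ("dependencies", "devDependencies"):
        for name, version in manifest.get(key, {}).items():
            hit = check_name(name, f"{name}@{version}")
            if hit:
                findings.append(hit)
    return findings

def audit_requirements(text):
    """Findings for a requirements.txt: suspect names and remote/VCS sources."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if "git+" in line or "://" in line:
            findings.append(f"remote source (setup code runs on install): {line}")
        name = re.split(r"[<>=!~ @\[;]", line, maxsplit=1)[0].lower()
        hit = check_name(name, line)
        if hit:
            findings.append(hit)
    return findings

# Constructed sample "interview task" manifests; not real campaign files.
SAMPLE_PACKAGE_JSON = json.dumps({
    "scripts": {"postinstall": "node setup.js"},
    "dependencies": {"express": "^4.18.0", "bigmathutils": "1.1.0"},
})
SAMPLE_REQUIREMENTS = "requests==2.31.0\ngraphnetworkx>=0.1  # helper lib\n"
```

Run the two audit functions over a cloned task repository's files before executing anything from it; any finding means the task should be run only in a disposable environment, if at all.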
MITRE Techniques
- [T1195] Supply Chain Compromise – The actor used public package repositories to deliver malicious downloaders and abuse dependencies: (‘uses public package repositories like GitHub, npm and PyPI to host malicious downloaders.’)
- [T1566.003] Phishing: Spearphishing via Service – Targets were contacted through social platforms and forums to recruit developers: (‘Developers are approached via social platforms like LinkedIn and Facebook, or through job offerings on forums like Reddit.’)
- [T1204] User Execution – Victims executed malicious dependencies when running the provided job tasks: (‘at that moment, the malicious dependency is installed and executed on the victim’s machine.’)
- [T1105] Ingress Tool Transfer – Second‑stage downloaders fetch and install the final RAT payloads from attacker infrastructure: (‘second-stage payloads RL observed acted as downloaders for the final payload, a remote-access trojan (RAT) that periodically fetches and executes commands from the command and control server.’)
- [T1059] Command and Scripting Interpreter – The RAT executes arbitrary commands on compromised hosts: (‘it supports typical commands like file download/upload, process listing and running of arbitrary commands.’)
- [T1071] Application Layer Protocol – The campaign uses token‑protected C2 communications and web infrastructure (codepool[.]cloud) for command and control: (‘communication with the C2 server is token-protected.’)
Indicators of Compromise
- [Domain] C2 and infrastructure – codepool[.]cloud, aurevian[.]cloud
- [Domain] Fake company website / campaign landing – www[.]veltrixcap[.]org
- [File hash (SHA1)] Final RAT payload examples – e5af589fcd2bfb7093dd10274161a3c0de42057f (JavaScript), dbb4031e9bb8f8821a5758a6c308932b88599f18 (VBS), and 1 more SHA1
- [Package name] Malicious open-source packages used as delivery – bigmathutils, graphalgo, and dozens of other graph*/big* packages on npm and PyPI
- [Repository / GitHub organization] Frontend job task repositories and organization names – veltrix-capital (GitHub repos such as test-devops-monitoring) used to host interview tasks
Read more: https://www.reversinglabs.com/blog/fake-recruiter-campaign-crypto-devs