North Korea Hackers Spotted Targeting Job Seekers with macOS Malware


The North Korea-backed Lazarus Group has been observed targeting job seekers with malware capable of executing on Apple Macs with Intel and M1 chipsets.

Slovak cybersecurity firm ESET linked it to a campaign dubbed “Operation In(ter)ception” that was first disclosed in June 2020 and involved using social engineering tactics to trick employees working in the aerospace and military sectors into opening decoy job offer documents.

The latest attack is no different in that a job description for the Coinbase cryptocurrency exchange platform was used as a launchpad to drop a signed Mach-O executable. ESET’s analysis comes from a sample of the binary that was uploaded to VirusTotal from Brazil on August 11, 2022.


“Malware is compiled for both Intel and Apple Silicon,” the company said in a series of tweets. “It drops three files: a decoy PDF document ‘Coinbase_online_careers_2022_07.pdf’, a bundle ‘,’ and a downloader ‘safarifontagent.’”


The decoy file, while sporting the .PDF extension, is in reality a Mach-O executable that functions as a dropper to launch FinderFontsUpdater, which, in turn, executes safarifontsagent, a downloader designed to retrieve next-stage payloads from a remote server.
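The mismatch described above, a document extension on a file whose first bytes are a Mach-O header, can be checked mechanically. The following Python sketch is an added example, not ESET's tooling or code from the original article; it reads the thin or universal (fat) Mach-O header and reports the CPU slices. The extension list and the sample bytes are constructed assumptions.

```python
import struct
from pathlib import PurePath

# CPU type constants from <mach/machine.h>
CPU_NAMES = {0x00000007: "i386", 0x01000007: "x86_64",
             0x0000000C: "arm", 0x0100000C: "arm64"}
THIN_MAGICS = {0xFEEDFACE, 0xFEEDFACF}         # MH_MAGIC, MH_MAGIC_64
FAT_MAGICS = {0xCAFEBABE: 20, 0xCAFEBABF: 32}  # magic -> fat_arch entry size
DOC_EXTENSIONS = {".pdf", ".doc", ".docx", ".rtf", ".txt"}  # assumed list


def macho_architectures(data: bytes) -> list[str]:
    """Return CPU slices if data starts with a Mach-O header, else []."""
    if len(data) < 8:
        return []
    magic_be, second_be = struct.unpack(">II", data[:8])
    if magic_be in FAT_MAGICS:
        # Java .class files share 0xCAFEBABE; their second word holds a
        # class-file version >= 45, so a small count means a fat binary.
        if not 0 < second_be < 45:
            return []
        step, archs = FAT_MAGICS[magic_be], []
        for i in range(second_be):
            entry = data[8 + i * step: 12 + i * step]
            if len(entry) < 4:
                break
            (cpu,) = struct.unpack(">I", entry)
            archs.append(CPU_NAMES.get(cpu, hex(cpu)))
        return archs
    for order in ("<", ">"):  # thin binaries: header in the CPU's byte order
        magic, cpu = struct.unpack(order + "II", data[:8])
        if magic in THIN_MAGICS:
            return [CPU_NAMES.get(cpu, hex(cpu))]
    return []


def disguised_executable(filename: str, data: bytes) -> list[str]:
    """Architectures of a Mach-O hiding behind a document extension."""
    if PurePath(filename).suffix.lower() not in DOC_EXTENSIONS:
        return []
    return macho_architectures(data)


# Constructed sample: fat header with x86_64 and arm64 slices, no real code.
SAMPLE = struct.pack(">II", 0xCAFEBABE, 2) \
    + struct.pack(">5I", 0x01000007, 3, 0x4000, 0x1000, 14) \
    + struct.pack(">5I", 0x0100000C, 0, 0x8000, 0x1000, 14)

if __name__ == "__main__":
    print(disguised_executable("Coinbase_online_careers_2022_07.pdf", SAMPLE))
    print(disguised_executable("offer.pdf", b"%PDF-1.7\n"))
```

A non-empty result for a file named like a document is the signal worth alerting on; a two-slice result of x86_64 and arm64 matches the "compiled for both Intel and Apple Silicon" observation.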


ESET stated that the lure was signed on July 21 using a certificate issued in February 2022 to a developer named Shankey Nohria. Apple moved to revoke the certificate on August 12.

It’s worth noting the malware is cross-platform, as a Windows equivalent of the same PDF document was used to drop an .EXE file named “Coinbase_online_careers_2022_07.exe” earlier this month, as revealed by Malwarebytes researcher Hossein Jazi.


The Lazarus Group has emerged as an expert of sorts when it comes to posing as HR representatives on social media platforms like LinkedIn to target companies that are of strategic interest.

Last month, it came to light that the $620 million Axie Infinity hack attributed to the collective was the result of one of its former employees getting duped by a fraudulent job offer on LinkedIn.
