
North Korea's Lazarus Group shares its malware with IT work scammers


North Korean-linked crews connected to the pervasive IT worker scams have upped their malware game, using more advanced tools, including a backdoor that shares much of its code with one that Pyongyang's infamous Lazarus Group deploys.

In a white paper [PDF] presented at Virus Bulletin 2025, ESET researchers Peter Kálnai and Matěj Havránek identified new links between DeceptiveDevelopment's malware and the Lazarus Group's PostNapTea RAT.

DeceptiveDevelopment, a North Korea-aligned group that has been active since at least 2023, overlaps with the Contagious Interview and WageMole campaigns, plus a gang that CrowdStrike tracks as Famous Chollima. Its members pose as recruiters, posting fake profiles on social media along the lines of Lazarus' Operation Dream Job, which tricked job seekers into clicking on malicious links. But in this case, the cybercriminals primarily reach out to software developers, typically those involved in cryptocurrency projects.

DeceptiveDevelopment also uses other social engineering ...


Copyright of this story solely belongs to theregister.co.uk.