North Korea’s Lazarus Threat Group Launches Fresh Wave of Attacks on Software Developers
North Korea’s Lazarus threat group has launched a new wave of attacks targeting software developers, using recruitment tactics on job-hiring platforms. This time, the group is using job postings on LinkedIn to lure freelance developers into downloading malicious Git repositories that contain malware for stealing source code, cryptocurrency, and other sensitive data.
The SecurityScorecard STRIKE team discovered the ongoing attack, dubbed Operation 99, in which attackers pose as recruiters to entice developers with project tests or code reviews, according to a report published today.
The report highlights the evolving tactics, techniques, and procedures (TTPs) of the Lazarus group, which have become increasingly sophisticated through the use of AI and advanced social engineering.
**Job Seekers, Exercise Caution**
Indeed, as these campaigns become more sophisticated, it’s becoming “easier for attackers to gain the confidence of their targets, demonstrating a significant evolution in the level of precision and realism in their campaigns,” according to Sherstobitoff.
For this reason, mitigation strategies “should fundamentally center around reinforcing social engineering awareness and adhering to the basics of cybersecurity for everyday employees,” he says. As a general rule, if a job offer or opportunity seems too good to be true, it likely is, and “should be approached with skepticism,” Sherstobitoff says.
“Employees also should exercise extreme caution when interacting with recruiters, particularly if asked to download files, clone repositories, or engage with unfamiliar software,” especially over platforms like LinkedIn or email, he says. “These channels can be easily manipulated by attackers posing as legitimate entities.”