North Korea’s Lazarus advanced persistent threat (APT) group has launched a sophisticated campaign, “Operation 99,” targeting freelance software developers. Disguising themselves as recruiters on LinkedIn, the attackers lure developers into downloading malicious Git repositories that embed malware into projects, stealing source code, cryptocurrency, and other sensitive data.
According to a report by SecurityScorecard, attackers trick victims into cloning repositories linked to a command-and-control (C2) server, initiating malware delivery. The layered malware system, which works across Windows, macOS, and Linux, includes components such as Main99 and Payload 99/73 for data exfiltration. These tools execute tasks like keylogging, clipboard monitoring, and file and credential theft. Cryptocurrency wallet keys and mnemonics are also targeted, facilitating direct financial theft to fund North Korea’s regime.
Evolved Tactics and AI-Enhanced Profiles
While the US Department of Justice did, in May, disrupt North Korea's large and growing IT freelance operation, and even indicted a number of US-based facilitators who were helping state-sponsored actors establish fake freelancer identities and evade sanctions, Lazarus appears to have regrouped and continues to operate.
This campaign builds on previous Lazarus operations like 2021’s “Operation Dream Job” and “DEV#POPPER,” which similarly exploited job market platforms to deceive developers. However, researchers note a higher level of sophistication in Operation 99. AI-generated recruiter profiles and compromised LinkedIn accounts make these scams appear highly credible. “By presenting complete and convincing profiles, attackers offer what seem to be genuine job opportunities,” said Ryan Sherstobitoff, SecurityScorecard’s senior VP of threat research.
Additionally, Lazarus employs advanced obfuscation and encryption techniques, making its activities harder to detect and analyze. These evolving tactics highlight the group's continued focus on individual developers and the projects they contribute to: a compromised freelancer's workstation exposes not only personal wallets and credentials but also the source code and access tokens of the clients whose projects are checked out on it.
Caution for Job Seekers
Experts emphasize that developers and job seekers must remain vigilant against such threats. Suspicious job offers, especially those requesting repository cloning or software downloads, should be treated with skepticism. “If a job opportunity seems too good to be true, it likely is,” warned Sherstobitoff. Employees should reinforce social engineering awareness and adhere to cybersecurity best practices to mitigate risks.
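One concrete form of the skepticism recommended above is to read a recruiter-supplied repository before running it. The following is an added example, not code from the SecurityScorecard report or from any Operation 99 sample, and it makes no claim about which mechanism that campaign used: it triages a cloned directory for the common ways a project executes code without being asked (npm lifecycle scripts that fire on `npm install`, VS Code tasks configured to run on folder open) and for a few obfuscation idioms worth a human look. The fixture repository it builds is constructed for the demonstration.

```python
"""Triage a cloned repository for code that runs without an explicit action.

Added example for illustration; it is not from the report or any Lazarus
sample. The hooks checked are generic auto-execution vectors, assumed here as
the things a reviewer should read before `npm install` or opening the folder.
"""
import json
import re
import tempfile
from dataclasses import dataclass
from pathlib import Path

# npm runs these scripts during `npm install` with no further user action.
NPM_LIFECYCLE = {"preinstall", "install", "postinstall", "prepare", "prepublish"}

# Idioms that merit a look in code you did not write. Hits are leads, not
# verdicts: legitimate projects use some of these too.
SUSPICIOUS = [
    (re.compile(r"\beval\s*\("), "eval()"),
    (re.compile(r"new Function\s*\("), "new Function()"),
    (re.compile(r"Buffer\.from\([^)]*['\"]base64['\"]"), "base64 decode in JS"),
    (re.compile(r"base64\.b64decode\("), "base64 decode in Python"),
    (re.compile(r"child_process|subprocess\.Popen|os\.system"), "process spawn"),
    (re.compile(r"curl[^\n|]*\|\s*(ba)?sh"), "curl | sh"),
    (re.compile(r"Invoke-Expression|\bIEX\b"), "PowerShell Invoke-Expression"),
]
TEXT_EXTS = {".js", ".mjs", ".cjs", ".ts", ".py", ".sh", ".ps1", ".json", ".yml", ".yaml"}
FOLDER_OPEN = re.compile(r'"runOn"\s*:\s*"folderOpen"')


@dataclass
class Finding:
    path: str    # path relative to the repository root
    kind: str    # npm-lifecycle | vscode-folderOpen | pattern
    detail: str


def _npm_lifecycle(root: Path):
    for pkg in root.rglob("package.json"):
        if "node_modules" in pkg.parts:
            continue
        try:
            scripts = json.loads(pkg.read_text()).get("scripts", {})
        except (json.JSONDecodeError, OSError):
            continue
        for name, cmd in scripts.items():
            if name in NPM_LIFECYCLE:
                yield Finding(str(pkg.relative_to(root)), "npm-lifecycle", f"{name}: {cmd}")


def _vscode_autorun(root: Path):
    tasks = root / ".vscode" / "tasks.json"
    if not tasks.is_file():
        return
    text = tasks.read_text(errors="replace")
    try:
        for t in json.loads(text).get("tasks", []):
            if t.get("runOptions", {}).get("runOn") == "folderOpen":
                yield Finding(".vscode/tasks.json", "vscode-folderOpen",
                              f"{t.get('label')}: {t.get('command')}")
    except json.JSONDecodeError:
        # tasks.json is often JSONC (comments, trailing commas); fall back to a
        # plain text match rather than silently passing the file.
        if FOLDER_OPEN.search(text):
            yield Finding(".vscode/tasks.json", "vscode-folderOpen", "runOn: folderOpen")


def _suspicious_text(root: Path):
    for f in root.rglob("*"):
        if not f.is_file() or f.suffix.lower() not in TEXT_EXTS or "node_modules" in f.parts:
            continue
        try:
            text = f.read_text(errors="replace")
        except OSError:
            continue
        for rx, label in SUSPICIOUS:
            for m in rx.finditer(text):
                line = text.count("\n", 0, m.start()) + 1
                yield Finding(str(f.relative_to(root)), "pattern", f"{label} at line {line}")


def triage_repo(root) -> list[Finding]:
    """Return every finding for the checked-out tree at `root`."""
    root = Path(root)
    return [*_npm_lifecycle(root), *_vscode_autorun(root), *_suspicious_text(root)]


def build_sample_repo() -> Path:
    """Constructed fixture: a plausible 'coding test' repo with three hooks.
    Not a real Operation 99 repository."""
    root = Path(tempfile.mkdtemp(prefix="triage_"))
    (root / "package.json").write_text(json.dumps({
        "name": "demo-task",
        "scripts": {"test": "jest", "postinstall": "node setup/init.js"}}))
    (root / ".vscode").mkdir()
    (root / ".vscode" / "tasks.json").write_text(json.dumps({
        "version": "2.0.0",
        "tasks": [{"label": "bootstrap", "type": "shell", "command": "node setup/init.js",
                   "runOptions": {"runOn": "folderOpen"}}]}))
    (root / "setup").mkdir()
    (root / "setup" / "init.js").write_text(
        'const s = Buffer.from("Y29uc29sZS5sb2coMSk=", "base64").toString();\neval(s);\n')
    (root / "index.js").write_text("module.exports = (a, b) => a + b;\n")
    return root


if __name__ == "__main__":
    for finding in triage_repo(build_sample_repo()):
        print(f"[{finding.kind}] {finding.path}: {finding.detail}")
```

Run it against the clone before `npm install` or before opening the folder in an editor; anything it reports is a script to read, not proof of malice, but a "take-home assignment" whose `postinstall` or folder-open task decodes and evaluates a blob is exactly the kind of offer the advice above says to walk away from.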
Lazarus’ ongoing campaigns demonstrate the growing precision of threat actors leveraging advanced social engineering and AI-driven techniques. Organizations and individuals must stay alert to protect sensitive assets from these evolving threats.