Fake Jobs, Real Malware. Uncovering How Cybercriminals are Exploiting the Employment Market
2025-10-21, Europe

This session dives into a sophisticated recruitment scam run by the notorious Lazarus Group on LinkedIn and other job-related platforms. Drawing on findings from Bitdefender Labs, we will uncover how the threat actors use complex methods to deliver malware disguised as a coding assessment for a job offer. Built on advanced social engineering, this campaign shows why it is important to stay alert and aware when using any digital service.

During this talk, we will follow the whole infection process, starting with the JavaScript loader and infostealer, moving to Python scripts that ramp up the damage, and ending with a final payload that doubles down on data theft and connects to the Command and Control (C2) server via The Onion Router (Tor). Attendees will gain a comprehensive understanding of the tactics used by cybercriminals, the potential risks to their organization's security, and strategies to protect against similar attacks.

In this session, we will take a deep dive into a sophisticated recruitment scam run by the well-known Lazarus Group on LinkedIn and other job-related platforms. We will start by analyzing the interaction between a Bitdefender employee and a fake recruiter on LinkedIn, while also explaining what the so-called recruiter is after and which tactics are known to be used in these kinds of scenarios.
Since the scam relies on job-seeking developers who set out to finish the coding assessment given by the fake recruiter, we will continue with a bird's-eye view of the received code repositories. Among thousands of lines of code stolen from public repositories, the threat actors hide an obfuscated JavaScript snippet that begins the malware infection chain.

Moving forward, the complexity of the infection chain increases. A comprehensive breakdown of each step involved will be provided, with insights about malware analysis and the necessary protective measures to prevent infection:

  • Downloading more malicious, self-unpacking Python scripts
  • Using public services to store information (e.g. Pastebin)
  • Downloading a malicious binary that doubles down on the infostealing efforts, while also exfiltrating data through Tor
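The first link in the chain described above is an obfuscated JavaScript snippet buried among thousands of ordinary lines in a repository the candidate is asked to run. As an added example (not tooling from Bitdefender Labs or from the talk), the following Python script is the kind of check a developer or security team can run over a received "coding assessment" repository before executing anything in it. It flags static indicators typical of such snippets: very long lines, dynamic code execution, char-code string building, hex-escaped strings, long base64-like blobs and child-process spawning. The thresholds, patterns and the two sample files are constructed assumptions for illustration, not indicators taken from the campaign.

```python
"""Heuristic scan of a JavaScript repository for obfuscated loader-style code.

Added example for this page, not Bitdefender's or the talk's own tooling.
Thresholds, patterns and sample inputs are constructed assumptions.
"""
import re
import sys
from pathlib import Path

# Constructed thresholds: tune them for the code base being reviewed.
LONG_LINE_CHARS = 300      # obfuscated/minified code tends to pack one huge line
BASE64_BLOB_CHARS = 80     # long base64-looking runs often hide an encoded stage

# Static heuristics, each paired with a short label for the report.
PATTERNS = [
    (re.compile(r"\b(?:eval|Function)\s*\("), "dynamic code execution"),
    (re.compile(r"String\.fromCharCode"), "char-code string building"),
    (re.compile(r"\\x[0-9a-fA-F]{2}(?:\\x[0-9a-fA-F]{2}){7,}"), "hex-escaped string"),
    (re.compile(r"[A-Za-z0-9+/]{%d,}={0,2}" % BASE64_BLOB_CHARS), "long base64-like blob"),
    (re.compile(r"require\s*\(\s*['\"]child_process['\"]\s*\)"), "child process spawning"),
]


def scan_source(text):
    """Return a list of (line_number, label) findings for one JavaScript file."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if len(line) > LONG_LINE_CHARS:
            findings.append((lineno, "very long line"))
        for pattern, label in PATTERNS:
            if pattern.search(line):
                findings.append((lineno, label))
    return findings


def scan_repo(root):
    """Walk a checked-out repository and report every JavaScript file with findings."""
    report = {}
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix not in {".js", ".mjs", ".cjs"}:
            continue
        if "node_modules" in path.parts:   # vendored packages need their own review
            continue
        findings = scan_source(path.read_text(errors="replace"))
        if findings:
            report[str(path)] = findings
    return report


# Constructed sample inputs (not code from any real repository).
BENIGN_SAMPLE = """const express = require('express');
const app = express();
app.get('/', (req, res) => res.send('hello'));
app.listen(3000);
"""

# A nonsense base64-looking blob stands in for an encoded stage.
_FAKE_BLOB = "QUFBQUFB" * 12
SUSPICIOUS_SAMPLE = (
    "const cfg = require('./config');\n"
    "eval(Buffer.from('" + _FAKE_BLOB + "', 'base64').toString());\n"
    "var s = String.fromCharCode(104, 101, 108, 108, 111);\n"
)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for file_name, findings in scan_repo(target).items():
        print(file_name)
        for lineno, label in findings:
            print("  line %d: %s" % (lineno, label))
```

Run it as `python scan_repo.py path/to/assessment` on the unpacked repository. A hit is not proof of malware (legitimate minified bundles trigger the long-line and base64 rules too), but any hit in hand-written application code of a take-home task is a reason to read that line before running `npm install` or the project itself.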

The presentation will end with conclusions and takeaways, while also leaving plenty of time for Q&A.