DPRK Fake-Recruiter Malware: The Pattern Targeting Engineers in 2026
Threat Intelligence
North Korean threat actors run convincing fake-recruiter campaigns targeting engineers, especially in crypto and Web3. The interview comes with a coding test. The coding test runs malware. Five patterns and the company-side defences.
By Arjun Raghavan, Security & Systems Lead, BIPI · January 30, 2026 · 7 min read
North Korean state-aligned threat actors (Lazarus, BlueNoroff, and adjacent clusters) have run a fake-recruiter campaign continuously since 2022 with consistent infrastructure and an evolving payload. The pattern targets engineers — particularly in cryptocurrency, Web3, and increasingly mainstream SaaS. The lure is a job interview. The bait is a coding test. The payload is malware that gives the attacker access to the engineer's laptop and, through it, the company.
We have read the IR reports on a half-dozen incidents that started this way through 2025. The pattern is so consistent that the indicators are nearly fingerprintable. Below: the five patterns, what they look like to the engineer, and the company-side defences.
Pattern 1: LinkedIn outreach with too-good details
A recruiter from a real-sounding company (often a name very similar to a real firm) reaches out via LinkedIn with a specific role at a specific salary that is 30 to 50 percent above market. The recruiter profile is detailed but recent. The mutual-connections list is sparse or contains other engineers who themselves were targets.
The first signal: a salary that is 30 percent above the local benchmark for a remote role with no specific tech-stack requirement. Real recruiters rarely lead with the number; this campaign always does, because the number is the hook.
Pattern 2: the early request to move off LinkedIn
Within two messages the 'recruiter' suggests moving the conversation to a chat platform — Telegram, Discord, sometimes a custom app the engineer is asked to download. The reason given is 'easier to schedule' or 'company policy'. The real reason is that LinkedIn's abuse team takes down the recruiter accounts within days; the chat channel is a more permanent foothold.
Pattern 3: the coding test that runs the malware
Once trust is built, the 'recruiter' sends a coding test. Variants we have seen:
- 'Fix the bug in this open-source repo we're considering using': the repo is the attacker's and contains a subtle backdoor in the build script.
- 'Pair with our engineer on this task': the engineer pastes attacker-provided code into their terminal during a screen share.
- 'Run our take-home; here's the boilerplate': the boilerplate's npm install runs a malicious postinstall.
The npm-install vector is the one we see most. The package.json includes a dependency that resolves to an attacker-controlled package on a public registry. The first time the engineer runs npm install, the postinstall script harvests SSH keys, AWS credentials, browser cookies, and 1Password vault data. By the time the engineer realises something is off, the attacker is already in.
Pattern 4: pivot from engineer's machine to company
Once the malware is running on the engineer's laptop, it harvests credentials. AWS API keys in ~/.aws. SSH keys to production. Browser cookies for SaaS tools the engineer is logged into. Slack auth tokens. Within hours the attacker has access to the company's environment via the engineer's identity.
From there the attacker pursues the actual goal — usually crypto theft (for crypto/Web3 targets) or longer-term espionage (for mainstream SaaS targets). The engineer is the entry point, not the target.
Pattern 5: domain reuse and cryptostealer modules
DPRK groups reuse infrastructure surprisingly often. The C2 domains follow naming patterns. The malware modules are largely shared across clusters (BeaverTail, InvisibleFerret, and OtterCookie are the named families that have appeared in 2024 and 2025). If you spot one indicator, the broader cluster is detectable.
Company-side defences
- Engineering-team policy: no running npm install / pip install / cargo install on personal machines for work. Use ephemeral CI sandboxes for anything from external sources.
- Mandatory --ignore-scripts on every internal CI npm install, with an explicit allowlist for legitimate packages.
- Browser policy: separate browser profile for SaaS work tools. Personal browsing and 'recruiter chat' happen in a different profile that does not share cookies.
- DLP and egress monitoring for the engineering laptop fleet. Outbound to known DPRK C2 domains, or unusual exfil-pattern traffic, is a P1 alert.
- Education for engineering hiring managers and engineers themselves. Real recruiters do not send coding tests that require running unfamiliar code on your personal laptop. The campaign relies on the engineer normalising 'oh sure, I'll npm install this'. Make that not normal.
Closing
The DPRK fake-recruiter campaign is one of the most consistent, longest-running threats targeting engineers in 2026. It is also, paradoxically, one of the most defendable — the pattern is repetitive, the IOCs are publicly tracked, and the entry vector is fixable with a small number of policy changes around how engineers run untrusted code. The companies that have been hit usually had no policy at all. The companies that have not are the ones where 'I will run your install script on my laptop' was already abnormal.