In a sophisticated cyber offensive, a subgroup of the infamous North Korean hacking organization Lazarus has established multiple shell companies — including two based in the United States — to lure unsuspecting developers through fake job interviews and embed malware into open-source software repositories.
This new tactic marks a significant escalation in Lazarus' ongoing campaign to infiltrate and exploit the global crypto and Web3 sectors.
Fake U.S. Companies as Attack Fronts
Security researchers at Silent Push uncovered that North Korean cyber operatives, linked to the notorious Lazarus Group, had set up at least two shell companies — Blocknovas LLC in New Mexico and Softglide LLC in New York — using fabricated identities and addresses.
These firms posed as legitimate crypto consultancies, posting job openings on platforms like LinkedIn, Upwork, and CryptoJobsList to attract developers.
The hackers also used AI-generated images to create employee profiles for the three front crypto companies, and they stole images of real people for the same purpose.
"There are numerous fake employees and stolen images from real people being used across this network. We've documented some of the obvious fakes and stolen images, but it's very important to appreciate that the impersonation efforts from this campaign are different."
During the interview process, attackers would prompt candidates to download files or click on links, which in reality delivered malware designed to steal credentials, crypto wallet keys, and sensitive data.
As part of the ruse, an error message would appear when a candidate attempted to record an introductory video. The "solution" offered involved copying and pasting a code snippet — a trick that ultimately led to the installation of malware if completed.
According to cybersecurity firm Silent Push, three distinct malware strains — BeaverTail, InvisibleFerret, and OtterCookie — are currently being actively deployed as part of this campaign.
Blocknovas was the most active of the fake companies, and the FBI has since seized its domain after confirming it was being used to distribute malware under the guise of job recruitment.
This operation, dubbed “Contagious Interview,” is a subset of Lazarus’ broader efforts to penetrate and exploit the crypto sector. To enhance credibility, the attackers used AI-generated employee profiles and fabricated business infrastructures.
The malware compromised not only individual wallets but also enabled follow-up attacks on companies by harvesting passwords and sensitive credentials.
Supply Chain Attacks via GitHub and NPM
Beyond social engineering tactics, Lazarus has intensified its efforts by targeting software supply chains, injecting malicious JavaScript into GitHub repositories and NPM packages — essential tools widely used by crypto and Web3 developers.
One particular malware variant, Marstech1, was engineered with sophisticated obfuscation and anti-analysis techniques to evade detection.
Once installed, it scans for popular wallets such as MetaMask, Exodus, and Atomic, extracting private keys and modifying browser settings to intercept cryptocurrency transactions.
SecurityScorecard confirmed at least 233 victims globally, warning that the risk could extend to millions if the malware is incorporated into widely used software projects.
The FBI has taken action to disrupt these operations, seizing domains like Blocknovas and issuing warnings about the persistent and evolving threat posed by North Korean cyber actors.
Experts emphasize that these campaigns not only fund Pyongyang’s regime but also pose a significant and growing risk to the security and stability of the global crypto ecosystem.