Lazarus, the infamous threat group from North Korea, is active again with a new social engineering campaign. This time it is impersonating Coinbase to target employees in fintech firms via fake job offers.

Attack tactics

The threat group approaches targets over LinkedIn to offer a job and then hold a preliminary discussion as part of their social engineering scheme.
  • Since February, the attackers are believed to be looking for candidates for the role of Engineering Manager, Product Security.
  • If a person is fooled and downloads a PDF for details about the job position, they download a malicious executable (Coinbase_online_careers_2022_07[.]exe) which is using a PDF icon. 
  • Subsequently, the file displays a decoy PDF document when executed while loading a malicious DLL.
  • Once DLL is executed, the malware uses GitHub as a C2 server to receive commands on infected devices.

This attack chain is similar to one observed by Malwarebytes at the start of this year.

Recent attacks 

The Lazarus group is known for launching financially motivated attacks against crypto exchanges:
  • In April, the FBI associated stolen cryptocurrency from the game Axie Infinity with Lazarus. In that attack, around $617 million worth of Ethereum and USDC tokens were stolen.
  • Earlier this year, intelligence services in the U.S. warned against Lazarus spreading trojanized investment and cryptocurrency wallets apps to steal people's private keys and their holdings.


Lazarus is a financial motivated group that continuously updates its tactics to fulfill its goals. Organizations can consider leveraging threat intelligence services/platforms to stay updated with similar emerging threats in real-time and also learn about mitigation strategies.
Cyware Publisher