{"id":1796,"date":"2023-09-29T09:30:00","date_gmt":"2023-09-29T09:30:00","guid":{"rendered":"https:\/\/cyberscoop.com\/?p=77398"},"modified":"2023-09-29T09:30:00","modified_gmt":"2023-09-29T09:30:00","slug":"north-korean-hackers-posed-as-meta-recruiter-on-linkedin","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2023\/09\/29\/north-korean-hackers-posed-as-meta-recruiter-on-linkedin\/","title":{"rendered":"North Korean hackers posed as Meta recruiter on LinkedIn"},"content":{"rendered":"<p><head> <meta charset=\"UTF-8\"> <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\"> <meta name=\"robots\" content=\"index, follow, max-image-preview:large, max-snippet:-1, max-video-preview:-1\"> <!-- This site is optimized with the Yoast SEO Premium plugin v20.5 (Yoast SEO v20.5) - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ --> <title>North Korean hackers posed as Meta recruiter on LinkedIn | CyberScoop<\/title> <meta name=\"description\" content=\"Targets of the operation were given phony coding challenges that delivered a range of malware, including a previously-unseen backdoor.\"> <link rel=\"canonical\" href=\"https:\/\/cyberscoop.com\/north-korea-meta-linkedin\/\"> <meta property=\"og:locale\" content=\"en_US\"> <meta property=\"og:type\" content=\"article\"> <meta property=\"og:title\" content=\"North Korean hackers posed as Meta recruiter on LinkedIn\"> <meta property=\"og:description\" content=\"Targets of the operation were given phony coding challenges that delivered a range of malware, including a previously-unseen backdoor.\"> <meta property=\"og:url\" content=\"https:\/\/cyberscoop.com\/north-korea-meta-linkedin\/\"> <meta property=\"og:site_name\" content=\"CyberScoop\"> <meta property=\"article:published_time\" content=\"2023-09-29T09:30:00+00:00\"> <meta property=\"article:modified_time\" content=\"2023-09-28T19:41:25+00:00\"> <meta property=\"og:image\" 
content=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/09\/north-korean-hackers-posed-as-meta-recruiter-on-linkedin-2.jpg\"> <meta property=\"og:image:width\" content=\"1920\"> <meta property=\"og:image:height\" content=\"1080\"> <meta property=\"og:image:type\" content=\"image\/jpeg\"> <meta name=\"author\" content=\"AJ Vicens\"> <meta name=\"twitter:card\" content=\"summary_large_image\"> <meta name=\"twitter:creator\" content=\"@AJVicens\"> <!-- \/ Yoast SEO Premium plugin. --> <link rel=\"dns-prefetch\" href=\"\/\/cdn.parsely.com\">\n<link rel=\"dns-prefetch\" href=\"\/\/securepubads.g.doubleclick.net\">\n<link rel=\"dns-prefetch\" href=\"\/\/use.typekit.net\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Feed\" href=\"https:\/\/cyberscoop.com\/feed\/\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Comments Feed\" href=\"https:\/\/cyberscoop.com\/comments\/feed\/\"> <link rel=\"stylesheet\" id=\"all-css-0\" href=\"https:\/\/cyberscoop.com\/wp-includes\/css\/dist\/block-library\/style.min.css?m=1695397585g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-4\" href=\"https:\/\/cyberscoop.com\/wp-content\/mu-plugins\/search\/elasticpress-next\/dist\/css\/related-posts-block-styles.min.css?m=1695745539g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-6\" href=\"https:\/\/cyberscoop.com\/wp-content\/themes\/scoopnewsgroup\/dist\/css\/frontend.css?m=1695741454g\" type=\"text\/css\" media=\"all\">\n<link rel=\"stylesheet\" id=\"typekit-css\" href=\"https:\/\/use.typekit.net\/itk2qbh.css?ver=7af46db108fbc62fdcc9\" media=\"all\"> <link rel=\"https:\/\/api.w.org\/\" href=\"https:\/\/cyberscoop.com\/wp-json\/\"><link rel=\"alternate\" type=\"application\/json\" href=\"https:\/\/cyberscoop.com\/wp-json\/wp\/v2\/posts\/77398\"><link rel=\"EditURI\" type=\"application\/rsd+xml\" title=\"RSD\" 
href=\"https:\/\/cyberscoop.com\/xmlrpc.php?rsd\">\n<meta name=\"generator\" content=\"WordPress 6.3.1\">\n<link rel=\"shortlink\" href=\"https:\/\/cyberscoop.com\/?p=77398\">\n<link rel=\"alternate\" type=\"application\/json+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fnorth-korea-meta-linkedin%2F\">\n<link rel=\"alternate\" type=\"text\/xml+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fnorth-korea-meta-linkedin%2F&amp;format=xml\"> <!-- Google Tag Manager --> <!-- End Google Tag Manager --> <link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=32\" sizes=\"32x32\">\n<link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=192\" sizes=\"192x192\">\n<link rel=\"apple-touch-icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=180\">\n<meta name=\"msapplication-TileImage\" content=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=270\"> <\/head><body class=\"post-template-default single single-post postid-77398 single-format-standard\" id=\"readabilityBody\"> <a href=\"https:\/\/cyberscoop.com\/north-korea-meta-linkedin\/#main\" class=\"skip-to-content-link visually-hidden-focusable\">Skip to main content<\/a> <\/p>\n<div class=\"ad ad--top ad--top-desktop\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p> <main id=\"main\" role=\"main\" tabindex=\"-1\"> <\/p>\n<div class=\"ad ad--top ad--top-mobile\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<section id=\"stickybar\" class=\"stickybar stickybar--newsletter js-stickybar\" readability=\"0.82\"> <button class=\"stickybar__close js-stickybar-close\" 
aria-controls=\"stickybar\"> <svg class=\"icon icon--close\" width=\"21\" height=\"22\" viewBox=\"0 0 21 22\" fill=\"none\"><path d=\"m.822.518-.805.805L9.695 11 .017 20.678l.805.805 9.678-9.678 9.677 9.678.806-.805L11.305 11l9.678-9.677-.806-.805-9.677 9.677L.822.518Z\" fill=\"currentColor\" \/><\/svg> <span class=\"visually-hidden\">Close<\/span> <\/button> <\/section>\n<article class=\"single-article content\">\n<div class=\"single-article__container js-single-article-content\">\n<header class=\"single-article__header \" readability=\"24.854037267081\">\n<div class=\"single-article__header-content\" readability=\"30.179487179487\">\n<ul class=\"single-article__eyebrow\">\n<li class=\"single-article__category\"> <a class=\"single-article__category-link\" href=\"https:\/\/cyberscoop.com\/news\/geopolitics\/\"> <span>Geopolitics<\/span> <\/a> <\/li>\n<\/ul>\n<p> Targets of the operation were given phony coding challenges that delivered a range of malware including a previously-unseen backdoor. 
<\/p>\n<\/p><\/div>\n<div class=\"single-article__cover-wrap\">\n<figure class=\"single-article__cover\"> <img data-recalc-dims=\"1\" fetchpriority=\"high\" width=\"640\" height=\"360\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2023\/09\/north-korean-hackers-posed-as-meta-recruiter-on-linkedin.jpg?resize=640%2C360&#038;ssl=1\" class=\"single-article__cover-image wp-post-image\" alt decoding=\"async\" fetchpriority=\"high\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/09\/north-korean-hackers-posed-as-meta-recruiter-on-linkedin-2.jpg 1920w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/09\/north-korean-hackers-posed-as-meta-recruiter-on-linkedin-2.jpg?resize=300,168 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/09\/north-korean-hackers-posed-as-meta-recruiter-on-linkedin-2.jpg?resize=768,432 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/09\/north-korean-hackers-posed-as-meta-recruiter-on-linkedin-2.jpg?resize=1024,576 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/09\/north-korean-hackers-posed-as-meta-recruiter-on-linkedin-2.jpg?resize=1536,864 1536w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/09\/north-korean-hackers-posed-as-meta-recruiter-on-linkedin-2.jpg?resize=600,337 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/09\/north-korean-hackers-posed-as-meta-recruiter-on-linkedin-2.jpg?resize=1200,675 1200w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/09\/north-korean-hackers-posed-as-meta-recruiter-on-linkedin-2.jpg?resize=1500,843 1500w\" sizes=\"(max-width: 1200px) 100vw, 1200px\"><figcaption> Flag of the Democratic People&#8217;s Republic of Korea. 
(Manuel Augusto Moreno\/Getty Images) <\/figcaption><\/figure>\n<\/p><\/div>\n<\/header>\n<div class=\"single-article__content\">\n<div class=\"single-article__content-inner has-drop-cap\"> <html readability=\"22.527357651246\"><body readability=\"45.768963807635\"><\/p>\n<p>A North Korean cyberespionage operation targeted employees of an aerospace company in Spain using a previously unreported backdoor and a creative phishing campaign featuring a phony Silicon Valley recruiter, demonstrating a \u201csignificant advancement in malicious capabilities,\u201d <a href=\"https:\/\/www.welivesecurity.com\/en\/eset-research\/lazarus-luring-employees-trojanized-coding-challenges-case-spanish-aerospace-company\/\">researchers with the cybersecurity firm ESET said Friday<\/a>. <\/p>\n<p>Hackers linked with North Korea\u2019s Lazarus Group \u2014 <a href=\"https:\/\/www.mandiant.com\/resources\/blog\/mapping-dprk-groups-to-government\">an umbrella term<\/a> for a collection of North Korean cyber units \u2014 posed as a recruiter for Meta, contacted employees of the unnamed company via LinkedIn and sent two coding challenges that were supposedly part of the hiring process but were in fact laced with malware, Peter K\u00e1lnai, an ESET researcher, wrote in a report published Friday. 
<\/p>\n<figure class=\"wp-block-image aligncenter size-full\"><img data-recalc-dims=\"1\" decoding=\"async\" width=\"417\" height=\"455\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2023\/09\/north-korean-hackers-posed-as-meta-recruiter-on-linkedin.png?resize=417%2C455&#038;ssl=1\" alt class=\"wp-image-77402\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/09\/north-korean-hackers-posed-as-meta-recruiter-on-linkedin.png 417w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/09\/north-korean-hackers-posed-as-meta-recruiter-on-linkedin.png?resize=275,300 275w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/09\/north-korean-hackers-posed-as-meta-recruiter-on-linkedin.png?resize=154,168 154w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/09\/north-korean-hackers-posed-as-meta-recruiter-on-linkedin.png?resize=309,337 309w\" sizes=\"(max-width: 417px) 100vw, 417px\"><figcaption class=\"wp-element-caption\">Initial contact from an attacker posing as a Meta recruiter (ESET Research).<\/figcaption><\/figure>\n<p>The operation, carried out some time last year, is just the latest example of North Korean-linked cyber operations <a href=\"https:\/\/cyberscoop.com\/north-korea-hackers-google-dream-job\/\">using phony job opportunities to target various professionals<\/a>, including journalists, security researchers and software developers, among others. 
<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>The ostensible coding challenges were contained in malicious files named \u201cQuiz1.exe\u201d and \u201cQuiz2.exe\u201d and, when downloaded and executed on a company device, delivered a remote access trojan ESET dubbed \u201cLightlessCan.\u201d<\/p>\n<p>The malware mimicked a \u201cwide range of native Windows commands,\u201d K\u00e1lnai said, and enabled \u201cdiscreet execution within the RAT itself instead of noisy console executions.\u201d<\/p>\n<p>The \u201cstrategic shift enhances stealth, making detecting and analyzing the attacker\u2019s motives more challenging,\u201d he said. The malware was also set to decrypt only on an intended target\u2019s machine, \u201ceffectively preventing decryption on unintended machines, such as those of security researchers.\u201d<\/p>\n<p>LightlessCan has support for up to 68 distinct commands, he added, but only 43 are implemented with some functionality in the current version of the malware, suggesting the potential for ongoing development and refinement.<\/p>\n<p><\/body> <\/p>\n<footer class=\"single-article__footer\" readability=\"1.1869565217391\">\n<div class=\"author-card\" readability=\"8\">\n<div class=\"author-card__avatar\">\n<figure class=\"author-card__image-wrap\"> <img data-recalc-dims=\"1\" decoding=\"async\" class=\"author-card__image\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2023\/09\/north-korean-hackers-posed-as-meta-recruiter-on-linkedin-1.jpg?w=640&#038;ssl=1\" alt=\"AJ Vicens\"> <\/figure>\n<\/p><\/div>\n<p><h4 class=\"author-card__name\">Written by AJ Vicens<\/h4>\n<p> AJ covers nation-state threats and cybercrime. He was previously a reporter at Mother Jones. Get in touch via Signal\/WhatsApp: (810-206-9411). 
<\/p>\n<\/p><\/div>\n<div class=\"single-article__tags-container\">\n<h4 class=\"single-article__tags-title\">In This Story<\/h4>\n<\/p><\/div>\n<\/footer>\n<p> <\/html><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"single-article__ads js-single-article-sidebar\">\n<div class=\"ad ad--sidebar js-single-article-sidebar-5 ad--rightrail_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-4 ad--rightrail_2 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-3 ad--rightrail_3 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div><\/div>\n<\/article>\n<div class=\"popular-stories popular-stories--single-post\">\n<div class=\"popular-stories__container\">\n<h2 class=\"popular-stories__title\"> More Scoops <\/h2>\n<p> <!-- .popular-stories__stories --> <\/div>\n<p><!-- .popular-stories__inner -->\n<\/div>\n<p><!-- .popular-stories --> <\/p>\n<section class=\"latest-podcasts\">\n<h2 class=\"latest-podcasts__title\"> Latest Podcasts\t<\/h2>\n<\/section>\n<div class=\"top-categories\">\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Technology<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Government<\/h3>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/p>\n<div class=\"ad ad--bottom \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div id=\"interstitial\" class=\"welcome__container\"> <button id=\"close-modal-1\" class=\"welcome__clickable_area\"><\/button> <\/p>\n<div class=\"welcome__ad_wrapper\">\n<p> <button id=\"close-modal-3\" class=\"welcome__continue-button\">Continue to CyberScoop<\/button> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p> <!-- Start of 
HubSpot Embed Code --> <!-- End of HubSpot Embed Code --> <\/body> <a href=\"https:\/\/cyberscoop.com\/north-korea-meta-linkedin\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>North Korean hackers posed as Meta recruiter on LinkedIn |<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[1009,302,1010,168,647,1011],"tags":[1012,306,242,169,240,1013],"class_list":["post-1796","post","type-post","status-publish","format-standard","hentry","category-eset","category-geopolitics","category-lazarus-group","category-malware","category-north-korea","category-spearphishing","tag-eset","tag-geopolitics","tag-lazarus-group","tag-malware","tag-north-korea","tag-spearphishing"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Cyber Scoop","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/cyberscoop\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/eset\/\" rel=\"category tag\">ESET<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/geopolitics\/\" rel=\"category tag\">Geopolitics<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/lazarus-group\/\" rel=\"category tag\">Lazarus Group<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/malware\/\" rel=\"category tag\">Malware<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/north-korea\/\" rel=\"category tag\">North Korea<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/spearphishing\/\" rel=\"category 
tag\">spearphishing<\/a>","tag_info":"spearphishing","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/1796","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=1796"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/1796\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=1796"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=1796"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=1796"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}