North Korean hacker group Lazarus targeting Mac users with fake job ads

The hackers previously spread ransomware and stole millions in cryptocurrency from a ‘play-to-earn’ game’s blockchain

Graig Graziosi
Friday 19 August 2022 20:01 BST
Apple to increase ads on iPhones

Support truly
independent journalism

Our mission is to deliver unbiased, fact-based reporting that holds power to account and exposes the truth.

Whether $5 or $50, every contribution counts.

Support us to deliver journalism without an agenda.

Louise Thomas

Louise Thomas


A nefarious North Korean hacking group called Lazarus is reportedly targetting Apple users through fake job offers.

Security researchers at ESET reported Tuesday that the group's latest efforts involve fake phone calls advertising Coinbase Inc developer jobs. Coinbase is a cryptocurrency exchange used by most crypto traders.

The fake job offers include an attachment with malware files that can affect Intel and Apple's Mac computers.

According to a report on Silicon Angle, the malware in the messages uses three files to compromise computers — a decoy PDF to make users think they've downloaded a legitimate attachment, a fake "font updater" app and a downloader labeled "safarifontagent”.

The files are timestamped 21 July, suggesting the attacks are new and not a continuation of a previous Lazarus attack.

Lazarus has been blamed for spreading the WannaCry ransomware attack in 2017, but has been active in other campaign since then.

In December, the group targetted Linux systems, and was linked to a theft of $615m in cryptocurrency through the hack of the Ronin Network, which is the blockchain underlying the "Axie Infinity" "play-to-earn" crypto game.

Kevin Bocek, the vice president of security strategy and threat intelligence at Venafi Inc, spoke to Silicone Angle about the recent attacks.

“This attack targeting developers with signed executables has the potential to inflict huge damage on North Korea’s rivals,” he said. “A key component of the attack is the use of a signed executable disguised as a job description. Code signing certificates have become the modus operandi for many North Korean APT groups, as these digital certificates are the keys to the castle, securing communication between machines of all kinds, from servers to applications, Kubernetes clusters and microservices.”

Best practices to avoid being a victim of a phishing attack is to double check any messages asking you to click on something and ensuring they're actually coming from legitimate sources. Criminals looking to exploit users using phishing attempts will often make emails look exactly like the organisation they claim to represent, so users should be sure to examine the actual email address sending the message and cross-check it using a search engine with the organisation's actual email addresses.

The news of the Lazarus campaign comes at the same time as an Apple disclosure that its products are currently suffering from a serious security vulnerability. The flaw affects iPhones, iPads, Mac computers and can potentially allow criminals to take control of a user's computer.

Security experts have encouraged users of the affected devices to update to the latest versions to protect themselves from the exploit.

Thank you for registering

Please refresh the page or navigate to another page on the site to be automatically logged inPlease refresh your browser to be logged in