Lazarus targets freelance developers with DeceptiveDevelopment
Lazarus is one of the most active APT groups and has a long history of innovation in the field of cyberthreats, always looking for new ways to achieve its goals. Aside from politically and strategically motivated activities such as espionage, Lazarus has also been known to focus on financial gain. It started by stealing money from banks and financial institutions in some of the largest known cyberheists, but nowadays has reoriented towards cryptocurrency theft, targeting cryptocurrency exchanges and other related entities.
Lazarus’s DeceptiveDevelopment operation, also known as ContagiousInterview, has been going on since 2023 and shares some notable similarities with previous Lazarus campaigns, namely the use of social engineering, faux recruiter profiles on social media, and the delivery of malware disguised as job offers or job challenges. What makes DeceptiveDevelopment unique is its targeting of individual freelance developers around the world, primarily those associated with cryptocurrency projects. The intention behind this is twofold: stealing the cryptocurrency wallets belonging to these individuals, and gaining access to the larger projects and institutions these developers may be a part of, for potential further intrusion.
In this presentation, we focus on the origin of the DeceptiveDevelopment campaign and its progression over time. We also provide insight into the infrastructure used, including an overview of new, recently discovered malware versions. With the permission of the victims, we present actual conversations between the attackers and their targets; these provide useful insight into how the actor operates. We aim to “connect the dots” and give a comprehensive overview of this operation as a basis for further threat research and hunting.
Matěj Havránek – ESET
Matěj Havránek is a malware researcher at ESET with 10 years of experience in the fields of malware analysis and threat hunting. In addition to malware research, he focuses on APT activity tracking and developing analytic tools. He is a fan of ciphers and cryptography, and enjoys challenges.