Beware of Phony Job Offers on LinkedIn That May Result in Malware



North Korean Hackers Use Fake LinkedIn Job Offers to Spread Malware

A new malware campaign that uses fake job offers on LinkedIn to lure victims is believed to be the work of a North Korean hacking group. The group is posting fake job offers in the media, tech, and defense industries under the guise of legitimate recruiters, even impersonating the New York Times in one ad.

Threat intelligence firm Mandiant discovered that the campaign has been ongoing since June 2022. It believes the campaign is related to “Operation Dream Job”, another malware campaign originating from North Korea and conducted by the infamous Lazarus group, which breaches systems belonging to crypto users.

Phishing for Victims

Mandiant believes the new campaign is from a separate group to Lazarus, and is unique in that the TouchMove, SideShow, and TouchShift malware used in the attacks have never been seen before.

After a user responds to the LinkedIn job offer, the hackers continue the process on WhatsApp, where they share a Word document containing dangerous macros. These macros install trojans from WordPress sites that the hackers have compromised and use as their command-and-control infrastructure.

This trojan, based on TightVNC and known as LidShift, in turn uploads a malicious Notepad++ plugin that downloads malware known as LidShot, which then deploys the final payload on the device: the PlankWalk backdoor.

After this, the hackers use a malware dropper called TouchShift, concealed in a Windows binary file. This loads a plethora of additional malicious content, including TouchShot and TouchKey, a screenshot utility and keylogger respectively, as well as a loader called TouchMove.

It also loads another backdoor called SideShow, which allows for high-level control over the host’s system, such as the ability to edit the registry, change firewall settings, and execute additional payloads.

The hackers also used the CloudBurst malware on companies that didn’t use a VPN, by abusing the endpoint management service Microsoft Intune.


Lewis Maddison is a Graduate Junior Writer at Tech Leaks. His coverage ranges from online security to the usage habits of technology in both personal and professional settings.
