Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
T3MP3ST Security Framework Uses AI to Automate 0-Day Vulnerability Discovery
July 5, 2026
Flipper Zero Firmware Updates Enhance Security, Introduce Community Guidelines
July 5, 2026
Mythos Ransomware Returns, Kali Linux 2024.2 Released, WhatsApp Vulnerability
July 5, 2026
Home/Threats/Lazarus Group Uses AI to Target Developers With Backdoored Coding Challenges
Threats

Lazarus Group Uses AI to Target Developers With Backdoored Coding Challenges

Key Takeaways A North Korean state-sponsored group, HexagonalRodent (a Lazarus subgroup), is targeting software developers, particularly in Web3, with sophisticated malware delivered via fake job...

Sarah simpson
Sarah simpson
April 23, 2026 4 Min Read
49 0

Key Takeaways

  • A North Korean state-sponsored group, HexagonalRodent (a Lazarus subgroup), is targeting software developers, particularly in Web3, with sophisticated malware delivered via fake job interviews and coding challenges.
  • The attackers extensively use generative AI tools like ChatGPT and Cursor to craft convincing fake identities, company websites, and even malicious code, demonstrating a new level of industrialization in their operations.
  • The primary infection vector involves booby-trapped VSCode projects that automatically execute malware upon opening, leading to credential theft (BeaverTail) and remote access (OtterCookie, InvisibleFerret).
  • The group successfully exfiltrated 26,584 cryptocurrency wallets from 2,726 infected systems in three months, exposing public keys for assets valued at up to $12 million.

A North Korean state-sponsored cyber espionage group is employing advanced tactics, including the widespread use of artificial intelligence, to ensnare software developers with malicious code disguised as legitimate coding challenges. This campaign, spearheaded by a subgroup of the infamous Lazarus Group, aims to compromise developer systems and exfiltrate cryptocurrency and other valuable assets.

Table Of Content

  • Key Takeaways
  • AI-Powered Recruitment Scams
  • Targeting Web3 Developers and Supply Chain Compromises
  • Inside the Infection Mechanism
  • What You Should Do

Cybersecurity firm Expel has identified and tracked this specific threat actor as HexagonalRodent (also referred to as Expel-TA-0001). Researchers believe it operates as a specialized division within the broader Lazarus ecosystem, which is directly linked to North Korea’s intelligence operations.

AI-Powered Recruitment Scams

The campaign operates on a straightforward yet highly effective premise: threat actors impersonate tech recruiters and engage developers, often through professional networking sites like LinkedIn or by posting fraudulent job listings on popular career portals. Once a developer expresses interest, they are presented with a “take-home coding assessment” – a project designed to appear authentic but secretly embedded with malware.

A distinctive feature of this operation is its heavy reliance on generative AI. The attackers have leveraged tools such as ChatGPT and Cursor to generate malicious code, construct elaborate fake company websites, and even invent entire fictional leadership teams to bolster the credibility of their fraudulent recruitment efforts.

Expel analysts uncovered the breadth of this campaign after investigating a BeaverTail malware incident on a client’s network in October 2025. This investigation led to the discovery of an extensive network of command-and-control (C2) panels, infrastructure, and internal tracking systems maintained by the group.

Targeting Web3 Developers and Supply Chain Compromises

HexagonalRodent primarily targets Web3 developers, with the explicit goal of stealing cryptocurrency and non-fungible tokens (NFTs). In a mere three-month period, the threat actors successfully exfiltrated data from 26,584 cryptocurrency wallets across 2,726 compromised developer systems. This included public keys for wallets holding up to $12 million in crypto assets.

Unlike previous Lazarus campaigns that often focused on large-scale intrusions into major cryptocurrency exchanges, HexagonalRodent employs a strategy of high-volume, opportunistic attacks against individual developers. This approach exploits the fact that many smaller Web3 projects and individual investors, despite holding significant digital assets, often lack robust security defenses.

The malware itself, developed in NodeJS and Python, is designed to blend seamlessly with the common development tools used daily, making it particularly difficult to detect on personal machines.

The group’s capabilities expanded significantly in early 2026 when researchers confirmed HexagonalRodent executed a supply chain attack. A widely used VSCode extension named “fast-draft” was compromised and utilized to distribute OtterCookie malware. This incident marked the first confirmed supply chain attack by this particular subgroup, indicating an evolution in their attack methodologies and an increase in technical sophistication.

Inside the Infection Mechanism

The core infection method capitalizes on features within VSCode, a prevalent code editor. Attackers embed a malicious tasks.json configuration file within the coding assessment project sent to targets. This file enables VSCode to automate tasks based on editor events.

Critically, the threat actors configure this file with a runOn:"folderOpen" command. This ensures that the malware executes automatically the moment a developer simply opens the project folder in VSCode, requiring no suspicious clicks or manual code execution from the victim.

Beyond this, the actual source code files within the assessment also contain hidden malicious functions designed to activate when the developer runs the code normally. This serves as a secondary infection vector, providing a fallback for developers who might not use VSCode or have automated tasks disabled. These dual infection pathways significantly increase the probability of a successful compromise.

Once a system is compromised, the BeaverTail malware initiates the exfiltration of credentials from various sources, including web browsers, the macOS Keychain, Linux Keyring, and password managers like 1Password. A second component, OtterCookie, establishes a reverse shell, granting attackers direct remote access. Additionally, InvisibleFerret, a Python-based tool, also functions as a reverse shell.

Expel’s analysis of the group’s exposed C2 panels confirmed that these tools operate in concert, with BeaverTail handling credential theft while OtterCookie facilitates persistent system access.

What You Should Do

  • Exercise Extreme Caution with External Code: Never execute code from unknown or unverified sources, even if presented as part of a job interview. Thoroughly review every file within a project, including hidden configuration files like tasks.json, before running any code.
  • Disable Automatic Task Execution in VSCode: Navigate to your VSCode Settings and disable automatic task execution to prevent tasks from running simply by opening a folder.
  • Utilize Code Auditing Tools: Employ AI-based or manual code auditing tools to scan any assessment source code for unusual functions, suspicious network calls, or obfuscated logic prior to execution.
  • Implement Hardware Security Tokens: For cryptocurrency wallets, use hardware security tokens. Expel’s investigation confirmed these provide a significantly stronger defense against asset draining by threat actors.
  • Verify Recruiter Identities Independently: Before engaging with any recruiter or accepting coding tasks, independently verify their identity and the legitimacy of the company. Cross-reference information with the company’s official website and contact them through verified channels, not just the initial contact method.
  • Monitor for Suspicious Processes: Keep an eye out for unexpected NodeJS or Python processes establishing persistent outbound TCP connections, which could indicate active BeaverTail or OtterCookie malware on your system.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackCybersecurityMalwareSecurityThreat

Share Article

Sarah simpson

Sarah simpson

Sarah is a cybersecurity journalist specializing in threat intelligence and malware analysis. With over 8 years of experience covering APT groups, zero-day exploits, and advanced persistent threats, Sarah brings deep technical expertise to breaking cybersecurity news. Previously, she worked as a security researcher at leading threat intelligence firms, where she analyzed malware samples and tracked cybercriminal operations. Sarah holds a Master's degree in Computer Science with a focus on cybersecurity and is a regular contributor to major security conferences.

Previous Post

Bitwarden CLI Supply Chain Attack Exposes Secrets Via GitHub Actions

Next Post

North Korean Hackers Pose as IT Workers to Infiltrate Companies

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
Critical FatFs Vulnerabilities Expose Millions of Embedded Devices
July 4, 2026
Critical Linux Kernel Vulnerability CVE-2023-0179 Grants Root Access
July 4, 2026
India Bans Apps Used to Remotely Disable E-Rickshaws
July 3, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Jennifer sherman
Jennifer sherman
Emy Elsamnoudy
Emy Elsamnoudy
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us