Lazarus Group Uses AI to Target Developers With Backdoored Coding Challenges
Key Takeaways A North Korean state-sponsored group, HexagonalRodent (a Lazarus subgroup), is targeting software developers, particularly in Web3, with sophisticated malware delivered via fake job...
Key Takeaways
- A North Korean state-sponsored group, HexagonalRodent (a Lazarus subgroup), is targeting software developers, particularly in Web3, with sophisticated malware delivered via fake job interviews and coding challenges.
- The attackers extensively use generative AI tools like ChatGPT and Cursor to craft convincing fake identities, company websites, and even malicious code, demonstrating a new level of industrialization in their operations.
- The primary infection vector involves booby-trapped VSCode projects that automatically execute malware upon opening, leading to credential theft (BeaverTail) and remote access (OtterCookie, InvisibleFerret).
- The group successfully exfiltrated 26,584 cryptocurrency wallets from 2,726 infected systems in three months, exposing public keys for assets valued at up to $12 million.
A North Korean state-sponsored cyber espionage group is employing advanced tactics, including the widespread use of artificial intelligence, to ensnare software developers with malicious code disguised as legitimate coding challenges. This campaign, spearheaded by a subgroup of the infamous Lazarus Group, aims to compromise developer systems and exfiltrate cryptocurrency and other valuable assets.
Table Of Content
Cybersecurity firm Expel has identified and tracked this specific threat actor as HexagonalRodent (also referred to as Expel-TA-0001). Researchers believe it operates as a specialized division within the broader Lazarus ecosystem, which is directly linked to North Korea’s intelligence operations.
AI-Powered Recruitment Scams
The campaign operates on a straightforward yet highly effective premise: threat actors impersonate tech recruiters and engage developers, often through professional networking sites like LinkedIn or by posting fraudulent job listings on popular career portals. Once a developer expresses interest, they are presented with a “take-home coding assessment” – a project designed to appear authentic but secretly embedded with malware.
A distinctive feature of this operation is its heavy reliance on generative AI. The attackers have leveraged tools such as ChatGPT and Cursor to generate malicious code, construct elaborate fake company websites, and even invent entire fictional leadership teams to bolster the credibility of their fraudulent recruitment efforts.
Expel analysts uncovered the breadth of this campaign after investigating a BeaverTail malware incident on a client’s network in October 2025. This investigation led to the discovery of an extensive network of command-and-control (C2) panels, infrastructure, and internal tracking systems maintained by the group.
Targeting Web3 Developers and Supply Chain Compromises
HexagonalRodent primarily targets Web3 developers, with the explicit goal of stealing cryptocurrency and non-fungible tokens (NFTs). In a mere three-month period, the threat actors successfully exfiltrated data from 26,584 cryptocurrency wallets across 2,726 compromised developer systems. This included public keys for wallets holding up to $12 million in crypto assets.
Unlike previous Lazarus campaigns that often focused on large-scale intrusions into major cryptocurrency exchanges, HexagonalRodent employs a strategy of high-volume, opportunistic attacks against individual developers. This approach exploits the fact that many smaller Web3 projects and individual investors, despite holding significant digital assets, often lack robust security defenses.
The malware itself, developed in NodeJS and Python, is designed to blend seamlessly with the common development tools used daily, making it particularly difficult to detect on personal machines.
The group’s capabilities expanded significantly in early 2026 when researchers confirmed HexagonalRodent executed a supply chain attack. A widely used VSCode extension named “fast-draft” was compromised and utilized to distribute OtterCookie malware. This incident marked the first confirmed supply chain attack by this particular subgroup, indicating an evolution in their attack methodologies and an increase in technical sophistication.
Inside the Infection Mechanism
The core infection method capitalizes on features within VSCode, a prevalent code editor. Attackers embed a malicious tasks.json configuration file within the coding assessment project sent to targets. This file enables VSCode to automate tasks based on editor events.
Critically, the threat actors configure this file with a runOn:"folderOpen" command. This ensures that the malware executes automatically the moment a developer simply opens the project folder in VSCode, requiring no suspicious clicks or manual code execution from the victim.
Beyond this, the actual source code files within the assessment also contain hidden malicious functions designed to activate when the developer runs the code normally. This serves as a secondary infection vector, providing a fallback for developers who might not use VSCode or have automated tasks disabled. These dual infection pathways significantly increase the probability of a successful compromise.
Once a system is compromised, the BeaverTail malware initiates the exfiltration of credentials from various sources, including web browsers, the macOS Keychain, Linux Keyring, and password managers like 1Password. A second component, OtterCookie, establishes a reverse shell, granting attackers direct remote access. Additionally, InvisibleFerret, a Python-based tool, also functions as a reverse shell.
Expel’s analysis of the group’s exposed C2 panels confirmed that these tools operate in concert, with BeaverTail handling credential theft while OtterCookie facilitates persistent system access.
What You Should Do
- Exercise Extreme Caution with External Code: Never execute code from unknown or unverified sources, even if presented as part of a job interview. Thoroughly review every file within a project, including hidden configuration files like
tasks.json, before running any code. - Disable Automatic Task Execution in VSCode: Navigate to your VSCode Settings and disable automatic task execution to prevent tasks from running simply by opening a folder.
- Utilize Code Auditing Tools: Employ AI-based or manual code auditing tools to scan any assessment source code for unusual functions, suspicious network calls, or obfuscated logic prior to execution.
- Implement Hardware Security Tokens: For cryptocurrency wallets, use hardware security tokens. Expel’s investigation confirmed these provide a significantly stronger defense against asset draining by threat actors.
- Verify Recruiter Identities Independently: Before engaging with any recruiter or accepting coding tasks, independently verify their identity and the legitimacy of the company. Cross-reference information with the company’s official website and contact them through verified channels, not just the initial contact method.
- Monitor for Suspicious Processes: Keep an eye out for unexpected NodeJS or Python processes establishing persistent outbound TCP connections, which could indicate active BeaverTail or OtterCookie malware on your system.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.