Hundreds of people were hacked between March and June this year by North Korean hackers posing as recruiters or job seekers, cybersecurity researchers warn. They abuse Western cyber intelligence platforms and other commercial tools when carrying out cyberattacks.

Several North Korean hackers’ servers that were unintentionally exposed leaked their logs, helping identify over 230 individuals hacked by fake recruiters. And those servers were only a part of the attackers’ infrastructure.

“The actual number is likely much higher,” the researchers at SentinelLabs said in a new report.

“Given the continuous success of their campaigns in engaging targets, it may be more pragmatic and efficient for the threat actors to deploy new infrastructure rather than maintain existing assets.”

The hackers’ goal in making fake job offers is to steal cryptocurrency assets. Accordingly, most of the affected individuals work in roles related to blockchain technologies, primarily within the marketing and finance sectors. The victims are spread widely across the world.

SentinelLabs shared rare insights into how these hackers operate. They use Slack for real-time collaboration and abuse major cyber intelligence platforms as an early warning system for their own infrastructure.

How does the attack work?

The malicious campaigns, dubbed “Contagious Interview,” were first used in 2023 by Lazarus, a North Korean state-sponsored umbrella group. They have since expanded into a cluster of campaigns that abuse various social engineering tactics to trick targets into executing malware.

“This supports North Korea’s efforts in evading sanctions and generating illicit revenue for financing its projects, including missile programmes,” SentinelLabs explains.

In recent attacks, the hackers mostly relied on fake CAPTCHA tests to trick victims into running malware themselves, a technique known as ClickFix.

Targeted job seekers usually receive an invitation to take part in a job application process. The cybercrooks direct them to a lure website, where they are prompted to complete a skill assessment. Fabricated error messages or other tricks are then used to instruct them to copy and paste malicious scripts.

OPSEC failures reveal the use of Western infrastructure

The research unveils concerning abuses of various intelligence sources to identify vulnerabilities and exposed infrastructure.

Validin, a cyber intelligence platform for tracking threats, adversaries, DNS history, and other data, has already blocked many of the hackers’ accounts. The attackers abused it to monitor when their infrastructure was exposed or flagged. They also used the platform to look for additional domains that were not yet labeled as malicious.

For example, the threat actors check the status of domain names related to hiring that are available for purchase. Later, they monitor the acquired infrastructure for any indicators of detection.

The researchers observed “multiple instances” of errors, including the unintended exposure of files and web root directory contents, which indicate poor OPSEC practices.

Similarly, the North Korean hackers likely rely on VirusTotal to see which of their malware samples have already been identified. They also use Maltrail, an open-source list of known malicious domains and IP addresses, as an early warning system.

“North Korean threat groups actively examine Cyber Threat Intelligence (CTI) information to identify threats to their operations and improve the resilience and effectiveness of their campaigns, depending on their operational priorities,” SentinelLabs said.

What do they do once they are detected? They just move somewhere else.

The report found that “threat actors do not implement systematic changes to their infrastructure based on the CTI information they consume from multiple sources, which could make their operations harder to detect or disrupt.”

“The threat actors rapidly deployed new infrastructure in response to service provider takedowns.”

This is likely explained by competitive pressures stemming from revenue quotas set by the authoritarian regime – teams aren’t incentivised to implement centrally coordinated large-scale updates.

Strong indicators – Slack Bot requests – suggest that the hackers operate in coordinated teams and use Slack for real-time collaboration. They were observed sharing and accessing URLs using the platform.

The exposed assets helped researchers close many accounts and disrupt operations by identifying fake recruitment websites, dozens of email addresses, IP addresses, malware distribution servers, and other indicators of compromise.