Beware — that dream job offer could be malware sent by Iranian hackers

An image of network security icons for a network encircling a digital blue earth.

(Image credit: Shutterstock) (Image credit: Shutterstock)

Iranian state-sponsored actors are targeting aerospace pros with fake jobs
The goal is to install backdoors and exfiltrate important data
The style mimics that of Lazarus, a known North Korean actor

Iranian state-sponsored hackers have been observed targeting victims in the aerospace industry with fake job offers, which resulted in the deployment of the SnailResin malware, as part of their cyber-espionage campaign.

Cybersecurity researchers at ClearSky revealed how the threat actor, known as TA455, created fake recruitment sites, and fake profiles on social media sites such as LinkedIn. After that, they would approach their targets, and get them to download files as part of the onboarding process.

Among the files was SnailResin, a piece of malware that acts as a loader for the SlugResin backdoor, capable of data exfiltration, command-and-control (C2) communication, and persistence on victim systems.

Iranians? Or North Koreans? Or both?

The campaign, dubbed “Dream Job” started in September 2023, if not earlier, ClearSky noted.

TA455 is a well-known cyberespionage group, linked with Iran's Islamic Revolutionary Guard Corps (IRGC), and shares similarities with other groups like APT35 and TA453. Besides the aerospace industry, TA455 was seen targeting defense, and government entities, in the Middle East, Europe, and the US. Its goal, for the most part, is cyber-espionage, gathering sensitive information for geopolitical intelligence purposes.

What makes this campaign particularly interesting is the fact that it mimics the style of Lazarus, a North Korean state-sponsored group. Fake job attacks are basically synonymous with Lazarus at this point, as they were used in some of the most destructive campaigns against firms in the crypto industry. At this point, ClearSky doesn’t know if TA455 is mimicking Lazarus, tries to hide behind the group, or is in cooperation with them.

“The similar “Dream Job” lure, attack techniques, and malware files suggest that either Charming Kitten was impersonating Lazarus to hide its activities, or that North Korea shared attack methods and tools with Iran,” they said.

In any case, be careful when getting new job offers, especially if they sound too good to be true.

North Korean Lazarus hackers are using a fake coding test to steal passwords
Here's a list of the best firewalls today
These are the best endpoint protection tools right now

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.