North Korean hackers are targeting LinkedIn jobseekers with new malware - here's how to stay safe

Hacker silhouette working on a laptop with North Korean flag on the background

(Image credit: Getty Images)

North Korean hackers are using LinkedIn to scam jobseekers
The fake job offers often promise well-paid remote work
But the victims are eventually infected with malware

A long-running campaign by notorious North Korean hacking group Lazarus has seen job hopefuls scammed in many different ways, including downloading malware disguised as interview software, fake coding tests, infostealers, and some companies have even accidentally hired North Korean hackers as remote IT workers.

Now, a new facet of the ‘Contagious Interview’ campaign has arisen, and this time, hackers are using LinkedIn to scam victims, research from Bitdefender warns.

LinkedIn can be a fantastic tool for professionals to network, and many businesses use the app to recruit new employees, and now, it turns out, so are the Lazarus group.

Malicious offers

The fake recruitment scams ultimately result in the victim being infected with malware, and the hackers tend to target jobseekers in high profile industries, like defense, aerospace, or engineering - looking to exfiltrate classified or sensitive information, or even corporate credentials.

The fake jobs researchers observed in these scams were often remote work, flexible and well paid, sometimes involving cryptocurrencies as payment. These are designed to be enticing offers, so be wary of anything that looks a little too good to be true.

Scammers will message a victim via LinkedIn, then requesting a CV or personal GitHub repository link (which could be used to harvest personal information). From there, the ‘recruiter’ shares a ‘feedback’ document, which infects the victim with malware.

There are some warning signs to look out for, like vague job descriptions, poor communications, and users without popper documentations. Make sure to vet any job offers, applications, and interview offers thoroughly - and don’t click any links from unknown sources.

In February 2025, Apple delivered a new patch on Xprotect, its on-device malware removal tool to block variants of the macOS ‘FerretFamily’ - which had been found disguised as Chrome or Zoom installers targeting applicants.

Take a look at our pick of the best antivirus software
Check out our recommendations for the best small business router picks around
“Everyone will experience a hack” - how incident response can protect your organization

Ellen has been writing for almost four years, with a focus on post-COVID policy whilst studying for BA Politics and International Relations at the University of Cardiff, followed by an MA in Political Communication. Before joining TechRadar Pro as a Junior Writer, she worked for Future Publishing’s MVC content team, working with merchants and retailers to upload content.