Security Experts:

Connect with us

Hi, what are you looking for?



North Korean Hackers Use Fake Job Offers to Deliver New macOS Malware

Researchers with cybersecurity company ESET have observed a new macOS malware sample developed by the infamous North Korean advanced persistent threat (APT) actor Lazarus.

Researchers with cybersecurity company ESET have observed a new macOS malware sample developed by the infamous North Korean advanced persistent threat (APT) actor Lazarus.

Believed to be backed by the North Korean government, Lazarus has been active since at least 2009, orchestrating various high-profile attacks, including numerous assaults on cryptocurrency entities.

Also referred to as Hidden Cobra, Lazarus is believed to comprise multiple subgroups, the activities of which often overlap, the same as their tools.

Over the past couple of years, Lazarus has been targeting various entities – including defense and governmental organizations and companies in the chemical sector – with fake job offers and sophisticated social engineering.

ESET now warns that Lazarus is once again relying on fake job offerings for the distribution of malware, as a continuation of an attack detailed in May, which relied on similar decoy documents for the distribution of Windows and macOS malware.

“A signed Mac executable disguised as a job description for Coinbase was uploaded to VirusTotal from Brazil. This is an instance of Operation In(ter)ception by #Lazarus for Mac,” ESET said on Twitter.

Targeting both Intel and Apple chips, the malware was designed to drop three files on the victim’s machine, including a decoy PDF document, a bundle package, and a downloader named ‘safarifontagent’.

The bundle has a signing timestamp of July 21, which suggests that it was built to be part of a new instance of the campaign. The certificate used to sign it, however, was issued in February 2022 to developer ‘Shankey Nohria’.

“The application is not notarized and Apple has revoked the certificate on August 12,” ESET notes.

According to the security firm, the downloader was designed to reach out to a remote command-and-control (C&C) server, but the researchers could not retrieve a payload from it.

Earlier this month, security researchers observed a Windows counterpart of the malware, which would drop the exact same decoy document.

Related: US Offers $10 Million for Information on North Korean Hackers

Related: U.S. Details North Korean Malware Used in Attacks on Defense Organizations

Related: North Korea Lazarus Hackers Blamed for $100 Million Horizon Bridge Heist

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.