North Korean-Linked Graphalgo Campaign Uses Fake Job Tests to Spread Malware
JAKARTA - A cyber campaign linked to a North Korean threat actor has been found using fake job postings to spread malware to software developers. The operation, tracked as Graphalgo, is reported to target JavaScript and Python developers, especially those with experience in the crypto field.
A report from ReversingLabs states that the campaign has been active since May 2025. The perpetrators posed as blockchain and cryptocurrency trading companies, then posted fake job ads on platforms such as LinkedIn, Facebook, and Reddit.
Interested applicants are asked to complete a technical test as part of the recruitment process. The task usually takes the form of debugging or improving a sample project that looks legitimate and professional. Hidden in the project, however, are malicious dependencies that the attackers published to trusted registries such as npm and PyPI.
When the victim runs the project, the malicious dependency installs a remote access trojan (RAT) on the system. The malware gives the perpetrators full control over the infected device without the victim's knowledge.
According to the findings, at least 192 malicious packages are linked to the Graphalgo operation. In one case, the package named bigmathutils was clean until version 1.1.0, when a malicious payload was injected. The package was later removed to avoid further detection.
The installed RAT is capable of a range of dangerous activities, including listing running processes, executing arbitrary commands, exfiltrating files, and downloading and running additional payloads. The malware also checks for the presence of the MetaMask crypto wallet extension in the victim's browser, pointing to the financial motive behind the attack.
Communication between the malware and its command-and-control server uses a token-based authentication scheme, which makes it harder for security systems to monitor the traffic from the outside.
Cyber security experts assess that the Graphalgo operation is most likely linked to the Lazarus group, a hacking group long associated with North Korea and known for social engineering attacks and fake job vacancy schemes.
The case is another reminder for developers to thoroughly verify packages and dependencies before installing them, including checking version history, publisher reputation, and suspicious update activity in software repositories.
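The checks recommended above can be automated against registry metadata before a take-home project is ever run. The script below is an added illustration for this article, not ReversingLabs' tooling and not the real bigmathutils package: it reads a registry document in the shape the public npm registry returns (the `versions`, `time` and `dist-tags` fields), flags a release that suddenly adds install-time lifecycle scripts or new dependencies, and computes a "quarantine pin" (the newest version older than a waiting period) so a brand-new release is not pulled in blindly. The package data is constructed to mirror the pattern described in the article: clean releases, then a version that ships an install hook. The `some-helper-lib` dependency and all timestamps are made up.

```python
"""Audit npm-style registry metadata for supply-chain warning signs.

Added example, not the article's or ReversingLabs' code. The document shape
(``versions``, ``time``, ``dist-tags``) follows the public npm registry; the
package contents below are CONSTRUCTED and do not describe any real release.
"""
from datetime import datetime, timedelta, timezone

# Constructed registry document: two quiet releases, then 1.1.0 adds a
# postinstall hook and a new dependency (the pattern the article describes).
REGISTRY_DOC = {
    "name": "bigmathutils",
    "dist-tags": {"latest": "1.1.0"},
    "time": {
        "created": "2025-05-02T10:00:00.000Z",
        "1.0.0": "2025-05-02T10:00:00.000Z",
        "1.0.1": "2025-05-09T12:30:00.000Z",
        "1.1.0": "2025-06-20T03:15:00.000Z",
    },
    "versions": {
        "1.0.0": {"dependencies": {}, "scripts": {"test": "node test.js"}},
        "1.0.1": {"dependencies": {}, "scripts": {"test": "node test.js"}},
        "1.1.0": {
            "dependencies": {"some-helper-lib": "^2.0.0"},  # hypothetical name
            "scripts": {"test": "node test.js", "postinstall": "node setup.js"},
        },
    },
}

# npm runs these scripts automatically during `npm install`.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def _parse_time(stamp):
    """Parse an npm registry timestamp into an aware UTC datetime."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def version_order(doc):
    """Return version strings sorted by publish time (oldest first)."""
    times = {v: _parse_time(t) for v, t in doc["time"].items() if v in doc["versions"]}
    return sorted(times, key=times.get)


def _hooks(meta):
    return sorted(h for h in LIFECYCLE_HOOKS if h in meta.get("scripts", {}))


def audit(doc):
    """Return (version, reason) findings for releases that change install behaviour."""
    findings = []
    prev = None
    for version in version_order(doc):
        meta = doc["versions"][version]
        hooks = _hooks(meta)
        if prev is None:
            if hooks:
                findings.append((version, f"first release ships install-time script(s): {hooks}"))
        else:
            prev_meta = doc["versions"][prev]
            new_hooks = sorted(set(hooks) - set(_hooks(prev_meta)))
            if new_hooks:
                findings.append((version, f"adds install-time script(s): {new_hooks}"))
            new_deps = sorted(set(meta.get("dependencies", {})) - set(prev_meta.get("dependencies", {})))
            if new_deps:
                findings.append((version, f"adds new dependencies: {new_deps}"))
        prev = version
    return findings


def quarantine_pin(doc, now, days=14):
    """Newest version published at least `days` ago, or None if every release is too fresh."""
    cutoff = now - timedelta(days=days)
    eligible = [v for v in version_order(doc) if _parse_time(doc["time"][v]) <= cutoff]
    return eligible[-1] if eligible else None


if __name__ == "__main__":
    now = datetime(2025, 6, 25, tzinfo=timezone.utc)  # constructed "today"
    for version, reason in audit(REGISTRY_DOC):
        print(f"[{REGISTRY_DOC['name']}@{version}] {reason}")
    print("latest tag:", REGISTRY_DOC["dist-tags"]["latest"])
    print("quarantine pin:", quarantine_pin(REGISTRY_DOC, now))
```

In practice the document would come from `https://registry.npmjs.org/<package>` for each dependency in the test project's `package.json` (or the equivalent PyPI JSON API for Python projects). A release that both adds an install hook and a new dependency is exactly the kind of change the audit surfaces for manual review; pinning to the quarantined version, or installing with `npm install --ignore-scripts`, keeps the newest release from executing anything until it has been looked at.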