AI-Enhanced Lazarus Campaign Targets Crypto Developers

A North Korean hacking subgroup, known as HexagonalRodent, has launched a sophisticated campaign targeting software developers, particularly those involved with Web3 technologies. This operation involves tricking developers into downloading malware through phony job interviews and manipulated coding tests.

Fake Recruitment Tactics

The group, identified by cybersecurity firm Expel, is believed to be affiliated with the notorious Lazarus hacking collective. The attackers impersonate tech recruiters on platforms like LinkedIn, offering fake job opportunities. Developers expressing interest are given a coding challenge designed to surreptitiously install malware onto their systems.

These coding assessments appear legitimate but contain hidden malicious code. The primary objective is to steal cryptocurrency and NFTs, leading to the compromise of thousands of developer systems and exposing wallet keys worth millions in crypto assets.

Innovative Use of AI Tools

What differentiates this campaign from other North Korean cyber activities is its extensive application of AI technologies. Tools such as ChatGPT and Cursor are employed to craft malware, fabricate websites, and create fictitious corporate identities, enhancing the credibility of their schemes.

The campaign was uncovered by Expel analysts following an investigation into a BeaverTail malware incident in October 2025. This led to the discovery of an expansive network of command-and-control systems utilized by the hackers.

Targeting Developers Through VSCode Exploits

HexagonalRodent leverages the popularity of VSCode, a widely used code editor, to deliver its payload. By embedding a malicious tasks.json configuration file in coding projects, the malware activates upon opening the project, requiring no further action from the developer.

Moreover, the source code files themselves contain secondary infection mechanisms, ensuring a broad infection scope across different user scenarios. This strategy is compounded by a recent supply chain attack involving a compromised VSCode extension, further extending the group’s reach.

Security Measures and Recommendations

To mitigate such threats, Expel advises rigorous code inspections and disabling automatic task execution in VSCode. Additionally, developers should employ AI-based auditing tools and verify recruiter identities via official channels.

Adopting hardware security tokens for cryptocurrency wallets is also recommended, as these provide robust protection against unauthorized access. Monitoring for suspicious NodeJS or Python activities can help identify ongoing threats.

By implementing these protective strategies, developers can better safeguard their digital assets from the evolving tactics of cyber adversaries.