North Korea Tried to Hack Our CEO Through a Fake Job Interview on LinkedIn
How we caught Lazarus Group's BeaverTail malware red-handed — and reverse-engineered every stage of their attack
Christian Papathanasiou
March 5, 2026
20 min read
Confirmed State-Sponsored Attack
DPRK / Lazarus Group — "Contagious Interview" Campaign — BeaverTail Malware Family
TL;DR
• A "recruiter" on LinkedIn asked me to clone a repo and open it in VS Code for a "technical assessment"
• I got suspicious, told them to f**k off, then downloaded the repo in an isolated VM to investigate
• It was North Korean state-sponsored malware with 3 independent infection vectors that executes the moment you open the folder
• We captured and reverse-engineered 3 stages of the malware before the operators detected us and triggered a kill switch
• The endgame: steal your crypto wallets, browser passwords, SSH keys, env secrets — everything
1. The LinkedIn Message That Started It All
If you're a founder, CTO, or senior …