Crypto Industry Hit by North Korean “BeaverTail” Malware Campaign

23-Sep-2025

North Korean hackers target the crypto sector with BeaverTail malware, using fake job offers to steal login credentials and crypto wallets.

North Korean hackers have expanded their cyberattacks on the cryptocurrency sector, deploying a sophisticated malware known as BeaverTail through fake job offers. This new campaign, targeting non-developers, marks a shift in tactics for the hackers, who previously focused on tech-savvy professionals. 

The malware aims to steal login credentials and cryptocurrency wallet information from unsuspecting victims. Experts warn that the malware is harder to detect due to its use of disguised files and password-protected archives.

Fake Job Offers Used to Spread BeaverTail Malware

The latest wave of attacks involves North Korean threat actors using fake job offers to lure individuals into running malicious software. The hackers target people seeking marketing, sales, and trading roles in the cryptocurrency and retail sectors, rather than software developers.

These fake offers often instruct potential candidates to record video assessments to fix non-existent issues with their microphone or camera. When the victim follows the instructions, malware is deployed on their device.

This method, known as ClickFix social engineering, is designed to trick victims into executing malware without suspecting anything is wrong. Once the malware is installed, it quietly runs in the background, stealing sensitive data like login credentials and cryptocurrency wallet information. Experts warn that non-technical individuals are particularly vulnerable to this type of attack since they may not recognize the risks associated with downloading unverified software.

How BeaverTail Malware Operates

BeaverTail malware, which was first exposed in 2023 by Palo Alto Networks, acts as an information stealer and a downloader for a Python-based backdoor known as InvisibleFerret.

The malware is written in JavaScript and is typically delivered via fake job applications or malicious software packages. The most recent iteration of BeaverTail is designed to be easier to execute, without requiring victims to have any programming knowledge.

Unlike previous versions that targeted specific browser extensions and required specific programming tools, the latest variant of BeaverTail is bundled with seemingly harmless decoy files. These decoy files might appear to be legitimate software, making it harder for security software to detect the malware. Additionally, the malware is often hidden inside password-protected archives, which adds an extra layer of difficulty in identifying the threat.

Growing Threat to the Crypto Sector

North Korea has been actively targeting the cryptocurrency industry for years, with previous campaigns aimed at stealing funds and gathering intelligence. The use of fake job applications to distribute malware represents an evolution in their approach, expanding their focus beyond software developers to include a wider range of cryptocurrency workers.

Cybersecurity experts stress the importance of caution when receiving unsolicited job offers or instructions to run software from untrusted sources. Users are advised to avoid downloading software from unverified platforms, especially software that requests access to system resources or asks for personal information.

The crypto industry continues to be a prime target for North Korean hackers, with their persistence and adaptability posing a growing risk. According to GitLab researcher Oliver Smith, “The campaign suggests a shift in targeting strategy, aiming at marketing and trading roles across the cryptocurrency and retail sectors.” As the attackers refine their tactics, vigilance remains crucial in protecting sensitive data from cybercriminals.

The post Crypto Industry Hit by North Korean “BeaverTail” Malware Campaign appeared first on Live Bitcoin News.
