North Korean state-sponsored actors are leveraging artificial intelligence to fuel a sophisticated phishing campaign targeting software developers. This campaign, identified by cybersecurity firm Expel and attributed to a subgroup within the broader Lazarus hacking ecosystem, uses AI-powered techniques to create convincing fake job opportunities and malicious coding challenges designed to infect developer systems with malware.
The threat group, tracked as HexagonalRodent, has been actively recruiting developers through platforms like LinkedIn and fraudulent job boards. Upon attracting interest, they present developers with what appears to be a legitimate take-home coding assessment. However, these assignments are booby-trapped with malware embedded within the codebase and project configuration files. This elaborate scheme aims to steal cryptocurrency and non-fungible tokens (NFTs) from unsuspecting individuals within the Web3 development community.
AI-Assisted Lazarus Campaign Exploits Developers
The HexagonalRodent campaign demonstrates a notable evolution in the tactics employed by North Korean-linked cybercriminals. Unlike previous large-scale attacks on cryptocurrency exchanges, this subgroup is conducting high-volume, opportunistic assaults on individual developers. This approach capitalizes on the fact that many smaller Web3 projects and independent investors, while holding significant digital assets, may lack robust security infrastructures.
The malware, developed using generative AI tools like ChatGPT and Cursor, is written for Node.js and Python, runtimes that are already installed on most developers' machines, so its processes and dependencies blend in with legitimate tooling. This makes it considerably harder to spot on a developer's personal machine, where a stray `node` or `python` process is unremarkable. The threat actors have also employed AI to construct convincing fake company websites and generate fabricated leadership profiles, further enhancing the credibility of their fraudulent recruitment fronts.
Expel’s investigation into this campaign began in October 2025 following the discovery of BeaverTail malware on a customer network. This led to the uncovering of a sprawling network of command-and-control (C2) panels, associated infrastructure, and internal tracking systems utilized by the group. The financial motivations behind North Korean cyber activities are well-documented, and this campaign appears to be another manifestation of the regime’s efforts to acquire foreign currency.
Adding to the concern, researchers have identified that HexagonalRodent successfully executed a supply chain attack in early 2026. A popular VSCode extension known as “fast-draft” was compromised and subsequently used to distribute malware named OtterCookie. This marks the first confirmed instance of this specific subgroup engaging in supply chain compromises, indicating a progression in their attack methodologies and a growing level of technical sophistication.
Inside the Infection Mechanism: A Dual-Layered Approach
The primary infection vector abuses a legitimate feature of Visual Studio Code (VS Code), a widely adopted code editor. A `tasks.json` file under the project's `.vscode` directory declares build and helper tasks, and a task whose `runOptions.runOn` is set to `folderOpen` is started by VS Code as soon as the folder is opened. The attackers ship such a task inside the coding assessment, pointed at their loader, so the malware runs the moment the candidate opens the project. The only thing VS Code asks is whether to trust the workspace, a prompt a candidate who has just been sent the project will naturally accept; nothing is ever presented to the developer as code to run.
This automated execution serves as the initial entry point. The malicious code is, however, also embedded within the actual source files of the assessment, providing a secondary infection route that fires if the developer uses another IDE, has disabled automatic tasks, or declines the workspace-trust prompt and later runs the project. The combination of the two routes significantly increases the likelihood of compromise, irrespective of how the developer interacts with the project files.
Once a system is infected, the BeaverTail malware family begins its operation by exfiltrating sensitive credentials. This includes information stored in web browsers, the macOS Keychain, Linux Keyring, and popular password managers such as 1Password. This credential harvesting is crucial for gaining access to other accounts and potentially further sensitive data.
Complementing BeaverTail, a component known as OtterCookie functions as a reverse shell, granting the attackers direct remote access to the compromised machine. A third tool, InvisibleFerret, also a reverse shell written in Python, further bolsters the attackers’ control. Expel’s analysis of the group’s exposed C2 infrastructure confirms that these tools operate in concert, with BeaverTail focusing on initial data exfiltration and OtterCookie maintaining persistent access and enabling further malicious activities.
Security experts and Expel strongly recommend that developers implement several key precautions to safeguard themselves against such threats. Never execute code received from unknown sources, even in the context of a job interview, without reviewing every file, including hidden configuration files such as `.vscode/tasks.json`, `package.json` scripts and any `postinstall` hooks. Setting `task.allowAutomaticTasks` to `off` in VS Code's user settings prevents folder-open tasks from starting at all, and declining the workspace-trust prompt for an unfamiliar project has the same effect.
Furthermore, scanning assessment source code, with AI-assisted auditing tools or a plain grep, for unusual functions, decoding of embedded blobs and unexpected network communications before running anything is advisable. For those involved in cryptocurrency, keeping signing keys on a hardware wallet has proven to be a significant deterrent against fund exfiltration, as confirmed by the Expel investigation, since stolen browser or keychain data alone cannot move the funds. Developers should also independently verify the identities of recruiters by cross-referencing information with official company websites and using verified contact channels before agreeing to any coding tasks.
Finally, vigilance regarding system processes is key. Developers should monitor for unexpected `node` or `python` processes that hold long-lived outbound TCP connections, as these could indicate active BeaverTail or OtterCookie activity. The ongoing threat landscape necessitates continuous awareness and proactive security measures for all individuals involved in software development.
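The two infection routes described under "Inside the Infection Mechanism" and the review habit recommended above can be turned into a small pre-flight check. The script below is an added example, not Expel's tooling and not code from the campaign: it flags any task in `.vscode/tasks.json` that VS Code starts on folder open and greps the project's source files for loader-style patterns (the `child_process` module, `eval`/`new Function`, base64 decoding, long encoded string literals). The sample project it builds in a temporary directory, including the file names and the payload shape in `setup.js`, is constructed for the demonstration; `HARDENED_USER_SETTINGS` is the user setting that disables the primary route.

```python
"""Pre-flight check for a take-home assessment: auto-run tasks and loader patterns.

Added example, not Expel's tooling. The sample project (tasks.json, scripts/setup.js,
src/index.js) is constructed for the demo; its file names and payload shape are
illustrative, not taken from the campaign.
"""
from __future__ import annotations
import json
import re
import tempfile
from pathlib import Path

AUTO_RUN = "folderOpen"  # runOptions.runOn value that VS Code fires on folder open

# Crude indicators for the secondary route (payload hidden in ordinary source files).
SUSPICIOUS_PATTERNS = {
    "child_process": re.compile(r"""require\(\s*['"]child_process['"]\s*\)|from\s+['"]child_process['"]"""),
    "eval_or_function_ctor": re.compile(r"\beval\s*\(|new\s+Function\s*\("),
    "base64_decode": re.compile(r"""Buffer\.from\([^)]*['"]base64['"]\)|\batob\s*\("""),
    "long_encoded_blob": re.compile(r"""['"][A-Za-z0-9+/=]{200,}['"]"""),
    "python_exec_or_fetch": re.compile(r"\bexec\s*\(|urllib\.request\.urlopen|subprocess\.Popen"),
}
SOURCE_SUFFIXES = {".js", ".mjs", ".cjs", ".ts", ".py"}

# VS Code user setting that stops folder-open tasks from running at all.
HARDENED_USER_SETTINGS = {"task.allowAutomaticTasks": "off"}


def _strip_jsonc(text: str) -> str:
    """tasks.json is JSON-with-comments; drop /* */ and // comments before parsing."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"^\s*//.*$", "", text, flags=re.M)


def auto_run_tasks(tasks_json_text: str) -> list[dict]:
    """Tasks VS Code will start as soon as the folder is opened and trusted."""
    data = json.loads(_strip_jsonc(tasks_json_text))
    return [
        {"label": t.get("label"), "command": t.get("command"), "args": t.get("args", [])}
        for t in data.get("tasks", [])
        if t.get("runOptions", {}).get("runOn") == AUTO_RUN
    ]


def scan_source(root: Path) -> list[tuple[str, str]]:
    """(indicator, relative path) for every source file that trips a pattern."""
    hits = []
    for f in root.rglob("*"):
        if f.suffix not in SOURCE_SUFFIXES or not f.is_file():
            continue
        text = f.read_text(errors="ignore")
        rel = f.relative_to(root).as_posix()
        hits.extend((name, rel) for name, rx in SUSPICIOUS_PATTERNS.items() if rx.search(text))
    return sorted(hits)


def scan_project(root: Path) -> dict:
    tasks_file = root / ".vscode" / "tasks.json"
    auto = auto_run_tasks(tasks_file.read_text()) if tasks_file.exists() else []
    return {"auto_run_tasks": auto, "source_findings": scan_source(root)}


# --- constructed sample project -------------------------------------------------
_SAMPLE_TASKS_JSON = """{
  // constructed: a "setup" task that VS Code starts on folder open, output hidden
  "version": "2.0.0",
  "tasks": [
    {
      "label": "install dependencies",
      "type": "shell",
      "command": "node",
      "args": ["scripts/setup.js"],
      "runOptions": { "runOn": "folderOpen" },
      "presentation": { "reveal": "never" }
    },
    { "label": "test", "type": "shell", "command": "npm", "args": ["test"] }
  ]
}
"""
# constructed loader shape: decode an embedded blob and evaluate it
_SAMPLE_SETUP_JS = (
    "const cp = require('child_process');\n"
    "const blob = '" + "QUJD" * 60 + "';\n"
    "eval(Buffer.from(blob, 'base64').toString());\n"
)
_SAMPLE_INDEX_JS = "module.exports = (a, b) => a + b;\n"  # benign control file


def build_sample_project(root: Path) -> None:
    (root / ".vscode").mkdir(parents=True)
    (root / ".vscode" / "tasks.json").write_text(_SAMPLE_TASKS_JSON)
    (root / "scripts").mkdir()
    (root / "scripts" / "setup.js").write_text(_SAMPLE_SETUP_JS)
    (root / "src").mkdir()
    (root / "src" / "index.js").write_text(_SAMPLE_INDEX_JS)


def demo() -> dict:
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        build_sample_project(root)
        return scan_project(root)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Point `scan_project()` at the unpacked assessment before opening it in an editor. A hit on `auto_run_tasks` is not always malicious (some projects legitimately start a watcher on open), but every such task should be read and its command understood; the source patterns are heuristics meant to direct attention, not a verdict, and a clean result does not clear a project that also ships `package.json` install hooks or native modules.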
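A single process listing cannot show that a connection is persistent, so the practical version of the check above is to take two snapshots some time apart and keep only the interpreter processes whose same remote session appears in both. The script below is an added example, not Expel's detection content: it parses `ss -tnp` output (Linux; on macOS use `lsof -nP -iTCP -sTCP:ESTABLISHED` and adapt the row regex), ignores loopback and RFC 1918 peers that normal dev tooling talks to, and reports `node`/`python` processes that held the same non-local session across both snapshots. The two snapshots, their addresses and pids are constructed for the demo.

```python
"""Flag Node.js/Python processes holding long-lived outbound TCP sessions.

Added example, not Expel's detection content. Parses `ss -tnp` output from two
points in time and keeps interpreter processes whose non-local session is present
in both. SNAPSHOT_T0 / SNAPSHOT_T60 below are constructed sample output.
"""
from __future__ import annotations
import ipaddress
import re

SUSPECT_RUNTIMES = {"node", "python", "python3"}

# Peers in these ranges are normal for dev tooling (local servers, LAN); skip them.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7")]

# One `ss -tnp` row; users:(...) may list several owners, the first is taken.
SS_ROW = re.compile(
    r'^(?P<state>\S+)\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<peer>\S+)\s+'
    r'users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+),fd=\d+\)')


def split_addr(addrport: str) -> tuple[str, int]:
    host, port = addrport.rsplit(":", 1)   # handles [::1]:3000 as well as 1.2.3.4:80
    return host.strip("[]"), int(port)


def is_local(host: str) -> bool:
    ip = ipaddress.ip_address(host)
    return any(ip in net for net in LOCAL_NETS)


def parse_ss(text: str) -> list[dict]:
    rows = []
    for line in text.splitlines():
        m = SS_ROW.match(line.strip())
        if m:
            rows.append({"state": m["state"], "proc": m["proc"],
                         "pid": int(m["pid"]), "peer": m["peer"]})
    return rows


def persistent_suspects(snap_a: str, snap_b: str) -> list[dict]:
    """Interpreter processes with the same established non-local peer in both snapshots."""
    def keyset(rows):
        return {(r["proc"], r["pid"], r["peer"]) for r in rows
                if r["state"] == "ESTAB" and r["proc"] in SUSPECT_RUNTIMES
                and not is_local(split_addr(r["peer"])[0])}
    common = keyset(parse_ss(snap_a)) & keyset(parse_ss(snap_b))
    return [{"proc": p, "pid": pid, "peer": peer} for p, pid, peer in sorted(common)]


# --- constructed `ss -tnp` snapshots, 60 s apart --------------------------------
SNAPSHOT_T0 = """\
State Recv-Q Send-Q Local Address:Port   Peer Address:Port Process
ESTAB 0      0      192.168.1.20:51234   203.0.113.7:5555  users:(("node",pid=4321,fd=19))
ESTAB 0      0      127.0.0.1:3000       127.0.0.1:54022   users:(("node",pid=2210,fd=22))
ESTAB 0      0      192.168.1.20:51300   198.51.100.2:443  users:(("code",pid=1800,fd=40))
ESTAB 0      0      192.168.1.20:51400   203.0.113.9:8080  users:(("python3",pid=5100,fd=5))
"""
SNAPSHOT_T60 = """\
State Recv-Q Send-Q Local Address:Port   Peer Address:Port Process
ESTAB 0      0      192.168.1.20:51234   203.0.113.7:5555  users:(("node",pid=4321,fd=19))
ESTAB 0      0      127.0.0.1:3000       127.0.0.1:54022   users:(("node",pid=2210,fd=22))
ESTAB 0      0      192.168.1.20:51300   198.51.100.2:443  users:(("code",pid=1800,fd=40))
"""


def demo() -> list[dict]:
    # node pid 4321 keeps its session to 203.0.113.7 across both snapshots;
    # the loopback dev server, the editor itself and the short-lived python3 fetch are not flagged.
    return persistent_suspects(SNAPSHOT_T0, SNAPSHOT_T60)


if __name__ == "__main__":
    for s in demo():
        print(f"{s['proc']} (pid {s['pid']}) kept a session to {s['peer']} across both snapshots")
```

In use, `ss -tnp > a.txt; sleep 60; ss -tnp > b.txt` and feed both files to `persistent_suspects()`. Anything it reports should be tied back to a process you started on purpose (a dev server, a package install); a `node` process you cannot account for, holding a session to an address you do not recognise, is the signal the advice above is pointing at and warrants pulling the machine off the network rather than just killing the process.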