Famous Chollima APT hackers are targeting job applicants and organisations to distribute JavaScript-based malware.
The North Korean-linked Famous Chollima APT group has emerged as a sophisticated threat actor, orchestrating targeted campaigns against job seekers and organisations through deceptive recruitment processes. Active since December 2022, this advanced persistent threat has developed a multi-stage attack methodology that exploits the trust inherent in professional networking and job-seeking activities. The group’s operations mark a significant evolution in social engineering tactics, leveraging the vulnerability of individuals seeking employment to establish footholds within target organisations. The campaign begins with attackers posing as legitimate recruiters or hiring managers who invite potential victims to online interviews. During these seemingly authentic interactions, conducted over video conferencing platforms, the threat actors manipulate targets into downloading and installing malicious NPM packages hosted in GitHub repositories.
The attackers present these packages as legitimate software requiring technical evaluation or code review, effectively weaponising the standard practices of software development interviews. Offensive Security Engineer Abdulrehman Ali identified the malware’s complex infection chain, noting that the group strategically targets software developers and IT professionals who possess both technical expertise and potential access to sensitive organisational resources. The campaign’s effectiveness stems from its exploitation of two key demographic vulnerabilities: recently laid-off employees who may retain access credentials to former employers, and active professionals seeking freelance opportunities alongside their primary employment. The delivery mechanism abuses GitHub’s trusted infrastructure, turning the platform into an unwitting distribution network for malicious payloads. The attackers create repositories containing NPM packages embedded with obfuscated JavaScript code designed to deploy the InvisibleFerret backdoor, which establishes persistent command-and-control communication over TCP connections with traffic obfuscated using XOR encryption.
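A defender-side triage check for the delivery mechanism described above, added here as an example and not code from the article or from the researcher cited. It assumes a cloned package is represented as its parsed package.json plus a map of JavaScript sources, and flags the traits the article names (lifecycle install hooks, obfuscated strings, constant-key XOR, network and process modules); the sample inputs are constructed, not real campaign artefacts.

```python
import math
import re
# Constructed sample inputs (not artefacts from the campaign): a package.json with a
# lifecycle hook plus a source file showing obfuscation traits, and a benign pair.
SUSPICIOUS_PKG = {"name": "code-review-task", "version": "1.0.0",
                  "scripts": {"postinstall": "node ./lib/setup.js"}}
SUSPICIOUS_SRC = (
    "var _0x4f=['\\x63\\x68\\x69\\x6c\\x64\\x5f\\x70\\x72\\x6f\\x63\\x65\\x73\\x73'];"
    "var net=require('net');"
    "eval(Buffer.from('dmFyIGE9MTtjb25zb2xlLmxvZyhhKQ==','base64').toString());"
    "var k=0x5a;function x(b){return b.map(function(c){return c^k;});}"
)
BENIGN_PKG = {"name": "pad-demo", "version": "1.0.0", "scripts": {"test": "node test.js"}}
BENIGN_SRC = "module.exports = function pad(s, n) { return s.padStart(n); };"
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "preuninstall", "postuninstall")
RISKY_MODULES = ("child_process", "net", "fs", "os")

def shannon_entropy(s: str) -> float:
    """Bits per character; base64 or hex blobs score well above readable code."""
    if not s:
        return 0.0
    probs = [s.count(c) / len(s) for c in set(s)]
    return -sum(p * math.log2(p) for p in probs)

def source_findings(src: str) -> list:
    """Heuristic indicators of obfuscated or loader-style JavaScript in one file."""
    findings = []
    if re.search(r"\beval\s*\(|new\s+Function\s*\(", src):
        findings.append("dynamic code execution (eval/new Function)")
    if len(re.findall(r"\\x[0-9a-fA-F]{2}", src)) >= 8:
        findings.append("hex-escaped string literals")
    blobs = [m for m in re.findall(r"'([A-Za-z0-9+/=]{24,})'", src) if shannon_entropy(m) > 4.0]
    if blobs:
        findings.append(f"{len(blobs)} high-entropy string literal(s)")
    # Constant-key XOR loops are a common way to hide strings and C2 traffic.
    if re.search(r"\b0x[0-9a-fA-F]+\b", src) and re.search(r"\^\s*\w", src):
        findings.append("XOR arithmetic with a constant key")
    mods = [m for m in RISKY_MODULES if re.search(rf"require\(['\"]{m}['\"]\)", src)]
    if mods:
        findings.append("requires " + ", ".join(mods))
    return findings

def audit_package(pkg: dict, sources: dict) -> list:
    """Findings for a parsed package.json and a {path: source} map of its JS files."""
    findings = [f"lifecycle hook {h!r} runs: {cmd}" for h, cmd in pkg.get("scripts", {}).items()
                if h in LIFECYCLE_HOOKS]
    for path, src in sources.items():
        findings.extend(f"{path}: {f}" for f in source_findings(src))
    return findings
```

Run it against a package before `npm install` executes any of its scripts; a single hit is not proof of malice, but a lifecycle hook combined with eval and network access in a "code review" task warrants refusing the install.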