North Korean Lazarus hackers are targeting nuclear workers

Posted by:
Sarah Collins
Wed, 25 Dec

Kaspersky has uncovered new developments in the Lazarus DreamJob campaign, revealing that cybercriminals targeted two employees at a nuclear-related company with updated malware in an attempt to gain unauthorized access.

The notorious Lazarus Group, associated with the North Korean government, has been observed targeting IT professionals at the same nuclear-related organization with fresh strains of malware. This series of attacks appears to be an extension of Operation DreamJob, also known as Deathnote, initiated in 2020. The attackers would pretend to offer lucrative job opportunities in defense, aerospace, cryptocurrency, and other sectors globally, using social media platforms like LinkedIn. During the “interview” process, victims would be exposed to malware or trojanized remote access tools.

The main objective of this campaign is to acquire sensitive information or cryptocurrency. In the recent incident, Lazarus utilized malicious remote access tools to infect two individuals with CookieTime malware, enabling the threat actors to execute commands on the compromised system. This allowed them to traverse the network and download various malware strains, including LPEClient, Charamel Loader, ServiceChanger, and an updated version of CookiePlus, a new plugin-based malicious program recently discovered by Kaspersky.

The attacks occurred in January 2024, underscoring Lazarus as a significant cyber threat originating from North Korea. This information was reported by The Hacker News.
