North Korean-linked crews connected to the pervasive IT worker scams have upped their malware game, using more advanced tools, including a backdoor that shares much of its code with malware that Pyongyang's infamous Lazarus Group deploys.
In a white paper [PDF] presented at Virus Bulletin 2025, ESET researchers Peter Kálnai and Matěj Havránek identified new links between DeceptiveDevelopment's malware and the Lazarus Group's PostNapTea RAT.
DeceptiveDevelopment, a North Korea-aligned group that has been active since at least 2023, overlaps with the Contagious Interview and WageMole campaigns, plus a gang that CrowdStrike tracks as Famous Chollima. Its members pose as recruiters, posting fake profiles on social media along the lines of Lazarus' Operation Dream Job, which tricked job seekers into cl