
Lazarus Group Targets Job Seekers with Fake Coinbase Offers: How to Defend Against APT Social Engineering in 2026

The North Korean Lazarus Group has launched a malware campaign targeting job seekers by leveraging fake job descriptions for prominent companies like Coinbase. This sophisticated social engineering tactic aims to infect Macs on both Intel and M1 chipsets, using a Mach-O executable disguised as a PDF. Here’s what you need to know.

Ozan Ucar, Founder and CEO of Keepnet

Lazarus Group's New Malware Campaign Targets Job Seekers on Macs

In a striking example of social engineering, North Korea's Lazarus Group targeted job seekers in the cryptocurrency and technology sectors with malware disguised as job offer documents. First documented in 2022, this campaign technique has continued and expanded through 2025 under various names including Operation Dream Job and Operation In(ter)ception. By 2026, Lazarus Group is one of the most active and financially motivated state-sponsored threat actors globally, having stolen an estimated $3 billion in cryptocurrency between 2017 and 2023 according to UN panel reports. The job offer lure remains one of their most reliable initial access techniques because it exploits natural job-seeking behavior and provides a plausible reason for opening an unsolicited document.

The Evolution of Lazarus Group’s Tactics

Lazarus Group is infamous for targeting specific sectors with advanced persistent threats. In recent years, the group has expanded from financial institutions and cryptocurrency exchanges to defense contractors, cybersecurity firms, and technology companies across Europe, Asia, and North America. Their tactics have evolved to include supply chain compromises, trojanized developer tools, and multi-stage infection chains that are difficult to detect at each individual stage. The group's financial operations fund North Korea's weapons programs, giving it both state resources and strong incentive to maintain operational tempo.

Security researchers recently identified malware disguised as a Coinbase job description, which was used to target professionals in the cryptocurrency sector on macOS. The malware was delivered as a Universal Binary capable of running on both Intel and Apple Silicon Macs, demonstrating Lazarus's continued investment in macOS-targeted capabilities. Similar fake job offer campaigns have since been documented targeting blockchain engineers, DeFi protocol developers, and NFT platform staff.

How the Malware Works

1. Bait and Infect with a Fake PDF

Lazarus Group’s latest attack begins with a fake PDF named “Coinbase_online_careers_2022_07.pdf,” which is actually a Mach-O executable file. Instead of a simple document, this executable acts as a dropper to initiate the infection process.

When the unsuspecting victim opens this “PDF,” it runs the FinderFontsUpdater package as a background process. This step doesn’t reveal any signs of malicious activity to the user, allowing the malware to operate undetected.

2. A Multi-Stage Infection Process

After FinderFontsUpdater runs, the malware launches a second payload, an installer called safarifontsagent. This agent connects to a remote server, from which it can download additional malicious files or data, potentially gaining access to sensitive information or embedding itself further within the infected system. The malware’s multi-stage execution, with each stage small and unremarkable on its own, shows how far the Lazarus Group’s capabilities have advanced and how deliberately the chain is designed to evade detection.

3. Targeting macOS: Why It Matters

With Apple’s market share continuing to grow, Macs are increasingly attractive targets for cybercriminals. While macOS has a reputation for strong security, its widespread adoption by remote workers has made it a valuable target for APTs. Moreover, the Lazarus Group’s focus on ensuring compatibility with both Intel and M1 chips demonstrates their intention to compromise as many users as possible, regardless of their device's processor.

Social Engineering Tactics at Play

At the core of this campaign lies an effective social engineering strategy. Lazarus uses legitimate-seeming job descriptions from a highly regarded firm like Coinbase to entice individuals actively seeking employment. This form of phishing capitalizes on victims’ trust in familiar brands and their eagerness to find career opportunities.

Using job postings as bait also gives Lazarus Group another layer of legitimacy, reducing the likelihood of raising suspicions among victims. Given the job market's competitive nature, it’s unsurprising that job seekers may overlook security measures, unknowingly falling into these traps.

Defensive Measures for Organizations and Job Seekers

Both companies and individuals need to take preventive steps to avoid falling victim to such attacks:

1. Security Awareness Training

To reduce the chances of employees falling victim to job offer scams, organizations should invest in Security Awareness Training that focuses on phishing simulation exercises. By educating staff on the risks of targeted attacks like these, companies can improve their workforce’s ability to detect red flags in suspicious messages. Security Awareness Training not only builds individual awareness but strengthens overall organizational security.

2. Enhanced File Validation

Organizations should encourage employees to verify the legitimacy of any job-related documents. For instance, a genuine PDF file begins with a distinct signature, while an executable such as a Mach-O file carries a different one and could signal malware even when it is named like a PDF. File validation software can also be used to scan and identify potentially harmful file types before they’re opened.
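The check described above, written out as an added example (this is not code from the article or from Keepnet): the script classifies a file by its leading bytes rather than by its name, so a Mach-O executable named like a PDF is flagged before anyone opens it. The byte strings in SAMPLES are constructed for the demo; only the file name Coinbase_online_careers_2022_07.pdf is taken from the article. The 16-architecture cut-off used to tell a fat header from a Java class file is a heuristic chosen for this example.

```python
"""Added example: classify a file by its header bytes, never by its name."""
import os
import struct

# Thin Mach-O magic numbers (<mach-o/loader.h>), keyed by the raw first four bytes.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce": "Mach-O 32-bit",
    b"\xce\xfa\xed\xfe": "Mach-O 32-bit",
    b"\xfe\xed\xfa\xcf": "Mach-O 64-bit",
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit",
}
# Universal ("fat") binary magic (<mach-o/fat.h>), both byte orders.
FAT_MAGICS = {b"\xca\xfe\xba\xbe", b"\xbe\xba\xfe\xca"}

# Content type we expect behind each document extension.
EXPECTED_BY_EXT = {".pdf": "PDF"}


def classify(data: bytes) -> str:
    """Label the content type from the header; the file name is never consulted."""
    head = data[:4]
    if head in MACHO_MAGICS:
        return MACHO_MAGICS[head]
    if head in FAT_MAGICS:
        # 0xCAFEBABE is also the Java class-file magic. In a fat header the next
        # field is a small architecture count; in a class file it is a version
        # number (52 for Java 8). The cut-off of 16 is a heuristic for this demo.
        nfat = struct.unpack(">I", data[4:8])[0] if len(data) >= 8 else 0
        if 0 < nfat <= 16:
            return "Mach-O Universal (fat)"
        return "unknown (CAFEBABE magic, implausible fat header)"
    # The PDF specification allows junk before "%PDF-" within the first 1024 bytes.
    if b"%PDF-" in data[:1024]:
        return "PDF"
    return "unknown"


def assess(filename: str, data: bytes) -> dict:
    """Compare the type implied by the extension with the type found in the bytes."""
    ext = os.path.splitext(filename)[1].lower()
    detected = classify(data)
    expected = EXPECTED_BY_EXT.get(ext)
    if expected is None:
        verdict = "unknown-extension"
    elif detected == expected:
        verdict = "ok"
    elif detected.startswith("Mach-O"):
        verdict = "suspicious-executable"  # an executable wearing a document name
    else:
        verdict = "mismatch"
    return {"file": filename, "detected": detected, "verdict": verdict}


def check_file(path: str) -> dict:
    """Read only the header region of a file on disk and assess it."""
    with open(path, "rb") as fh:
        return assess(path, fh.read(1024))


# Constructed sample contents (not real malware): a genuine PDF header, a fat
# header claiming two architectures, a thin 64-bit Mach-O header, and plain text.
SAMPLES = {
    "resume.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n1 0 obj\n<< /Type /Catalog >>\nendobj\n",
    "Coinbase_online_careers_2022_07.pdf": b"\xca\xfe\xba\xbe" + struct.pack(">I", 2) + b"\x00" * 40,
    "offer_letter.pdf": b"\xcf\xfa\xed\xfe" + b"\x00" * 28,
    "notes.pdf": b"just some text, not a PDF at all\n",
}

if __name__ == "__main__":
    for name, content in SAMPLES.items():
        r = assess(name, content)
        print(f"{r['verdict']:22} {r['detected']:28} {name}")
```

Run it over a download directory with check_file and treat "suspicious-executable" as a block-and-report result; a mail gateway or endpoint agent would apply the same header check at delivery time, before the user ever sees the file.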

3. Endpoint Detection and Response (EDR)

An EDR system can help identify and isolate malware as soon as it attempts to execute. Endpoint security systems can detect suspicious activities, such as a Mach-O executable running under a document name and spawning further processes, even if the initial bait (e.g., a job application) seems legitimate. Implementing tools such as incident response platforms also ensures rapid containment of potential threats.
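As an added example of the detection logic an endpoint sensor could apply to the chain described in "How the Malware Works" (this is not code from the article or from any EDR product), the script below reconstructs process lineage from constructed telemetry and alerts on two things: a document-named file being executed, and any network connection made by a process descended from that execution. The process names FinderFontsUpdater and safarifontsagent come from the article; every path, PID, timestamp and IP address (198.51.100.7 and 203.0.113.5 are documentation-range addresses) is invented for the demo.

```python
"""Added example: process-lineage detection for an executable disguised as a document."""
import os

# Extensions a user expects to open in a viewer, never to run as a program.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".rtf", ".txt"}


def lineage(pid, execs):
    """Walk ppid links upward from pid; returns [(pid, basename), ...], child first.

    Production telemetry should key on (pid, process start time), because PIDs
    are reused; the plain pid key here keeps the demo short.
    """
    chain, seen = [], set()
    while pid in execs and pid not in seen:
        seen.add(pid)
        chain.append((pid, os.path.basename(execs[pid]["path"])))
        pid = execs[pid]["ppid"]
    return chain


def analyze(events):
    """Return alerts for (1) exec of a document-named file and
    (2) a network connection by any process descended from such an exec."""
    execs, flagged, alerts = {}, set(), []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] == "exec":
            execs[ev["pid"]] = ev
            if os.path.splitext(ev["path"])[1].lower() in DOCUMENT_EXTS:
                flagged.add(ev["pid"])
                alerts.append({"rule": "exec-of-document-named-file", "ts": ev["ts"],
                               "pid": ev["pid"],
                               "lineage": [n for _, n in lineage(ev["pid"], execs)]})
        elif ev["type"] == "connect":
            chain = lineage(ev["pid"], execs)
            if any(p in flagged for p, _ in chain):
                alerts.append({"rule": "network-from-document-lineage", "ts": ev["ts"],
                               "pid": ev["pid"], "dst": ev["dst"],
                               "lineage": [n for _, n in chain]})
    return alerts


# Constructed events: the article's chain next to a benign Preview session.
SAMPLE_EVENTS = [
    {"ts": 0, "type": "exec", "pid": 100, "ppid": 50,
     "path": "/Users/alice/Downloads/Coinbase_online_careers_2022_07.pdf"},
    {"ts": 1, "type": "exec", "pid": 200, "ppid": 50,
     "path": "/Applications/Preview.app/Contents/MacOS/Preview"},
    {"ts": 2, "type": "exec", "pid": 101, "ppid": 100, "path": "/private/tmp/FinderFontsUpdater"},
    {"ts": 3, "type": "connect", "pid": 200, "dst": "203.0.113.5:443"},
    {"ts": 5, "type": "exec", "pid": 102, "ppid": 101, "path": "/private/tmp/safarifontsagent"},
    {"ts": 6, "type": "connect", "pid": 102, "dst": "198.51.100.7:443"},
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(alert)
```

The second rule is what ties the stages together: safarifontsagent on its own looks like any small helper opening a TLS connection, but its ancestry leads back to a "PDF" that was executed, which is the signal the isolated per-file view misses.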

4. Vulnerability Management and Regular Updates

Since the malware targets specific chipsets, maintaining up-to-date software can mitigate vulnerabilities. Apple frequently patches security flaws in macOS, and enabling automatic updates can reduce exposure to known exploits.

5. Limit Access to Sensitive Information

Implementing strict access controls minimizes damage if a device does get infected. For example, companies should restrict access to sensitive documents and systems to only those who absolutely need it.

The Road Ahead: Lazarus Group’s Future Strategies

Lazarus Group's continued evolution suggests they will target even more diverse sectors as they refine their social engineering playbook. In 2026, researchers have documented Lazarus campaigns targeting AI researchers, quantum computing specialists, and semiconductor engineers, reflecting North Korea's intelligence priorities in emerging technology sectors. The consistent thread across all campaigns is the use of professionally crafted job offers and documents as the initial contact vector.

For organizations, taking advantage of Human Risk Management Platforms can centralize training and response efforts, helping mitigate these social engineering threats more effectively. Learn more about building an effective human risk management program that keeps your teams protected.

Editor's Note: This article was updated on June 1, 2026.



Frequently Asked Questions

Who is the Lazarus Group and who do they work for?


The Lazarus Group is an advanced persistent threat (APT) actor widely attributed to North Korea's intelligence services, specifically the Reconnaissance General Bureau. The group has been active since at least 2009 and is responsible for some of the most significant state-sponsored cyberattacks in history, including the 2014 Sony Pictures breach, the 2016 Bangladesh Bank heist in which approximately $81 million was stolen, and the WannaCry ransomware attack in 2017. Lazarus operates for financial gain as well as espionage, and its targeting has expanded significantly over the years.

How does the Lazarus Group use fake job offers to deliver malware?


The Lazarus Group sends unsolicited messages to individuals in targeted sectors, typically finance and cryptocurrency, claiming to offer attractive job opportunities at well-known companies. The messages arrive via LinkedIn, email, or other professional platforms and include a document described as a job description or offer letter. When the recipient opens the file, it executes malware in the background while displaying a convincing document. The job offer lure works because it provides a plausible reason for a stranger to initiate contact and for the recipient to open an unsolicited file.

Why did the Lazarus Group target macOS users specifically in this campaign?


macOS users in the cryptocurrency and finance sector tend to be high-value targets because many professionals in these fields use Macs. Historically, macOS received less attention from malware developers because the platform had a smaller market share, but as Mac adoption has grown among professionals, APT groups have invested in macOS-compatible payloads. The campaign described in this article used a Universal Binary that runs on both Intel and Apple Silicon Macs, demonstrating that Lazarus has developed mature macOS capability.

What is a multi-stage malware infection and how does it complicate detection?


A multi-stage infection uses a sequence of payloads where each stage downloads and executes the next. The initial payload, in this case disguised as a PDF, performs reconnaissance and downloads a second-stage installer. The second stage then retrieves the final payload. This approach complicates detection because early stages may appear benign, each component is smaller and simpler than a monolithic payload, different stages can be hosted on different servers, and security tools that analyze each file in isolation may miss the connection between stages.

What sectors are most targeted by the Lazarus Group in 2026?


Lazarus targets any sector with high financial value or significant intelligence value to North Korea. In 2026, their primary targets include cryptocurrency exchanges, DeFi platforms, and blockchain companies for financial theft; defense contractors and government agencies for espionage; cybersecurity firms for intelligence on detection capabilities; and journalists and researchers who cover North Korea. The group also targets individuals rather than organizations, particularly cryptocurrency developers and traders who may hold significant digital asset balances.

How can job seekers protect themselves from Lazarus Group-style attacks?


Job seekers should be skeptical of unsolicited job offers that arrive via LinkedIn or email from people they do not know, especially if the message includes an attachment or link. Legitimate recruiters rarely send executable files or unusual document formats in initial contact. Before opening any document from an unverified source, verify the recruiter's identity by searching for their profile and confirming it matches their claimed employer. If a document must be opened, do so in a sandboxed environment or use a document viewer that does not execute embedded code. Report suspicious recruitment contact to your security team.

What is a Universal Binary and why does it matter for macOS malware?


A Universal Binary is a macOS application package that contains compiled code for multiple processor architectures, specifically Intel x86-64 and Apple Silicon ARM. This allows a single file to run natively on both older Intel-based Macs and newer Apple Silicon Macs without requiring separate versions. For malware authors, Universal Binaries are valuable because they maximize the number of potential victims with a single payload. The fact that Lazarus built a Universal Binary for this campaign indicates investment in macOS capability and intent to target the widest possible Mac user base.
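To make the format concrete, here is an added example (not code from the article) that parses the header of a Universal, or "fat", Mach-O file to list the architectures it carries and confirms that each embedded slice really is a Mach-O header for that architecture. This is the kind of triage a responder runs on a suspicious file before detonating it anywhere. The build_sample() helper assembles a minimal, non-executable fat file from header structures only; it is constructed for this demo and contains no code, and the slice offsets 64 and 96 are arbitrary choices for the sample.

```python
"""Added example: enumerate the architectures in a Universal (fat) Mach-O file."""
import struct

FAT_MAGIC = 0xCAFEBABE            # <mach-o/fat.h>; the fat header is always big-endian
CPU_ARCH_ABI64 = 0x01000000
CPU_TYPE_X86 = 7
CPU_TYPE_ARM = 12
CPU_TYPE_X86_64 = CPU_TYPE_X86 | CPU_ARCH_ABI64   # 0x01000007
CPU_TYPE_ARM64 = CPU_TYPE_ARM | CPU_ARCH_ABI64    # 0x0100000C
CPU_NAMES = {CPU_TYPE_X86: "i386", CPU_TYPE_X86_64: "x86_64",
             CPU_TYPE_ARM: "arm", CPU_TYPE_ARM64: "arm64"}

# Thin Mach-O magic -> struct byte-order prefix needed to read that slice's header.
THIN_MAGIC_ORDER = {
    b"\xfe\xed\xfa\xce": ">", b"\xce\xfa\xed\xfe": "<",   # 32-bit
    b"\xfe\xed\xfa\xcf": ">", b"\xcf\xfa\xed\xfe": "<",   # 64-bit
}

FAT_HEADER = ">II"      # magic, nfat_arch
FAT_ARCH = ">IIIII"     # cputype, cpusubtype, offset, size, align (log2)


def slice_matches(slice_bytes, cputype):
    """True if the slice starts with a Mach-O header whose cputype matches the fat entry."""
    order = THIN_MAGIC_ORDER.get(slice_bytes[:4])
    if order is None or len(slice_bytes) < 8:
        return False
    (slice_cputype,) = struct.unpack(order + "I", slice_bytes[4:8])
    return slice_cputype == cputype


def fat_architectures(data):
    """Return one dict per embedded architecture; raises ValueError for non-fat input."""
    if len(data) < 8:
        raise ValueError("too short for a fat header")
    magic, nfat = struct.unpack(FAT_HEADER, data[:8])
    if magic != FAT_MAGIC:
        raise ValueError("not a fat binary")
    if not 0 < nfat <= 16:
        # CAFEBABE followed by a large count is more likely a Java class file.
        raise ValueError(f"implausible architecture count {nfat}")
    result = []
    for i in range(nfat):
        entry = data[8 + 20 * i: 8 + 20 * (i + 1)]
        cputype, _cpusubtype, offset, size, _align = struct.unpack(FAT_ARCH, entry)
        result.append({
            "arch": CPU_NAMES.get(cputype, hex(cputype)),
            "offset": offset,
            "size": size,
            "slice_ok": slice_matches(data[offset:offset + size], cputype),
        })
    return result


def thin_header_le64(cputype):
    """Minimal little-endian mach_header_64: magic, cputype, cpusubtype, filetype=2
    (MH_EXECUTE), ncmds, sizeofcmds, flags, reserved. Header only, no load commands."""
    return b"\xcf\xfa\xed\xfe" + struct.pack("<IIIIIII", cputype, 0, 2, 0, 0, 0, 0)


def build_sample():
    """Constructed two-slice fat file: x86_64 slice at offset 64, arm64 slice at 96."""
    slices = [(CPU_TYPE_X86_64, thin_header_le64(CPU_TYPE_X86_64)),
              (CPU_TYPE_ARM64, thin_header_le64(CPU_TYPE_ARM64))]
    header = struct.pack(FAT_HEADER, FAT_MAGIC, len(slices))
    table, body, offset = b"", b"", 64
    for cputype, s in slices:
        table += struct.pack(FAT_ARCH, cputype, 0, offset, len(s), 0)
        body += s
        offset += len(s)
    padding = b"\x00" * (64 - len(header) - len(table))
    return header + table + padding + body


if __name__ == "__main__":
    for arch in fat_architectures(build_sample()):
        print(arch)
```

A slice whose own header disagrees with the fat table (slice_ok False) is worth a second look: legitimate toolchains produce consistent tables, so a mismatch usually means the file was hand-assembled or tampered with.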

What is the KANDYKORN malware family associated with Lazarus attacks?


KANDYKORN is a macOS remote access trojan (RAT) identified in Lazarus Group campaigns targeting blockchain engineers. It is delivered through social engineering on professional platforms, arrives as a Python application disguised as a cryptocurrency arbitrage tool, and establishes persistent remote access to the victim's machine. KANDYKORN can upload and download files, execute commands, terminate processes, and exfiltrate data. It represents the continued sophistication of Lazarus's macOS toolset beyond the job offer campaign described in this article.

What security controls most effectively reduce risk from Lazarus Group campaigns?


The most effective controls combine technical and human-layer defenses. Technically: deploy endpoint detection and response tools that monitor for unusual process execution and network connections; enforce application allowlisting to prevent unauthorized executables from running; disable macros in Office documents by default; and segment networks to limit lateral movement. From the human layer: train employees to recognize social engineering via professional networks and to treat unsolicited job-related documents as suspicious. Keepnet's Phishing Simulator includes spear phishing scenarios that replicate Lazarus Group tactics, building employee recognition skills before a real attack occurs.

What should organizations do if they suspect a Lazarus Group intrusion?


If a Lazarus Group intrusion is suspected, immediately isolate the affected device from the network, preserve forensic artifacts without modifying the device, and engage professional incident response expertise. Notify relevant authorities including CISA, national CERTs, or law enforcement as appropriate. Treat all credentials that may have been accessible from the infected device as compromised and reset them from a clean machine. Cryptocurrency wallets and exchange accounts accessible from the device should be considered at immediate risk. Use Keepnet's Incident Responder to identify whether phishing emails related to the campaign reached other employees.