A sub-cluster of the notorious Lazarus Group has created deceptive infrastructure mimicking skills assessment portals for inclusion in its social engineering campaigns.
Microsoft has linked the observed activity to a threat actor identified as Sapphire Sleet, noting it as a “change in the persistent actor’s tactics.”
Sapphire Sleet, known by the aliases APT38, BlueNoroff, CageyChameleon, and CryptoCore, has a history of conducting cryptocurrency theft through social engineering.
According to Microsoft's posts on X, Sapphire Sleet has recently set up deceptive portals posing as recruitment and skills assessment websites. These fraudulent sites prompt visitors to register, allowing the attackers to harvest personal information and credentials.
The websites are hosted on malicious domains and are password-protected to evade analysis. Microsoft has successfully blocked numerous known domains associated with these campaigns.
According to Microsoft, the move to counterfeit skills assessment portals suggests that Sapphire Sleet has altered its approach in response to the rapid detection and removal of its earlier malicious attachments and links.
Sapphire Sleet is currently focusing on LinkedIn users, tailoring its outreach to each target's expertise and experience. The initial contact includes links to deceptive sites disguised as genuine skills tests.
Microsoft recommends that LinkedIn users, particularly those in IT and recruiting roles, exercise caution when receiving unsolicited messages containing links or skill assessment offers. It is advised to verify the authenticity of any websites before sharing login credentials or sensitive information.
Lazarus, also recognized as Hidden Cobra, gained prominence in 2014 for hacking Sony Pictures in relation to the film “The Interview,” a comedy depicting the assassination of North Korean leader Kim Jong-un. It is widely believed to maintain close ties with the North Korean government.
Subsequently, the group shifted focus to cryptocurrency thefts, allegedly pilfering approximately $400 million in cryptocurrency in the year 2021.