North Korean Hackers Exploit AI to Target Developers with Malicious Coding Challenges
A North Korean state-sponsored cyber group, identified as HexagonalRodent—a subgroup within the notorious Lazarus hacking collective—has launched a sophisticated campaign aimed at software developers. By masquerading as tech recruiters, these threat actors distribute malware through deceptive job interviews and compromised coding assessments.
Deceptive Recruitment Tactics
The attackers initiate contact with developers via professional networking platforms like LinkedIn or by posting fraudulent job listings on popular career portals. Once a developer expresses interest, they are provided with a take-home coding assessment to complete and submit. These assessments appear legitimate but are embedded with concealed malware within the code and project configuration files.
Targeting Web3 Developers
The primary focus of this campaign is on Web3 developers, with the objective of exfiltrating cryptocurrency and non-fungible tokens (NFTs). Over a span of three months, the threat actors successfully extracted 26,584 cryptocurrency wallets from 2,726 compromised developer systems. Public keys associated with these wallets revealed holdings of up to $12 million in crypto assets.
Leveraging Generative AI
A distinguishing feature of this campaign is the extensive use of generative AI tools such as ChatGPT and Cursor. The attackers utilized these technologies to craft malware code, develop counterfeit company websites, and fabricate entire leadership teams, thereby enhancing the credibility of their fraudulent recruitment schemes.
Discovery and Analysis
Cybersecurity firm Expel uncovered this campaign following an investigation into a BeaverTail malware infection on a client network in October 2025. This led to the revelation of an extensive network of command-and-control (C2) panels, infrastructure, and internal tracking systems employed by HexagonalRodent.
Shift in Attack Strategy
Traditionally, the Lazarus group has targeted large cryptocurrency exchanges through complex, multi-step intrusions. However, HexagonalRodent has shifted focus to high-volume, opportunistic attacks against individual developers. This strategy exploits the fact that many small Web3 projects and individual investors possess substantial digital assets but often lack robust security measures.
Supply Chain Attack
In early 2026, HexagonalRodent executed a supply chain attack by compromising a popular Visual Studio Code (VSCode) extension named fast-draft to distribute OtterCookie malware. This marked the first confirmed instance of this subgroup conducting a supply chain attack, indicating an expansion in their attack methodologies and growing technical proficiency.
Infection Mechanism
The core infection vector abuses a legitimate feature of VSCode, a code editor widely used by developers. The attackers embed a malicious `tasks.json` configuration file in the coding assessment project. One of its tasks is configured with `"runOn": "folderOpen"`, so VSCode runs that task automatically as soon as the developer opens the project folder, without requiring any further manual action.
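As an added illustration (not code from the article, Expel, or the attackers), the following Python scanner inspects a project's `.vscode/tasks.json` before the folder is opened in VSCode and reports any task set to run on `folderOpen`, handling the comments and trailing commas that VSCode permits in that file. The sample `tasks.json` is constructed for the example; in VSCode itself, opening an untrusted folder in Restricted Mode (Workspace Trust) also prevents tasks from running.

```python
"""Pre-open scanner for VS Code auto-run tasks (illustrative example)."""
import json
import re
from pathlib import Path

# Constructed sample mimicking the folderOpen auto-run pattern described in the article.
SAMPLE_TASKS_JSON = r'''{
  // comments and trailing commas are legal in tasks.json (JSONC)
  "version": "2.0.0",
  "tasks": [
    {
      "label": "Install deps",
      "type": "shell",
      "command": "npm install",
      "runOptions": { "runOn": "folderOpen" },
    },
    {
      "label": "Run tests",
      "type": "shell",
      "command": "npm test",
    },
  ],
}'''

def strip_jsonc(text: str) -> str:
    """Remove // and /* */ comments and trailing commas so json.loads accepts JSONC."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    text = re.sub(r"(?m)//[^\n]*$", "", text)  # assumes no '//' inside string values
    text = re.sub(r",(\s*[}\]])", r"\1", text)  # drop trailing commas before } or ]
    return text

def find_auto_run_tasks(tasks_json: str) -> list[dict]:
    """Return tasks that VS Code would run automatically when the folder is opened."""
    doc = json.loads(strip_jsonc(tasks_json))
    hits = []
    for task in doc.get("tasks", []):
        if task.get("runOptions", {}).get("runOn") == "folderOpen":
            hits.append({"label": task.get("label", "<unlabelled>"), "type": task.get("type"),
                         "command": task.get("command"), "args": task.get("args", [])})
    return hits

def scan_project(root: str) -> list[dict]:
    """Check a checked-out project for auto-run tasks; empty list if no tasks.json exists."""
    path = Path(root) / ".vscode" / "tasks.json"
    if not path.is_file():
        return []
    return find_auto_run_tasks(path.read_text(encoding="utf-8"))

if __name__ == "__main__":
    for hit in find_auto_run_tasks(SAMPLE_TASKS_JSON):
        print(f"AUTO-RUN on folderOpen: {hit['label']} -> {hit['command']} {hit['args']}")
```

Run `scan_project(path)` against the unpacked assessment before opening it; any reported task should be read in full, since the command it launches is what actually executes.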
Recommendations for Developers
To mitigate the risk of such attacks, developers are advised to:
– Verify Recruiter Credentials: Conduct thorough research on recruiters and the companies they represent before engaging in any recruitment process.
– Scrutinize Coding Assessments: Carefully examine coding assessments for unusual or suspicious configurations, especially hidden files or scripts such as a `.vscode/tasks.json` that runs commands automatically.
– Monitor System Behavior: Be vigilant for unexpected system behavior, such as unauthorized access to cryptocurrency wallets or unusual network activity.
– Implement Robust Security Measures: Utilize comprehensive security solutions to detect and prevent malware infections.
Conclusion
The HexagonalRodent campaign underscores the evolving tactics of state-sponsored cyber groups, particularly their use of AI technologies to enhance the effectiveness and credibility of their attacks. By targeting individual developers through sophisticated social engineering and leveraging trusted development tools, these attackers pose a significant threat to the security of digital assets. Developers must remain vigilant and adopt proactive security measures to safeguard against such insidious threats.