Have you ever thought of quitting your job? Do you maybe feel like your abilities go unnoticed or underappreciated? Are you searching for that “click” that could define your career path with immense satisfaction?

If so, North Korea-aligned threat actors have some delicious offers for you! Top salaries, top positions, and the best benefits, including having your life and current employer compromised!

Key points of this article:

  • Cybercriminals exploit career anxiety, leveraging layoffs, job‑hopping trends, and the rise of freelance work to target vulnerable applicants searching for better opportunities.
  • Malicious job offers are exploding, with bad actors posing as recruiters and using deepfakes, PDF-formatted decoys or malicious documents, and infected project offers to infiltrate companies and steal sensitive data.
  • ESET Research uncovered multiple campaigns by North Korea-aligned groups, from LinkedIn‑based spearphishing to trojanized coding challenges, revealing how sophisticated and global these job‑scam operations have become.
  • Attackers tailor their lures with precision, using AI‑generated identities, live face swaps, and custom malware to pass as trustworthy recruiters, even during video interviews.
  • Companies face a growing insider‑style threat that’s outpacing what traditional security can monitor for.

The dynamic world of classifieds

Following unprecedented numbers of layoffs across multiple sectors, poor employment prospects for recent graduates, and a job market marred by the smell of a recession in the wind, employees are realizing that the job landscape is anything but static—a 2025 Randstad report says that around 1 in 3 Gen Z workers plan to switch jobs within the year, with around 54% already browsing for a new role.

This dynamism gives way for opportunity seekers, both those making the best of a terrible situation by job-hopping to hasten their career growth and malicious opportunists looking to take advantage. With experts saying that the future will be defined by individuals with nonlinear careers, as opposed to singular lifelong commitments, the job market looks likely to be a long-term attack vector. 

We can’t forget about AI redefining existing job roles and processes, something that ESET acknowledges as a real transformative opportunity for the cybersecurity sector.

How does the world of classified job ads compensate for this increased demand? With fake job offers, ghost jobs, and recruiters that are, in essence, artificial constructs. Oh yes, and deepfakes—we can’t forget about those.

This leads us to the worst of the worst in this regard: malicious job offers. 

Intercepting deceptive dream jobs

Wait a minute. Isn’t a malicious job offer just another fake post? Yes, but also no. 

The differences between the two can be both subtle and stark:

  • Fake jobs don’t necessarily need to be malicious. Companies sometimes offer positions that have already been filled internally or exist just for marketing purposes. The reasons can be many.
  • While “real” fake jobs are usually static adverts, malicious classifieds are often supported by the work of an active (often deepfaked) “recruiter” and a dose of spearphishing to lure in the right victim.
  • Concerning phishing, malicious offers also use trojanized PDFs or PDF viewers and malicious URLs to get malware onto a victim’s device. This would ensure that a cyberespionage operation, for example, could go ahead without further personal involvement. Threat actors could also steal identities, defraud the victim, and more.

But who’s behind all this duplicity, and why target unsuspecting employees? To that, ESET Research has multiple answers.

The watchful eyes of ESET Research

Researchers at ESET have detected both multiple and diverse campaigns involving the use of malicious job offers, so let’s have a bit of a retrospective.

Operation In(ter)ception

In 2020, ESET researchers Dominik Breitenbacher and Kaspars Osis published their report on Operation In(ter)ception, an investigation into targeted attacks against companies active in the aerospace and defense sectors in Europe and the Middle East. As part of the initial compromise phase, the attackers used LinkedIn to pose as HR personnel of known companies in aerospace and defense like Collins Aerospace and General Dynamics.

With this, the attackers sought out employees of the targeted companies, messaging them with fake offers like the one in the image below.

Example of a typical fake job offer sent via LinkedIn

A typical fake job offer sent via LinkedIn (Source: ESET Research/WLS).

Once connected, the attackers shared documents related to the job description via OneDrive or email, the contents of which were laced with custom malware.

Scheme of attack scenario from initial contact to compromise

Attack scenario from initial contact to compromise (Source: ESET Research/WLS).

On the compromised machines, the attackers would seek to exfiltrate data, probably seeking technical and business-heavy information, but also attempted a business email compromise scenario in one of the cases to monetize their access.

Operation DreamJob

In 2023, ESET Researchers Peter Kálnai and Marc-Etienne M. Léveillé reported on how Lazarus, a North Korea-aligned APT group, had targeted Linux users with the SimplexTea backdoor, also engaging in similar social engineering techniques to the previous story via an HSBC-themed PDF lure.

An HSBC-themed lure in the Linux DreamJob campaign

An HSBC-themed lure in the Linux DreamJob campaign (Source: ESET Research/WLS).

This story was important in highlighting the multiplatform capacity of Lazarus to target all major desktop systems, including Windows and macOS. Additionally, it linked the 3CX supply-chain compromise to the APT group, which enabled the stealthy download and execution of any kind of payload through the 3CX software. 

Illustration of the probable chain of compromise

Illustration of the probable chain of compromise (Source: ESET Research/WLS).

The gist of the story is that APTs like Lazarus don’t need to revolutionize their initial access method when they can rely on human error and unsecure email clients (depending on how a victim receives their lure). 

Internal ESET MDR telemetry shows that phishing and social engineering are the second most detected threat category (22%), though still leaps and bounds behind ransomware (48%), which could very well also be the result of a compromise via phishing.

Read the ESET MDR Threat Report Q1 2026 for more relevant insight.

DeceptiveDevelopment

In early 2025, ESET researchers led by Matěj Havránek analyzed a peculiar campaign, which deployed malware packaged with job interview challenges.

As an even more involved form of malicious job offer, this time, fake recruiters on social media (LinkedIn, Upwork, Freelancer.com, and similar) asked their targets (mostly freelance software devs) to do a coding test, like adding a feature to an existing project like games with blockchain functionality or gambling with crypto features. All the necessary files (all of them trojanized) were reposited on GitHub and similar platforms. 

README of a trojanized GitHub project

README of a trojanized GitHub project (Source: ESET Research/WLS).

Thus, once these trojanized files were downloaded and the project executed, they would compromise the victim’s computer with BeaverTail and InvisibleFerret malware. Both are flagship infostealers used to steal crypto wallets and exfiltrate login information from browsers and password managers. The victims were globally sourced (mainly from the US but also from Spain, South Africa, Ukraine, and India), with diverse job maturity scopes from juniors to experts.

DeceptiveDevelopment compromise chain

DeceptiveDevelopment compromise chain (Source: ESET Research/WLS).

The attackers also deployed other infostealers like WeaselStore (targeting Windows, Linux, and macOS), but this time, they utilized the ClickFix social engineering method. Victims were lured to a fake job interview site and asked to fill out a detailed application form. At the final step, they were prompted to record a video answer, but the site displays a camera error and offers a “How to fix” link. This link then instructed the users to open a terminal and copy a command that should solve the camera or microphone issue, which instead of fixing the issue, downloaded and executed the malware.

Two sides of the same bad coin

However, what about suspicious hires? It’s not just the recruiters that can be fake. In 2025, ESET researchers released an analysis of the North Korean IT workers scheme, highlighting how “the workers [attackers] utilize AI to perform their job tasks and rely heavily on AI for manipulating photos in their profile pictures and CVs, and even perform face swaps in real-time video interviews to appear as the persona they are currently using. They utilize remote interviewing platforms like Zoom, MiroTalk, FreeConference, or Microsoft Teams.” 

These “workers” pay a lot of attention to keeping their stories straight, tracking their work, and maintaining their fake identities, CVs, and portfolios to apply for jobs, targeting headhunters and recruiters (obviously). Considering that no malware had been used prior to onboarding, it says a lot about the actual long-term intent of these criminals—be it cyberespionage or something much worse.

As for the targets? Based on the analysis of many fake CVs, the workers initially targeted jobs in the US but later shifted focus to European states, such as France, Poland, Ukraine, and Albania.

Operation DreamJob … again?!

In late 2025, researchers Peter Kálnai and Alexis Rapin revealed a continuation of Lazarus’ Operation DreamJob campaign, this time targeting several European companies active in the defense sector, including designers and manufacturers of unmanned aerial vehicle components. Posing as lucrative job offers, the victims, again, received decoy documents with a trojanized PDF reader to open them.

Lazarus’ primary goal was reportedly cyberespionage, focusing on stealing sensitive data, intellectual property, and proprietary information likely to boost North Korea’s drone program, with a secondary motive of financial gain.

For other relevant insight, read the periodic ESET APT Activity Report.

Fake jobs, dashed hopes

To quote ESET Research, “Even with widespread media coverage of Operation DreamJob and its use of social engineering, the level of employee awareness in sensitive sectors—technology, engineering, and defense—is insufficient to handle the potential risks of a suspicious hiring process.”

This isn’t a perfunctory message, as the existence of these fake job campaigns illustrates a real susceptibility of professionals to highly targeted content, especially because these attacks are also highly persistent.

“We saw cases when the initial attack on a targeted network was blocked, but two weeks later, a different endpoint in the network was compromised,” commented Peter Kálnai, Senior Malware Researcher at ESET.

This shouldn’t be surprising; spearphishing attacks are deceptively clever in their design, researching the wants and desires of the intended victims—such as having a high-profile job or landing the position at an industry leader. And they need to be persistent because the potential gain might be worth the effort.

This, in a way, also transforms the case into an insider threat, and an unwitting one at that. With various BYOD policies, remote work, and a diverse corporate network in general, internal security likely can’t cover every possible attack vector, especially if it comes from an employee’s social account, a clear case of shadow IT at work. So it makes sense why Lazarus would opt to communicate through fake job ads to commit cyberespionage: It’s somewhat of a blind spot.

How to mitigate fake job scams?

So how can you mitigate this threat vector? Primarily, the main issue behind the success of fake jobs is people mixing their personal and work lives. Researching job offers while on a device containing their current employer’s data, or while connected to their internal network, is a big no-no. It could also very well be against some stipulations in the employee’s work contract, thereby risking termination. 

Sure, having their personal machine compromised might also be unpleasant, but the consequences for their employer are much more severe.

Thus, let’s tackle some of the individual failures first:

  • Never open random attachments that you received from strangers, even if they look legitimate. Same goes for shared URLs. They can easily lead to a phishing website or down the path to downloading malware. Any legitimate entity would send you to a professional hiring site, but even that can be faked, so …
  • Always verify. Double-check both the recruiter’s and the firm’s backgrounds, and search to see if the supposed job offer is also advertised on the firm’s/recruitment agency’s official website (if there is one) and other job portals. These days, only less mature criminals are likely to have tells, like misspellings, stock-looking profile pictures, and a lack of obvious account activity, including an absence of recommendations given or received. 

The AI weighs in

The fakery mentioned above is an area in which researchers have seen dramatic change. Generative AI tools have made it much easier to run fake profiles, with hundreds of connections, links to actual company sources in their bios, and proper language skills. ESET has tracked such an example recently: DanteLabs1, a fake company promoting itself across multiple social platforms, is using a convincing online footprint to appear legitimate and is also guilty of using AI-generated images of the “team.”

So if you ever get that strange feeling deep in your gut that something’s off, it probably is.

  • If someone asks you to install a program just to read a PDF file, don’t. Modern operating systems or browsers have built-in PDF readers, so there’s no reason to install additional software—it could be an attempt to compromise you.

Freelance devs and contractors in the spotlight

Special attention should be paid to the self-employed (developers, for example), who are also targeted. One of the best practices they could employ would be to separate each customer’s data—treating every interview as another separate customer. By using dev containers (like Docker), a virtual private server (VPS), or cloud virtual machines, freelancers can isolate the programming task from their main machines, reducing the risk of a compromise considerably.

By virtue of being hosted externally, cloud virtual machines and VPSs are especially useful in adding distance between the task in execution and its potential fallout on the local machine.

What about business-level mitigation?

Obviously, if the goal of these attacks is to compromise a company, it also makes sense to include a few steps IT or an in-house SOC can take:

  • Your first step is to start with the entry point, the email gateway, by making your email servers and clients more resilient. This can be done by disabling all external content (like PDFs, SVG image files, ZIPs, etc.). At the same time, prohibit employees from using their personal emails at work to further limit company exposure.

Solutions like ESET Mail Security (EMSX) protect against email threats like phishing by proactively scanning emails, including their attachments, for all kinds of malware, actively blocking and filtering malicious content. Additionally, in EMSX, rules can be implemented to prevent emails from being received from known malicious countries or domains as well.

  • Additional security measures should also be implemented against spoofing and homoglyph attacks. Attackers like to use visual tricks to make their emails appear more legitimate by using typosquatting or sender spoofing. This can easily deceive the eyes; therefore, opt for an integrated email security solution that sports anti-spoofing protection.

ESET Cloud Office Security (ECOS) combines robust email security in the form of spam filtering with antimalware scanning, anti-phishing, and advanced threat defense with cloud sandboxing, helping to protect company communications, collaboration, and cloud storage. Essentially, you are secure against almost all malicious job offer vectors with this one ESET PROTECT module.

Apropos, cloud sandboxing is especially useful when you want to detect malware before it gets on your device. So, if an employee were to download an attachment, it’s behavior would be examined within the sandbox and, if found to be malicious, sent immediately to quarantine. In the case of EMSX and ECOS, we also train our AI engine on known scams, so these solutions can detect such attempts quite early.

  • Install multilayered endpoint security (ES) and procure an extended detection and response (XDR) solution or an equivalent managed detection and response (MDR) service. Why? Simply put, while ES offers baseline protection against most malware and viruses, XDR and MDR can catch anything that might slip through. In ESET PROTECT’s case, it’s thanks to its AI-native detection engine built on years of thorough ESET research.
  • Stay one step ahead of malicious job campaigns by subscribing to proprietary threat intelligence feeds, or opt for expanded research offered in APT reports, which can enable an accelerated understanding of the threat landscape and inform prevention steps to be taken.

Staying ahead is the only path toward resilience. Even if you face an ongoing incident related to a malicious job offer PDF, having research on your side that could pinpoint the exact TTPs to watch out for in your detection and response solution will certainly lead to a faster response.

Real jobs on the line

It’s tough out there. Jobs have become a valuable commodity, which spells doom both to job seekers and their existing employers. With the way things are going, we can expect job boards to increasingly harbor scam offers, employing various social engineering and phishing tactics to fool people.

Reversing this trend might be nigh impossible without extreme policing, which is why individuals and companies need to take mitigation of this threat vector into their own hands. Being cyber resilient is not a given thing; it’s a state to strive for, constantly.

For the latest insight into the threat landscape, make sure to follow ESET Research on Twitter (today known as X), BlueSky, and Mastodon.

eset-threat-intelligence_banner

Additional references:
1) As mentioned in the ESET APT Activity Report, Q4 2025-Q1 2026, page 17.