description: "Technical analysis of three consecutive Lazarus Group campaigns targeting the same GitHub users with different social engineering vectors: cryptocurrency airdrops, fake security advisories, and fraudulent job offers. Includes air-gapped defense architecture."
series: Lazarus GitHub Campaigns
Lazarus Group's 19-Day A/B Test: How North Korean APT Pivoted from Airdrops to Fake CVEs to Dream Jobs
Three campaigns, one threat actor, same targets: the evolution of Operation Dream Job tactics on GitHub—and how to architect defenses against persistent APT targeting
Executive Summary
Between March 20 and April 8, 2026, I received three distinct phishing campaigns from the same threat actor (attributed to Lazarus Group based on TTP overlap). This article documents a rare opportunity to observe real-time tactical evolution: the pivot from greed-based (fake airdrop) to fear-based (fake CVE) to ambition-based (fake job offer) social engineering—all targeting identical GitHub user cohorts.
Critical finding: The username @toxy4ny appears in all three campaign target lists, confirming this is not opportunistic spam, but deliberate behavioral A/B testing on a surveillance-identified victim pool.
This article concludes with a practical defense architecture: how I protect my adversarial ML research using air-gapped infrastructure—a model applicable to any developer targeted by persistent APT groups.
The 19-Day Campaign Timeline
| Date | Campaign | Vector | Psychological Trigger | Infrastructure |
|---|---|---|---|---|
| Mar 20 | OpenClaw Airdrop | Fake token claim | Greed/FOMO | share.google/eGzdhAucWKKcwkZi9 |
| Mar 27 | VS Code CVE | Fake security advisory | Fear/Urgency | share.google/N3NwdcmyaYu9kwZ6D |
| Apr 8 | Uniswap Recruitment | Fake job offer | Ambition/Career | share.google/GVTYMEMANZWqTptr2 |
Campaign #3: The "Dream Job" Lure
Full email content (April 8, 2026):
Hey,
Your recent activity on GitHub got our attention. We are expanding Uniswap and looking for developers whose level align with ours.
Every roles are fully online. Annual pay is paid in USD.
Available roles & salary:
Engineering: Senior BE, FE, Smart Contract, Infra — up to $450k
Product & Design: Product Manager, Sr. Design, Design Engineer — up to $350k
Business & Ops: BizDev, Partnerships, Community, Recruiter, Solutions Eng — up to $300k
Marketing: Dev Relations, Technical Writer, Content Eng — with up to $300k
Next Instructions:
Fill out this form here: https://share.google/GVTYMEMANZWqTptr2
Choose a job that fits you.
Share some words about your experience and what interests you.
Our recruiters will look at your profile and contact you directly to schedule a call.
👇 Matched users
This message was selected. If you find your GitHub handle below, we are reaching out because your account matches our roles:
…list true username on GitHub…
We hope to connect soon.
Attribution: Operation Dream Job Evolved
This campaign represents a tactical evolution of Operation Dream Job, Lazarus Group's long-running campaign targeting developers with fake employment opportunities. Traditional Operation Dream Job lures used LinkedIn and direct email; this iteration leverages GitHub's notification system to abuse platform trust.
Connection to Known Lazarus TTPs
| Observed Behavior | Lazarus Operation Dream Job Profile |
|---|---|
| Salary ranges ($300k-$450k) | Consistent with "excessive compensation" lures used to target crypto developers. |
| Remote work emphasis | Aligns with post-COVID hiring patterns exploited since 2023. |
| Smart Contract/Blockchain targeting | Primary target vertical for Lazarus revenue generation. |
| Fake recruiter infrastructure | Impersonation of Uniswap, Coinbase, Robinhood documented in ClickFake Interview campaigns. |
| Typosquatting | "Uniswap" impersonation (zero instead of letter O in some variants) matches historical tactics. |
The ClickFake Interview campaign documented by Sekoia in March 2025 used identical techniques: fake job interviews for crypto positions leading to malware deployment via "video driver installation". The Uniswap lure in this campaign likely leads to a similar GolangGhost or PylangGhost backdoor delivery mechanism.
Technical Analysis
Infrastructure Consistency
All three campaigns abuse Google Share (share.google) links as the initial redirect vector:
Campaign 1: share.google/eGzdhAucWKKcwkZi9 → Wallet drainer
Campaign 2: share.google/N3NwdcmyaYu9kwZ6D → Fake VS Code update
Campaign 3: share.google/GVTYMEMANZWqTptr2 → "Job application" (likely malware dropper)
This technique bypasses email security filters by leveraging Google's domain reputation while enabling rapid infrastructure rotation.
The "toxy4ny" Indicator
Critical forensic evidence: The GitHub username @toxy4ny appears in target lists of all three campaigns:
- March 20 (OpenClaw): Listed as "Authorized Builder"
- March 27 (VS Code CVE): Listed as "At-Risk customer"
- April 8 (Uniswap): Listed as "Matched user"
This overlap confirms:
• Single threat actor conducting sequential targeting
• Deliberate A/B testing of psychological vectors on identical victims
• Persistence: 19-day engagement window suggests automated tracking of victim responses
Payload Evolution Hypothesis
Based on Lazarus Group's documented Contagious Interview and Operation Dream Job methodologies, the likely attack flow is:
GitHub Mention → Email Notification → Google Form → "Skills Assessment" → Fake Video Interview → "Camera Driver Error" → ClickFix Technique → Malware Drop (PylangGhost/GolangGhost) → Credential Theft & C2 Beacon
The ClickFix tactic—where victims are instructed to run terminal commands to "fix" camera access—has been Lazarus's preferred delivery method for macOS and Windows backdoors since late 2024.
----
The Psychology of Sequential Targeting
This campaign sequence represents sophisticated behavioral profiling:
| Stage | Emotion | Target Mindset | Lazarus Objective |
|---|---|---|---|
| Airdrop | Greed | "Easy money" | Wallet access, quick crypto theft |
| CVE | Fear | "System compromised" | Corporate network access, persistence |
| Job | Ambition | "Career advancement" | Long-term infiltration as "employee" |
The progression from immediate financial exploitation (airdrop) to technical compromise (CVE) to human asset recruitment (job offer) mirrors Lazarus Group's documented shift from DeFi theft to IT worker infiltration for supply chain attacks.
----
Defense Architecture: Air-Gapped Research Environment
As a professional red team operator and adversarial ML researcher, I operate under the assumption of persistent APT targeting. The three campaigns documented here confirm this threat model: Lazarus Group specifically targets developers with access to security research, AI/ML capabilities, and potential supply chain influence.
My defense architecture is designed to neutralize the entire attack surface these campaigns exploit.
Core Principles
| Principle | Implementation | Threat Mitigated |
|---|---|---|
| Physical isolation | No network interfaces (WiFi, Ethernet, Bluetooth) | C2 communication, exfiltration |
| Unidirectional data flow | Inbound only via ephemeral AirDrop | Lateral movement, data theft |
| No persistent trust | Per-session pairing, immediate disable | Persistence mechanisms |
| Application isolation | Sandboxed execution for all untrusted code | Malware execution, privilege escalation |
Technical Implementation
Hardware Stack:
• MacBook Pro Max M2 (32GB/1TB) — dedicated research machine
• Physically disconnected: WiFi card disabled in firmware, Ethernet port blocked
• Bluetooth: Enabled only during controlled AirDrop transfers
Data Transfer Workflow:
```
[Partner Device] → AirDrop (Contact Only) → [Research MacBook] → Immediate Disable
        ↓
[Static Analysis: exiftool, pdfid, custom Unicode scanner]
        ↓
[Sandboxed Ingestion: Isolated user account, no network]
        ↓
[RAG Processing: Local LLM inference only]
```
AirDrop Hardening:
```shell
# macOS Settings
defaults write com.apple.sharingd DiscoverableMode -string "Contacts Only"
defaults write com.apple.sharingd AirDropEnabled -bool false  # Disabled by default
```
AirDrop is enabled only during transfer windows (typically <60 seconds), then immediately disabled via Control Center. This minimizes the discovery window for potential proximity-based attacks.
Why This Neutralizes Lazarus Campaigns
| Attack Vector | Lazarus Method | Air-Gapped Defense |
|---|---|---|
| Wallet drainer (Campaign #1) | Malicious dApp connection | No internet = no Web3 wallet access |
| Fake software update (Campaign #2) | VS Code installer malware | No outbound connection = no C2 beacon |
| Job interview malware (Campaign #3) | ClickFix terminal commands | Sandboxed execution = no system compromise |
| Supply chain poisoning | Malicious npm/VS Code extensions | Manual review in sandbox before ingestion |
The "Job Offer" Specific Threat
The third campaign is particularly dangerous for researchers because:
- "Technical assessment" files — Lazarus often delivers malware disguised as coding challenges or take-home assignments
- Video interview software — Fake Zoom/Teams installers with backdoors
- Long-term access — Successful infiltration provides persistent access to research environments
My air-gapped architecture ensures that even if I were socially engineered into accepting a "job offer," the execution environment cannot communicate with attacker infrastructure, and no research data can be exfiltrated.
Practical Recommendations
For individual developers:
- Isolate research/development environments — Use virtual machines or separate physical hardware for untrusted code evaluation
- Implement data diodes — Unidirectional transfer from internet-facing to isolated systems only
- Verify job offers through multiple channels — Contact companies directly via known-good websites, never through email links
- Use hardware security keys — For GitHub, email, and any crypto operations (YubiKey/FIDO2)
For organizations hiring remote developers:
- Verify identity rigorously — Video interviews with live interaction, government ID verification
- Assume compromise — New hires from high-risk regions should have restricted access for probation periods
- Monitor for ClickFix tactics — Any request to run terminal commands during "interviews" is an immediate red flag
- Code review mandates — All external contributions require human review before CI/CD execution
Detection and Mitigation
For Individual Developers
Immediate red flags:
• Unsolicited GitHub mentions offering $300k+ remote positions
• Google Forms/Share links for "job applications" from crypto companies
• Grammar inconsistencies: "Every roles are fully online" (subject-verb disagreement)
• Excessive salary ranges: Uniswap SDE roles do not reach $450k for remote positions
Verification steps:
- Check GitHub Security Advisories for repository-based scams
- Verify job postings on official company careers pages (uniswap.org/careers)
- Cross-reference recruiters on LinkedIn—Lazarus operatives often use stolen photos and AI-generated resumes
For Security Teams
Indicators of Compromise (IoCs):
| Type | Indicator | Campaign |
|---|---|---|
| URL | share.google/GVTYMEMANZWqTptr2 | Uniswap Job (Apr 8) |
| URL | share.google/N3NwdcmyaYu9kwZ6D | VS Code CVE (Mar 27) |
| URL | share.google/eGzdhAucWKKcwkZi9 | OpenClaw (Mar 20) |
| Tactic | GitHub mass-mention in Discussions | All campaigns |
| Target | Users with crypto-related GitHub activity | All campaigns |
Detection rules:
```yaml
title: Lazarus Operation Dream Job - GitHub Mention
logsource:
  product: github
  service: audit
detection:
  selection:
    action: discussion.comment.created
    body|contains:
      - 'share.google'
      - 'up to $450k'
      - 'Smart Contract'
      - 'fully online'
  condition: selection
falsepositives:
  - Legitimate recruitment (rare with these phrases)
level: high
```
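As an added example (not part of the original post or any project's code), here is a Python equivalent of the Sigma rule above run over constructed GitHub audit-log events, alongside a tuned variant that requires the share.google redirector plus a second lure phrase or a mass @mention (the tactic listed in the IoC table) so that a benign "Smart Contract" comment no longer fires. The event shape (dicts with `action` and `body`) and the sample events are assumptions.

```python
import re

# Lure phrases from the Sigma rule above; its body|contains list means "match ANY".
LURE_PHRASES = ("share.google", "up to $450k", "Smart Contract", "fully online")
# GitHub handle after '@': alphanumerics and hyphens, up to 39 chars.
# The lookbehind skips e-mail addresses such as abuse@github.com.
MENTION_RE = re.compile(r"(?<!\w)@([A-Za-z0-9][A-Za-z0-9-]{0,38})")

def rule_matches(event):
    """Literal semantics of the Sigma rule: right action AND any lure phrase in the body."""
    return (event.get("action") == "discussion.comment.created"
            and any(p in event.get("body", "") for p in LURE_PHRASES))

def triage(event, min_mentions=10):
    """Tuned variant: require the share.google redirector plus either a second lure
    phrase or a mass @mention, so a benign 'Smart Contract' comment no longer fires."""
    if event.get("action") != "discussion.comment.created":
        return None  # not a Discussions comment; out of scope for this rule
    body = event.get("body", "")
    hits = [p for p in LURE_PHRASES if p.lower() in body.lower()]
    mentions = len(set(MENTION_RE.findall(body)))
    suspicious = "share.google" in hits and (len(hits) >= 2 or mentions >= min_mentions)
    return {"hits": hits, "mentions": mentions, "suspicious": suspicious}

# Constructed sample events, not real audit-log records. The first reuses phrases
# from the April 8 lure; the share.google path in the third is a placeholder.
SAMPLE_EVENTS = [
    {"action": "discussion.comment.created",
     "body": "Every roles are fully online. Engineering: Senior BE, FE, Smart Contract, "
             "Infra, up to $450k. Fill out this form here: https://share.google/GVTYMEMANZWqTptr2 "
             "Matched users " + " ".join(f"@dev-{i}" for i in range(12))},
    {"action": "discussion.comment.created",
     "body": "Smart Contract tests pass now, thanks @maintainer for the review."},
    {"action": "issue.comment.created",
     "body": "Docs link: https://share.google/PLACEHOLDER-PATH"},
]

def flagged_indexes(events=SAMPLE_EVENTS):
    """Positions of the events the tuned variant flags as suspicious."""
    return [i for i, e in enumerate(events) if (triage(e) or {}).get("suspicious")]

if __name__ == "__main__":
    for i, e in enumerate(SAMPLE_EVENTS):
        print(i, "sigma:", rule_matches(e), "tuned:", triage(e))
    print("flagged:", flagged_indexes())
```

Under the literal rule the benign review comment is a hit because of "Smart Contract" alone; the tuned variant flags only the lure.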
For Organizations
Supply chain protection:
• Vet remote hires: Lazarus has successfully infiltrated companies as full-time remote developers using stolen identities
• Code review mandates: Ensure all external code contributions undergo human review before CI/CD execution
• Camera access policies: Block requests for "video interview software" installations that require terminal commands (ClickFix indicator)
Conclusion
The 19-day progression from fake airdrops to fake CVEs to fake job offers reveals a mature, adaptive threat actor conducting real-time psychological optimization. By targeting the same GitHub users with different emotional triggers, Lazarus Group is identifying which vectors generate the highest click-through rates for subsequent large-scale deployment.
This is not opportunistic cybercrime; this is state-sponsored A/B testing on the developer community. The overlap in target lists (@toxy4ny and others) provides rare forensic confirmation of persistent, actor-level campaign coordination rather than isolated incidents.
For developers in the crosshairs—particularly those working with AI/ML, security research, or blockchain technologies—air-gapped architectures provide the only guaranteed defense against persistent APT targeting. The cost of hardware isolation is negligible compared to the potential impact of supply chain compromise or research exfiltration.
The golden rule for 2026: If you receive an unsolicited GitHub mention containing a Google link and financial incentives (whether tokens, security patches, or job offers), it is Lazarus Group. Full stop.
Report to abuse@github.com and forward headers to your national CERT.
Timeline and Campaign Correlation
| Date | Campaign | IoC | Status |
|---|---|---|---|
| 2026-03-20 | OpenClaw Airdrop | token-claw.xyz | Domain sinkholed |
| 2026-03-27 | VS Code CVE | CVE-2026-40271-64398 (fake) | Not in MITRE DB[^2] |
| 2026-04-08 | Uniswap Dream Job | share.google/GVTYMEMANZWqTptr2 | Active |
References
- CVE MITRE. CVE Database Search. https://cve.mitre.org/cve/
- GitHub Community. "Is there a possibility of receiving scam emails from entities on GitHub?" Discussion #191541, April 4, 2026. https://github.com/orgs/community/discussions/191541
- Barracuda Blog. "Lazarus Group: A criminal syndicate with a flag." September 23, 2025. https://blog.barracuda.com/2025/09/23/lazarus-group--a-criminal-syndicate-with-a-flag
- The Hacker News. "Lazarus Group Targets Job Seekers With ClickFix Tactic to Deploy GolangGhost Malware." April 3, 2025. https://thehackernews.com/2025/04/lazarus-group-targets-job-seekers-with.html
- Security Affairs. "Lazarus targets European defense firms in UAV-themed Operation DreamJob." October 23, 2025. https://securityaffairs.com/183783/apt/lazarus-targets-european-defense-firms-in-uav-themed-operation-dreamjob.html
- Enki White Hat. "An attacker, disguised as a job seeker, distributing malware on GitHub." June 4, 2025. https://www.enki.co.kr/en/media-center/blog/an-attacker-disguised-as-a-job-seeker-distributing-malware-on-github
- Sekoia.io. "From Contagious to ClickFake Interview: Lazarus leveraging the ClickFix tactic." March 31, 2025. https://blog.sekoia.io/clickfake-interview-campaign-by-lazarus/
- Wiz.io. "TraderTraitor: Deep Dive." July 28, 2025. https://www.wiz.io/blog/north-korean-tradertraitor-crypto-heist
- Decrypt. "North Korea Targets Crypto Professionals With New Malware in Hiring Scams." June 19, 2025. https://decrypt.co/326187/new-malware-crypto-job-scams-north-korea
- SentinelOne. "Contagious Interview | North Korean Threat Actors Reveal Plans and Ops." September 4, 2025. https://www.sentinelone.com/labs/contagious-interview-threat-actors-scout-cyber-intel-platforms-reveal-plans-and-ops/
- SecurityScorecard. "Operation 99: North Korea's Cyber Assault on Software Developers." January 15, 2025. https://securityscorecard.com/blog/operation-99-north-koreas-cyber-assault-on-software-developers/
This is Part 3 in a series documenting Lazarus Group's GitHub targeting campaigns. For Part 1 (OpenClaw analysis) and Part 2 (VS Code CVE), see previous articles.
Stay vigilant. Verify through independent channels. Trust no unsolicited GitHub mentions. Air-gap your research.