Lazarus Group used fake recruiter outreach on LinkedIn and other job platforms to lure developers into running malicious coding-assessment projects. The infection chain hid an obfuscated JavaScript loader and infostealer inside repositories copied from public code, then downloaded self-unpacking Python scripts and a later binary payload. The final stages expanded credential and data theft and communicated with command-and-control infrastructure through Tor, while public services such as Pastebin were used during the chain. The campaign matters because it turns routine developer hiring workflows into an execution path for malware, making social-engineering controls and code-review hygiene critical for organizations.