20-Linux.pdf (1 MB)

Lazarus Operation DreamJob activity used a fake HSBC job-offer lure to deliver a native 64-bit Linux ELF downloader, expanding the campaign beyond earlier Windows and macOS targeting. The infection chain starts with a ZIP containing a deceptive file name that appears to be a PDF, opens a decoy document with the system PDF viewer, and uses OdicLoader to fetch the SimplexTea Linux backdoor from OpenDrive. Persistence is established by modifying ~/.bash_profile so the downloaded backdoor runs with Bash while suppressing output. The excerpt links SimplexTea to Lazarus tooling similarities and notes that the Linux payload strengthens the case connecting Lazarus to the 3CX supply-chain compromise, where trojanized Windows and macOS 3CX applications enabled arbitrary payload delivery.