Eleven Hours: Inside the Lazarus Operator’s Disk After the Fake Interview Campaign

the FTP Server: How One Boring Label Hid a Second Layer of the Campaign

Episode 05 focuses on how infrastructure can be misclassified during an active investigation. The server discussed here was initially understood through its FTP exfiltration role. Later evidence tied the same host to additional campaign-linked services, including OtterCookie-related collection behavior.

Eleven Hours: Inside the Lazarus Operator’s Disk After the Fake Interview Campaign

A live adversary server. Two password changes. Eleven hours. Episode 04 follows the forensic window where researchers preserved a contested Windows machine used in a Lazarus-attributed fake-interview campaign, uncovering the operator workbench behind the lures: campaign archives, fake-company material, targeting pipelines, wallet artifacts, browser traces, and signs of AI-assisted workflow.

The Factory: How a Lazarus-Attributed Credential Pipeline Collected Its Own Operators

Episode 3 focuses on the operator side of the campaign: - why the collection pipeline did not distinguish between targets and operators; - how operator workstations appeared in material collected by the campaign; - how those workstations exposed social-engineering workflow, persona infrastructure, testing behavior, provisioning activity, and command structure; - why OtterCookie should be understood as a post-access occupation tool; - what defenders can learn from the factory model without needing access to sensitive data.

Trailer: The Fake Interview

A fake coding interview. A malicious repository. A real developer workstation. The Fake Interview is a Red Asgard narrative investigation into a DPRK-linked, Lazarus-attributed campaign targeting developers, Web3 engineers, and freelance technologists through job offers, coding tests, and trust. Start with Episode 1: Real Blood on the Wire.

The Repository That Called Home: Lazarus, Fake Interviews, and Malicious Code

Episode 2 of The Fake Interview follows the first repository: a fake software project delivered through a job interview that behaved like real work until the moment it called home. We examine how a malicious coding test abused normal developer behavior: opening a project, trusting a workspace, installing dependencies, running local code, and debugging what looked like a broken app. This episode covers: - DPRK-linked fake interview activity - malicious GitHub / contractor repositories - VSCode and Cursor workspace trust abuse - run-on-folder-open execution - Function.constructor abuse in JavaScript - Vercel-hosted stage-one infrastructure - payload delivery and command-and-control routing - why developer machines are high-value targets Companion notes: https://podcast.redasgard.com/pages/companion-technical-notes-episode-02-the-repository-that-called-home