Researchers are warning that Lazarus has expanded its campaign using fake jobs with cryptocurrency exchanges to trick macOS users into downloading malware.

Just last month, researchers observed Lazarus using Coinbase job openings to trick macOS users into downloading malware. Now, SentinelOne says the same threat group has expanded its phishing campaign to include fraud job postings at another cryptocurrency exchange, Crypto.com.

According to the SentinelOne report on the new crypto job lure, the additional victims were initially contacted by Lazarus through LinkedIn messaging.

Lazarus is an advanced persistent threat (APT) group with ties to the North Korean state. SentinelOne pointed out that the attack group has been targeting cryptocurrency exchanges since 2018, and has specifically used fake cryptocurrency exchange jobs as lures since 2020.

"The Lazarus (aka Nukesped) threat actor continues to target individuals involved in cryptocurrency exchanges," the SentinelOne researchers wrote. "This has been a long-running theme going as far back as the AppleJeus campaigns that began in 2018."