Lazarus uses deepfake job interviews on LinkedIn to target executives
Advanced Threats · 2026-05-08 · 6 min read


Tags: Lazarus, Deepfake, LinkedIn, Social Engineering, Red Team, APT, Threat Intelligence, Malware, Cybersecurity

Deepfakes are no longer theoretical threats

Chris Papathanasiou, CEO of AllSecure, received what appeared to be a legitimate LinkedIn recruiting contact. The profile looked credible, with professional history, real connections and an attractive executive opportunity.

The interaction evolved into a remote interview. During the call, both audio and video were generated in real time using AI-powered deepfake technology.

The objective was not simply to impersonate recruiters. The operation aimed to establish trust and eventually compromise corporate assets.

The attack failed because the CEO identified subtle inconsistencies during the conversation, including delayed responses, artificial facial behavior and vague answers.

The incident highlights a growing reality many organizations still underestimate: AI-assisted social engineering campaigns are already being used against executives, finance teams and privileged users.

How Lazarus operationalizes this type of attack

The Lazarus group, linked to North Korea's Reconnaissance General Bureau, has a long history of advanced offensive operations. The group has been associated with campaigns such as the Sony Pictures breach in 2014, WannaCry in 2017 and multiple cryptocurrency theft operations.

Over the past few years, Lazarus evolved from malware-centric operations into hybrid campaigns combining custom malware with advanced social engineering.

Instead of relying exclusively on technical exploitation, operators increasingly abuse professional trust, recruiting processes and executive public exposure.

In the AllSecure incident, the attack followed a common modern intrusion workflow:

OSINT collection on LinkedIn and social media
        ↓
Synthetic identity creation
        ↓
Targeted recruiter outreach
        ↓
Real-time deepfake video interview
        ↓
Malicious link or file delivery
        ↓
Credential theft and malware deployment

The deepfake itself was not the final objective. It served as a trust acceleration mechanism to facilitate malware execution, MFA bypass, credential theft or persistent remote access.

The technology behind the deepfake

The attackers leveraged facial synthesis and voice cloning models trained using publicly available media. Interviews, podcasts, conference recordings and social media content provide enough material to create highly convincing impersonations.

Today, these capabilities are no longer restricted to state-grade infrastructure. Underground forums and Telegram channels already offer accessible tooling capable of:

  • Voice cloning from short audio samples
  • Real-time lip synchronization
  • Dynamic facial rendering during calls
  • Webcam simulation
  • Live expression manipulation

More mature operations also register domains resembling legitimate video conferencing platforms to host payloads, credential harvesting kits and reverse proxy infrastructure.

In many cases, the video call itself is only an intermediate step before deploying malware families such as LightlessCan, AppleJeus or HTTP(S)-based backdoors linked to Lazarus campaigns.

Why this attack would work in many organizations

Most security awareness programs are still focused on traditional email phishing.

The problem is that modern attacks increasingly abuse platforms users already trust:

  • LinkedIn
  • Zoom
  • Google Meet
  • Microsoft Teams
  • Corporate messaging platforms

Executives routinely participate in remote interviews, investor calls and networking conversations. That naturally lowers suspicion levels.

During Red Team operations, Antisec frequently identifies scenarios where:

  • Fake recruiter profiles engage executives within hours
  • External meeting invitations bypass validation workflows
  • Security teams overtrust legitimate collaboration platforms
  • Files shared during calls evade inspection
  • Corporate credentials are reused outside controlled environments

When combined with generative AI, this approach dramatically reduces operational costs for attackers.

Indicators that exposed the deepfake

The CEO identified subtle behavioral anomalies that are often ignored during fast-paced virtual meetings:

  • Artificial pauses before answering
  • Unnatural facial movement
  • Irregular blinking patterns
  • Imperfect lip synchronization
  • Weak technical contextualization
  • Minor lighting inconsistencies

This is relevant because traditional defensive controls such as EDR, CASB or email security platforms are not designed to detect manipulated human interaction during live video calls.

The human factor remains one of the last effective defensive barriers against these operations.

The real issue is not the deepfake itself

The most common mistake when analyzing this case is focusing exclusively on AI.

The operational risk comes from the combination of:

  • Aggressive OSINT collection
  • Contextual social engineering
  • Abuse of legitimate platforms
  • Custom malware
  • Corporate trust exploitation
  • Low-noise execution

This model allows APT groups to reduce reliance on sophisticated technical exploitation.

In practice, convincing a user to execute a payload is still cheaper than burning a zero-day vulnerability.

How organizations can reduce exposure

No isolated security control can fully stop this type of operation.

Reducing exposure requires a combination of operational validation, offensive simulations and detection maturity.

Effective defensive measures include:

  • Independent verification of recruiters and vendors
  • Strict execution controls for external binaries
  • Advanced social engineering awareness training
  • Video conference phishing simulations
  • Threat Hunting for anomalous remote access
  • Executive endpoint hardening
  • Typosquatting domain monitoring
  • Review of executive public exposure
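
As an added defender-side example (not code from the original post or from Antisec), the following Python triages hostnames found in meeting invitations or proxy logs and flags those imitating a legitimate video-conferencing or recruiting platform; it covers both the lookalike-domain infrastructure described earlier and the typosquatting monitoring item above. The allow-list, brand tokens, homoglyph table and sample hosts are assumptions.

```python
"""Lookalike-domain triage for video-conferencing and recruiting platforms.

Constructed example: flag hosts that imitate a legitimate platform through a
spelling edit or homoglyph swap of the registrable domain, or by using the
brand as a subdomain or hyphenated token of an unrelated domain.
"""

# Assumption: the organisation maintains this allow-list of registrable
# domains for the platforms named in the article.
LEGIT_DOMAINS = {"zoom.us", "google.com", "microsoft.com", "linkedin.com"}
BRAND_TOKENS = {"zoom", "meet", "teams", "microsoft", "linkedin"}

# Single-character look-alikes commonly used in typosquats.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Last two labels of the host (assumption: no multi-part suffixes like co.uk)."""
    return ".".join(host.split(".")[-2:])


def classify_domain(host: str) -> str:
    """Return 'legitimate', 'lookalike' or 'unrelated' for one hostname."""
    host = host.lower().rstrip(".")
    labels = host.split(".")
    if len(labels) < 2:
        return "unrelated"
    if registrable(host) in LEGIT_DOMAINS:
        return "legitimate"
    # Undo common homoglyph tricks ('rn' for 'm', digits for letters), then
    # compare the registrable domain with each platform; one edit is enough.
    norm = registrable(host.replace("rn", "m").translate(HOMOGLYPHS))
    if any(levenshtein(norm, legit) <= 1 for legit in LEGIT_DOMAINS):
        return "lookalike"
    # Brand used as a subdomain (zoom.us.example.net) or as a hyphenated
    # token of another domain (teams-microsoft-login.net).
    tokens = set(labels[:-2]) | set(labels[-2].split("-"))
    return "lookalike" if tokens & BRAND_TOKENS else "unrelated"


def triage(hosts):
    """Map each observed host to its verdict; a SOC would alert on 'lookalike'."""
    return {h: classify_domain(h) for h in hosts}
```

Concatenated brand forms such as zoomlogin.com need a richer tokenizer than the hyphen split used here, and the allow-list must include every legitimate subdomain owner, otherwise a real platform host will be reported as a lookalike.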

Traditional phishing simulations alone are no longer sufficient to measure resilience.

Organizations that do not test modern executive-targeted attack paths likely have significant blind spots.

What this incident means for CISOs

The AllSecure incident demonstrates how social engineering has evolved into multimodal operations involving AI-generated voice, video, malware and live human interaction.

This directly changes the modern corporate attack surface.

Today, a highly visible executive can become the initial intrusion vector without attackers ever exploiting a traditional vulnerability.

The core issue is not only Lazarus capabilities. It is the number of organizations still validating trust based solely on appearance, context and familiar platforms.

Antisec performs advanced social engineering simulations, Red Team operations and offensive assessments focused on real-world attack scenarios used by modern APT groups. The objective is not limited to validating defensive technologies, but understanding how organizations respond under realistic offensive pressure.
