Hacker groups from Iran and the DPRK are believed to be behind a recent spate of job-offer hacking attempts, according to two new reports from Mandiant and Secureworks.

The hacking attempts, both reported on March 9, appear to be aimed either at dissidents and their allies, in the case of the suspected Iran attacks, or at general espionage, in the case of the suspected DPRK attacks.

Suspected Iran attack. A threat actor or actors posing as an Atlantic Council worker named Sara Shokouhi targeted Middle East analysts in late February, asking them to help with a report. No one named Shokouhi appears to work with the Council, however, and the photos used in the profile belong to a tarot reader based in Russia.

Analysts from Secureworks believe the Shokouhi account is part of the Iranian threat group COBALT ILLUSION. The group’s tactics include using messaging platforms and sending links and documents to build trust before sending malicious phishing code that allows them to access email, social media, and other online systems.

Suspected DPRK attacks. Unlike the suspected COBALT ILLUSION attacks, which target dissidents and political enemies, attacks from the DPRK-based UNC2970 group have recently targeted media organizations in the US and Europe and at least one US-based technology company.

According to Mandiant researchers, the attackers used LinkedIn to establish contact with prospective job-seekers. Once they made contact, threat actors sent job postings embedded with malicious code.