Article 7661Y Norks blast 250+ fake job offers to developers over 6 weeks to try and snarf creds and crypto

from www.theregister.com - Articles on (#7661Y)
There's another likely North Korean-linked scam hitting developers and their employers, while snarfing up credentials and cryptocurrency - and this one doesn't even involve embedding IT workers at high-profile tech giants.

A previously unseen phishing crew, suspected to have DPRK ties, sent more than 250 emails to people working in almost 100 organizations, mostly based in the US, over six weeks in April and May. According to security sleuths, it is yet another digital-heist attempt designed to steal cryptocurrency wallets and developers' credentials.

Proofpoint threat researchers spotted this campaign and tracked the digital thievery as UNK_DeadDrop. Like earlier phishing expeditions from the Norks, including the Contagious Interview campaign, this one uses developer recruitment or code review lures to target victims, primarily in technology, education, business services, and financial services, and ultimately steal credentials and cryptocurrency.

In another common tactic seen with DPRK-linked credential-stealing activities, the lures attempt to send victims to attacker-controlled GitHub repositories hosting malicious scripts that execute cross-platform malware across macOS, Linux, and Windows machines.

"However, there are several differences between the activity sets, such as the shift in social engineering from arranging fake interviews to unsolicited job offer or code review approaches as well as the move from delivery platforms such as LinkedIn to email," researchers Saher Naumaan and Carlos Rubio said in a Monday blog, citing other differences between UNK_DeadDrop and Contagious Interview.

"Based on the use of email for initial access, the high volume of emails, industrialization and scale of repository creation, a new self-contained payload, and distinct infrastructure from previous Proofpoint observations of Contagious Interview campaigns, Proofpoint Threat Research continues to track UNK_DeadDrop activity as an independent cluster," the researchers wrote.

Full-stack engineer wanted

The attacks begin with an email that looks like it originated from a real company, with job offers for developer roles including "Full-Stack Engineer" or "Agent Lead Developer" positions. Proofpoint caught the crooks spoofing a handful of companies to send these emails from attacker-owned sender domains including:

Ondo Finance: a decentralized finance (DeFi) platform
Empower Pharmacy: a pharmaceutical company
NXLog: a log collection and centralization tool
OnePlan: a strategic portfolio and work management platform
Hypen Connect: a Web3 and AI Talent Agency
Valon: a mortgage service provider
Nourish: a telehealth company

The emails contain links to GitHub repos disguised as coding assignments or cryptocurrency-related projects - part of the phony job application process. All of the emails instructed the target to clone the repository and open it in a code editor like VS Code or Cursor.

Proofpoint's report lists all 10 repositories, all focused on four themes - cryptocurrency platforms, exploit archives, Foundry testing, and AI payments - and all hosted by different GitHub accounts, so be sure to check out the vendor's list.

In May, the attackers switched tactics and began sending victims requests for peer reviews on open-source projects, with a potential job offer based on the fixes. These emails purported to come from cryptocurrency trading or prediction companies, including Pulsynk and Trixauvex.

Another UNK_DeadDrop campaign in late May targeted finance and technology companies, requesting recipients to test an ERC-4626 vault in Foundry, a toolkit for Ethereum and smart contract development.

In all of these instances, when the victim opens what they believe to be a legit repository folder in an integrated development environment, a pre-configured task silently executes and triggers a platform-specific loader that decodes embedded payloads on whatever system the developer uses, working across Linux, macOS, and Windows machines.

The loader installs a malicious VS Code extension (VSIX) masquerading as a legitimate Google service. Every time the user opens the code editor on macOS or Linux, the VSIX extension activates, and relaunches the infection-chain if it's not already running. The persistence mechanism doesn't work on Windows machines, however.

After installing VSIX, the infection chain looks different, depending on what platform the target uses. The Linux and macOS attacks use a native Go binary that connects to the command-and-control (C2) infrastructure as a persistent remote access trojan (RAT). The Windows chain, however, runs a Node.js pipeline inside the editor's Electron process. Both use the same C2 infrastructure and exfiltration endpoints.

Linux, macOS backdoors

The Linux and macOS binaries are based on the open-source Overlord C2 framework - this is a legitimate red-team tool that automates covert infrastructure setup and management, and orchestrates post-exploitation activities. This, of course, also makes it a very handy tool for attackers.

For this campaign, the North Koreans added three custom modules: browserlogin (Chrome and Firefox credential theft), companywallet (crypto-wallet stealer and exfiltration), and cleanup (anti-forensic removal of workspace artifacts).

On macOS, Overlord first collects wallet extension data, browser profile artifacts, and standalone wallet directories, compressing them into a ZIP and uploading them to the C2 server. Five minutes later, the malware moves on to credential theft, using a second embedded Mach-O binary that displays a fake system dialogue and prompts the user to enter their password.

The Overlord process validates the credentials, and assuming they are legit, the malware modifies keychain access-control lists across Chrome, Brave, Edge, Opera, Vivaldi, Arc, Yandex, and other Chromium-based web browsers, before extracting Safe Storage keys and sending all of the stolen goods - collected credentials, Safe Storage keys, and keychain data - to the attacker-controlled server. The backdoor also re-launches itself as root, using the stolen password.

The Linux malware follows a similar pattern, first scooping up wallet-related data and sending that via ZIP to the C2 server before moving on to credential theft. It, however, uses Zenity, a standard GTK dialog tool, to create a prompt and collect victim credentials. This backdoor attempts to steal passwords from GNOME Keyring by spawning Python 3 processes for each browser, and ultimately re-launches itself as root using a swiped password.

Windows attacks

Windows attacks run entirely as JavaScript inside the editor's Electron process, which appears as Code.exe in Task Manager. The malware first steals wallet info, targeting 35 wallet extension IDs (MetaMask, Phantom, Rabby, Keplr, and others), 18 standalone wallet applications (Exodus, Electrum, Ledger Live, Monero, Solana CLI, Bitcoin, and others), and Firefox profiles.

Next, it installs Python and executes a stealer (detect_malware.py) for each browser profile that collects a ton of credentials across Chromium and Firefox browsers, steals cookies from Chrome/Edge/Brave and uses COM Elevation Moniker to access credentials across these browsers protected by App-Bound Encryption.

It also attempts to read locked databases using five cascade methods, and ultimately uploads all the secrets to the same endpoint before terminating.

"UNK_DeadDrop activity suggests North Korea-aligned operations targeting developers for financial gain are maturing and evolving," Naumaan and Rubio wrote. "The shift from active social engineering over social media platforms to conduct fake interviews to large campaigns of recruitment-themed phishing emails distributing links to malicious repositories could indicate an actor industrializing and scaling operations."
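
The pre-configured task that fires when the folder is opened can be looked for before a cloned repository ever reaches the editor. The following is an added example, not code from Proofpoint or The Register: it assumes the task is a VS Code workspace task declared in .vscode/tasks.json with runOptions.runOn set to folderOpen (the article does not name the file), and the function names and the sample file are constructed for illustration.

```python
import json, re, tempfile
from pathlib import Path

_STR = r'"(?:\\.|[^"\\])*"'  # a JSON string literal, so comment markers inside strings survive
_COMMENT = re.compile(rf'({_STR})|//[^\n]*|/\*.*?\*/', re.S)
_TRAILING = re.compile(rf'({_STR})|,(?=\s*[}}\]])')

def load_jsonc(text):
    """Parse VS Code's JSON-with-comments: drop comments, then trailing commas."""
    keep = lambda m: m.group(1) or ""
    return json.loads(_TRAILING.sub(keep, _COMMENT.sub(keep, text)))

def autorun_tasks(repo):
    """Return (file, label, commands) per folder-open task, including per-OS command overrides."""
    hits = []
    for path in sorted(p for p in Path(repo).rglob("tasks.json") if p.parent.name == ".vscode"):
        rel = path.relative_to(repo).as_posix()
        try:
            doc = load_jsonc(path.read_text(encoding="utf-8", errors="replace"))
        except ValueError:
            hits.append((rel, "<unparseable, review by hand>", []))
            continue
        for task in (doc.get("tasks") or [] if isinstance(doc, dict) else []):
            opts = task.get("runOptions") if isinstance(task, dict) else None
            if not isinstance(opts, dict) or opts.get("runOn") != "folderOpen":
                continue
            variants = [task] + [task[k] for k in ("windows", "linux", "osx") if isinstance(task.get(k), dict)]
            cmds = [str(v["command"]) for v in variants if "command" in v]
            hits.append((rel, task.get("label", "<unlabelled>"), cmds))
    return hits

# Constructed sample: a harmless stand-in for a repository that ships an auto-run task.
SAMPLE = """{
  // constructed example, not taken from the campaign
  "tasks": [
    {"label": "build", "type": "shell", "command": "make"},
    {"label": "env-check", "type": "shell", "command": "echo generic", "runOptions": {"runOn": "folderOpen"},
     "linux": {"command": "echo linux"}, "windows": {"command": "echo windows"},},
  ],
}"""

def demo():
    with tempfile.TemporaryDirectory() as repo:
        vscode = Path(repo, "project", ".vscode")
        vscode.mkdir(parents=True)
        (vscode / "tasks.json").write_text(SAMPLE, encoding="utf-8")
        return autorun_tasks(repo)

if __name__ == "__main__":
    print(demo())
```

Opening an unfamiliar clone in VS Code's Restricted Mode (Workspace Trust) also keeps workspace tasks from running.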