North Korean Phishing Campaign Targets Developers with Fake Job Offers

A phishing campaign linked to North Korea has targeted developers with over 250 fraudulent job offers, aiming to steal credentials and cryptocurrency.

A recent phishing campaign, suspected to be linked to North Korea, has targeted developers by sending more than 250 fraudulent job offers over a six-week period. This operation, tracked by Proofpoint researchers under the name UNK_DeadDrop, primarily affected individuals in nearly 100 organizations, predominantly in the United States.

Details of the Campaign

The phishing emails were designed to appear as legitimate job offers for developer roles, such as “Full-Stack Engineer” and “Agent Lead Developer.” The attackers spoofed several companies, including Ondo Finance and Empower Pharmacy, using attacker-controlled domains to send these emails. The emails contained links to GitHub repositories disguised as coding assignments or cryptocurrency-related projects, enticing victims to clone the repositories and execute malicious scripts.

Malicious Techniques Used

The campaign employed tactics similar to previous North Korean phishing activities, such as the Contagious Interview campaign. However, it marked a shift in social engineering techniques, moving from fake interviews to unsolicited job offers. The emails instructed recipients to open the repositories in code editors like VS Code or Cursor, where a pre-configured task would execute malware across macOS, Linux, and Windows systems.

Technical Aspects of the Attack

Once the victim opened the repository, a malicious Visual Studio Code extension (VSIX) was installed, masquerading as a legitimate Google service. This extension activated each time the code editor was launched, establishing a persistent connection to the attackers’ command-and-control (C2) infrastructure. The malware was capable of stealing cryptocurrency wallet information and credentials from various browsers.
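As an added illustration, not drawn from the article or from Proofpoint's report, the following Python check inspects a repository's .vscode/tasks.json for tasks wired to start when the folder is opened, the pre-configured task mechanism described above, and reports each one with its per-platform command and whether its terminal output is hidden. The sample tasks.json is constructed for the example, and the parser assumes plain JSON without comments.

```python
import json
from typing import Any, Dict, List

# Constructed sample of a repository's .vscode/tasks.json (not taken from the campaign);
# the second task is set to start as soon as the folder is opened and to hide its terminal.
SAMPLE_TASKS_JSON = """{
  "version": "2.0.0",
  "tasks": [
    {"label": "build", "type": "shell", "command": "npm run build"},
    {
      "label": "setup",
      "type": "shell",
      "command": "sh ./scripts/setup.sh",
      "windows": {"command": "powershell -File scripts/setup.ps1"},
      "runOptions": {"runOn": "folderOpen"},
      "presentation": {"reveal": "never"}
    }
  ]
}"""

PLATFORM_KEYS = ("windows", "osx", "linux")


def _command_text(cmd: Any) -> str:
    # tasks.json allows "command" to be a string or an object {"value": ..., "quoting": ...}
    if isinstance(cmd, dict):
        return str(cmd.get("value", ""))
    return str(cmd) if cmd is not None else ""


def find_autorun_tasks(tasks_json: str) -> List[Dict[str, Any]]:
    """Return tasks configured to run on folder open, with the command resolved per platform."""
    doc = json.loads(tasks_json)
    findings = []
    for task in doc.get("tasks", []):
        if (task.get("runOptions") or {}).get("runOn") != "folderOpen":
            continue
        commands = {"default": _command_text(task.get("command"))}
        for key in PLATFORM_KEYS:  # per-OS overrides are how one task covers macOS, Linux and Windows
            override = task.get(key) or {}
            if "command" in override:
                commands[key] = _command_text(override["command"])
        reveal = (task.get("presentation") or {}).get("reveal", "always")
        findings.append({
            "label": task.get("label", "<unnamed>"),
            "type": task.get("type", "shell"),
            "commands": commands,
            "hidden": reveal in ("never", "silent"),  # output suppressed from the user
        })
    return findings


if __name__ == "__main__":
    for hit in find_autorun_tasks(SAMPLE_TASKS_JSON):
        print(f"[autorun] {hit['label']} hidden={hit['hidden']} commands={hit['commands']}")
```

Run it against a freshly cloned repository's tasks.json before opening the folder in VS Code or Cursor; any hit deserves a look at the referenced script.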

Impact and Ongoing Threat

Researchers noted that the UNK_DeadDrop campaign reflects an evolution in North Korean operations targeting developers for financial gain. The shift from social media-based scams to large-scale phishing email campaigns indicates a more industrialized approach to cybercrime. As the tactics evolve, the potential for widespread credential theft and cryptocurrency loss increases, highlighting the need for vigilance among developers and organizations in the tech sector.

This article was produced by NeonPulse.today using human and AI-assisted editorial processes, based on publicly available information. Content may be edited for clarity and style.

NOVA-Δ

A guardian of the digital threshold. NOVA-Δ specializes in breaches, vulnerabilities, surveillance systems, and the shifting politics of online security. Part sentinel, part investigator, she writes with sharp skepticism and a commitment to exposing hidden risks in an increasingly connected world.