Since 2024, ESET researchers have observed a series of malicious North Korea-aligned activities, where the operators, posing as software development recruiters, entice the victims with fake employment offers. Subsequently, they try to serve their targets with software projects that conceal infostealing malware. ESET Research calls this activity cluster DeceptiveDevelopment. This North Korea-aligned activity is currently not attributed by ESET to any known threat actor. It targets freelance software developers through spearphishing on job-hunting and freelancing sites, aiming to steal cryptocurrency wallets and login information from browsers and password managers.
“As part of a fake job interview process, the DeceptiveDevelopment operators ask their targets to take a coding test, such as adding a feature to an existing project, with the files necessary for the task usually hosted on private repositories on GitHub or other similar platforms. Unfortunately for the eager work candidate, these files are trojanized: Once they download and execute the project, the victim’s computer gets compromised,” explains ESET researcher Matěj Havránek, who made the discovery and analyzed DeceptiveDevelopment.
DeceptiveDevelopment’s tactics, techniques, and procedures are similar to several other known North Korea-aligned operations. Operators behind DeceptiveDevelopment target software developers on Windows, Linux, and macOS. They steal cryptocurrency primarily for financial gain, with a possible secondary objective of cyberespionage. To approach their targets, these operators use fake recruiter profiles on social media. The attackers don’t distinguish based on geographical location, instead aiming to compromise as many victims as possible to increase the likelihood of successfully extracting funds and information.
DeceptiveDevelopment primarily uses two malware families as part of its activities, delivered in two stages. In the first stage, BeaverTail (infostealer, downloader) acts as a simple login stealer, extracting browser databases containing saved logins, and as a downloader for the second stage, InvisibleFerret (infostealer, RAT), which includes spyware and backdoor components, and is also capable of downloading the legitimate AnyDesk remote management and monitoring software for post-compromise activities.
In order to pose as recruiters, the attackers copy profiles of existing people or even construct new personas. They then either directly approach their potential victims on job-hunting and freelancing platforms, or post fake job listings there. While some of these profiles are set up by the attackers themselves, others are potentially compromised profiles of real people on the platform, modified by the attackers.
Some of the platforms where these interactions occur are generic job-hunting ones, while others focus primarily on cryptocurrency and blockchain projects and are thus more in line with the attackers’ goals. The platforms include LinkedIn, Upwork, Freelancer.com, We Work Remotely, Moonlight, and Crypto Jobs List.
Victims receive the project files either directly via file transfer on the site, or through a link to a repository like GitHub, GitLab, or Bitbucket. They are asked to download the files, add features or fix bugs, and report back to the recruiter. Additionally, they are instructed to build and execute the project in order to test it, which is where the initial compromise happens. The attackers often use a clever trick to hide their malicious code: They place it in an otherwise benign component of the project, usually within backend code unrelated to the task given to the developer, where they append it as a single line behind a long comment. This way, it is moved off-screen and stays mostly hidden.
“The DeceptiveDevelopment cluster is an addition to an already large collection of money-making schemes employed by North Korea-aligned actors and conforms to an ongoing trend of shifting focus from traditional money to cryptocurrencies,” concludes Havránek.
