There's another likely North Korean-linked scam hitting developers and their employers, while snarfing up credentials and cryptocurrency - and this one doesn't even involve embedding IT workers at high-profile tech giants.A previously unseen phishing crew, suspected to have DPRK ties, sent more than 250 emails to people working in almost 100 organizations, mostly based in the US, over six weeks in April and May. According to security sleuths, it is yet another digital-heist attempt designed to steal cryptocurrency wallets and developers’ credentials.Proofpoint threat researchers spotted this campaign and tracked the digital thievery as UNK_DeadDrop.
Like earlier phishing expeditions from the Norks, including the Contagious Interview campaign, this one uses developer recruitment or code review lures to target victims, primarily in technology, education, business services, and financial services, and ultimately steal credentials and cryptocurrency.
In another common tactic seen with DPRK-linked credential-stealing activities, the lures attempt to send victims to attacker-controlled GitHub repositories hosting malicious scripts that execute cross-platform malware across macOS, Linux, and Windows machines.“However, there are several differences between the activity sets, such as the shift in social engineering from arranging fake interviews to unsolicited job offer or code review approaches as well as the move from delivery platforms such as LinkedIn to email,” researchers Saher Naumaan and Carlos Rubio said in a Monday blog, citing other differences between UNK_DeadDrop and Contagious Interview. “Based on the use of email for initial access, the high volume of emails, industrialization and scale of repository creation, a new self-contained payload, and distinct infrastructure from previous Proofpoint observations of Contagious Interview campaigns, Proofpoint Threat Research continues to track UNK_DeadDrop activity as an independent cluster,” the researchers wrote.Full-stack engineer wantedThe attacks begin with an email that looks like it originated from a real company, with job offers for developer roles including “Full-Stack Engineer” or “Agent Lead Developer” positions. Proofpoint caught the crooks spoofing a handful of companies to send these emails from attacker-owned sender domains including:Ondo Finance: a decentralized finance (DeFi) platformEmpower Pharmacy: a pharmaceutical companyNXLog: a log collection and centralization toolOnePlan: a strategic portfolio and work management platformHypen Connect: a Web3 and AI Talent AgencyValon: a mortgage service providerNourish: a telehealth companyThe emails contain links to GitHub repos disguised as coding assignments or cryptocurrency-related projects - part of the phony job application process. All of the emails instructed the target to clone the repository and open it in a code editor like VS Code or Cursor. Proofpoint’s report lists all 10 repositories, all focused on four themes - cryptocurrency platforms, exploit archives, Foundry testing, and AI payments - and all hosted by different GitHub accounts, so be sure to check out the vendor’s list.
