A North Korea-aligned activity cluster tracked by ESET as DeceptiveDevelopment drains victims' crypto wallets and steals their login details from web browsers and password managers
Analysis Summary
# Threat Actor: DeceptiveDevelopment (North Korea-aligned activity cluster)
## Attribution & Identity
The activity is attributed to a **North Korea-aligned activity cluster**.
Known aliases: **DeceptiveDevelopment**.
## Activity Summary
The campaign involves threat actors posing as headhunters to target freelance software developers with information-stealing malware disguised as coding tests. The activity has been tracked by ESET back to at least **November 2023**. The primary goal appears to be financial gain by draining cryptocurrency wallets and stealing sensitive credentials.
## Tactics, Techniques & Procedures
- **Spearphishing:** Distributing malicious materials via job-hunting and freelancing sites.
- **Deception:** Posing as legitimate recruiters/headhunters offering coding tests as part of the application process.
- **Delivery via Private Repositories:** Hosting the malware-laden files necessary for the "coding test" on private repositories (e.g., GitHub).
- **Information Stealing:** Exfiltrating login details from web browsers and password managers.
- **Financial Theft:** Draining victims' cryptocurrency wallets.
## Targeting
- **Sectors:** Software developers (specifically freelance developers).
- **Geography:** *Not specified in the source; targets are selected by their presence on job-hunting and freelancing sites rather than by region.*
- **Victims:** Freelance software developers.
## Tools & Infrastructure
- **Malware Families Used:** Information stealers (specific family names are not given; the implants are disguised as coding-test projects and perform credential theft and cryptocurrency-wallet draining).
- **Infrastructure (C2, domains, IPs):** No C2 domains or IP addresses are given; the malicious files are hosted on private repositories such as **GitHub**.
## Implications
This actor cluster employs a highly targeted social engineering approach that exploits the trust of job-seeking developers, indicating a persistent, financially motivated threat aligned with North Korean state interests. The impact includes direct financial loss (drained cryptocurrency wallets) and compromise of corporate and personal accounts through stolen browser and password-manager credentials.
## Mitigations
- Exercise extreme caution with unsolicited job offers, especially those requiring the execution of code or download of files from third-party/private repositories as part of an initial screening test.
- Ensure robust security hygiene and use multi-factor authentication on all sensitive accounts (browsers, password managers, crypto wallets).
- Endpoint protection should monitor for activity related to credential dumping and unusual cryptocurrency transaction initiation.