Security researchers at Proofpoint have identified a large-scale phishing campaign targeting software developers that sent more than 250 malicious emails to nearly 100 organizations over a six-week period in April and May 2025. The operation, tracked as UNK_DeadDrop and suspected to have North Korean ties, primarily targeted technology, education, business services, and financial services sectors in the United States. The campaign represents an evolution in North Korean cybercrime tactics, shifting from social media-based fake interview schemes to high-volume email phishing with malicious code repositories.
The attackers impersonated legitimate companies including cryptocurrency platform Ondo Finance, pharmaceutical firm Empower Pharmacy, and mortgage servicer Valon, among others. Phishing emails offered developer positions such as Full-Stack Engineer or requested peer reviews on open-source projects, with all messages directing victims to attacker-controlled GitHub repositories. The repositories were themed around cryptocurrency platforms, exploit archives, Ethereum development tools, and AI payment systems, designed to appear as legitimate coding assignments or collaborative projects.
When victims cloned these repositories and opened them in integrated development environments like VS Code or Cursor, pre-configured tasks silently executed platform-specific loaders. These loaders installed a malicious VS Code extension (VSIX) disguised as a Google service, which established persistence on macOS and Linux systems by reactivating each time the code editor launched. The malware used different infection chains depending on the operating system: Linux and macOS versions deployed a Go-based remote access trojan built on the legitimate Overlord C2 framework, while Windows attacks ran entirely as JavaScript within the editor's Electron process.
The malware included three custom modules targeting financial assets and credentials. The browserlogin module stole credentials from Chrome and Firefox, while companywallet specifically targeted 35 cryptocurrency wallet extensions (including MetaMask, Phantom, and Rabby) and 18 standalone wallet applications such as Exodus and Ledger Live. On macOS, the malware displayed fake system dialogs to capture user passwords, then modified keychain access controls across multiple Chromium-based browsers to extract Safe Storage keys. The Linux variant used Zenity dialog prompts for credential theft and attempted to access GNOME Keyring passwords. Windows infections installed Python to execute browser-specific stealers and used COM Elevation Moniker to bypass App-Bound Encryption protections in Chrome, Edge, and Brave.
Organizations should immediately educate developers about this threat and establish verification procedures for any unsolicited recruitment or code review requests received via email. Security teams should monitor for unauthorized VS Code extensions, particularly those masquerading as Google services, and implement controls to prevent automatic task execution when opening repositories in development environments. The campaign's shift from targeted social engineering to industrialized email phishing suggests North Korean threat actors are scaling their operations against the developer community, making awareness and technical controls critical for defense.
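As an added defensive example, not code from the Proofpoint report or The Register article, the following Python script checks a cloned repository for the mechanism described above: tasks in `.vscode/tasks.json` configured with `runOn: "folderOpen"`, which VS Code and Cursor can run as soon as the folder is opened. The sample `tasks.json` and the `scripts/setup.js` path inside it are constructed placeholders.

```python
"""Flag VS Code / Cursor tasks that auto-run on folder open in a cloned repo."""
import json
import os
import re
import tempfile

# tasks.json is JSONC: strip // and /* */ comments (but not inside strings)
# and trailing commas before handing it to the strict json parser.
_TOKEN_RE = re.compile(r'"(?:\\.|[^"\\])*"|//[^\n]*|/\*.*?\*/', re.DOTALL)
_TRAILING_COMMA_RE = re.compile(r',\s*([}\]])')


def load_jsonc(text):
    """Parse VS Code's comment-tolerant JSON dialect."""
    no_comments = _TOKEN_RE.sub(
        lambda m: m.group(0) if m.group(0).startswith('"') else '', text)
    return json.loads(_TRAILING_COMMA_RE.sub(r'\1', no_comments))


def find_auto_tasks(repo_dir):
    """Return (label, [commands]) for each task set to run on folderOpen."""
    path = os.path.join(repo_dir, '.vscode', 'tasks.json')
    if not os.path.isfile(path):
        return []
    with open(path, encoding='utf-8') as f:
        cfg = load_jsonc(f.read())
    hits = []
    for task in cfg.get('tasks', []):
        if (task.get('runOptions') or {}).get('runOn') != 'folderOpen':
            continue
        # Per-OS overrides may carry the real loader command, so collect all.
        cmds = [task.get('command')]
        cmds += [(task.get(o) or {}).get('command') for o in ('linux', 'osx', 'windows')]
        hits.append((task.get('label', '<unlabelled>'), [c for c in cmds if c]))
    return hits


# Constructed sample mimicking the pattern the campaign used; not a real artifact.
SAMPLE_TASKS_JSON = r'''{
  // build task is benign; "setup" auto-runs a loader script on folder open
  "version": "2.0.0",
  "tasks": [
    {"label": "build", "type": "shell", "command": "npm run build"},
    {"label": "setup", "type": "shell", "command": "node ./scripts/setup.js",
     "runOptions": {"runOn": "folderOpen"},
     "windows": {"command": "node .\\scripts\\setup.js"}}
  ]
}'''


def demo():
    """Write the constructed sample into a temp repo and scan it."""
    with tempfile.TemporaryDirectory() as repo:
        os.makedirs(os.path.join(repo, '.vscode'))
        with open(os.path.join(repo, '.vscode', 'tasks.json'), 'w', encoding='utf-8') as f:
            f.write(SAMPLE_TASKS_JSON)
        return find_auto_tasks(repo)


if __name__ == '__main__':
    for label, cmds in demo():
        print(f'auto-run task {label!r}: {cmds}')
```

Run `find_auto_tasks` against a checkout before opening it in the editor; the VS Code setting `task.allowAutomaticTasks` set to `off` prevents such tasks from running at all.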
Source: https://www.theregister.com/security/2026/06/08/suspected-norks-send-250-fake-dev-job-pitches-to-steal-crypto/5252526