Since early 2024, ESET researchers have been tracking DeceptiveDevelopment, a series of malicious campaigns linked to North Korea-aligned operators. Disguising themselves as software development recruiters, these threat actors lure victims with fake job offers and deliver software projects embedded with infostealing malware.
“As part of a fake job interview process, the DeceptiveDevelopment operators ask their targets to take a coding test, such as adding a feature to an existing project, with the files necessary for the task usually hosted on private repositories on GitHub or other similar platforms. Unfortunately for the eager work candidate, these files are trojanized: Once they download and execute the project, the victim’s computer gets compromised,” explains ESET researcher Matěj Havránek, who made the discovery and analyzed DeceptiveDevelopment.
Attribution
While DeceptiveDevelopment’s affiliation remains unconfirmed, its tactics closely mirror those of known North Korea-aligned cyber operations. The campaign primarily targets freelance software developers through spearphishing on job-hunting and freelancing platforms, to steal cryptocurrency wallets and login credentials from browsers and password managers.
DeceptiveDevelopment employs tactics, techniques, and procedures (TTPs) similar to other North Korea-linked operations. Its operators specifically target developers across Windows, Linux, and macOS, aiming to steal cryptocurrency for financial gain, with potential secondary objectives related to cyberespionage.
To infiltrate their targets, they use fake recruiter profiles on social media, masquerading as legitimate employers. Their attacks are not geographically restricted; instead, they cast a wide net to maximize their chances of compromising victims and extracting funds and sensitive information.
How DeceptiveDevelopment works
DeceptiveDevelopment primarily uses two malware families as part of its activities, delivered in two stages. In the first stage, BeaverTail (infostealer, downloader) acts as a simple login stealer, extracting browser databases containing saved logins, and as a downloader for the second stage, InvisibleFerret (infostealer, RAT), which includes spyware and backdoor components, and is also capable of downloading the legitimate AnyDesk remote management and monitoring software for post-compromise activities.
In order to pose as recruiters, the attackers copy profiles of existing people or even construct new personas. They then either directly approach their potential victims on job-hunting and freelancing platforms, or post fake job listings there. While some of these profiles are set up by the attackers themselves, others are potentially compromised profiles of real people on the platform, modified by the attackers.
Some of the platforms where these interactions occur are generic job-hunting ones, while others focus primarily on cryptocurrency and blockchain projects and are thus more in line with the attackers’ goals. The platforms include LinkedIn, Upwork, Freelancer.com, We Work Remotely, Moonlight, and Crypto Jobs List.
Victims receive the project files either directly via file transfer on the site, or through a link to a repository like GitHub, GitLab, or Bitbucket. They are asked to download the files, add features or fix bugs, and report back to the recruiter. Additionally, they are instructed to build and execute the project in order to test it, which is where the initial compromise happens.
The attackers often use a clever trick to hide their malicious code: They place it in an otherwise benign component of the project, usually within backend code unrelated to the task given to the developer, where they append it as a single line behind a long comment. This way, it is moved off-screen and stays mostly hidden.
“The DeceptiveDevelopment cluster is an addition to an already large collection of money-making schemes employed by North Korea-aligned actors and conforms to an ongoing trend of shifting focus from traditional money to cryptocurrencies,” concludes Havránek.
