
Suspected North Korean threat actors are targeting developers with fake job offers and “coding assignments” that lead to the deployment of cross-platform malware for cryptocurrency and credential theft, Proofpoint reported Monday.

The threat cluster, tracked as UNK_DeadDrop, shows similarities to Contagious Interview and sent more than 250 emails to nearly 100 target companies over a six-week period between April and May 2026. The emails mostly targeted technology, education, business services, financial services, entertainment/media and telecommunications companies in the United States, with a particular focus on the cryptocurrency industry.

In the emails, the attackers pose as recruiters from legitimate companies such as the decentralized finance company Ondo Finance, the telehealth company Nourish and the Web3 and AI talent agency Hypen Connect, inviting the target to apply for a software development role and complete a coding assignment. In some cases, the attackers also posed as fake cryptocurrency and AI startups, with names like Pulsynk and Trixauvex, asking the target to peer-review their code.

In either case, the attacker included a link to a GitHub or GitLab repository with instructions to clone the repo into the Visual Studio Code (VS Code) or Cursor code editor. The repositories include a hidden tasks.json file that abuses the task automation feature of VS Code and Cursor to execute malicious files automatically when the project folder is opened in the editor. VS Code prompts the user to approve the task execution, while Cursor displays no prompt, Proofpoint noted.
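One defensive pre-open check for the tasks.json trick described above, written here as an added example rather than code from Proofpoint or the report: it walks a freshly cloned repository for tasks.json files, parses them as JSON-with-comments the way the editor does, and lists every task whose runOptions.runOn is set to folderOpen, the VS Code task setting that runs a task as soon as the folder is opened. The sample tasks.json, its task labels and the .vscode/.cache/setup.js path are constructed for illustration and are not from the campaign.

```python
import json, re, tempfile
from pathlib import Path
# Constructed sample (not the report's repository): one ordinary build task plus one task
# that VS Code/Cursor run as soon as the folder is opened, as the campaign's tasks.json does.
SAMPLE_TASKS_JSON = r'''{
  // tasks.json is JSON-with-comments, so comments are stripped before parsing
  "version": "2.0.0",
  "tasks": [
    { "label": "build", "type": "shell", "command": "npm run build" },
    { "label": "setup", "type": "shell", "command": "node",
      "args": [".vscode/.cache/setup.js"], "runOptions": { "runOn": "folderOpen" }, },
  ]
}'''
# Keep string literals whole (a command may contain "//"); drop comments and trailing commas.
_JSONC_RE = re.compile(r'"(?:\\.|[^"\\])*"|//[^\n]*|/\*.*?\*/|,(?=\s*[}\]])', re.DOTALL)

def parse_jsonc(text):
    return json.loads(_JSONC_RE.sub(lambda m: m.group(0) if m.group(0)[0] == '"' else '', text))

def find_auto_run_tasks(doc):
    """Return (label, command line) for every task whose runOptions.runOn is "folderOpen"."""
    hits = []
    for task in doc.get('tasks', []):
        if (task.get('runOptions') or {}).get('runOn') != 'folderOpen':
            continue
        cmd = task.get('command', '')
        cmd = cmd.get('value', '') if isinstance(cmd, dict) else cmd  # {"value":..,"quoting":..} form
        args = ' '.join(str(a) for a in task.get('args') or [])
        hits.append((task.get('label', '<unnamed>'), f'{cmd} {args}'.strip()))
    return hits

def scan_repo(root):
    """Walk a freshly cloned repo (before opening it in the editor) and report auto-run tasks."""
    findings = []
    for path in Path(root).rglob('tasks.json'):  # rglob descends into dot-directories such as .vscode
        try:
            doc = parse_jsonc(path.read_text(encoding='utf-8-sig'))
        except (OSError, ValueError):
            continue  # unreadable or not valid JSONC: the editor would not run it either
        findings += [(str(path), label, cmd) for label, cmd in find_auto_run_tasks(doc)]
    return findings

def demo():
    """Lay the sample out as .vscode/tasks.json in a throwaway directory and scan it."""
    with tempfile.TemporaryDirectory() as repo:
        vscode = Path(repo, '.vscode')
        vscode.mkdir()
        (vscode / 'tasks.json').write_text(SAMPLE_TASKS_JSON)
        return [(label, cmd) for _path, label, cmd in scan_repo(repo)]
```

Cursor shows no prompt for such tasks, per the report, so this check belongs before the folder is opened at all; tasks can also be defined in a .code-workspace file, which this scan does not cover.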
The malware behaves differently depending on whether the victim is using Windows, Linux or macOS.

On Linux and macOS systems, the attacker leverages an open-source command-and-control (C2) framework called Overlord, deploying Go binaries with remote access trojan (RAT) capabilities that establish a persistent WebSocket connection to the attacker’s servers. On Windows systems, the attack chain runs as JavaScript within the code editor’s Electron process and performs a single infostealer operation without persistence, Proofpoint said.

The Overlord RAT first extracts browser wallet extensions and standalone wallet directories and transmits them as a ZIP archive to the C2 server. Five minutes later, it displays a fake system dialog prompting the user to enter their system password, using a Mach-O binary on macOS systems and the Zenity tool on Linux systems. If the user enters their password, the malware uses it to extract browser credentials from Keychain and GNOME Keyring and subsequently relaunches itself as root to perform further Keychain and GNOME Keyring dumps.

On Windows, the malicious task launches a VBScript that calls a CMD file, which then decodes an additional embedded script that stages three encrypted payloads. These payloads are decrypted at runtime and provide the infostealing capabilities. The malware scans for 35 Chromium browser wallet extensions and 18 standalone wallet applications and also uses a Python-based stealer to extract passwords from Chromium and Firefox browsers, and cookies from Chrome, Edge and Brave browsers. The stolen data is sent to the C2 server via an HTTP POST request.

The malicious task also installs a malicious VSIX extension that provides persistence on Linux and macOS machines, causing the malware processes to be relaunched every time VS Code or Cursor is opened.
This extension is installed on Windows machines as well, but it does not re-execute the malicious operation there.

Proofpoint found that UNK_DeadDrop mainly emailed victims from domains registered via Namecheap and set up with MailHostBox mail servers. Some of the domains were hosted on Vercel and included websites, likely AI-generated, promoting the fake startups, the researchers said.

UNK_DeadDrop’s victim targeting, social-engineering techniques and theft of cryptocurrency wallets and credentials overlap with the North Korean Contagious Interview campaign. However, this cluster shows some distinct techniques, such as the use of email rather than social media channels like LinkedIn to contact victims, the abuse of tasks.json auto-execution rather than npm installation, and the use of Overlord Go binaries rather than other malware known to be used by Contagious Interview, such as OtterCookie and FlexibleFerret.

“The consistent creation of new GitHub repositories as well as a new malware framework with iterative builds and a stealthy new execution and persistence technique through VSIX extensions demonstrates dedicated resourcing and active development of tooling,” the researchers concluded.

Facts Only

* Threat actors operate under a cluster tracked as UNK_DeadDrop.
* The threat actors pose as recruiters from entities such as Ondo Finance, Nourish, Hypen Connect, Pulsynk, and Trixauvex.
* Attacks involve targeting developers with fake job offers and coding assignments.
* Attackers provide links to GitHub or GitLab repositories for malware deployment.
* Malware utilizes a hidden tasks.json file to abuse VS Code and Cursor task automation abilities for malicious execution.
* On Linux and macOS, the attack uses the Overlord Go binaries with remote access trojan capabilities to establish persistent WebSocket connections.
* On Windows, the attack involves JavaScript within the Electron process performing infostealer operations without persistence.
* The malware extracts browser wallet extensions, standalone wallet directories, and system credentials from Keychain (macOS) or GNOME Keyring (Linux).
* Malware stages encrypted payloads in Windows using VBScript calls to CMD files.
* The campaign primarily targets technology, financial services, and telecommunications companies in the United States.

Executive Summary

Threat actors utilize a sophisticated strategy to target developers by masquerading as recruiters from legitimate technology companies and fake AI/crypto startups. This campaign involves sending emails containing fake job offers and coding assignments, which serve as the initial vector for infection. Attackers leverage open-source code repositories (GitHub/GitLab) to deliver malware disguised as development tasks. The resulting attack chain is highly adaptive, employing different methods based on the operating system (Windows, Linux, macOS). On Linux and macOS systems, the attackers use a Go-based Command-and-Control (C2) framework called Overlord for persistence via remote access trojans. On Windows systems, the malware operates through JavaScript within the code editor's Electron process to perform infostealing operations. The ultimate goal of this coordinated effort is the theft of cryptocurrency wallet credentials and system secrets from users.

Full Take

The described attack structure demonstrates a sophisticated exploitation of trust inherent in the developer ecosystem. The reliance on impersonating established, legitimate entities—such as DeFi firms or Web3 agencies—is not merely social engineering; it exploits the professional context where developers naturally accept tasks and deadlines from familiar sources. This setup transforms a legitimate workflow (hiring/coding) into a malicious pipeline for credential harvesting and malware deployment. The technique of abusing internal automation features like `tasks.json` highlights an understanding of how modern development environments operate, shifting the attack surface from traditional file-based malware to functional software mechanisms.
The pivot to utilizing distinct C2 frameworks based on the operating system (Overlord RAT for Unix-like systems versus JavaScript/Electron processes for Windows) demonstrates a dedicated commitment to evading signature-based detection and leveraging native execution privileges specific to each platform. This pattern suggests that the actors are not merely using off-the-shelf malware but actively developing iterative toolsets, evidenced by the consistent creation of new GitHub repositories and evolving frameworks. The operational separation between the initial contact (email) and the final execution (malicious task automation) illustrates a systemic evasion strategy that moves beyond simple payload delivery toward sustained, adaptive persistence within high-value targets.
