When an unsolicited job offer sounds too good to be true …
Analysis Summary
# Threat Actor: UNK_DeadDrop
## Attribution & Identity
* **Identification:** Suspected North Korean (DPRK) state-sponsored actor.
* **Aliases:** Currently tracked by Proofpoint as **UNK_DeadDrop**.
* **Associated Groups:** Shared TTPs link this activity to the **"Contagious Interview"** cluster (often associated with **Lazarus Group** or **BlueNoroff** subgroups), though it is currently tracked as an independent, industrialized cluster.
## Activity Summary
Between April and May 2026, UNK_DeadDrop conducted a high-volume phishing campaign targeting developers. Unlike previous North Korean campaigns that relied on long-term social engineering via LinkedIn, this group utilized industrialized email blasts (250+ emails across nearly 100 organizations) featuring unsolicited job offers or requests for open-source code reviews. The campaign focused on tricking victims into cloning malicious GitHub repositories.
## Tactics, Techniques & Procedures
* **Initial Access:** Phishing via unsolicited emails using job recruitment lures (Full-Stack Engineer, Agent Lead Developer) or Peer Review requests.
* **Social Engineering:** Spoofing legitimate companies and using "coding assignments" to build trust.
* **Execution via IDE:** Leveraging Integrated Development Environments (IDEs) like VS Code or Cursor to execute malicious "pre-configured tasks" when a repository is opened.
* **Cross-Platform Payloads:** Tailored infection chains for macOS, Linux, and Windows.
* **Persistence:** Installation of a malicious VS Code extension (VSIX) masquerading as a Google service.
* **Post-Exploitation:** Use of the **Overlord C2 framework** (red-team tool) with custom modules.
* **Privilege Escalation:** Use of stolen passwords to re-launch backdoors as root; use of COM Elevation Moniker on Windows.
* **Anti-Forensics:** Use of a "cleanup" module to remove workspace artifacts.
* **Relevant MITRE ATT&CK IDs:**
  * T1566.002 (Phishing: Spearphishing Link)
  * T1204.002 (User Execution: Malicious File)
  * T1546 (Event Triggered Execution)
  * T1555 (Credentials from Password Stores)
  * T1176 (Browser Extensions)
## Targeting
* **Sectors:** Technology, Education, Business Services, Financial Services, and Decentralized Finance (DeFi).
* **Geography:** Predominantly United States-based organizations.
* **Victims:** Approximately 100 organizations; specific spoofed companies include Ondo Finance, Empower Pharmacy, NXLog, Valon, and Nourish.
## Tools & Infrastructure
* **Malware:**
  * **Overlord C2 Framework:** Custom Go-based RAT (Linux/macOS).
  * **Custom Modules:** `browserlogin` (credential theft), `companywallet` (crypto theft), and `cleanup`.
  * **Node.js Pipeline:** Native execution within Electron processes (Windows).
* **Infrastructure:**
  * **GitHub:** Used to host malicious repositories (Crypto platforms, Exploit archives, AI payments).
  * **Spoofed Domains:** `pulsynk[.]com`, `trixauvex[.]com` (defanged).
  * **C2:** Shared infrastructure for exfiltration across all platforms.
## Implications
This campaign represents a shift in North Korean strategy toward **industrialization and scale**. By moving from time-intensive LinkedIn social engineering to high-volume email campaigns, the actor can target more victims simultaneously. The focus on stealing both developer credentials and cryptocurrency wallets suggests a dual objective of financial gain and potential supply-chain access through compromised developer environments.
## Mitigations
* **Repository Hygiene:** Prohibit cloning of external repositories from untrusted sources directly into production-connected IDE environments.
* **IDE Security:** Disable "Automatic Task Execution" in VS Code and similar editors when opening new workspaces.
* **Extension Monitoring:** Audit installed VS Code extensions (VSIX) for unrecognized or spoofed names (e.g., fake Google services).
* **Credential Protection:** Implement hardware-based MFA to mitigate the impact of stolen browser credentials and Safe Storage keys.
* **Egress Filtering:** Monitor and restrict outbound connections from developer workstations to unauthorized C2 infrastructure or unknown GitHub accounts.
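The "pre-configured tasks" execution technique and the IDE Security mitigation above both hinge on one artifact: a `.vscode/tasks.json` task whose `runOptions.runOn` is `folderOpen`, which VS Code launches when the workspace is opened. The following is an added triage script, not code from the report or from Proofpoint, that scans a cloned repository for such tasks before anyone opens it in an IDE; the sample tasks file and its placeholder command are constructed for the example.

```python
import json
import pathlib
import re

# Constructed sample of a .vscode/tasks.json as it might appear in a cloned
# repository. The second task is the shape to look for: it runs on folder open
# and hides its terminal. The command is a placeholder, not a real payload.
SAMPLE_TASKS_JSON = r'''{
  // VS Code task files are JSONC: comments and trailing commas are allowed
  "version": "2.0.0",
  "tasks": [
    { "label": "npm: build", "type": "npm", "script": "build" },
    {
      "label": "setup",
      "type": "shell",
      "command": "sh .vscode/postinstall.sh",
      "runOptions": { "runOn": "folderOpen" },
      "presentation": { "reveal": "never" },
    },
  ]
}'''

def load_jsonc(text):
    """Parse JSONC: strip /* */ and full-line // comments, then trailing commas."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    text = re.sub(r"^\s*//.*$", "", text, flags=re.M)
    text = re.sub(r",(\s*[}\]])", r"\1", text)
    return json.loads(text)

def auto_run_tasks(text):
    """Return the tasks VS Code would start automatically on folder open."""
    hits = []
    for task in load_jsonc(text).get("tasks", []):
        if (task.get("runOptions") or {}).get("runOn") != "folderOpen":
            continue
        hidden = (task.get("presentation") or {}).get("reveal") == "never"
        hits.append({"label": task.get("label"), "type": task.get("type"),
                     "command": task.get("command") or task.get("script"),
                     "hidden_terminal": hidden})
    return hits

def scan_repo(repo_dir):
    """Scan a cloned repository; an empty list means no auto-run tasks found."""
    tasks_file = pathlib.Path(repo_dir) / ".vscode" / "tasks.json"
    if not tasks_file.is_file():
        return []
    return auto_run_tasks(tasks_file.read_text(encoding="utf-8"))

if __name__ == "__main__":
    for hit in auto_run_tasks(SAMPLE_TASKS_JSON):
        print("auto-run task:", hit)
```

A hit is not proof of malice (some projects legitimately use `folderOpen` tasks), but any such task in an unsolicited repository deserves a read of its command before the folder is trusted.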