North Korean Hackers Target Developers with UNK_DeadDrop Phishing Campaign
Severity: High (Score: 75.5)
Sources: blog.denv.it, Proofpoint, www.veracode.com, Infosecurity-Magazine
Keywords: developers, steal, cryptocurrency, north, korean, fake, threat
Summary
In April and May 2026, a phishing campaign tracked as UNK_DeadDrop targeted software developers at nearly 100 organizations, primarily in the US, with over 250 emails sent. The attackers, likely North Korean threat actors, used fake job offers and coding tasks to lure victims into cloning malicious GitHub repositories. These repositories contained hidden scripts designed to execute as soon as the project was opened in the editor, installing malware that exfiltrated cryptocurrency wallets and credentials. The malware leveraged legitimate features of development tools such as VS Code and Cursor to run silently. The campaign is distinct from previous operations, though it echoes tactics used in the long-running Contagious Interview operation. The focus was on the cryptocurrency sector, with the aim of draining digital assets from compromised accounts. Proofpoint continues to monitor this ongoing activity as a separate cluster from known DPRK operations.
Key Points:
- UNK_DeadDrop phishing campaign targeted developers with fake job offers.
- Over 250 emails were sent to nearly 100 organizations, mainly in the US.
- Malware exfiltrated cryptocurrency wallets and credentials using malicious GitHub repositories.
Detailed Analysis
**Impact**
Over 250 phishing emails targeted nearly 100 organizations worldwide, primarily in the US, across the technology, education, business services, financial services, and cryptocurrency sectors. The campaign focused on developers, aiming to steal cryptocurrency wallets, API tokens, credentials, and browser wallet extensions. Compromised data includes sensitive developer assets and decrypted credentials, risking financial theft and unauthorized access to corporate and personal cryptocurrency holdings.
**Technical Details**
The attack vector is phishing emails containing links to attacker-controlled GitHub or GitLab repositories masquerading as coding assignments or job-related tasks. Payload execution abuses Visual Studio Code and Cursor editor features via a malicious `tasks.json` file that silently runs when the folder is opened, installing a trojanized VS Code extension (VSIX) posing as a Google service. Linux/macOS systems receive a Go-based remote access trojan from the Overlord framework, while on Windows JavaScript malware runs inside the editor without dropping files to disk. The malware exfiltrates browser wallet extensions (MetaMask, Phantom, Keplr), desktop wallets (Exodus, Electrum, Ledger Live), and saved browser credentials, using fake password prompts to escalate privileges on macOS/Linux and bypassing Chrome's credential encryption on Windows. The infection chain deletes its payloads after exfiltration to evade detection. No exploited CVEs or specific IOCs were provided.
**Recommended Response**
Block and monitor email domains and URLs associated with the phishing campaign and attacker-owned GitHub/GitLab repositories. Enforce strict execution policies and user prompts for VS Code extensions, disable automatic task execution where possible, and educate developers on the risks of cloning unknown repositories. Deploy endpoint detection for anomalous VSIX installations and for network traffic to known C&C servers. Monitor for suspicious password prompt dialogs and unusual privilege escalations on macOS/Linux systems. No patches specific to exploited vulnerabilities were mentioned.
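The `tasks.json` folder-open mechanism described above can be checked for before a cloned repository is opened in the editor. The following Python scanner is an added example, not code from Proofpoint or any of the source articles: it parses `.vscode/tasks.json` (JSON with comments, as VS Code accepts it), reports tasks whose `runOptions.runOn` is `folderOpen`, and checks whether a `settings.json` turns automatic tasks off via the real VS Code setting `task.allowAutomaticTasks`. The sample task file, its label and script path are constructed, not indicators from the campaign.

```python
# Added example, not code from Proofpoint or the source articles: flag .vscode/tasks.json
# entries that VS Code / Cursor start automatically on folder open (runOptions.runOn).
import json
import re
from pathlib import Path
# tasks.json is JSON-with-comments: drop // and /* */ comments (not inside strings, e.g. a URL) and trailing commas.
_TOKEN_RE = re.compile(r'"(?:\\.|[^"\\])*"|//[^\n]*|/\*.*?\*/', re.DOTALL)
_TRAILING_COMMA_RE = re.compile(r',(\s*[}\]])')

def parse_jsonc(text: str) -> dict:
    no_comments = _TOKEN_RE.sub(lambda m: m.group(0) if m.group(0).startswith('"') else '', text)
    return json.loads(_TRAILING_COMMA_RE.sub(r'\1', no_comments))

def auto_run_tasks(tasks_json_text: str) -> list[dict]:
    """Tasks that would run without any user action when the folder is opened."""
    findings = []
    for task in parse_jsonc(tasks_json_text).get('tasks', []):
        if (task.get('runOptions') or {}).get('runOn') == 'folderOpen':
            findings.append({'label': task.get('label', '<unlabelled>'), 'type': task.get('type'),
                             'command': task.get('command'), 'args': task.get('args', [])})
    return findings

def automatic_tasks_disabled(settings_json_text: str) -> bool:
    """True when settings.json sets task.allowAutomaticTasks to "off" (the hardening recommended above)."""
    return parse_jsonc(settings_json_text).get('task.allowAutomaticTasks') == 'off'

def scan_checkout(root: Path) -> list[dict]:
    """Report every folderOpen task under a cloned repository, tagged with its file path."""
    results = []
    for tasks_file in root.glob('**/.vscode/tasks.json'):
        try:
            results += [{'file': str(tasks_file), **hit}
                        for hit in auto_run_tasks(tasks_file.read_text(encoding='utf-8'))]
        except (ValueError, OSError) as exc:  # an unreadable or unparseable tasks.json is itself worth noting
            results.append({'file': str(tasks_file), 'error': str(exc)})
    return results

# Constructed sample in the abused shape; the label and script path are made up, not campaign IoCs.
SAMPLE_TASKS_JSON = """{
  // "setup" starts the moment the folder is opened in the editor
  "version": "2.0.0",
  "tasks": [
    {"label": "setup", "type": "shell", "command": "node",
     "args": [".vscode/setup.js"], "runOptions": {"runOn": "folderOpen"},},
    {"label": "test", "type": "shell", "command": "npm test"}
  ]
}"""

if __name__ == '__main__':
    for hit in auto_run_tasks(SAMPLE_TASKS_JSON):
        print(f"auto-run task {hit['label']!r}: {hit['command']} {' '.join(hit['args'])}")
```

Run `scan_checkout(Path("path/to/clone"))` on a freshly cloned repository before opening it; a non-empty result means the editor would execute that command on folder open unless automatic tasks are disabled.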
Source articles (4)
- I Was Likely Targeted By Dprk In A Sophisticated Developer Malware Campaign — blog.denv.it · 2026-06-08
  On May 25th, 2026, I received a remote smart-contract-security recruiting email from “Olivia Ben” at “Pulsynk.” It asked me to clone a GitLab repository called rekt-db and open it in VS Code or Cursor…
- North Korean Hackers Use Fake Coding Tasks to Steal Crypto — Infosecurity-Magazine · 2026-06-08
  A likely North Korean threat actor has phished software developers at almost 100 organizations with fake job and code-review lures to steal cryptocurrency and credentials. According to new analysis fr…
- Don't Fear the Repo: UNK_DeadDrop Phishing Campaign Targets Developers to Steal Cryptocurrency — Proofpoint · 2026-06-08
  Since at least 2022, North Korea-aligned threat actors have made a concerted effort not only to target cryptocurrency and decentralized finance organizations, but specifically to target developers usi…
- Sophisticated Ongoing Attack Discovered On Npm — www.veracode.com · 2026-06-08
Timeline
- 2026-04-01 — UNK_DeadDrop campaign began: Phishing emails targeting developers started to be observed, focusing on fake job offers and coding tasks.
- 2026-05-31 — Campaign peaks with 250 emails: Proofpoint reported that over 250 phishing emails were sent to developers across various sectors, primarily targeting cryptocurrency firms.
- 2026-06-08 — Proofpoint reports on UNK_DeadDrop: Proofpoint published an analysis detailing the phishing techniques and malware used in the UNK_DeadDrop campaign.
Related entities
- UNK_DeadDrop (Apt Group)
- Citrine Sleet (Apt Group)
- Malware (Attack Type)
- Phishing (Attack Type)
- Supply Chain Attack (Attack Type)
- Trojan (Attack Type)
- Contagious Interview (Campaign)
- Bybit (Company)
- Radiant Capital (Company)
- Wormhole (Company)
- Education (Company)
- Cursor (Company)
- Zenity (Company)
- North Korea (Country)
- Financial (Industry)
- Technology (Industry)
- 170.205.29.83 (Ipv4)
- 23.137.105.75 (Ipv4)
- AppleJeus (Malware)
- Coldcat (Malware)
- Overlord (Malware)
- Simplesea (Malware)
- Taxhaul (Malware)
- T1003 - OS Credential Dumping (Mitre Attack)
- T1041 - Exfiltration Over C2 Channel (Mitre Attack)
- T1059 - Command and Scripting Interpreter (Mitre Attack)
- T1071 - Application Layer Protocol (Mitre Attack)
- T1566.002 - Spearphishing Link (Mitre Attack)
- T1566 - Phishing (Mitre Attack)
- Go (Mitre Attack)
- Electron (Platform)
- GitHub (Platform)
- Gitlab (Platform)
- Gnome Keyring (Platform)
- GTK (Platform)
- Linux (Platform)
- MacOS (Platform)
- Visual Studio Code (Platform)
- Windows (Platform)
- Foundry (Tool)
- Google Chrome (Tool)
- Node.js (Tool)
- VS Code (Tool)
- VSCodium (Tool)
- Overlord Framework (Tool)