Void Dokkaebi's Malware Campaign Exploits Developer Repositories via Fake Job Interviews

Severity: High (Score: 75.5)

Sources: www.cybersecuritydive.com, Darkreading, www.microsoft.com, Trendmicro, opensourcemalware.com

Summary

Void Dokkaebi, a North Korean threat actor, has escalated its malware distribution tactics by using fake job interviews to compromise software developers. This campaign, known as 'Contagious Interview', targets developers with access to cryptocurrency wallets and CI/CD pipelines, turning their own repositories into self-propagating malware vectors. The attack method involves luring victims to clone malicious code hosted on platforms like GitHub, GitLab, or Bitbucket, which then spreads through Visual Studio Code configurations. Trend Micro reports over 750 infected repositories, indicating a significant supply chain threat. The malware can execute during normal development activities, allowing it to spread rapidly through trusted workflows. The campaign has been active since at least 2023 and continues to evolve, posing a growing risk to the software development community.

Key Points

  • Void Dokkaebi uses fake job offers to compromise developers and spread malware.
  • The campaign has infected over 750 code repositories, posing a significant supply chain risk.
  • Malware spreads through Visual Studio Code configurations, leveraging developer trust.

Key Entities

  • FAMOUS CHOLLIMA (apt_group)
  • Void Dokkaebi (apt_group)
  • FlexibleFerret (apt_group)
  • Malware (attack_type)
  • Supply Chain Attack (attack_type)
  • Trojan (attack_type)
  • Worm (attack_type)
  • Contagious Interview (campaign)
  • Apple (company)
  • DataStax (company)
  • Neutralinojs (company)
  • North Korea (country)
  • CWE-94 - Code Injection (cwe)
  • socket.io (domain)
  • 136.0.9.8 (ipv4)
  • 154.91.0.196 (ipv4)
  • 166.88.4.2 (ipv4)
  • 198.105.127.210 (ipv4)
  • 23.27.120.142 (ipv4)
  • BeaverTail (malware)
  • Dev#popper RAT (malware)
  • Ferrett (malware)
  • InvisibleFerret (malware)
  • OmniStealer (malware)
  • T1027 - Obfuscated Files Or Information (mitre_attack)
  • T1041 - Exfiltration Over C2 Channel (mitre_attack)
  • T1059.003 - Windows Command Shell (mitre_attack)
  • T1059.007 - JavaScript (mitre_attack)
  • T1059 - Command and Scripting Interpreter (mitre_attack)
  • Aptos (platform)
  • Binance Smart Chain (platform)
  • GitHub (platform)
  • GitLab (platform)
  • macOS (platform)
  • Bitbucket (tool)
  • Node.js (tool)
  • npm (tool)
  • Git (tool)
  • socket.io-client (tool)