North Korean Threat Actor Targets Developers in Large-Scale Phishing Campaign
A likely North Korean threat actor has conducted a sophisticated phishing campaign, targeting nearly 100 organizations primarily in the U.S. with fake job offers and code-review requests to steal cryptocurrency and credentials. The operation, tracked by Proofpoint as UNK_DeadDrop, sent over 250 malicious emails in April and May 2026, focusing on employees in technology, education, finance, and cryptocurrency firms.
How the Attack Worked
The campaign used shifting pretexts, including fake full-stack developer roles, AI payment agent projects, and ERC-4626 smart-contract testing, to lure victims into cloning malicious GitHub or GitLab repositories. Once the repository was opened in VS Code or Cursor, a tasks.json file in the hidden .vscode directory, configured to run on folder open, executed its command automatically. This abused a legitimate editor feature (automatic tasks) rather than a code-execution bug.
- VS Code's Workspace Trust prompt stood between the user and the task, which only runs once the folder is trusted; Cursor ran the payload silently, with no user interaction.
- The malware installed a fake Google-themed VS Code extension, which re-launched the payload on macOS and Linux whenever the editor was reopened and so gave it persistence.
- Linux and macOS systems received a Go-based remote access trojan (RAT) built on the open-source Overlord framework, while on Windows the JavaScript payload ran directly inside the editor, leaving no file on disk.
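The auto-run mechanism above is the part of the chain a defender can check for before a clone is ever opened in an editor. The following scanner is an added example, not code from the article or from Proofpoint: it walks a checkout, parses every .vscode/tasks.json the way VS Code does (JSON with comments and trailing commas), and reports tasks whose "runOptions" carry "runOn": "folderOpen", which is the documented VS Code setting that starts a task when the folder is opened. The sample tasks.json, the function names, and the harmless echo command are all constructed for this example.

```python
"""Added example, not code from the article or from Proofpoint: find VS Code / Cursor
tasks that auto-run on folder open before the cloned folder is opened in an editor."""
import json
from pathlib import Path

# Constructed sample .vscode/tasks.json. The command here is a harmless echo; in the
# campaign described above the same slot carried the stager.
SAMPLE_TASKS_JSON = r'''{
  // VS Code accepts comments and trailing commas in this file
  "version": "2.0.0",
  "tasks": [
    { "label": "lint", "type": "shell", "command": "npm run lint", },
    { "label": "postinstall", "type": "shell",
      "command": "echo 'this would run on folder open'",
      "presentation": { "reveal": "silent" },
      "runOptions": { "runOn": "folderOpen" }, },
  ],
}'''

def _skip_ws_and_comments(text, i):
    """Advance i past whitespace and // or /* */ comments; returns the new index."""
    n = len(text)
    while i < n:
        if text[i].isspace():
            i += 1
        elif text.startswith("//", i):
            j = text.find("\n", i)
            i = n if j == -1 else j
        elif text.startswith("/*", i):
            j = text.find("*/", i + 2)
            i = n if j == -1 else j + 2
        else:
            break
    return i

def strip_jsonc(text):
    """Return strict JSON: comments and trailing commas removed, string contents untouched."""
    out, i, n, in_str = [], 0, len(text), False
    while i < n:
        c = text[i]
        if in_str:
            out.append(c)
            if c == "\\" and i + 1 < n:        # copy the escaped char so \" cannot end the string
                out.append(text[i + 1])
                i += 1
            elif c == '"':
                in_str = False
        elif c == '"':
            in_str = True
            out.append(c)
        elif text.startswith("//", i) or text.startswith("/*", i):
            out.append(" ")                   # a comment separates tokens like whitespace would
            i = _skip_ws_and_comments(text, i) - 1
        elif c == ",":
            j = _skip_ws_and_comments(text, i + 1)
            if not (j < n and text[j] in "}]"):   # keep the comma unless it is a trailing one
                out.append(c)
        else:
            out.append(c)
        i += 1
    return "".join(out)

def parse_jsonc(text):
    return json.loads(strip_jsonc(text))

def find_auto_run_tasks(tasks_json_text):
    """Return the tasks the editor will start on folder open, with their commands."""
    hits = []
    for task in parse_jsonc(tasks_json_text).get("tasks", []):
        if (task.get("runOptions") or {}).get("runOn") != "folderOpen":
            continue
        hit = {"label": task.get("label", "<unlabelled>"), "command": task.get("command", "")}
        for os_key in ("windows", "linux", "osx"):   # per-OS command overrides, if any
            override = task.get(os_key)
            if isinstance(override, dict) and "command" in override:
                hit[os_key] = override["command"]
        hits.append(hit)
    return hits

def scan_repo(repo_root):
    """Walk a checkout and report every .vscode/tasks.json entry that auto-runs."""
    findings = []
    for path in Path(repo_root).rglob("tasks.json"):
        if path.parent.name != ".vscode":     # the editor reads folder tasks from .vscode/
            continue
        try:
            hits = find_auto_run_tasks(path.read_text(encoding="utf-8"))
        except (ValueError, UnicodeDecodeError) as exc:
            findings.append({"file": str(path), "error": str(exc)})  # unparseable: look manually
            continue
        findings.extend({"file": str(path), **hit} for hit in hits)
    return findings

if __name__ == "__main__":
    import sys
    # Usage: python scan_tasks.py /path/to/clone   (defaults to the current directory)
    for finding in scan_repo(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(finding)
```

Run it against a fresh clone before opening the folder; anything it reports deserves a read of the command line it prints. The scanner only looks at .vscode/tasks.json, so a multi-root .code-workspace file carrying its own "tasks" section would be missed. On the editor side, VS Code's task.allowAutomaticTasks setting can be set to "off" to disable this class of task regardless of workspace trust; whether Cursor honours the same setting is not something the article establishes, which is why a check on the filesystem before opening is the safer control.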
Data Theft & Wallet Drainage
The malware targeted cryptocurrency wallets and browser credentials, including:
- Browser extensions: MetaMask, Phantom, Keplr
- Desktop wallets: Exodus, Electrum, Ledger Live
- Saved passwords & cookies from Chrome, Brave, Edge, and Firefox
To get past operating-system and browser protections:
- On macOS and Linux the malware displayed a fake password prompt and used the captured password to escalate privileges and dump keychains.
- On Windows it bypassed Chrome's app-bound encryption to extract the stored data.
After exfiltration, the malware deleted itself to evade detection.
Attribution & Distinct Tactics
While it resembles Contagious Interview, a long-running North Korean operation, Proofpoint tracks UNK_DeadDrop separately because of its email-led delivery, large-scale repository creation, and self-contained payloads that keep working even after infrastructure takedowns. Though attribution remains unconfirmed, the campaign aligns with North Korea's history of targeting developers since 2022.
Source: https://www.infosecurity-magazine.com/news/north-korean-hackers-developers/
Incident Record
{
  "affected_entities": [
    {
      "industry": ["Technology", "Education", "Finance", "Cryptocurrency"],
      "location": "Primarily U.S.",
      "type": "Technology, Education, Finance, Cryptocurrency firms"
    }
  ],
  "attack_vector": "Malicious emails with fake job offers and code-review requests, malicious GitHub/GitLab repositories",
  "data_breach": {
    "data_exfiltration": true,
    "personally_identifiable_information": "Browser credentials, saved passwords",
    "sensitivity_of_data": "High (PII, financial data)",
    "type_of_data_compromised": ["Browser credentials", "Cryptocurrency wallet data", "Saved passwords", "Cookies"]
  },
  "date_detected": "2026-04",
  "description": "A likely North Korean threat actor conducted a sophisticated phishing campaign targeting nearly 100 organizations primarily in the U.S. with fake job offers and code-review requests to steal cryptocurrency and credentials. The operation, tracked as UNK_DeadDrop, sent over 250 malicious emails in April and May 2026, focusing on employees in technology, education, finance, and cryptocurrency firms.",
  "impact": {
    "data_compromised": "Browser credentials, cryptocurrency wallet data, saved passwords, cookies",
    "financial_loss": "Cryptocurrency wallet drainage",
    "identity_theft_risk": "High (PII and credentials stolen)",
    "payment_information_risk": "High (cryptocurrency wallets targeted)",
    "systems_affected": "macOS, Linux, Windows systems running VS Code or Cursor"
  },
  "initial_access_broker": {
    "backdoors_established": "Fake Google-themed VS Code extension, Overlord RAT",
    "entry_point": "Malicious emails with fake job offers/code-review requests",
    "high_value_targets": "Developers, cryptocurrency wallet users"
  },
  "investigation_status": "Ongoing",
  "motivation": "Financial gain (cryptocurrency theft), credential theft",
  "post_incident_analysis": {
    "root_causes": "Exploitation of VS Code/Cursor automatic task execution, lack of user interaction requirement in Cursor, fake password prompts for privilege escalation"
  },
  "references": [{"source": "Proofpoint"}],
  "response": {"third_party_assistance": "Proofpoint (threat tracking)"},
  "threat_actor": "UNK_DeadDrop (likely North Korean)",
  "title": "North Korean Threat Actor Targets Developers in Large-Scale Phishing Campaign",
  "type": "Phishing, Malware, Credential Theft, Cryptocurrency Theft",
  "vulnerability_exploited": "Automatic execution of tasks.json in VS Code/Cursor, lack of user interaction requirement in Cursor"
}