North Korean-Linked Phishing Campaign Targets Developers in Credential and Crypto Theft Scheme
A newly identified phishing campaign, tracked as UNK_DeadDrop and suspected to be linked to North Korea, has targeted over 250 individuals across nearly 100 organizations primarily in the U.S. between April and May 2024. The operation, uncovered by Proofpoint threat researchers, aims to steal developer credentials and cryptocurrency wallets through deceptive job offers and code review requests.
Attack Methodology
The campaign begins with unsolicited emails spoofing legitimate companies, including Ondo Finance, Empower Pharmacy, NXLog, OnePlan, Hypen Connect, Valon, and Nourish. These messages offer fake roles such as "Full-Stack Engineer" or "Agent Lead Developer" and direct victims to malicious GitHub repositories disguised as coding assignments or cryptocurrency projects.
In May, the attackers shifted tactics, sending peer-review requests for open-source projects under the guise of companies like Pulsynk and Trixauvex, or soliciting Ethereum smart contract testing via Foundry. When victims open the repositories in VS Code or Cursor, a pre-configured task executes, deploying cross-platform malware on Windows, macOS, and Linux.
Malware Execution & Payloads
-
Linux & macOS: The malware uses a Go-based backdoor derived from the Overlord C2 framework, a legitimate red-team tool repurposed for malicious use. It includes modules for:
- Browser credential theft (Chrome, Firefox, and Chromium-based browsers).
- Cryptocurrency wallet exfiltration (MetaMask, Phantom, Exodus, Ledger Live, etc.).
- Anti-forensic cleanup to remove traces.
On macOS, the malware displays a fake system password prompt to escalate privileges, while on Linux, it uses Zenity for credential harvesting.
-
Windows: The attack runs as JavaScript within VS Code’s Electron process, targeting 35 wallet extensions, 18 standalone wallets, and browser profiles. It installs Python-based stealers to extract credentials, cookies, and encrypted browser data, then exfiltrates them to attacker-controlled servers.
Infrastructure & Evolution
Unlike previous North Korean-linked campaigns (e.g., Contagious Interview), UNK_DeadDrop relies on email-based phishing rather than social media, suggesting a scaled, industrialized approach. The attackers maintain distinct infrastructure, using GitHub repositories themed around cryptocurrency, exploits, AI payments, and Foundry testing to lure victims.
Impact & Implications
The campaign highlights North Korea’s evolving cybercrime tactics, shifting from high-touch social engineering to large-scale phishing for financial gain. The use of legitimate tools (Overlord, Foundry, GitHub) and cross-platform malware underscores the growing sophistication of state-aligned threat actors targeting developers, financial services, and tech firms.
OnePlan cybersecurity rating report: https://www.rankiteo.com/company/oneplansolutions
NXLog cybersecurity rating report: https://www.rankiteo.com/company/nxlog
Hyphen Connect cybersecurity rating report: https://www.rankiteo.com/company/hyphen-connect
Inovalon cybersecurity rating report: https://www.rankiteo.com/company/inovalon
Ondo Finance cybersecurity rating report: https://www.rankiteo.com/company/ondo-finance
Empower Pharmacy cybersecurity rating report: https://www.rankiteo.com/company/empower-pharmacy
"id": "ONENXLHYPINOONDEMP1780957588",
"linkid": "oneplansolutions, nxlog, hyphen-connect, inovalon, ondo-finance, empower-pharmacy",
"type": "Cyber Attack",
"date": "4/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'industry': 'Finance (Cryptocurrency)',
'location': 'U.S.',
'name': 'Ondo Finance',
'type': 'Company'},
{'industry': 'Pharmaceutical',
'location': 'U.S.',
'name': 'Empower Pharmacy',
'type': 'Company'},
{'industry': 'Technology (Logging)',
'location': 'U.S.',
'name': 'NXLog',
'type': 'Company'},
{'location': 'U.S.',
'name': 'OnePlan',
'type': 'Company'},
{'location': 'U.S.',
'name': 'Hypen Connect',
'type': 'Company'},
{'location': 'U.S.', 'name': 'Valon', 'type': 'Company'},
{'location': 'U.S.',
'name': 'Nourish',
'type': 'Company'},
{'name': 'Pulsynk', 'type': 'Company'},
{'name': 'Trixauvex', 'type': 'Company'}],
'attack_vector': ['Email Phishing',
'Malicious GitHub Repositories',
'Fake Job Offers',
'Code Review Requests'],
'data_breach': {'data_exfiltration': 'Yes',
'sensitivity_of_data': 'High',
'type_of_data_compromised': ['Browser Credentials',
'Cryptocurrency Wallets',
'Browser Cookies',
'Encrypted Browser Data']},
'date_detected': '2024-05',
'description': 'A phishing campaign tracked as UNK_DeadDrop, suspected to be '
'linked to North Korea, targeted over 250 individuals across '
'nearly 100 organizations primarily in the U.S. between April '
'and May 2024. The operation aimed to steal developer '
'credentials and cryptocurrency wallets through deceptive job '
'offers and code review requests.',
'impact': {'data_compromised': ['Browser Credentials',
'Cryptocurrency Wallets',
'Browser Cookies',
'Encrypted Browser Data'],
'identity_theft_risk': 'High',
'payment_information_risk': 'High',
'systems_affected': ['Windows', 'macOS', 'Linux']},
'initial_access_broker': {'backdoors_established': 'Yes (Go-based backdoor '
'derived from Overlord C2 '
'framework)',
'entry_point': ['Email Phishing',
'Malicious GitHub Repositories'],
'high_value_targets': ['Developers',
'Financial Services',
'Tech Firms']},
'investigation_status': 'Ongoing',
'lessons_learned': 'The campaign highlights North Korea’s evolving cybercrime '
'tactics, shifting from high-touch social engineering to '
'large-scale phishing for financial gain. The use of '
'legitimate tools (Overlord, Foundry, GitHub) and '
'cross-platform malware underscores the growing '
'sophistication of state-aligned threat actors targeting '
'developers, financial services, and tech firms.',
'motivation': ['Financial Gain', 'Credential Theft', 'Cryptocurrency Theft'],
'post_incident_analysis': {'root_causes': ['Use of legitimate tools '
'(Overlord, Foundry, GitHub) for '
'malicious purposes',
'Cross-platform malware targeting '
'Windows, macOS, and Linux']},
'references': [{'source': 'Proofpoint threat researchers'}],
'response': {'third_party_assistance': 'Proofpoint threat researchers'},
'threat_actor': 'North Korea (suspected)',
'title': 'North Korean-Linked Phishing Campaign Targets Developers in '
'Credential and Crypto Theft Scheme (UNK_DeadDrop)',
'type': 'Phishing, Credential Theft, Cryptocurrency Theft'}