{
	"id": "d6cad76b-75f3-454e-8345-34fe7cce07ba",
	"created_at": "2026-04-06T00:20:12.799364Z",
	"updated_at": "2026-04-10T03:36:17.174898Z",
	"deleted_at": null,
	"sha1_hash": "6931934cb76ada666412bcfb38ae02adbcb084d6",
	"title": "DeceptiveDevelopment: From primitive crypto theft to sophisticated AI-based deception",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 512514,
	"plain_text": "DeceptiveDevelopment: From primitive crypto theft to\r\nsophisticated AI-based deception\r\nBy Peter KálnaiMatěj Havránek\r\nArchived: 2026-04-05 21:06:15 UTC\r\nThis blogpost introduces our latest white paper, presented at Virus Bulletin 2025, where we detail the operations\r\nof the North Korea-aligned threat actor we call DeceptiveDevelopment and its connections to North Korean IT\r\nworker campaigns. The white paper provides full technical details, including malware analysis, infrastructure, and\r\nOSINT findings. Here, we summarize the key insights and highlight the broader implications of this hybrid threat.\r\nKey points of this blogpost:\r\nThe invention and focus of the operations are on the social-engineering methods.\r\nDeceptiveDevelopment’s toolset is mostly multiplatform and consists of initial obfuscated\r\nmalicious scripts in Python and JavaScript, basic backdoors in Python and Go, and a dark web\r\nproject in .NET.\r\nWe provide insights into operational details of North Korean IT workers, like work assignments,\r\nschedules, communication with clients, etc., gathered from public sources.\r\nNative, more complex Windows backdoors are an occasional addition in the execution chain and\r\nare likely shared by other North Korea-aligned actors.\r\nDeceptiveDevelopment and North Korean IT workers have different objectives and means, but\r\nwe consider them as tightly connected.\r\nIntroduction\r\nIn this blogpost, we examine the DeceptiveDevelopment group and the WageMole activity cluster as two tightly\r\nconnected North Korea-aligned entities. WageMole is a label that we have adopted for activities associated with\r\nNorth Korean IT workers. 
While the campaigns of both are driven by financial gain, each plays a distinct and\r\ncomplementary role in relation to the other:\r\nDeceptiveDevelopment operators pose as recruiters, using fraudulent job offers to compromise the systems\r\nof job seekers.\r\nNorth Korean IT workers then use the information gained by the DeceptiveDevelopment operators to pose\r\nas job seekers. To secure a real job position, they may employ several tactics, including proxy interviewing,\r\nusing stolen identities, and fabricating synthetic identities with AI-driven tools.\r\nFirst, we provide a catalogue of multiplatform tools used by DeceptiveDevelopment, from simple but obfuscated\r\nscripts like BeaverTail and InvisibleFerret to a complex toolkit, TsunamiKit, centered around a .NET backdoor.\r\nWe also disclose specific links between more complex backdoors used by DeceptiveDevelopment, AkdoorTea and\r\nTropidoor, and other, more APT-oriented North Korea-aligned operations. Next, we describe interesting aspects of\r\nhttps://www.welivesecurity.com/en/eset-research/deceptivedevelopment-from-primitive-crypto-theft-to-sophisticated-ai-based-deception/\r\nPage 1 of 15\n\nNorth Korean IT workers’ modus operandi, obtained from public sources, mostly from unintentionally exposed\r\ndata, testimonials of victims, and investigations of independent researchers.\r\nDeceptiveDevelopment\r\nDeceptiveDevelopment is a North Korea-aligned group active since at least 2023, focused on financial gain. Its\r\nactivities overlap with Contagious Interview, DEV#POPPER, and Void Dokkaebi. The group targets software\r\ndevelopers on all major systems – Windows, Linux, and macOS – and especially those in cryptocurrency and\r\nWeb3 projects. Initial access is achieved exclusively via various social engineering techniques like ClickFix, and\r\nfake recruiter profiles similar to Lazarus’s Operation DreamJob, to deliver trojanized codebases during staged job\r\ninterviews. 
Its most typical payloads are the BeaverTail, OtterCookie, and WeaselStore infostealers, and the\r\nInvisibleFerret modular RAT.\r\nTargeting strategy\r\nDeceptiveDevelopment operators use various methods to compromise their victims, relying on clever social\r\nengineering tricks. Via both fake and hijacked profiles, they pose as recruiters on platforms like LinkedIn,\r\nUpwork, Freelancer, and Crypto Jobs List. They offer fake lucrative job opportunities to attract their targets’\r\ninterest. Victims are requested to participate in a coding challenge or a pre-interview task. The task involves\r\ndownloading a project from private GitHub, GitLab, or Bitbucket repositories. These repositories contain\r\ntrojanized code, often hidden cleverly in long comments displayed well beyond the right-hand edge of a code\r\nbrowser or editor window. Participation in the task triggers the execution of BeaverTail, the first-stage malware.\r\nBesides these fake recruiter accounts, the addition of a new social engineering technique known as ClickFix was\r\nobserved. ClickFix in relation to DeceptiveDevelopment was first reported by Sekoia.io in March 2025, when it\r\nwas used by the group as the initial access method on macOS and Windows systems; in September 2025, GitLab\r\nspotted it being used on Linux systems too. The attackers direct the victim to a fake job interview website,\r\ncontaining an application form that they are asked to complete. The application form contains a few lengthy\r\nquestions related to the applicant’s identity and qualifications, leading the victim to put significant time and effort\r\ninto filling in the form and making them feel like they are almost done, and therefore more likely to fall for the\r\ntrap. 
In the final step of the application, the victim is asked to record a video of them answering the final question.\r\nThe site triggers a pop-up asking the victim to allow camera access, but the camera is never actually accessed.\r\nInstead, an error message appears saying that access to the camera or microphone is currently blocked and offers a\r\n“How to fix” link. That link leads to a pop-up employing the ClickFix social engineering technique. The victim is\r\ninstructed, based on their operating system, to open a terminal and copy and paste a command that should solve\r\nthe issue. However, instead of enabling the victim’s camera, the command downloads and executes malware.\r\nToolset\r\nBeaverTail and InvisibleFerret\r\nThe first indication of DeceptiveDevelopment activity came in November 2023, when Unit 42 reported the\r\nContagious Interview campaign; we later associated this campaign with the group. Unit 42 coined the names\r\nBeaverTail and InvisibleFerret for the two malware families used in this campaign. We documented this campaign\r\nin more detail in our WeLiveSecurity blogpost from February 2025, dissecting how the threat actor makes use of\r\nthese two malware families.\r\nBeaverTail is a simple infostealer and downloader that collects data from cryptocurrency wallets, keychains, and\r\nsaved browser logins. We have observed variants of this malware written in JavaScript, hidden in fake job\r\nchallenges, and also in C++, using the Qt framework and disguised as conferencing software. Its primary function\r\nis downloading the second-stage malware InvisibleFerret. At the end of 2024, a new malware family with\r\nfunctionality similar to BeaverTail emerged – it was named OtterCookie by NTT Security. OtterCookie is written\r\nin JavaScript and uses very similar obfuscation techniques. 
We believe that OtterCookie is an evolution of\r\nBeaverTail and is used by some teams within DeceptiveDevelopment instead of the older BeaverTail, while other\r\nteams continue using and modifying the original codebase.\r\nInvisibleFerret is modular malware written in Python with more information-stealing capabilities than BeaverTail,\r\nalso capable of providing remote control to attackers. It usually comes with the following four modules:\r\na browser-data stealer module (extracts and exfiltrates data saved by browsers and cryptocurrency wallets),\r\na payload module (remote access trojan),\r\na clipboard module (containing keylogging and clipboard logging capabilities) – in some cases distributed\r\nas part of the payload module, and\r\nan AnyDesk module (which deploys the AnyDesk remote access tool to allow direct attacker access to the\r\ncompromised machine).\r\nWeaselStore\r\nAs DeceptiveDevelopment evolved and started to include more teams in its operations, those teams started\r\nmodifying the codebase to meet their own needs and introduced new malware tooling. One such example is a\r\ncampaign that ESET researchers investigated in August 2024. In addition to the conventional BeaverTail and\r\nInvisibleFerret malware, the team responsible for the campaign deployed what we believe is its own new malware\r\n– which we named WeaselStore.\r\nWeaselStore (also called GolangGhost and FlexibleFerret) is a multiplatform infostealer written in Go, though in\r\nMay 2025, Cisco Talos reported about WeaselStore being rewritten in Python; they called that malware\r\nPylangGhost. As the implementation is identical, for simplicity, we refer to both implementations as WeaselStore\r\nin this blogpost.\r\nWeaselStore’s functionality is quite similar to both BeaverTail and InvisibleFerret, with the main focus being\r\nexfiltration of sensitive data from browsers and cryptocurrency wallets. 
Once the data has been exfiltrated,\r\nWeaselStore, unlike traditional infostealers, continues to communicate with its C\u0026C server, serving as a RAT\r\ncapable of executing various commands.\r\nFigure 1. Execution chain of WeaselStore\r\nThe most interesting aspect of WeaselStore in Go is that it is delivered to the victim’s system in the form of Go\r\nsource code, along with the Go environment binaries necessary to build and execute it, allowing the malware to\r\ntarget three main operating systems – Windows, Linux, and macOS (see Figure 1). The installation mechanism\r\ndiffers based on the victim’s operating system, but in all cases the chain ends with downloading the WeaselStore\r\nGo source code and then compiling and executing it using a Go build environment, which is also provided\r\nalongside.\r\nTsunamiKit\r\nIn November 2024, a new version of the InvisibleFerret malware delivered a modified browser-data stealer\r\nmodule. This module, in addition to its normal functionality, contains a previously unseen, large, encoded block\r\nwith the first stage of the execution chain deploying a completely new malware toolkit, also intended for\r\ninformation and cryptocurrency theft. We named this toolkit TsunamiKit, based on the developer’s repeated use of\r\n“Tsunami” in the names of its components (see Table 1). The threat was publicly reported by Alessio Di Santo in\r\nNovember 2024 and by Bitdefender in February 2025; our white paper adds context by placing it in the overall\r\nDeceptiveDevelopment modus operandi. The paper also dives into the details of TsunamiKit’s complex execution\r\nchain.\r\nTable 1. 
Components of the TsunamiKit execution chain\r\nComponent name Description\r\nTsunamiLoader\r\nThe initial stage, obfuscating and dropping TsunamiInjector. It contains a quote\r\nSometimes you never know the value of a moment until it becomes a memory,\r\noften attributed to Dr. Seuss.\r\nTsunamiInjector Downloader of TsunamiInstaller. Also drops TsunamiHardener.\r\nTsunamiHardener*\r\nReferred to as TsunamiPayload in the code. Sets up persistence for TsunamiClient,\r\nand Microsoft Defender exclusions for TsunamiClient and the XMRig miner (one\r\nof TsunamiClient’s components).\r\nTsunamiInstaller .NET dropper of TsunamiClientInstaller and a Tor proxy.\r\nTsunamiClientInstaller* Fingerprints the system; downloads and executes TsunamiClient.\r\nTsunamiClient Complex .NET spyware; drops XMRig and NBMiner.\r\n* These components were originally both named TsunamiPayload; we have renamed them to avoid any confusion.\r\nPostNapTea and Tropidoor\r\nOver the course of our research, we spotted an interesting piece of evidence, further linking\r\nDeceptiveDevelopment to North Korea. In April 2025, Ahnlab researchers reported about trojanized Bitbucket\r\nprojects containing BeaverTail and a 64‑bit downloader named car.dll or img_layer_generate.dll. While\r\nBeaverTail, as expected, downloaded InvisibleFerret, this new downloader retrieved an in-memory payload that\r\nwas named Tropidoor by Ahnlab. We realized that Tropidoor shares large portions of code with PostNapTea, a\r\nLazarus RAT distributed via exploitation against South Korean targets in 2022. Table 2 contains a comparison of\r\nboth payloads.\r\nTable 2. 
Comparison of Tropidoor (DeceptiveDevelopment) and PostNapTea (Lazarus) payloads (asterisks\r\nindicate the country of a VirusTotal submission)\r\n  Tropidoor PostNapTea\r\nFirst seen 2024-11-28 2022-02-25\r\nTargeted countries Kenya*, Colombia*, Canada* South Korea\r\nInitial Access Social engineering Exploitation\r\nHash-based\r\nresolution of\r\nWindows APIs\r\nFowler–Noll–Vo Fowler–Noll–Vo\r\nhttps://www.welivesecurity.com/en/eset-research/deceptivedevelopment-from-primitive-crypto-theft-to-sophisticated-ai-based-deception/\r\nPage 5 of 15\n\nTropidoor PostNapTea\r\nString encryption Plain + XOR-based XOR-based\r\nEncryption for\r\nnetwork\r\ncommunication\r\nBase64 + AES-128 Base64 + AES-128\r\nProject C DLL MFC C++ DLL\r\nType of commands\r\nInternal implementation of Windows\r\ncommands\r\nInternal implementation of Windows\r\ncommands\r\nBuilding\r\nenvironment\r\nVisual Studio 2019, v16.11 Visual Studio 2017, v15.9\r\nConfiguration\r\nformat\r\nBinary JSON\r\nUser-Agent\r\n(differences in\r\nreversed color)\r\nMozilla/5.0 (Windows NT 10.0; Win64;\r\nx64) AppleWebKit/537.36 (KHTML,\r\nlike Gecko) Chrome/112.0.0.0\r\nSafari/537.36 Edg/112.0.1722.64\r\nMozilla/5.0 (Windows NT 10.0; Win64;\r\nx64) AppleWebKit/537.36 (KHTML,\r\nlike Gecko) Chrome/91.0.4472.114\r\nSafari/537.36\r\nTropidoor is the most sophisticated payload yet linked to the DeceptiveDevelopment group, probably because it is\r\nbased on malware developed by the more technically advanced threat actors under the Lazarus umbrella. Some of\r\nthe supported commands are shown in Figure 2.\r\nFigure 2. 
Some Windows commands implemented internally in the Tropidoor code\r\nNew findings\r\nSince our white paper’s submission, we have uncovered new findings that further strengthen the link between the\r\nactivity of DeceptiveDevelopment and other North Korea-aligned cyberattacks.\r\nWe discovered that the TsunamiKit project dates back at least to December 2021, when it was submitted to\r\nVirusTotal under the name Nitro Labs.zip. One of the components contains the PDB path E:\\Programming\\The Tsunami Project\\Malware\\C#\\C# Tsunami Dist Version 3.0.0\\CTsunami\\obj\\Release\\netcoreapp3.1\\win-x64\\\\System Runtime Monitor.pdb. We conclude that TsunamiKit is likely a modification of a dark web project\r\nrather than a new creation by the attackers, based on TsunamiKit largely predating the approximate start of\r\nDeceptiveDevelopment activity in 2023, similar TsunamiKit payloads without any signs of BeaverTail having\r\nbeen observed in ESET telemetry, and cryptocurrency mining being a core feature of TsunamiKit.\r\nAkdoorTea\r\nIn August 2025, a BAT file named ClickFix-1.bat and a ZIP archive named nvidiaRelease.zip were uploaded to\r\nVirusTotal. The BAT file just downloads the archive and executes run.vbs from it. The archive contains various\r\nlegitimate JAR packages for the NVIDIA CUDA Toolkit, together with the following malicious files:\r\nshell.bat, a trojanized installer for Node.js, which is executed afterward.\r\nmain.js, an obfuscated BeaverTail script, automatically loaded by Node.js.\r\ndrvUpdate.exe, a TCP RAT, to which we assign the codename AkdoorTea, as it is similar to Akdoor\r\nreported by AlienVault in 2018 (see Table 3). 
Akdoor is a detection root name by Ahnlab and usually\r\nidentifies a North Korea-aligned payload.\r\nrun.vbs, a VBScript that executes the trojanized installer and AkdoorTea.\r\nTable 3. Comparison of variants of AkdoorTea and Akdoor\r\n  AkdoorTea 2025 Akdoor 2018\r\nDistribution name drvUpdate.exe splwow32.exe, MMDx64Fx.exe\r\nEncryption Base64 + XOR with 0x49 Base64 + RC4\r\nNumber of supported commands 5 4\r\nC\u0026C 103.231.75[.]101\r\n176.223.112[.]74\r\n164.132.209[.]191\r\nVersion 01.01 01.01\r\nOne of the differences between AkdoorTea from 2025 and Akdoor from 2018 is the numbering of commands; see\r\nFigure 3. Also, the command name “version” is called “shi” now.\r\nFigure 3. Version parsing in Akdoor from 2018 and AkdoorTea from 2025\r\nNorth Korean IT workers (aka WageMole)\r\nWhile our research into DeceptiveDevelopment is primarily based on data from our telemetry and reverse-engineering the group’s toolset, it is interesting to point out DeceptiveDevelopment’s relations to fraud operations\r\nby North Korean IT workers, overlapping with the activity of the UNC5267 and Jasper Sleet threat groups.\r\nIT worker campaigns have been ongoing since at least April 2017, according to an FBI wanted poster, and have\r\nbeen increasingly prominent in recent years. A joint advisory released in May 2022 describes IT worker\r\ncampaigns as a coordinated effort by North Korea-aligned individuals to gain employment at overseas companies,\r\nwhose salaries are then used to help fund the country. 
They have also been known to steal internal company data\r\nand use it to extort companies, as stated in an announcement by the FBI in January 2025.\r\nIn addition to using AI to perform their job tasks, they rely heavily on AI for manipulating photos in their profile\r\npictures and CVs, and even perform face swaps in real-time video interviews to look like the persona they are\r\ncurrently using, as described in more detail in a blogpost by Unit 42 in April 2025.\r\nA methodological insight was provided by a DTEX report in May 2025. The IT workers reportedly operate in a\r\nscattered manner, with numerous teams of workers, usually based in foreign countries like China, Russia, and\r\ncountries in Southeast Asia. Each team works in a slightly different manner, but their end goals and modus\r\noperandi are the same – posing as foreign remote workers with fake documents and CVs, and looking for remote\r\nemployment or freelance work to gather funds from the salaries.\r\nAnalyzing OSINT data\r\nMultiple researchers have observed ties and instances of information exchange between these IT workers and\r\nDeceptiveDevelopment. In August 2024, the cybersecurity researcher Heiner García published an investigation of\r\nhow both groups share email accounts or are mutually followed between the GitHub profiles of fake recruiters and\r\nIT workers. In November 2024, Zscaler confirmed that identities stolen from compromised victims are used by\r\nscammers to secure remote jobs. This leads us to assert with medium confidence that although these activities are\r\nconducted by two different groups, they are most likely connected and collaborating.\r\nAdditionally, we managed to gather publicly available data detailing the inner workings of some of the IT worker\r\nteams. 
We gathered this information from multiple sources (with significant help from @browsercookies on X),\r\namong them GitHub profiles belonging to the IT workers, containing publicly accessible internal data and content\r\nshared publicly by researchers. These include details of their work assignments, schedules, communication with\r\nclients and each other, emails, various pictures used for online profiles (both real and fake), fake CVs, and text\r\ntemplates used when job hunting; due to information sharing agreements, we are not disclosing the specific\r\nsources of the data used in our analysis. We dive into these details in our white paper, and provide a compact\r\nsummary below.\r\nAnalysis of fake CVs and internal materials shows that IT workers initially targeted jobs in the US, but have\r\nrecently shifted focus to Europe, including France, Poland, Ukraine, and Albania.\r\nEach team is led by a “boss” who sets quotas and coordinates work. Members spend 10–16 hours daily acquiring\r\njobs, completing tasks, and self-educating – mainly in web programming, blockchain, English, and AI integration.\r\nThey meticulously track their work and use fake identities, CVs, and portfolios to apply for jobs. Communication\r\nwith employers follows scripted responses to appear qualified.\r\nAdditionally, they use premade scripts to recruit real people as proxies, offering them a share of the salary to\r\nattend interviews or host work devices in less suspicious countries. In one case, Ukrainian developers were\r\ntargeted due to perceived hiring advantages.\r\nConclusion\r\nDeceptiveDevelopment’s TTPs illustrate a more distributed, volume-driven model of its operations. Despite often\r\nlacking technical sophistication, the group compensates through scale and creative social engineering. 
Its\r\ncampaigns demonstrate a pragmatic approach, exploiting open-source tooling, reusing available dark web\r\nprojects, adapting malware probably rented from other North Korea-aligned groups, and leveraging human\r\nvulnerabilities through fake job offers and interview platforms.\r\nThe activities of North Korean IT workers constitute a hybrid threat. This fraud-for-hire scheme combines\r\nclassical criminal operations, such as identity theft and synthetic identity fraud, with digital tools, which classify it\r\nas both a traditional crime and a cybercrime (or eCrime). Proxy interviewing poses a severe risk to employers,\r\nsince an illegitimate employee hired from a sanctioned country may not only be irresponsible or underperforming,\r\nbut could also evolve into a dangerous insider threat.\r\nOur findings also highlight the blurred lines between targeted APT activity and cybercrime, particularly in the\r\noverlap between malware campaigns by DeceptiveDevelopment and the operations of North Korean IT workers.\r\nThese dual-use tactics – combining cybertheft and cyberespionage with non-cyberspace employment-fraud\r\nschemes – underscore the need for defenders to consider broader threat ecosystems rather than isolated\r\ncampaigns.\r\nFor any inquiries about our research published on WeLiveSecurity, please contact us at\r\nthreatintel@eset.com.\r\nESET Research offers private APT intelligence reports and data feeds. 
For any inquiries about this\r\nservice, visit the ESET Threat Intelligence page.\r\nIoCs\r\nFiles\r\nA comprehensive list of indicators of compromise (IoCs) and samples can be found in our GitHub repository.\r\nSHA-1 Filename Detection Description\r\nE34A43ACEF5AF1E5197D\r\n940B94FC37BC4EFF0B2A\r\nnvidiadrivers.zip\r\nWinGo/DeceptiveDeve\r\nlopment.F\r\nA trojanized project\r\ncontaining WeaselStore.\r\n3405469811BAE511E62C\r\nB0A4062AADB523CAD263\r\nVCam1.update\r\nWinGo/DeceptiveDeve\r\nlopment.F\r\nA trojanized project\r\ncontaining WeaselStore.\r\nC0BAA450C5F3B6AACDE2\r\n807642222F6D22D5B4BB\r\nVCam2.update\r\nWinGo/DeceptiveDeve\r\nlopment.F\r\nA trojanized project\r\ncontaining WeaselStore.\r\nDAFB44DA364926BDAFC7\r\n2D72DBD9DD728067EFBD\r\nnvidia.js\r\nJS/Spy.DeceptiveDeve\r\nlopment.Q\r\nWeaselStore downloader\r\nfor Windows.\r\n015583535D2C8AB710D1\r\n232AA8A72136485DB4EC\r\nffmpeg.sh\r\nOSX/DeceptiveDeve\r\nlopment.B\r\nWeaselStore downloader\r\nfor OSX/Linux.\r\nCDA0F15C9430B6E0FF1A\r\nCDA4D44DA065D547AF1C\r\nDriverMinUpdate\r\nOSX/DeceptiveDeve\r\nlopment.B\r\nFake prompt requesting\r\nuser's login on macOS.\r\n214F0B10E9474F0F5D32\r\n0158FB71995AF852B216\r\nnvidiaupdate.exe\r\nWinGo/DeceptiveDeve\r\nlopment.B\r\nCompiled WeaselStore\r\nbinary for Windows.\r\n4499C80DDA6DBB492F86\r\n67D11D3FFBFEEC7A3926\r\nbow\r\nPython/DeceptiveDeve\r\nlopment.C\r\nInvisibleFerret.\r\nB20BFBAB8BA732D428AF\r\nBA7A688E6367232B9430\r\nN/A\r\nPython/DeceptiveDeve\r\nlopment.C\r\nBrowser-data stealer\r\nmodule of\r\nInvisibleFerret.\r\nC6888FB1DE8423D9AEF9\r\nDDEA6B1C96C939A06CF5\r\nWindows Update\r\nScript.pyw\r\nPython/TsunamiKit.A TsunamiInjector.\r\n4AAF0473599D7E3A5038\r\n41ED10281FDC186633D2\r\nRuntime Broker\r\n.exe\r\nMSIL/DeceptiveDeve\r\nlopment.A\r\nTsunamiInstaller.\r\nhttps://www.welivesecurity.com/en/eset-research/deceptivedevelopment-from-primitive-crypto-theft-to-sophisticated-ai-based-deception/\r\nPage 10 of 15\n\nSHA-1 Filename Detection 
Description\r\n251CF5F4A8E73F8C5F91071BB043B4AA7F29D519\r\nTsunami Payload.exe\r\nMSIL/DeceptiveDevelopment.A\r\nTsunamiClientInstaller.\r\nD469D1BAA3417080DED74CCB9CFB5324BDB88209\r\nTsunami Payload.dll\r\nMSIL/DeceptiveDevelopment.A\r\nTsunamiClient.\r\n0C0F8152F3462B662318566CDD2F62D8E350A15E\r\nRuntime Broker.exe\r\nWin64/Riskware.Tor.A Tor Proxy.\r\nF42CC34C1CFAA826B96291E9AF81F1A67620E631\r\nautopart.zip\r\nWin64/DeceptiveDevelopment.C\r\nJS/Spy.DeceptiveDevelopment.A\r\nA trojanized project\r\ncontaining BeaverTail\r\nand a downloader of\r\nTropidoor.\r\n02A2CD54948BC0E2F696DE412266DD59D150D8C5\r\nhoodygang.zip\r\nWin64/DeceptiveDevelopment.C\r\nJS/Spy.DeceptiveDevelopment.A\r\nA trojanized project\r\ncontaining BeaverTail\r\nand a downloader of\r\nTropidoor.\r\n6E787E129215AC153F3A4C05A3B5198586D32C9A\r\ntailwind.config.js\r\nJS/Spy.DeceptiveDevelopment.A\r\nA trojanized JavaScript\r\ncontaining BeaverTail.\r\nFE786EAC26B61743560A39BFB905E6FB3BB3DA17\r\ntailwind.config.js\r\nJS/Spy.DeceptiveDevelopment.A\r\nA trojanized JavaScript\r\ncontaining BeaverTail.\r\n86784A31A2709932FF10FDC40818B655C68C7215\r\nimg_layer_generate.dll\r\nWin64/DeceptiveDevelopment.C\r\nA downloader of the\r\nTropidoor RAT.\r\n90378EBD8DB757100A833EB8D00CCE13F6C68E64\r\nN/A\r\nWin64/DeceptiveDevelopment.D\r\nTropidoor RAT.\r\nC86EEDF02B73ADCE08164F5C871E643E6A32056B\r\ndrivfixer.sh\r\nOSX/DeceptiveDevelopment.C\r\nA trojanized macOS\r\ninstaller and launcher of\r\nNode.js.\r\n4E4D31C559CA16F8B7D49B467AA5D057897AB121\r\nClickFix-1.bat\r\nPowerShell/DeceptiveDevelopment.B\r\nAn initial stage on\r\nWindows: BAT\r\ndownloading a malicious\r\nnvidiaRelease.zip\r\narchive.\r\nSHA-1 Filename Detection 
Description\r\nA9C94486161C07AE6935\r\nF62CFCC285CD342CDB35\r\ndriv.zip\r\nJS/Spy.DeceptiveDeve\r\nlopment.A\r\nOSX/DeceptiveDeve\r\nlopment.C\r\nA ZIP archive containing\r\nBeaverTail.\r\nF01932343D7F13FF1094\r\n9BC0EA27C6516F901325\r\nnvidiaRelease.zip\r\nJS/Spy.DeceptiveDeve\r\nlopment.A\r\nWin32/DeceptiveDeve\r\nlopment.A\r\nVBS/DeceptiveDeve\r\nlopment.B\r\nBAT/DeceptiveDeve\r\nlopment.A\r\nA ZIP archive containing\r\nBeaverTail and\r\nAkdoorTea.\r\nBD63D5B0E4F2C72CCFBF\r\n318AF291F7E578FB0D90\r\nmac-v-j1722.fixer\r\nOSX/DeceptiveDeve\r\nlopment.D\r\nAn initial stage on\r\nmacOS: a bash script\r\nthat downloads a\r\nmalicious driv.zip\r\narchive.\r\n10C967386460027E7492\r\nB6138502AB61CA828E37\r\nmain.js\r\nJS/Spy.DeceptiveDeve\r\nlopment.A\r\nAn obfuscated\r\nBeaverTail script,\r\nautomatically loaded by\r\nNode.js.\r\n59BA52C644370B4D627F\r\n0B84C48BDA73D97F1610\r\nrun.vbs\r\nVBS/DeceptiveDeve\r\nlopment.B\r\nA VBScript that\r\nexecutes AkdoorTea and\r\nshell.bat.\r\n792AFE735D6D356FD30D\r\n2E7D0A693E3906DECCA7\r\ndrvUpdate.exe\r\nWin32/DeceptiveDeve\r\nlopment.A\r\nAkdoorTea, a TCP RAT.\r\nNetwork\r\nhttps://www.welivesecurity.com/en/eset-research/deceptivedevelopment-from-primitive-crypto-theft-to-sophisticated-ai-based-deception/\r\nPage 12 of 15\n\nIP Domain\r\nHosting\r\nprovider\r\nFirst seen Details\r\n199.188.200[.]147 driverservices[.]store Namecheap, Inc. 
2025‑08‑08\r\nRemote storage for\r\nDeceptiveDevelopment.\r\n116.125.126[.]38\r\nwww.royalsevr\r\nes[.]com\r\nSK Broadband\r\nCo Ltd\r\n2024‑06‑25\r\nRemote storage for\r\nDeceptiveDevelopment.\r\nN/A\r\nn34kr3z26f3jz\r\np4ckmwuv5ipqy\r\natumdxhgjgsmu\r\ncc65jac56khdy\r\n5zqd[.]onion\r\nN/A 2023‑10‑06\r\nTsunamiClient C\u0026C\r\nserver.\r\n103.231.75[.]101 N/A\r\nTHE-HOSTING-MNT\r\n2025‑08‑10 AkdoorTea C\u0026C server.\r\n45.159.248[.]110 N/A\r\nTHE-HOSTING-MNT\r\n2025‑06‑29 BeaverTail C\u0026C server.\r\n45.8.146[.]93 N/A\r\nSTARK\r\nINDUSTRIES\r\nSOLUTIONS\r\nLTD\r\n2024‑10‑26 Tropidoor C\u0026C server.\r\n86.104.72[.]247 N/A\r\nSTARK\r\nINDUSTRIES\r\nSOLUTIONS\r\nLTD\r\n2024‑10‑31 Tropidoor C\u0026C server.\r\n103.35.190[.]170 N/A\r\nSTARK\r\nINDUSTRIES\r\nSOLUTIONS\r\nLTD\r\n2024‑06‑24 Tropidoor C\u0026C server.\r\nMITRE ATT\u0026CK techniques\r\nThis table was built using version 17 of the MITRE ATT\u0026CK framework.\r\nTactic ID Name Description\r\nReconnaissance T1589 Gather Victim Identity\r\nInformation\r\nDeceptiveDevelopment steals victims'\r\ncredentials to be used by WageMole in\r\nhttps://www.welivesecurity.com/en/eset-research/deceptivedevelopment-from-primitive-crypto-theft-to-sophisticated-ai-based-deception/\r\nPage 13 of 15\n\nTactic ID Name Description\r\nconsequent social engineering.\r\nResource\r\nDevelopment\r\nT1585.001\r\nEstablish Accounts: Social\r\nMedia Accounts\r\nFake recruiter accounts created on\r\nLinkedIn, Upwork, Freelancer.com, etc.\r\n  T1586 Compromise Accounts\r\nHijacked GitHub and social media\r\naccounts used to distribute malware.\r\nInitial Access T1566.001\r\nPhishing: Spearphishing\r\nAttachment\r\nFake job offers include attachments or\r\nlinks to malicious projects.\r\n  T1566.002\r\nPhishing: Spearphishing\r\nLink\r\nClickFix technique uses deceptive links to\r\nfake troubleshooting guides.\r\nExecution T1204.001\r\nUser Execution: Malicious\r\nLink\r\nVictims are lured to fake job interview\r\nsites (e.g., 
ClickFix) that initiate malware\r\ndownload.\r\n  T1204.002\r\nUser Execution: Malicious\r\nFile\r\nTrojanized coding challenges contain\r\nvariants of BeaverTail.\r\n  T1059\r\nCommand and Scripting\r\nInterpreter\r\nDeceptiveDevelopment uses VBS,\r\nPython, JavaScript, and shell commands\r\nfor execution.\r\nDefense Evasion T1078 Valid Accounts\r\nWageMole reuses stolen identities and\r\ncredentials, especially for fake recruiter\r\nand GitHub accounts.\r\n  T1027\r\nObfuscated Files or\r\nInformation\r\nObfuscated malicious scripts are hidden\r\nin long comments or outside IDE view.\r\n  T1055 Process Injection\r\nTsunamiKit uses injection techniques in\r\nits execution chain.\r\n  T1036 Masquerading\r\nMalware disguised as legitimate software\r\n(e.g., conferencing tools, NVIDIA\r\ninstallers).\r\n  T1497\r\nVirtualization/Sandbox\r\nEvasion\r\nTsunamiKit includes environment checks\r\nand obfuscation to evade analysis.\r\nCollection T1056.001 Input Capture: Keylogging\r\nInvisibleFerret includes clipboard and\r\nkeylogging modules.\r\nCommand and\r\nControl\r\nT1071.001\r\nApplication Layer\r\nProtocol: Web Protocols\r\nAkdoorTea, BeaverTail, and Tropidoor\r\ncommunicate with C\u0026C servers over\r\nHTTP/S.\r\n  T1105 Ingress Tool Transfer\r\nBeaverTail downloads second-stage\r\npayloads like InvisibleFerret, TsunamiKit,\r\nor Tropidoor.\r\nSource: https://www.welivesecurity.com/en/eset-research/deceptivedevelopment-from-primitive-crypto-theft-to-sophisticated-ai-based-deception/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.welivesecurity.com/en/eset-research/deceptivedevelopment-from-primitive-crypto-theft-to-sophisticated-ai-based-deception/"
	],
	"report_names": [
		"deceptivedevelopment-from-primitive-crypto-theft-to-sophisticated-ai-based-deception"
	],
	"threat_actors": [
		{
			"id": "7187a642-699d-44b2-9c69-498c80bce81f",
			"created_at": "2025-08-07T02:03:25.105688Z",
			"updated_at": "2026-04-10T02:00:03.78394Z",
			"deleted_at": null,
			"main_name": "NICKEL TAPESTRY",
			"aliases": [
				"CL-STA-0237 ",
				"CL-STA-0241 ",
				"DPRK IT Workers",
				"Famous Chollima ",
				"Jasper Sleet Microsoft",
				"Purpledelta Recorded Future",
				"Storm-0287 ",
				"UNC5267 ",
				"Wagemole "
			],
			"source_name": "Secureworks:NICKEL TAPESTRY",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "9041c438-4bc0-4863-b89c-a32bba33903c",
			"created_at": "2023-01-06T13:46:38.232751Z",
			"updated_at": "2026-04-10T02:00:02.888195Z",
			"deleted_at": null,
			"main_name": "Nitro",
			"aliases": [
				"Covert Grove"
			],
			"source_name": "MISPGALAXY:Nitro",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a2b44a04-a080-4465-973d-976ce53777de",
			"created_at": "2022-10-25T16:07:23.911791Z",
			"updated_at": "2026-04-10T02:00:04.786538Z",
			"deleted_at": null,
			"main_name": "Nitro",
			"aliases": [
				"Covert Grove",
				"Nitro"
			],
			"source_name": "ETDA:Nitro",
			"tools": [
				"AngryRebel",
				"Backdoor.Apocalipto",
				"Chymine",
				"Darkmoon",
				"Farfli",
				"Gen:Trojan.Heur.PT",
				"Gh0st RAT",
				"Ghost RAT",
				"Moudour",
				"Mydoor",
				"PCClient",
				"PCRat",
				"Poison Ivy",
				"SPIVY",
				"Spindest",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "4fc99d9b-9b66-4516-b0db-520fbef049ed",
			"created_at": "2025-10-29T02:00:51.949631Z",
			"updated_at": "2026-04-10T02:00:05.346203Z",
			"deleted_at": null,
			"main_name": "Contagious Interview",
			"aliases": [
				"Contagious Interview",
				"DeceptiveDevelopment",
				"Gwisin Gang",
				"Tenacious Pungsan",
				"DEV#POPPER",
				"PurpleBravo",
				"TAG-121"
			],
			"source_name": "MITRE:Contagious Interview",
			"tools": [
				"InvisibleFerret",
				"BeaverTail",
				"XORIndex Loader",
				"HexEval Loader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d05e8567-9517-4bd8-a952-5e8d66f68923",
			"created_at": "2024-11-13T13:15:31.114471Z",
			"updated_at": "2026-04-10T02:00:03.761535Z",
			"deleted_at": null,
			"main_name": "WageMole",
			"aliases": [
				"Void Dokkaebi",
				"WaterPlum",
				"PurpleBravo",
				"Famous Chollima",
				"UNC5267",
				"Wagemole",
				"Nickel Tapestry",
				"Storm-1877"
			],
			"source_name": "MISPGALAXY:WageMole",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ef59a0d9-c556-4448-8553-ed28f315d352",
			"created_at": "2025-06-29T02:01:57.047978Z",
			"updated_at": "2026-04-10T02:00:04.744218Z",
			"deleted_at": null,
			"main_name": "Operation Contagious Interview",
			"aliases": [
				"Jasper Sleet",
				"Nickel Tapestry",
				"Operation Contagious Interview",
				"PurpleBravo",
				"Storm-0287",
				"Tenacious Pungsan",
				"UNC5267",
				"Wagemole",
				"WaterPlum"
			],
			"source_name": "ETDA:Operation Contagious Interview",
			"tools": [
				"BeaverTail",
				"InvisibleFerret",
				"OtterCookie",
				"PylangGhost"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434812,
	"ts_updated_at": 1775792177,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6931934cb76ada666412bcfb38ae02adbcb084d6.pdf",
		"text": "https://archive.orkl.eu/6931934cb76ada666412bcfb38ae02adbcb084d6.txt",
		"img": "https://archive.orkl.eu/6931934cb76ada666412bcfb38ae02adbcb084d6.jpg"
	}
}
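The network indicators in the IoC table of the archived text are published defanged ("[.]"), so they cannot be grepped for as-is. The Python below is an added example, not code from ESET or from the article: it refangs those indicators, scans log lines for exact IP hits and exact-or-subdomain hostname hits, and tags each hit with the description the table gives for that server. The log line format and the SAMPLE_LOGS are constructed for the example and are not from any real incident.

```python
"""Scan proxy/DNS log lines for the DeceptiveDevelopment network indicators.

Added example, not code from ESET or the article. The indicators and their
descriptions are copied from the IoC table; the log format and SAMPLE_LOGS
are constructed for illustration.
"""
import ipaddress
import re
from typing import Dict, List, Optional, Set, Tuple

# Indicators exactly as published (defanged with "[.]"), keyed to the table's
# own description so a hit can be attributed to a malware family.
DEFANGED_INDICATORS: Dict[str, str] = {
    "116.125.126[.]38": "Remote storage for DeceptiveDevelopment",
    "www.royalsevres[.]com": "Remote storage for DeceptiveDevelopment",
    "n34kr3z26f3jzp4ckmwuv5ipqyatumdxhgjgsmucc65jac56khdy5zqd[.]onion": "TsunamiClient C&C server",
    "103.231.75[.]101": "AkdoorTea C&C server",
    "45.159.248[.]110": "BeaverTail C&C server",
    "45.8.146[.]93": "Tropidoor C&C server",
    "86.104.72[.]247": "Tropidoor C&C server",
    "103.35.190[.]170": "Tropidoor C&C server",
}

# Constructed sample log lines (assumed format, not from a real incident).
# Line 4 is a near-miss IP and line 5 a benign host; neither should match.
SAMPLE_LOGS: List[str] = [
    "2025-08-11T09:14:02Z dev-laptop-07 CONNECT 103.231.75.101:443 user=jdoe",
    "2025-08-11T09:14:05Z dev-laptop-07 DNS www.royalsevres.com A 116.125.126.38",
    "2025-08-11T09:15:30Z build-agent-02 GET https://registry.npmjs.org/express 200",
    "2025-08-11T09:16:11Z dev-laptop-03 CONNECT 103.231.75.10:443 user=asmith",
    "2025-08-11T09:17:44Z dev-laptop-03 DNS static.example.com A 93.184.216.34",
    "2025-08-11T09:18:02Z dev-laptop-07 TOR n34kr3z26f3jzp4ckmwuv5ipqyatumdxhgjgsmucc65jac56khdy5zqd.onion:80",
]

# Word boundaries keep "1103.231.75.101" from yielding a false hit on the tail.
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)+\b")


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into the form that appears in logs."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").strip().lower()


def build_matchers(defanged: Dict[str, str]) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Split indicators into IP and hostname lookups, keyed by their live form."""
    ips: Dict[str, str] = {}
    hosts: Dict[str, str] = {}
    for indicator, description in defanged.items():
        live = refang(indicator)
        try:
            ipaddress.ip_address(live)
            ips[live] = description
        except ValueError:
            hosts[live] = description
    return ips, hosts


def host_matches(token: str, hosts: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """Exact match, or a subdomain of a listed host (e.g. cdn.www.royalsevres.com)."""
    if token in hosts:
        return token, hosts[token]
    for host, description in hosts.items():
        if token.endswith("." + host):
            return host, description
    return None


def scan(lines: List[str], defanged: Dict[str, str] = DEFANGED_INDICATORS) -> List[Tuple[int, str, str]]:
    """Return (1-based line number, matched indicator, description) for every hit."""
    ips, hosts = build_matchers(defanged)
    hits: List[Tuple[int, str, str]] = []
    for lineno, raw in enumerate(lines, start=1):
        line = raw.lower()
        seen: Set[str] = set()  # report each indicator once per line
        for ip in IP_RE.findall(line):
            if ip in ips and ip not in seen:
                seen.add(ip)
                hits.append((lineno, ip, ips[ip]))
        for token in HOST_RE.findall(line):
            match = host_matches(token, hosts)
            if match and match[0] not in seen:
                seen.add(match[0])
                hits.append((lineno, match[0], match[1]))
    return hits


if __name__ == "__main__":
    for lineno, indicator, description in scan(SAMPLE_LOGS):
        print(f"line {lineno}: {indicator} -> {description}")
```

Run it directly to see the four hits on the sample lines (the AkdoorTea C&C CONNECT, both the domain and the IP of the royalsevres[.]com remote storage, and the TsunamiClient onion). The near-miss 103.231.75.10 is ignored because IP matching is exact, while hostnames also match on subdomains, which is the usual asymmetry wanted for C&C infrastructure: an attacker can add a label in front of a domain they control but cannot vary an IP.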