{
	"id": "02bb5f2b-58ce-4f53-b601-d7d4b568f758",
	"created_at": "2026-04-06T00:07:17.617497Z",
	"updated_at": "2026-04-10T03:38:20.12079Z",
	"deleted_at": null,
	"sha1_hash": "b765e0289a2e35fe4b1f0cbf850b7ca2977d967c",
	"title": "DeceptiveDevelopment targets freelance developers",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1479511,
	"plain_text": "DeceptiveDevelopment targets freelance developers\r\nBy Matěj Havránek\r\nArchived: 2026-04-05 14:47:54 UTC\r\nCybercriminals have been known to approach their targets under the guise of company recruiters, enticing them\r\nwith fake employment offers. After all, what better time to strike than when the potential victim is distracted by\r\nthe possibility of getting a job? Since early 2024, ESET researchers have observed a series of malicious North\r\nKorea-aligned activities, where the operators, posing as headhunters, try to serve their targets with software\r\nprojects that conceal infostealing malware. We call this activity cluster DeceptiveDevelopment.\r\nAs part of a fake job interview process, the DeceptiveDevelopment operators ask their targets to do a coding test,\r\nsuch as adding a feature to an existing project, with the files necessary for the task usually hosted on private\r\nrepositories on GitHub or other similar platforms. Unfortunately for the eager work candidate, these files are\r\ntrojanized: once they download and execute the project, the victim’s computer gets compromised with the\r\noperation’s first-stage malware, BeaverTail.\r\nDeceptiveDevelopment was first publicly described by Phylum and Unit 42 in 2023, and has already been\r\npartially documented under the names Contagious Interview and DEV#POPPER. 
We have conducted further\r\nanalysis of this activity cluster and its operator’s initial access methods, network infrastructure, and toolset,\r\nincluding new versions of the two malware families used by DeceptiveDevelopment – InvisibleFerret, and the\r\naforementioned BeaverTail.\r\nKey points of this blogpost:\r\nDeceptiveDevelopment targets freelance software developers through spearphishing on job-hunting and freelancing sites, aiming to steal cryptocurrency wallets and login information from\r\nbrowsers and password managers.\r\nActive since at least November 2023, this operation primarily uses two malware families –\r\nBeaverTail (infostealer, downloader) and InvisibleFerret (infostealer, RAT).\r\nDeceptiveDevelopment’s tactics, techniques, and procedures (TTPs) are similar to several other\r\nknown North Korea-aligned operations.\r\nWe first observed this DeceptiveDevelopment campaign in early 2024, when we discovered trojanized projects\r\nhosted on GitHub with malicious code hidden at the end of long comments, effectively moving the code off-screen. These projects delivered the BeaverTail and InvisibleFerret malware. In addition to analyzing the two\r\nmalware families, we also started investigating the C\u0026C infrastructure behind the campaign. Since then, we have\r\nbeen tracking this cluster and its advances in strategy and tooling used in these ongoing attacks. This blogpost\r\ndescribes the TTPs of this campaign, as well as the malware it uses.\r\nDeceptiveDevelopment profile\r\nhttps://www.welivesecurity.com/en/eset-research/deceptivedevelopment-targets-freelance-developers/\r\nPage 1 of 28\n\nDeceptiveDevelopment is a North Korea-aligned activity cluster that we currently do not attribute to any known\r\nthreat actor. 
Operators behind DeceptiveDevelopment target software developers on Windows, Linux, and macOS.\r\nThey primarily steal cryptocurrency for financial gain, with a possible secondary objective of cyberespionage.\r\nTo approach their targets, these operators use fake recruiter profiles on social media, not unlike the Lazarus group\r\nin Operation DreamJob (as described in this WeLiveSecurity blogpost). However, while Operation DreamJob\r\ntargeted defense and aerospace engineers, DeceptiveDevelopment reaches out to freelance software developers,\r\noften those involved in cryptocurrency projects. To compromise its victims’ computers, DeceptiveDevelopment\r\nprovides its targets with trojanized codebases that deploy backdoors as part of a faux job interview process.\r\nVictimology\r\nThe primary targets of this DeceptiveDevelopment campaign are software developers, mainly those involved in\r\ncryptocurrency and decentralized finance projects. The attackers don’t distinguish based on geographical location\r\nand aim to compromise as many victims as possible to increase the likelihood of successfully extracting funds and\r\ninformation.\r\nWe have observed hundreds of different victims around the world, using all three major operating systems –\r\nWindows, Linux, and macOS. They ranged from junior developers just starting their freelance careers to highly\r\nexperienced professionals in the field. We only observed attacker–victim conversations in English, but cannot say\r\nwith certainty that the attackers will not use translation tools to communicate with victims who don’t speak that\r\nlanguage. A map showing the global distribution of victims can be seen in Figure 1.\r\nFigure 1. 
Heatmap of different victims of DeceptiveDevelopment\r\nAttribution\r\nWe consider DeceptiveDevelopment to be a North Korea-aligned activity cluster with high confidence based on\r\nseveral elements:\r\nWe observed connections between GitHub accounts controlled by the attackers and accounts containing\r\nfake CVs used by North Korean IT workers. These people apply for jobs in foreign companies under false\r\nidentities in order to collect salaries to help fund the regime. The observed connections were mutual\r\nfollows between GitHub profiles where one side was associated with DeceptiveDevelopment, and the other\r\ncontained fake CVs and other material related to North Korean IT worker activity. Similar connections\r\nwere also observed by Unit 42. Unfortunately, the GitHub pages were taken down before we were able to\r\nrecord all the evidence.\r\nThe TTPs (use of fake recruiters, trojanized job challenges, and software used during interviews) are\r\nsimilar to other North Korea-aligned activity (Moonstone Sleet, and Lazarus’s DreamJob and\r\nDangerousPassword campaigns).\r\nIn addition to the connections between the GitHub profiles, the malware used in DeceptiveDevelopment is rather\r\nsimple. This tracks with the reporting done by Mandiant claiming that the IT workers’ work is usually of poor\r\nquality.\r\nWhile monitoring DeceptiveDevelopment activity, we saw numerous cases showing a lack of attention to detail on\r\nthe part of the threat actors. In some of them, the authors failed to remove development notes or commented-out\r\nlocal IP addresses used for development and testing. We also saw samples where they seem to have forgotten to\r\nobfuscate the C\u0026C address after changing it; this can be seen in Figure 2. 
Furthermore, the malware uses freely\r\navailable obfuscation tools with links to them sometimes left in code comments.\r\nFigure 2. Examples of comments and obfuscation forgotten in the code\r\nTechnical analysis\r\nInitial access\r\nIn order to pose as recruiters, the attackers copy profiles of existing people or even construct new personas. They\r\nthen either directly approach their potential victims on job-hunting and freelancing platforms or post fake job\r\nlistings there. At first, the threat actors used brand new profiles and would simply send links to malicious GitHub\r\nprojects via LinkedIn to their intended targets. Later, they started using profiles that appear established, with many\r\nfollowers and connections, to look more trustworthy, and branched out to more job-hunting and code-hosting\r\nwebsites. While some of these profiles are set up by the attackers themselves, others are potentially compromised\r\nprofiles of real people on the platform, modified by the attackers.\r\nSome of the platforms where these interactions occur are generic job-hunting ones, while others focus primarily\r\non cryptocurrency and blockchain projects and are thus more in line with the attackers’ goals. The platforms\r\ninclude:\r\nLinkedIn,\r\nUpwork,\r\nFreelancer.com,\r\nWe Work Remotely,\r\nMoonlight, and\r\nCrypto Jobs List.\r\nThe most commonly observed compromise vector consists of the fake recruiter providing the victim with a\r\ntrojanized project under the guise of a hiring challenge or helping the “recruiter” fix a bug for a financial reward.\r\nVictims receive the project files either directly via file transfer on the site or through a link to a repository like\r\nGitHub, GitLab, or Bitbucket. They are asked to download the files, add features or fix bugs, and report back to\r\nthe recruiter. 
Additionally, they are instructed to build and execute the project in order to test it, which is where the\r\ninitial compromise happens. The repositories used are usually private, so the victim is first asked to provide their\r\naccount ID or email address to be granted access to them, most likely to conceal the malicious activity from\r\nresearchers.\r\nDespite that, we observed many cases where these repositories were publicly available, but realized that these\r\nbelong mostly to victims who, after completing their tasks, uploaded them to their own repositories. Figure 3\r\nshows an example of a trojanized project hosted on GitHub. We have reported all observed malicious code to the\r\naffected services.\r\nFigure 3. README of a trojanized GitHub project\r\nThe trojanized projects fall into one of four categories:\r\nhiring challenges,\r\ncryptocurrency projects,\r\ngames (usually with blockchain functionality), and\r\ngambling with blockchain/cryptocurrency features.\r\nThese repositories are often duplicates of existing open-source projects or demos, with little to no change aside\r\nfrom adding the malicious code and changing the README file. Some of the malicious project names and names\r\nof attacker-controlled accounts operating them (where we could assess them) are listed in Table 1.\r\nTable 1. 
Observed project names and repository/commit authors\r\nProject – Author\r\nWebsite-Test – Hiring-Main-Support\r\nguru-challenge – Chiliz-Guru\r\nbaseswap_ver_4 – artemreinv\r\nmetaverse-backend – metaverse-ritech\r\nlisk-parknetwork – MariaMar1809\r\ncasino-template-paid – bmstore\r\ncasino-demo – casinogamedev\r\npoint – freebling-v3\r\nBlockchain-game – N/A\r\n3DWorld-tectera-beta – N/A\r\nWe also observed the attackers impersonating existing projects and companies by using similar names or\r\nappending LLC, Ag, or Inc (abbreviations of legal company types) to the names, as seen in Table 2.\r\nTable 2. Observed project names and repository/commit authors impersonating legitimate projects\r\nProject – Author\r\nLumanagi-Dex – LUMANAGI-LLC\r\nDARKROOM-NFT – DarkRoomAg\r\nDarkRoom – WonderKiln-Inc\r\nThe attackers often use a clever trick to hide their malicious code: they place it in an otherwise benign component\r\nof the project, usually within backend code unrelated to the task given to the developer, where they append it as a\r\nsingle line behind a long comment. This way, it is moved off-screen and stays hidden unless the victim scrolls to it\r\nor has the word wrap feature of their code editor enabled. Interestingly, GitHub’s own code editor does not enable\r\nword wrap, so the malicious code is easy to miss even when looking at code in the repository, as shown in Figure\r\n4.\r\nFigure 4. Malicious code appended after a long comment pushing it off-screen in GitHub’s code\r\neditor (top) and the page source of just line #1 as seen in a code editor with word wrapping enabled\r\n(bottom)\r\nAnother compromise vector we observed consisted of the fake recruiter inviting the victim to a job interview\r\nusing an online conferencing platform and providing a link to a website from which the necessary conferencing\r\nsoftware can be downloaded. 
The website is usually a clone of an existing conferencing platform’s website, as\r\nseen in Figure 5, and the downloaded software contains the first stage of the malware.\r\nFigure 5. Malicious website at mirotalk[.]net, a copy of the legitimate MiroTalk site\r\n(sfu.mirotalk.com), serving malware disguised as conferencing software via a click of the\r\nJoin Room button\r\nToolset\r\nDeceptiveDevelopment primarily uses two malware families as part of its activities, delivered in two stages. The\r\nfirst stage, BeaverTail, has both a JavaScript and a native variant (written in C++ using the Qt platform), and is\r\ndelivered to the victim, disguised as a part of a project the victim is asked to work on, a hiring challenge, or inside\r\ntrojanized remote conferencing software such as MiroTalk or FreeConference.\r\nBeaverTail acts as a simple login stealer, extracting browser databases containing saved logins, and as a\r\ndownloader for the second stage, InvisibleFerret. This is modular Python-based malware that includes spyware\r\nand backdoor components, and is also capable of downloading the legitimate AnyDesk remote management and\r\nmonitoring software for post-compromise activities. Figure 6 shows the full compromise chain from initial\r\ncompromise, through data exfiltration, to the deployment of AnyDesk.\r\nFigure 6. DeceptiveDevelopment compromise chain\r\nBoth BeaverTail and InvisibleFerret have been previously documented by Unit 42, Group-IB, and Objective-See.\r\nA parallel investigation was also published by Zscaler, whose findings we can independently confirm. 
Our\r\nanalysis contains details that have not been publicly reported before and presents a comprehensive overview of the\r\nmalicious activity.\r\nBeaverTail\r\nBeaverTail is the name for the infostealer and downloader malware used by DeceptiveDevelopment. There are\r\ntwo different versions – one written in JavaScript and placed directly into the trojanized projects with simple\r\nobfuscation, and native versions, built using the Qt platform, that are disguised as conferencing software and were\r\ninitially described by Objective-See. Both versions have strong similarities in their functionalities.\r\nThis malware targets Windows, Linux, and macOS systems, with the aim of collecting saved login information\r\nand cryptocurrency wallet data.\r\nIt starts by getting the C\u0026C IP address and port. While the IP addresses vary, the ports used are usually either\r\n1224 or 1244, making the malicious network activity easily identifiable. In the JavaScript version, the IP address\r\nand port are obfuscated using base64 encoding, split into three parts, and swapped around to prevent automatic\r\ndecoding. Other strings are also encoded with base64, often with one dummy character prepended to the resulting\r\nstring to thwart simple decoding attempts. The native version has the IP, port, and other strings all stored in\r\nplaintext. The obfuscated JavaScript code can be seen in Figure 7, and the deobfuscated code in Figure 8.\r\nFigure 7. Obfuscated BeaverTail code\r\nFigure 8. Deobfuscated BeaverTail code\r\nBeaverTail then looks for browser extensions installed in the Google Chrome, Microsoft Edge, Opera, and Brave\r\nbrowsers and checks whether any of them match extension names from a hardcoded list from Chrome Web Store\r\nor Microsoft Edge Add-ons, shown below. 
The browser listed in parentheses is the source of the extension; note\r\nthat both Opera and Brave also use extensions from Chrome Web Store, as they are Chromium-based.\r\nnkbihfbeogaeaoehlefnkodbefgpgknn – MetaMask (Chrome)\r\nejbalbakoplchlghecdalmeeeajnimhm – MetaMask (Edge)\r\nfhbohimaelbohpjbbldcngcnapndodjp – BNB Chain Wallet (Chrome)\r\nhnfanknocfeofbddgcijnmhnfnkdnaad – Coinbase Wallet (Chrome)\r\nibnejdfjmmkpcnlpebklmnkoeoihofec – TronLink (Chrome)\r\nbfnaelmomeimhlpmgjnjophhpkkoljpa – Phantom (Chrome)\r\nfnjhmkhhmkbjkkabndcnnogagogbneec – Ronin Wallet (Chrome)\r\naeachknmefphepccionboohckonoeemg – Coin98 Wallet (Chrome)\r\nhifafgmccdpekplomjjkcfgodnhcellj – Crypto.com Wallet (Chrome)\r\nIf they are found, any .ldb and .log files from the extensions’ directories are collected and exfiltrated.\r\nApart from these files, the malware also targets a file containing the Solana keys stored in the user’s home\r\ndirectory in .config/solana/id.json. BeaverTail then looks for saved login information in /Library/Keychains/\r\nlogin.keychain (for macOS) or /.local/share/keyrings/ (for Linux). If they exist, the Firefox login databases\r\nkey3.db, key4.db, and logins.json from /.mozilla/firefox/ are also exfiltrated during this time.\r\nEach BeaverTail sample contains a victim ID used for identification. These IDs are used throughout the whole\r\ncompromise chain as identifiers in all downloads and uploads. We suspect that these IDs are unique to each victim\r\nand are used to connect the stolen information to the victim’s public profile.\r\nThe collected data along with the computer hostname and current timestamp is uploaded to the /uploads API\r\nendpoint on the C\u0026C server. Then, a standalone Python environment is downloaded in an archive called p2.zip,\r\nhosted on the C\u0026C server, to enable execution of the next stage. 
Finally, the next stage is downloaded from the\r\nC\u0026C server (API endpoint /client/\u003ccampaign_ID\u003e) into the user’s home directory under the name .npl and\r\nexecuted using the downloaded Python environment.\r\nIn August 2024, we observed a new version of the JavaScript BeaverTail, where the code placed in the trojanized\r\nproject acted only as a loader and downloaded and executed the actual payload code from a remote server. This\r\nversion also used a different obfuscation technique and added four new cryptocurrency wallet extensions to the list\r\nof targets:\r\njblndlipeogpafnldhgmapagcccfchpi – Kaia Wallet (Chrome)\r\nacmacodkjbdgmoleebolmdjonilkdbch – Rabby Wallet (Chrome)\r\ndlcobpjiigpikoobohmabehhmhfoodbb – Argent X - Starknet Wallet (Chrome)\r\naholpfdialjgjfhomihkjbmgjidlcdno – Exodus Web3 Wallet (Chrome)\r\nWhen investigating the ipcheck[.]cloud website, we noticed that the homepage is a mirror of the malicious\r\nmirotalk[.]net website, serving native BeaverTail malware disguised as remote conferencing software, indicating a\r\ndirect connection between the new JavaScript and the native versions of BeaverTail.\r\nInvisibleFerret\r\nInvisibleFerret is modular Python malware with capabilities for information theft and remote attacker control. It\r\nconsists of four modules – main (the .npl file), payload (pay), browser (bow), and AnyDesk (adc). The malware\r\nhas no persistence mechanism in place aside from the AnyDesk client deployed at the end of the compromise\r\nchain. After gaining persistence via AnyDesk, the attackers can execute InvisibleFerret at will.\r\nInterestingly, most of its backdoor functionality requires an operator (or scripted behavior) at the other side\r\nsending commands, deciding what data to exfiltrate and how to propagate the attack. In all versions of\r\nInvisibleFerret that we observed, the backdoor components are activated upon operator command. 
The only\r\nfunctionality not executed by the operator is the initial fingerprinting, which is done automatically.\r\nMain module\r\nThe main module, originally named main, is the .npl file that BeaverTail downloaded from the C\u0026C server and\r\nsaved into the home directory. It is responsible for downloading and executing individual payload modules. All\r\nmodules contain an XOR-encrypted and base64-encoded payload, preceded by four bytes representing the XOR\r\nkey, followed by code to decrypt and execute it via exec, as seen in Figure 9. Each module also contains the sType\r\nvariable, containing the current victim ID. This ID is a copy of the ID specified in the download request. When a\r\nrequest is made to download the script file, the given ID is placed as the sType value into the final script file by\r\nthe C\u0026C server’s API.\r\nFigure 9. Decrypting and executing the InvisibleFerret payload\r\nThis module contains a hardcoded C\u0026C address encoded with base64 and split into two halves that have been\r\nswapped to make decoding harder. In most cases that we observed, this address was identical to the one used in\r\nthe preceding BeaverTail sample. The main module downloads the payload module from\r\n/payload/\u003ccampaign_ID\u003e to .n2/pay in the user’s home directory and executes it. Afterwards, if running on\r\nmacOS (determined by checking whether a call to the platform.system function returns Darwin), it exits. On other\r\noperating systems it also downloads the browser module from /brow/\u003ccampaign_ID\u003e to .n2/bow in the user’s\r\nhome directory and executes that in a separate Python instance.\r\nPayload module\r\nThe pay module consists of two parts – one collects information and the other serves as a backdoor. 
The first part\r\ncontains a hardcoded C\u0026C URL, usually similar to the previously used ones, and collects the following:\r\nthe user’s UUID,\r\nOS type,\r\nPC name,\r\nusername,\r\nsystem version (release),\r\nlocal IP address, and\r\npublic IP address and geolocation information (region name, country, city, ZIP code, ISP, latitude and\r\nlongitude) parsed from http://ip-api.com/json.\r\nThis information, illustrated in Figure 10, is then uploaded to the /keys API endpoint using HTTP POST.\r\nFigure 10. System information submitted by the payload module to the C\u0026C server\r\nThe second part acts as a TCP backdoor, and a TCP reverse shell, accepting remote commands from the C\u0026C\r\nserver and communicating via a socket connection. It usually uses port 1245, but we also observed ports 80, 2245,\r\n3001, and 5000. Notably, the C\u0026C IP address hardcoded in this part was sometimes different from the previous\r\nones, probably to separate the more suspicious final network activity from the initial deployment.\r\nThe second payload checks whether it is executing under Windows – if it is, it enables a keylogger implemented\r\nusing pyWinHook and a clipboard stealer using pyperclip, shown in Figure 11. These collect and store any\r\nkeypresses and clipboard changes in a global buffer and run in a dedicated thread for as long as the script itself is\r\nrunning.\r\nFigure 11. Clipboard stealer and keylogger code\r\nAfterwards, it executes the backdoor functionality, which consists of eight commands, described in Table 3.\r\nTable 3. 
Commands implemented in InvisibleFerret\r\nID Command Function Description\r\n1 ssh_cmd\r\nRemoves the\r\ncompromise\r\n· Only supports the delete argument.\r\n· Terminates operation and removes the compromise.\r\n2 ssh_obj\r\nExecutes shell\r\ncommands\r\n· Executes the given argument[s] using the system shell via\r\nPython’s subprocess module and returns any output generated by\r\nthe command.\r\n3 ssh_clip\r\nExfiltrates\r\nkeylogger and\r\nclipboard stealer\r\ndata\r\n· Sends the contents of the keylogger and clipboard stealer buffer to\r\nthe C\u0026C server and clears the buffer.\r\n· On operating systems other than Windows, an empty response is\r\nsent, as the keylogging functionality is not enabled.\r\n4 ssh_run\r\nInstalls the\r\nbrowser module\r\n· Downloads the browser module to .n2/bow in the user’s home\r\ndirectory and executes it in a new Python instance (with the\r\nCREATE_NO_WINDOW and\r\nCREATE_NEW_PROCESS_GROUP flags set on Windows)\r\n· Replies to the server with the OS name and get browse.\r\n5 ssh_upload Exfiltrates files\r\nor directories,\r\nusing FTP\r\n· Uploads files to a given FTP server with server address and\r\ncredentials specified in arguments.\r\n· Has six subcommands: sdira, sdir, sfile, sfinda, sfindr, and sfind.\r\n· sdira – uploads everything in a directory specified in args,\r\nskipping directories matching the first five elements in the ex_dirs\r\narray (listed below). 
Sends \u003e\u003e upload all start: followed by the\r\ndirectory name to the server when the upload starts, ‑counts:\r\nfollowed by the number of files selected for upload when directory\r\ntraversal finishes, and uploaded success once everything is\r\nuploaded.\r\n· sdir – similar to sdira, but exfiltrates only files smaller than\r\n104,857,600 bytes (100 MB) with extensions not excluded by\r\nex_files and directories not excluded by ex_dirs. The initial\r\nmessage to the server is \u003e\u003e upload start: followed by the directory\r\nname.\r\n· sfile – similar to sdir, but exfiltrates only a single file. If the\r\nextension is .zip, .rar, .pdf, or is in the ex_files list (in this case not\r\nbeing used to exclude files for upload, but from encryption), it gets\r\ndirectly uploaded. Otherwise the file is encrypted using XOR with\r\nthe hardcoded key G01d*8@( before uploading.\r\n· sfinda – searches the given directory and all its subdirectories\r\n(excluding those in the ex_dirs list) for files matching a provided\r\npattern, and uploads those not matching items in the ex_files list.\r\nWhen starting, sends \u003e\u003e ufind start: followed by the starting\r\ndirectory to the server, followed by ufind success after it finishes.\r\n· sfindr – similar to sfinda, but without the recursive search.\r\nSearches only the specified directory.\r\n· sfind – similar to sfinda, but starts the search in the current\r\ndirectory.\r\n6 ssh_kill\r\nTerminates the\r\nChrome and\r\nBrave browsers\r\n· Termination is done via the taskkill command on Windows or\r\nkillall on other systems, as shown in Figure 12.\r\n· Replies to the server with Chrome \u0026 Browser are terminated.\r\n7 ssh_any\r\nInstalls the\r\nAnyDesk module\r\n· This works identically to the ssh_run command, downloading the\r\nAnyDesk module to and executing 
it from the .n2 folder in the\r\nuser’s home directory.\r\n· Replies to the server with the OS name and get anydesk.\r\n8 ssh_env\r\nUploads data\r\nfrom the user’s\r\nhome directory\r\nand mounted\r\ndrives, using FTP\r\n· Sends --- uenv start to the server.\r\n· Establishes an FTP connection using the server address and\r\ncredentials provided in the arguments.\r\n· On Windows, uploads the directory structure and contents of the\r\nDocuments and Downloads folders, as well as the contents of\r\ndrives D to I.\r\n· On other systems, uploads the entirety of the user’s home\r\ndirectory and the /Volumes directory containing all mounted drives.\r\n· Only uploads files smaller than 20,971,520 bytes (20 MB) and\r\nexcludes directories matching the ex_dir list and files matching the\r\nex_files, ex_files1, and ex_files2 lists described in Figure 13.\r\n· Finishes by sending --- uenv success to the server.\r\nFigure 12. Implementation of the ssh_kill command\r\nEach command is named with the prefix ssh_ and assigned a numerical value to be used when communicating\r\nwith the server. For each command received, a new thread is spawned to execute it and the client immediately\r\nstarts listening for the next command. Replies to commands are sent asynchronously as the commands finish\r\nexecuting. 
The two-way communication is done over sockets, in JSON format, with two fields:\r\ncommand – denoting the numerical command ID.\r\nargs – containing any additional data sent between the server and client.\r\nThe script also contains lists of excluded file and directory names (such as cache and temporary directories for\r\nsoftware projects and repositories) to be skipped when exfiltrating data, and a list of interesting name patterns to\r\nexfiltrate (environment and configuration files; documents, spreadsheets, and other files containing the words\r\nsecret, wallet, private, password, etc.).\r\nBrowser module\r\nThe bow module is responsible for stealing login data, autofill data, and payment information saved by web\r\nbrowsers. The targeted browsers are Chrome, Brave, Opera, Yandex, and Edge, all Chromium-based, with\r\nmultiple versions listed for each of the three major operating systems (Windows, Linux, macOS) as shown in\r\nFigure 13.\r\nFigure 13. Targeted browsers and their versions\r\nIt searches through the browser’s local storage folders (an example is shown in Figure 14) and copies the\r\ndatabases containing login and payment information to the %Temp% folder on Windows or the /tmp folder on\r\nother systems, into two files:\r\nLoginData.db containing user login information, and\r\nwebdata.db containing saved payment information (credit cards).\r\nFigure 14. Hardcoded local browser paths on Windows\r\nBecause the saved passwords and credit card numbers are stored in an encrypted format using AES, they need to\r\nbe decrypted before exfiltration. The encryption keys used for this are obtained based on the operating system in\r\nuse. 
On Windows, they are extracted from the browser’s Local State file, on Linux they are obtained through the\r\nsecretstorage package, and on macOS they are obtained through the security utility, as illustrated in Figure 15.\r\nFigure 15. Extracting the encryption keys for browser databases on Windows, Linux, and macOS\r\nThe collected information (see Figure 16) is then sent to the C\u0026C server via an HTTP POST request to the /keys\r\nAPI endpoint.\r\nFigure 16. Information submitted by the browser module to the C\u0026C server\r\nAnyDesk module\r\nThe adc module is the only persistence mechanism found in this compromise chain, setting up AnyDesk access to\r\nthe victim’s computer using a configuration file containing hardcoded login credentials.\r\nOn Windows, it checks whether C:/Program Files (x86)/AnyDesk/AnyDesk.exe exists. If not, it downloads\r\nanydesk.exe from the C\u0026C server (http://\u003cC\u0026C_IP\u003e:\u003cC\u0026C_port\u003e/anydesk.exe) into the user’s home directory.\r\nThen it attempts to set up AnyDesk for access by the attacker by entering hardcoded password hash, password\r\nsalt, and token salt values into the configuration files. If the configuration files don’t exist or don’t contain a given\r\nattacker-specified password salt value, the module attempts to modify them to add the hardcoded login\r\ninformation. If that fails, it creates a PowerShell script in the user’s home directory named conf.ps1, containing\r\ncode to modify the configuration files (shown in Figure 17) and attempts to launch it.\r\nFigure 17. 
PowerShell script to modify AnyDesk configuration, adding hardcoded password hash\r\nand salt, and token salt\r\nAfter these actions complete, the AnyDesk process is killed and then started again to load the new configuration.\r\nLastly, the adc module attempts to delete itself by calling the os.remove function on itself.\r\nInvisibleFerret update\r\nWe later discovered an updated version of InvisibleFerret with major changes, used since at least August 2024. It\r\nis no longer separated into individual modules, but rather exists as a single large script file (but still retaining the\r\nbackdoor commands to selectively install the browser and AnyDesk modules). There are also slight code\r\nmodifications for increased support of macOS, for example collecting the username along with the hostname of\r\nthe computer.\r\nAnother modification we observed is the addition of an identifier named gType, in addition to sType. It acts as a\r\nsecondary victim/campaign identifier in addition to sType when downloading modules from the C\u0026C server (e.g.,\r\n\u003cC\u0026C_IP\u003e:\u003cport\u003e/\u003cmodule\u003e/\u003csType\u003e/\u003cgType\u003e). We haven’t seen it used to label the exfiltrated data.\r\nThis new version of InvisibleFerret has also implemented an additional backdoor command, ssh_zcp, capable of\r\nexfiltrating data from browser extensions and password managers via Telegram and FTP.\r\nWith the new command, InvisibleFerret first looks for and, if present, collects data from 88 browser extensions for\r\nthe Chrome, Brave, and Edge browsers and then places it into a staging folder in the system’s temporary directory.\r\nThe complete list of extensions can be found in the Appendix and the code for collecting the data is shown in\r\nFigure 18.\r\nFigure 18. 
Collection of data from browser extensions in the new version of InvisibleFerret\r\nApart from the extension data, the command can also exfiltrate information from the Atomic and Exodus\r\ncryptocurrency wallets on all systems, in addition to 1Password, Electrum, WinAuth, Proxifier4, and Dashlane on\r\nWindows. This is illustrated in Figure 19.\r\nFigure 19. Collection of data from various applications in the new version of InvisibleFerret\r\nThe data is then archived and uploaded to a Telegram chat using the Telegram API with a bot token, as well as to\r\nan FTP server. Once the upload is done, InvisibleFerret removes both the staging folder and the archive.\r\nClipboard stealer module\r\nIn December 2024 we discovered yet another version of InvisibleFerret, containing an additional module named\r\nmlip, downloaded from the C\u0026C endpoint /mclip/\u003ccampaign_ID\u003e to .n2/mlip. This module contains the\r\nkeylogging and clipboard-stealing functionality that was separated from the rest of the payload module.\r\nShowing an advancement in technical capabilities of the operators, the keylogging and clipboard stealing\r\nfunctionality of this module has been limited to two processes only, chrome.exe and brave.exe, while the earlier\r\nversions of InvisibleFerret logged any and all keystrokes. The collected data is uploaded to a new API endpoint,\r\n/api/clip.\r\nNetwork infrastructure\r\nDeceptiveDevelopment’s network infrastructure is composed of dedicated servers hosted by commercial hosting\r\nproviders, with the three most commonly used providers being RouterHosting (now known as Cloudzy), Stark\r\nIndustries Solutions, and Pier7ASN. The server API is written in Node.js and consists of nine endpoints, listed in\r\nTable 4.\r\nTable 4. 
DeceptiveDevelopment C\u0026C API endpoints\r\nAPI endpoint Description\r\n/pdown Downloading the Python environment.\r\n/uploads BeaverTail data upload.\r\n/client/\u003ccampaign_ID\u003e InvisibleFerret loader.\r\n/payload/\u003ccampaign_ID\u003e InvisibleFerret payload module.\r\n/brow/\u003ccampaign_ID\u003e InvisibleFerret browser module.\r\n/adc/\u003ccampaign_ID\u003e InvisibleFerret AnyDesk module.\r\n/mclip/\u003ccampaign_ID\u003e InvisibleFerret keylogger module.\r\n/keys InvisibleFerret data upload.\r\n/api/clip InvisibleFerret keylogger module data upload.\r\nMost C\u0026C communication we observed was done over ports 1224 or 1244 (occasionally 80 or 3000) for C\u0026C\r\ncommunication over HTTP, and 1245 (occasionally 80, 2245, 3001, 5000, or 5001) for backdoor C\u0026C\r\ncommunication over TCP sockets. All communication from the client to the C\u0026C server, except downloading the\r\nPython environment, contains the campaign ID. For InvisibleFerret downloads, the ID is added to the end of the\r\nURL in the GET request. For data exfiltration, the ID is sent as part of the POST request in the type field. This is\r\nuseful for identifying network traffic and determining what specific sample and campaign it belongs to.\r\nThe campaign IDs (sType and gType values) we observed are alphanumeric and don’t seem to bear any direct\r\nrelation to the campaign. Before the introduction of gType, some of the sType values were base64 strings\r\ncontaining variants of the word team and numbers, such as 5Team9 and 7tEaM;. After gType was introduced,\r\nmost observed values for both values were purely numeric, without the use of base64.\r\nConclusion\r\nThe DeceptiveDevelopment cluster is an addition to an already large collection of money-making schemes\r\nemployed by North Korea-aligned actors and conforms to an ongoing trend of shifting focus from traditional\r\nmoney to cryptocurrencies. 
During our research, we observed it go from primitive tools and techniques to more\r\nadvanced and capable malware, as well as more polished techniques to lure in victims and deploy the malware.\r\nAny online job-hunting and freelancing platform can be at risk of being abused for malware distribution by fake\r\nrecruiters. We continue to observe significant activity related to this campaign and expect DeceptiveDevelopment\r\nto continue innovating and searching for more ways to target cryptocurrency users.\r\nFor any inquiries about our research published on WeLiveSecurity, please contact us at\r\nthreatintel@eset.com. \r\nESET Research offers private APT intelligence reports and data feeds. For any inquiries about this\r\nservice, visit the ESET Threat Intelligence page.\r\nIoCs\r\nA comprehensive list of indicators of compromise (IoCs) and samples can be found in our GitHub repository.\r\nFiles\r\nSHA-1 Filename Detection Description\r\n48E75D6E2BDB2B00ECBF\r\n4801A98F96732E397858\r\nFCCCall.exe Win64/DeceptiveDevelopment.A\r\nTrojanized\r\nconferencing\r\napp – native\r\nBeaverTail.\r\nEC8B6A0A7A7407CA3CD1\r\n8DE5F93489166996116C\r\npay.py Python/DeceptiveDevelopment.B\r\nInvisibleFerret\r\npayload\r\nmodule.\r\n3F8EF8649E6B9162CFB0\r\nC739F01043A19E9538E7\r\nbow.py Python/DeceptiveDevelopment.C\r\nInvisibleFerret\r\nbrowser\r\nmodule.\r\nF6517B68F8317504FDCD\r\n415653CF46530E19D94A\r\npay_u2GgOA8.py Python/DeceptiveDevelopment.B\r\nInvisibleFerret\r\nnew payload\r\nmodule.\r\n01C0D61BFB4C8269CA56\r\nE0F1F666CBF36ABE69AD\r\nsetupTest.js JS/Spy.DeceptiveDevelopment.A BeaverTail.\r\n2E3E1B95E22E4A8F4C75\r\n334BA5FC30D6A54C34C1\r\ntailwind.config.js JS/Spy.DeceptiveDevelopment.A BeaverTail.\r\n7C8724B75BF7A9B8F27F\r\n5E86AAC9445AAFCCB6AC\r\nconf.ps1 
PowerShell/DeceptiveDevelopment.A\r\nAnyDesk\r\nconfiguration\r\nPowerShell\r\nscript.\r\n5F5D3A86437082FA512B\r\n5C93A6B4E39397E1ADC8\r\nadc.py Python/DeceptiveDevelopment.A InvisibleFerret\r\nAnyDesk\r\nmodule.\r\n7C5B2CAFAEABBCEB9765\r\nD20C6A323A07FA928624\r\nbow.py Python/DeceptiveDevelopment.A\r\nInvisibleFerret\r\nbrowser\r\nmodule.\r\nBA1A54F4FFA42765232B\r\nA094AAAFAEE5D3BB2B8C\r\npay.py Python/DeceptiveDevelopment.A\r\nInvisibleFerret\r\npayload\r\nmodule.\r\n6F049D8A0723DF10144C\r\nB51A43CE15147634FAFE\r\n.npl Python/DeceptiveDevelopment.A\r\nInvisibleFerret\r\nloader\r\nmodule.\r\n8FECA3F5143D15437025\r\n777285D8E2E3AA9D6CAA\r\nadmin.model.js JS/Spy.DeceptiveDevelopment.A BeaverTail.\r\n380BD7EDA453487CF115\r\n09D548EF5E5A666ACD95\r\nrun.js JS/Spy.DeceptiveDevelopment.A BeaverTail.\r\nNetwork\r\nIP Domain Hosting provider First seen Details\r\n95.164.17[.]24 N/A\r\nSTARK INDUSTRIES\r\nSOLUTIONS LTD\r\n2024‑06‑06\r\nBeaverTail/InvisibleFerret C\u0026C\r\nand staging server.\r\n185.235.241[.]208 N/A\r\nSTARK INDUSTRIES\r\nSOLUTIONS LTD\r\n2021‑04‑12\r\nBeaverTail/InvisibleFerret C\u0026C\r\nand staging server.\r\n147.124.214[.]129 N/A\r\nMajestic Hosting\r\nSolutions, LLC\r\n2024‑03‑22\r\nBeaverTail/InvisibleFerret C\u0026C\r\nand staging server.\r\n23.106.253[.]194 N/A\r\nLEASEWEB\r\nSINGAPORE PTE.\r\nLTD.\r\n2024‑05‑28\r\nBeaverTail/InvisibleFerret C\u0026C\r\nand staging server.\r\n147.124.214[.]237 N/A\r\nMajestic Hosting\r\nSolutions, LLC\r\n2023‑01‑28\r\nBeaverTail/InvisibleFerret C\u0026C\r\nand staging server.\r\n67.203.7[.]171 N/A\r\nAmaze Internet\r\nServices\r\n2024‑02‑14\r\nBeaverTail/InvisibleFerret C\u0026C\r\nand staging server.\r\n45.61.131[.]218 N/A RouterHosting LLC 2024‑01‑22\r\nBeaverTail/InvisibleFerret C\u0026C\r\nand staging 
server.\r\n135.125.248[.]56 N/A OVH SAS 2023‑06‑30\r\nBeaverTail/InvisibleFerret C\u0026C\r\nand staging server.\r\nMITRE ATT\u0026CK techniques\r\nThis table was built using version 16 of the MITRE ATT\u0026CK framework.\r\nTactic ID Name Description\r\nResource\r\nDevelopment\r\nT1583.003\r\nAcquire Infrastructure:\r\nVirtual Private Server\r\nThe attackers rent infrastructure for\r\nC\u0026C and staging servers.\r\nT1587.001\r\nDevelop Capabilities:\r\nMalware\r\nThe attackers develop the BeaverTail and\r\nInvisibleFerret malware.\r\nT1585.001\r\nEstablish Accounts: Social\r\nMedia Accounts\r\nThe attackers create fake social media\r\naccounts, pretending to be recruiters.\r\nT1608.001\r\nStage Capabilities: Upload\r\nMalware\r\nInvisibleFerret modules are uploaded to\r\nstaging servers, from where they are\r\ndownloaded to victimized systems.\r\nInitial Access T1566.003\r\nPhishing: Spearphishing via\r\nService\r\nSpearphishing via job-hunting and\r\nfreelancing platforms.\r\nExecution\r\nT1059.006\r\nCommand-Line Interface:\r\nPython\r\nInvisibleFerret is written in Python.\r\nT1059.007\r\nCommand-Line Interface:\r\nJavaScript/JScript\r\nBeaverTail has a variant written in\r\nJavaScript.\r\nT1204.002\r\nUser Execution: Malicious\r\nFile\r\nInitial compromise is triggered by the victim\r\nexecuting a trojanized project containing the\r\nBeaverTail malware.\r\nT1059.003\r\nCommand-Line Interface:\r\nWindows Command Shell\r\nInvisibleFerret’s remote shell functionality\r\nallows access to the Windows Command\r\nShell.\r\nPersistence T1133 External Remote Services\r\nPersistence is achieved by installing and\r\nconfiguring the AnyDesk remote access\r\ntool.\r\nDefense\r\nEvasion\r\nT1140 Deobfuscate/Decode Files\r\nor Information\r\nThe JavaScript variant of BeaverTail uses\r\ncode obfuscation. 
C\u0026C server addresses and\r\nother configuration data are also\r\nencrypted/encoded.\r\nT1564.001\r\nHide Artifacts: Hidden\r\nFiles and Directories\r\nInvisibleFerret files are dropped to disk with\r\nthe hidden attribute.\r\nT1564.003\r\nHide Artifacts: Hidden\r\nWindow\r\nInvisibleFerret creates new processes with\r\ntheir windows hidden.\r\nT1027.013\r\nObfuscated Files or\r\nInformation:\r\nEncrypted/Encoded File\r\nInvisibleFerret payloads are encrypted and\r\nhave to be decrypted before execution.\r\nCredential\r\nAccess\r\nT1555.001\r\nCredentials from Password\r\nStores: Keychain\r\nKeychain data is exfiltrated by both\r\nBeaverTail and InvisibleFerret.\r\nT1555.003\r\nCredentials from Password\r\nStores: Credentials from\r\nWeb Browsers\r\nCredentials stored in web browsers are\r\nexfiltrated by InvisibleFerret.\r\nT1552.001\r\nUnsecured Credentials:\r\nCredentials In Files\r\nPlaintext credentials/keys in certain files are\r\nexfiltrated by both BeaverTail and\r\nInvisibleFerret.\r\nDiscovery\r\nT1010\r\nApplication Window\r\nDiscovery\r\nThe InvisibleFerret keylogger collects the\r\nname of the currently active window.\r\nT1217\r\nBrowser Bookmark\r\nDiscovery\r\nCredentials and other data stored by\r\nbrowsers are exfiltrated by InvisibleFerret.\r\nT1083\r\nFile and Directory\r\nDiscovery\r\nThe InvisibleFerret backdoor can browse\r\nthe filesystem and exfiltrate files.\r\nT1082\r\nSystem Information\r\nDiscovery\r\nSystem information is collected by both\r\nBeaverTail and InvisibleFerret.\r\nT1614 System Location Discovery\r\nInvisibleFerret geolocates the campaign by\r\nquerying the IP address location.\r\nT1016\r\nSystem Network\r\nConfiguration Discovery\r\nInvisibleFerret collects network\r\ninformation, such as private and public IP\r\naddresses.\r\nT1124 System Time Discovery InvisibleFerret 
collects the system time.\r\nLateral\r\nMovement\r\nT1021.001\r\nRemote Services: Remote\r\nDesktop Protocol\r\nAnyDesk is used by InvisibleFerret to\r\nachieve persistence and allow remote\r\nattacker access.\r\nCollection\r\nT1056.001 Input Capture: Keylogging\r\nInvisibleFerret contains keylogger\r\nfunctionality.\r\nT1560.002\r\nArchive Collected Data:\r\nArchive via Library\r\nData exfiltrated using InvisibleFerret can be\r\narchived using the py7zr and pyzipper\r\nPython packages.\r\nT1119 Automated Collection\r\nBoth BeaverTail and InvisibleFerret\r\nexfiltrate some data automatically.\r\nT1005 Data from Local System\r\nBoth BeaverTail and InvisibleFerret\r\nexfiltrate data from the local system.\r\nT1025\r\nData from Removable\r\nMedia\r\nInvisibleFerret scans removable media for\r\nfiles to exfiltrate.\r\nT1074.001\r\nData Staged: Local Data\r\nStaging\r\nInvisibleFerret copies browser databases to\r\nthe temp folder prior to credential\r\nextraction. 
When exfiltrating via a ZIP/7z\r\narchive, the file is created locally before\r\nbeing uploaded.\r\nT1115 Clipboard Data\r\nInvisibleFerret contains clipboard stealer\r\nfunctionality.\r\nCommand\r\nand Control\r\nT1071.001\r\nStandard Application Layer\r\nProtocol: Web Protocols\r\nC\u0026C communication is done over HTTP.\r\nT1071.002\r\nStandard Application Layer\r\nProtocol: File Transfer\r\nProtocols\r\nFiles are exfiltrated over FTP by\r\nInvisibleFerret.\r\nT1571 Non-Standard Port\r\nNonstandard ports 1224, 1244, and 1245 are\r\nused by BeaverTail and InvisibleFerret.\r\nT1219 Remote Access Tools\r\nInvisibleFerret can install AnyDesk as a\r\npersistence mechanism.\r\nT1095\r\nNon-Application Layer\r\nProtocol\r\nTCP is used for command and control\r\ncommunication.\r\nExfiltration\r\nT1030 Data Transfer Size Limits\r\nIn some cases, InvisibleFerret exfiltrates\r\nonly files below a certain file size.\r\nT1041\r\nExfiltration Over Command\r\nand Control Channel\r\nSome data is exfiltrated to the C\u0026C server\r\nover HTTP.\r\nT1567.004\r\nExfiltration Over Web\r\nService: Exfiltration Over\r\nWebhook\r\nExfiltrating ZIP/7z files can be done over a\r\nTelegram webhook (InvisibleFerret’s\r\nssh_zcp command).\r\nImpact T1657 Financial Theft\r\nThis campaign’s goal is cryptocurrency theft\r\nand InvisibleFerret has also been seen\r\nexfiltrating saved credit card information.\r\nAppendix\r\nFollowing is a list of browser extensions targeted by the new 
InvisibleFerret:\r\nArgentX\r\nAurox\r\nBackpack\r\nBinance\r\nBitget\r\nBlade\r\nBlock\r\nBraavos\r\nByBit\r\nCasper\r\nCirus\r\nCoin98\r\nCoinBase\r\nCompass-Sei\r\nCore-Crypto\r\nCosmostation\r\nCrypto.com\r\nDashalane\r\nEnkrypt\r\nEternl\r\nExodus\r\nFewcha-Move\r\nFluent\r\nFrontier\r\nKoala\r\nLastPass\r\nLeapCosmos\r\nLeather\r\nLibonomy\r\nMagicEden\r\nManta\r\nMartian\r\nMath\r\nMetaMask\r\nMetaMask-Edge\r\nMOBOX\r\nMoso\r\nMyTon\r\nNami\r\nOKX\r\nOneKey\r\nOpenMask\r\nOrange\r\nOrdPay\r\nOsmWallet\r\nParagon\r\nPetraAptos\r\nPhantom\r\nSafepal\r\nSender\r\nSenSui\r\nShell\r\nSolflare\r\nStargazer\r\nStation\r\nSub-Polkadot\r\nSui\r\nSuiet\r\nSuku\r\nTaho\r\nTalisman\r\nTermux\r\nTomo\r\nTon\r\nTonkeeper\r\nTronLink\r\nTrust\r\nTwetch\r\nUniSat\r\nVirgo\r\nWigwam\r\nWombat\r\nGoogleAuth\r\nHashpack\r\nHAVAH\r\nHBAR\r\nInitia\r\nKeplr\r\nPontem\r\nRabby\r\nRainbow\r\nRamper\r\nRise\r\nRonin\r\nXDEFI\r\nXverse\r\nZapit\r\nZerion\r\nSource: https://www.welivesecurity.com/en/eset-research/deceptivedevelopment-targets-freelance-developers/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MITRE"
	],
	"references": [
		"https://www.welivesecurity.com/en/eset-research/deceptivedevelopment-targets-freelance-developers/"
	],
	"report_names": [
		"deceptivedevelopment-targets-freelance-developers"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4fc99d9b-9b66-4516-b0db-520fbef049ed",
			"created_at": "2025-10-29T02:00:51.949631Z",
			"updated_at": "2026-04-10T02:00:05.346203Z",
			"deleted_at": null,
			"main_name": "Contagious Interview",
			"aliases": [
				"Contagious Interview",
				"DeceptiveDevelopment",
				"Gwisin Gang",
				"Tenacious Pungsan",
				"DEV#POPPER",
				"PurpleBravo",
				"TAG-121"
			],
			"source_name": "MITRE:Contagious Interview",
			"tools": [
				"InvisibleFerret",
				"BeaverTail",
				"XORIndex Loader",
				"HexEval Loader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "45e6e2b3-43fe-44cd-8025-aea18a7f488f",
			"created_at": "2024-06-20T02:02:09.897489Z",
			"updated_at": "2026-04-10T02:00:04.769917Z",
			"deleted_at": null,
			"main_name": "Moonstone Sleet",
			"aliases": [
				"Storm-1789",
				"Stressed Pungsan"
			],
			"source_name": "ETDA:Moonstone Sleet",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "28523c53-1944-4ff0-bbdc-89b06e4e3c84",
			"created_at": "2024-11-01T02:00:52.752463Z",
			"updated_at": "2026-04-10T02:00:05.359782Z",
			"deleted_at": null,
			"main_name": "Moonstone Sleet",
			"aliases": [
				"Moonstone Sleet",
				"Storm-1789"
			],
			"source_name": "MITRE:Moonstone Sleet",
			"tools": [
				"Qilin"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434037,
	"ts_updated_at": 1775792300,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b765e0289a2e35fe4b1f0cbf850b7ca2977d967c.pdf",
		"text": "https://archive.orkl.eu/b765e0289a2e35fe4b1f0cbf850b7ca2977d967c.txt",
		"img": "https://archive.orkl.eu/b765e0289a2e35fe4b1f0cbf850b7ca2977d967c.jpg"
	}
}