Cybersecurity researchers have identified two malicious campaigns that bear similarities to the North Korean threat group known as Contagious Interview, also referred to as Famous Chollima, HexagonalRodent, and Void Dokkaebi. These campaigns, collectively dubbed UNK_DeadDrop, involve phishing attacks targeting nearly 100 organizations across sectors such as finance, cryptocurrency, education, and technology.
The attackers open with emails posing as recruitment offers for developer roles or as requests for a code review. The emails link to attacker-controlled GitHub repositories that host malicious scripts. When a victim clones such a repository and opens it in Visual Studio Code (VS Code) or a VS Code-derived editor such as Cursor, which honors the same workspace configuration, the scripts run and stage malware with variants for macOS, Linux, and Windows. The notable element is the abuse of VS Code's automatic tasks: a task defined in the repository's .vscode/tasks.json carries "runOptions": {"runOn": "folderOpen"}, which tells the editor to start that task as soon as the folder is opened. Beyond opening the project (and, in current VS Code builds, accepting the workspace trust prompt shown for folders from unknown sources, since automatic tasks do not run in restricted mode), no further user interaction is required.
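The folder-open trigger lives in a file the victim can inspect before opening the checkout in an editor. The following scanner, added here as an example and not code from the original report or from the campaign, parses a repository's .vscode/tasks.json (which VS Code reads as JSON with comments and trailing commas) and reports every task that would start on folder open, together with the command it would run. The sample tasks.json embedded below is constructed to resemble the described pattern; it is not a file recovered from the campaign.

```python
"""Flag VS Code tasks that auto-run on folder open before opening a cloned repo.

Added example (not from the original article). It relies only on the documented
tasks.json layout: a "tasks" array whose entries may carry
"runOptions": {"runOn": "folderOpen"} and optional per-OS override blocks.
"""
import json
import re
import sys
from pathlib import Path

# tasks.json is JSONC: // and /* */ comments plus trailing commas are allowed.
# Both regexes match string literals first (group 1) so that "//" inside a
# string, e.g. a URL, is never mistaken for a comment.
_COMMENT_RE = re.compile(r'("(?:\\.|[^"\\])*")|//[^\n]*|/\*.*?\*/', re.S)
_TRAILING_COMMA_RE = re.compile(r'("(?:\\.|[^"\\])*")|,(\s*[}\]])', re.S)


def parse_jsonc(text: str):
    """Parse VS Code's JSON-with-comments dialect into Python objects."""
    without_comments = _COMMENT_RE.sub(lambda m: m.group(1) or "", text)
    without_trailing = _TRAILING_COMMA_RE.sub(
        lambda m: m.group(1) or m.group(2), without_comments)
    return json.loads(without_trailing)


def auto_run_tasks(tasks_json_text: str) -> list[dict]:
    """Return the tasks VS Code would start on folder open and what they execute."""
    doc = parse_jsonc(tasks_json_text)
    findings = []
    for task in doc.get("tasks", []):
        run_on = (task.get("runOptions") or {}).get("runOn")
        if run_on != "folderOpen":
            continue
        # The command may be overridden per platform ("windows", "linux", "osx"),
        # which is how one tasks.json can dispatch to OS-specific payloads.
        overrides = {
            os_name: task[os_name].get("command")
            for os_name in ("windows", "linux", "osx")
            if isinstance(task.get(os_name), dict)
        }
        findings.append({
            "label": task.get("label"),
            "type": task.get("type"),
            "command": task.get("command", ""),
            "args": task.get("args", []),
            "platform_overrides": overrides,
            # "reveal": "never" keeps the task terminal hidden from the user.
            "hidden_terminal": (task.get("presentation") or {}).get("reveal") == "never",
        })
    return findings


def scan_repo(root: Path) -> list[dict]:
    """Walk a checkout and report auto-run tasks in every .vscode/tasks.json.

    Nested folders count too: opening a subfolder as the workspace triggers
    that subfolder's own tasks.json.
    """
    results = []
    for tasks_file in root.glob("**/.vscode/tasks.json"):
        rel = str(tasks_file.relative_to(root))
        try:
            for finding in auto_run_tasks(tasks_file.read_text(encoding="utf-8")):
                results.append({"file": rel, **finding})
        except (ValueError, OSError) as exc:
            results.append({"file": rel, "error": str(exc)})
    return results


# Constructed sample: a harmless-looking "install deps" task that runs a
# script from the repository the moment the folder is opened.
SAMPLE_TASKS_JSON = r'''{
  // constructed sample, not a file from the campaign
  "version": "2.0.0",
  "tasks": [
    {
      "label": "install deps",  /* sounds routine */
      "type": "shell",
      "command": "node",
      "args": ["scripts/setup.js"],
      "runOptions": { "runOn": "folderOpen" },
      "presentation": { "reveal": "never" },
    },
    { "label": "build", "type": "shell", "command": "npm run build" }
  ]
}'''


if __name__ == "__main__":
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else None
    hits = scan_repo(target) if target else auto_run_tasks(SAMPLE_TASKS_JSON)
    for hit in hits:
        print(hit)
    sys.exit(1 if hits else 0)
```

Run it against a fresh clone before opening the folder in an editor; a non-zero exit means at least one task would execute on open. The scanner is a triage aid, not a substitute for disabling the behaviour: VS Code's `task.allowAutomaticTasks` setting can be set to "off" so that no folderOpen task runs regardless of what a repository ships.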
Once the repository is opened, the malware loader installs a malicious VS Code extension disguised as a legitimate Google service. This extension communicates with an external server, enabling remote command execution, system reconnaissance, and data exfiltration. The primary targets are credentials and data from browser wallet extensions and desktop wallet applications. The attackers aim to steal cryptocurrency and sensitive information by exploiting the trust developers place in their tools and workflows.
These campaigns have been active over a six-week period, with over 250 phishing emails sent to individuals in nearly 100 organizations. More than 75% of the targeted entities are located in the United States, with others in the United Kingdom, Australia, France, Brazil, Germany, India, Israel, Japan, and the Netherlands. The attackers have also evolved their tactics by asking targets to review their open-source projects, a lure that places the malicious repository inside a routine developer workflow.
The Linux and macOS infection chains lead to a customized version of the open-source Overlord framework, which facilitates data theft and prompts users to enter their system passwords through fake security pop-ups. On Windows systems, the attack chain involves a VBScript payload that installs the malicious extension. The ultimate goal remains consistent: to exfiltrate credentials and data from wallet browser extensions and applications to an external server.
These developments underscore a significant shift in cyber threat tactics, where attackers are increasingly targeting the tools and environments that developers rely on. By compromising these trusted platforms, they can infiltrate organizations more effectively and with greater stealth. This trend highlights the need for heightened vigilance and robust security measures within the software development community to protect against such sophisticated attacks.