惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

The Register - Security
The Register - Security
云风的 BLOG
云风的 BLOG
U
Unit 42
F
Fortinet All Blogs
The GitHub Blog
The GitHub Blog
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
D
Docker
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
S
Secure Thoughts
Hacker News: Ask HN
Hacker News: Ask HN
Vercel News
Vercel News
S
Security @ Cisco Blogs
GbyAI
GbyAI
Stack Overflow Blog
Stack Overflow Blog
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
I
Intezer
MongoDB | Blog
MongoDB | Blog
AI
AI
MyScale Blog
MyScale Blog
Engineering at Meta
Engineering at Meta
Y
Y Combinator Blog
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
P
Proofpoint News Feed
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
W
WeLiveSecurity
博客园 - 叶小钗
S
SegmentFault 最新的问题
N
News | PayPal Newsroom
WordPress大学
WordPress大学
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
D
DataBreaches.Net
小众软件
小众软件
Microsoft Azure Blog
Microsoft Azure Blog
Spread Privacy
Spread Privacy
H
Help Net Security
美团技术团队
博客园 - 司徒正美
T
Threat Research - Cisco Blogs
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
K
Kaspersky official blog
Application and Cybersecurity Blog
Application and Cybersecurity Blog
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
V
Vulnerabilities – Threatpost
TaoSecurity Blog
TaoSecurity Blog
N
Netflix TechBlog - Medium
L
Lohrmann on Cybersecurity
J
Java Code Geeks
量子位
Martin Fowler
Martin Fowler
博客园_首页

Proofpoint News Feed

New Cargo Theft Surge: From Lobster Heists To Bourbon Warehouse Scams Defending the Authentication Flow: Device Code Phishing with Selena Larson Proofpoint Joins the OpenAI Daybreak Cyber Partner Program to Advance Responsible AI-Powered Cyber Defense | Proofpoint US OpenAI Lets Cyber Vendors Embed GPT-5.5 in Defenses China-Linked TA4922 Expands Phishing Attacks to U.K., Germany, Italy, and South Africa Proofpoint Introduces Active Exploits Protection to Help Organizations Prioritize Vulnerability Patching for Real-World Attacks in the AI Era | Proofpoint US Verizon DBIR: Healthcare Fends Off Increased Social Engineering Attacks Proofpoint Integrates with the Claude Compliance API to Extend Data Security and Governance to Claude | Proofpoint US Proofpoint Launches Dedicated MSP Business Unit and Introduces 365 Total Protection for North America | Proofpoint US The spy who logged me in. - YouTube Proofpoint Establishes Innovation Precedent for Source-Agnostic Modern Enterprise Investigations | Proofpoint US The Most Powerful Women Of The Channel 2026: Power 100 AI Security Gaps Create New MSSP Opportunity: Proofpoint Claude Mythos Fears Startle Japan's Financial Services Sector Proofpoint Research Reveals Half of Global Organizations Experienced AI Incidents Despite Having AI Security Controls in Place | Proofpoint US AI-Era Threats Spread Beyond Email Into SaaS, Collaboration Apps, and AI Assistants Clear market trend for software providers to help with AI: Proofpoint CEO - YouTube Cargo thieving hackers running sophisticated remote access campaigns, researchers find Freight Hacker Wields Code-Signing Service to Evade Defenses - YouTube FIFA World Cup 2026: More than One-Third of Official Partners Expose the Public to the Risk of Email Fraud | Proofpoint US Microsoft 365 mailbox rules abused for exfiltration, persistence AI Security Risks: Proofpoint CSO Ryan Kalember, Live at RSAC 2026 Axios Future of Cybersecurity: Russians suspected of using iPhone spyware 15 Top Cybersecurity CEOs On The Future Of AI Agents: RSAC 2026 How AI Agents Are Redefining the Insider Risk Threat Model 5 Ways To Protect Enterprise Value During A Merger Or Acquisition CUBE Events 20 Coolest AI And Security Products At RSAC 2026 Proofpoint Redefines Email and Data Security for the Agentic Workspace | Proofpoint US Proofpoint Pursues FedRAMP High Authorization Process for Collaboration Security | Proofpoint US Proofpoint Unveils Industry’s Newest Intent-Based AI Security Solution to Protect Enterprise AI Agents | Proofpoint US
Suspected North Korean actors use fake ‘coding assignments’ to steal crypto
Laura French · 2026-06-09 · via Proofpoint News Feed

Phishing

Suspected North Korean threat actors are targeting developers with fake job offers and “coding assignments” that lead to the deployment of cross-platform malware for cryptocurrency and credential theft, Proofpoint reported Monday.

The threat cluster, tracked as UNK_DeadDrop, shows similarities to Contagious Interview and sent more than 250 emails across nearly 100 target companies over a six-week period between April and May 2026. The emails mostly targeted technology, education, business services, financial services, entertainment/media companies and telecommunications companies in the United States, with a particular focus on the cryptocurrency industry.

In the emails, the attackers pose as recruiters from legitimate companies such as the decentralized finance company Ondo Finance, the telehealth company Nourish and the Web3 and AI talent agency Hypen Connect, offering the target to apply for a software development role and complete a coding assignment.

In some cases, the attackers also presented as fake cryptocurrency and AI startups, with names like Pulsynk and Trixauvex, requesting the target for a peer-review of their code. In either case, the attacker included a link to a GitHub or GitLab repository with instructions to clone the repo to Visual Studio Code (VS Code) or Cursor code editors.

The repositories include a hidden tasks.json file that abuses VS Code and Cursor’s task automation abilities to automatically execute malicious files when a certain project folder is open in the editor. VS Code will prompt the user to approve the task execution while Cursor does not display a prompt, Proofpoint noted.

Related reading:

The malware acts differently depending on whether the victim is using Windows, Linux or macOS.

On Linux and macOS systems, the attacker leverages an open-source command-and-control (C2) framework called Overlord, deploying Go binaries with remote access trojan (RAT) capabilities that establish a persistent WebSocket connection to the attacker’s servers.

On Windows systems, the attack chain runs as JavaScript within the code editor’s Electron process and performs a single infostealer operation without persistence, Proofpoint said.

The Overlord RAT first extracts browser wallet extensions and standalone wallet directories and transmits them as a ZIP archive to the C2 server. Five minutes later, it displays a fake system dialog prompt for the user to enter their system password, leveraging a Mach-O binary on macOS systems and the Zenity tool on Linux systems. If the user enters their password, the malware leverages the password to extract browser credentials from Keychain and GNOME Keyring and subsequently relaunches itself as root to perform further Keychain and GNOME Keyring dumps.

On Windows, the malicious task launches a VBScript that calls a CMD file, which then decodes an additional embedded script that stages three encrypted payloads. These payloads are decrypted at runtime and serve to facilitate infostealing capabilities.

The malware scans for 35 Chromium browser wallet extensions and 18 standalone wallet applications and also uses a Python-based stealer to extract passwords from Chromium and Firefox browsers, and cookies from Chrome, Edge and Brave browsers. The stolen data is sent to the C2 server via an HTTP POST request.

The malicious task also installs a malicious VSIX extension that enables persistence on Linux and macOS machines, causing the malware processes to be relaunched every time VS Code or Cursor are opened. This extension is installed on Windows machines but does not re-execute the malicious operation on these machines.

Proofpoint found that UNK_DeadDrop mainly emailed victims from domains registered via Namecheap set up with MailHostBox mailservers. Some of the domains were hosted on Vercel and included websites promoting the fake startups that were likely AI-generated, the researchers said.

UNK_DeadDrop’s victim targeting, social-engineering techniques and theft of cryptocurrency wallets and credentials overlap with the North Korean Contagious Interview campaign. However, this cluster shows some distinct techniques such as the use of email rather than social media channels like  LinkedIn to contact victims, the abuse of task.json auto-execution rather than npm installation, and the use of Overlord Go binaries rather than other malware known to be used by Contagious Interview, such as OtterCookie and FlexibleFerret.

“The consistent creation of new GitHub repositories as well as a new malware framework with iterative builds and a stealthy new execution and persistence technique through VSIX extensions demonstrates dedicated resourcing and active development of tooling,” the researchers concluded.

Laura French

Related

Shopify was considered one of the more innovative companies in 2020 for the way it emerged at a go-to ecommerce brand during the pandemic. Today’s columnist, Alex Moiseev of Kaspersky, says companies need to focus on innovation to survive and thrive in the year ahead. (Credit: CC 0 1.0)

AI hacker holding a glowing red chip symbolizing artificial intelligence in cybercrime, darkweb, and digital technology threat for cybersecurity and malware protection.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news