• UNK_DeadDrop targets developers with email‑based fake job lures
• Campaign mirrors Lazarus tactics but uses new self‑contained payloads
• Proofpoint says shift to mass phishing shows industrialized NK ops

Lazarus is not the only North Korean threat actor that is luring software developers with fake jobs - there is also a hacking group called UNK_DeadDrop now doing a similar thing, but with notable differences.

Security researchers at Proofpoint published an in-depth report looking into an ongoing campaign not unlike the Contagious Interview one.

For those unaware of Contagious Interview, it is one of two major Lazarus campaigns, the second one being Operation DreamJob. The crooks would fake everything - a company, its employees, as well as projects, and then go to LinkedIn for a “hiring spree.” They would reach out to software developers working in high-profile AI and Web 3 organizations and would offer high-paying jobs and a chance to work on exciting new projects.

Similarities and differences

The hiring process, however, would include a trial assignment, which often required the victims to run malicious code from GitHub. After infecting their targets with infostealers, the crooks would access company profiles, exfiltrate crypto wallet information, and then steal as many tokens as possible.

According to some sources, Lazarus alone was able to steal billions of dollars in crypto throughout the years.

While UNK_DeadDrop is more-or-less doing the same thing, its approach is somewhat different. Instead of using LinkedIn for initial contact, these attackers rely mostly on email. They don’t arrange fake interviews, but rather just send unsolicited job offers or code review requests. And finally, they use a new, self-contained payload distinct from what was previously seen in Contagious Interview campaigns.

“UNK_DeadDrop activity suggests North Korea-aligned operations targeting developers for financial gain are maturing and evolving,” Proofpoint’s researchers concluded.

“The shift from active social engineering over social media platforms to conduct fake interviews to large campaigns of recruitment-themed phishing emails distributing links to malicious repositories could indicate an actor industrializing and scaling operations.”

Via The Register

Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds.

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.