Cybersecurity researchers have uncovered two malicious campaigns believed to be connected to a long-running North Korea-linked threat cluster known as Contagious Interview, also tracked under aliases including Famous Chollima, HexagonalRodent, and Void Dokkaebi. According to a report published by cybersecurity company Proofpoint, the campaigns targeted nearly 100 organizations across the finance, cryptocurrency, education, technology, and other sectors through phishing disguised as developer recruitment opportunities and software code review requests. Proofpoint tracks the activity under the name UNK_DeadDrop and observed the threat actors distributing malicious GitHub repositories that impersonated technical assessments or cryptocurrency-related projects. The campaign reportedly involved more than 250 phishing emails sent over a six-week period, with over 75 percent of the targeted organizations based in the United States, followed by the United Kingdom, Australia, France, Brazil, Germany, India, Israel, Japan, and the Netherlands. Researchers stated that the campaign highlights an increasing focus on developers as targets for credential theft and for access to sensitive digital assets.
According to Proofpoint, the attack chain begins with phishing emails containing links to actor-controlled GitHub repositories that host malicious scripts intended to infect macOS, Linux, and Windows systems. Recipients were instructed to clone the repositories and open them in Microsoft Visual Studio Code (VS Code) or the Cursor editor. Once opened, the projects executed malicious code through the VS Code task option "runOn": "folderOpen", set in the repository's .vscode/tasks.json, which makes the editor start the configured task automatically whenever the folder is opened, with no further user interaction. (In VS Code, automatic tasks run only once the folder has been marked trusted, so the Workspace Trust prompt shown when an unfamiliar folder is first opened is the effective control point; a candidate expecting a coding test will typically accept it.) Researchers noted that Contagious Interview operators have reportedly used this approach since December 2025. The malware delivery mechanism involved shell scripts for Linux and macOS devices and VBScript loaders for Windows environments. These components were designed to install malicious VS Code extensions disguised as legitimate Google-related services while enabling remote command execution, system reconnaissance, and theft of information from browser wallet extensions, stored credentials, and desktop cryptocurrency wallets. Researchers explained that Linux and macOS infections also deployed a customized version of an open-source Go framework called Overlord and attempted to trick victims into entering their system passwords through fake security prompts. On Windows systems, the VBScript component downloaded additional files that facilitated malware installation and credential harvesting.
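To triage a cloned repository before it is ever opened in an editor, the following Python script, an added example that is not code from Proofpoint, the article, or the campaign, parses .vscode/tasks.json (including the comments and trailing commas VS Code accepts) and reports every task whose runOptions.runOn is "folderOpen", the option described above. The sample tasks.json, its task labels, and the loader path .vscode/prepare.sh are constructed for the demonstration; the page does not describe the real repositories' contents, and the "hide" and "reveal": "never" settings in the sample are an assumption about how such a task could be kept out of sight, not a reported detail.

```python
"""Check a cloned repository for VS Code tasks that auto-run on folder open.

Added illustrative example; not code from Proofpoint, the article, or the
campaign. It parses .vscode/tasks.json (VS Code's JSON-with-comments dialect)
and reports any task whose runOptions.runOn is "folderOpen", so a repository
can be inspected before it is opened in VS Code or Cursor. The sample
repository below is constructed for the demonstration.
"""
import json
import re
import tempfile
from pathlib import Path

# A JSON string literal, kept intact so "//" or "," inside strings survive.
_STRING = r'"(?:\\.|[^"\\])*"'
# Pass 1: drop // and /* */ comments that appear outside string literals.
_COMMENT_RE = re.compile(rf"({_STRING})|//[^\n]*|/\*.*?\*/", re.DOTALL)
# Pass 2: drop trailing commas before } or ], which VS Code tolerates.
_TRAILING_COMMA_RE = re.compile(rf"({_STRING})|,(\s*[}}\]])")


def parse_jsonc(text: str):
    """Parse VS Code's JSON-with-comments dialect with the standard json module."""
    text = _COMMENT_RE.sub(lambda m: m.group(1) or "", text)
    text = _TRAILING_COMMA_RE.sub(lambda m: m.group(1) or m.group(2), text)
    return json.loads(text)


def find_auto_run_tasks(repo_root):
    """Return one finding per task that VS Code would start on folder open.

    Every .vscode/tasks.json under the tree is inspected, so nested or
    multi-root workspace folders are covered as well as the repository root.
    """
    root = Path(repo_root)
    findings = []
    for tasks_file in root.rglob("tasks.json"):
        if tasks_file.parent.name != ".vscode":
            continue
        rel = tasks_file.relative_to(root).as_posix()
        try:
            data = parse_jsonc(tasks_file.read_text(encoding="utf-8", errors="replace"))
        except json.JSONDecodeError as exc:
            # An unparseable tasks.json is itself worth a look: report it.
            findings.append({"file": rel, "label": None, "error": str(exc)})
            continue
        tasks = data.get("tasks", []) if isinstance(data, dict) else []
        for task in tasks:
            if not isinstance(task, dict):
                continue
            run_options = task.get("runOptions")
            if not isinstance(run_options, dict) or run_options.get("runOn") != "folderOpen":
                continue
            presentation = task.get("presentation")
            reveal = presentation.get("reveal", "always") if isinstance(presentation, dict) else "always"
            findings.append({
                "file": rel,
                "label": task.get("label"),
                "type": task.get("type"),
                "command": task.get("command"),
                "args": task.get("args", []),
                # "hide": true and a never-revealed terminal keep the task out of sight.
                "hidden": bool(task.get("hide", False)),
                "reveal": reveal,
            })
    return findings


# Constructed sample modelled on the pattern the article describes; not a real
# artifact. It includes the comments and trailing commas VS Code accepts, and
# the loader path .vscode/prepare.sh is hypothetical.
SAMPLE_TASKS_JSON = r'''{
  // Coding assessment scaffold
  "version": "2.0.0",
  "tasks": [
    {
      "label": "build",
      "type": "shell",
      "command": "npm run build",
    },
    {
      "label": "prepare",
      "type": "shell",
      "command": "sh",
      "args": [".vscode/prepare.sh"],   /* hypothetical loader path */
      "hide": true,
      "presentation": { "reveal": "never" },
      "runOptions": { "runOn": "folderOpen" },
    }
  ]
}
'''


def build_sample_repo():
    """Write the constructed sample into a temporary directory and return its path."""
    root = Path(tempfile.mkdtemp(prefix="tasks-triage-"))
    (root / ".vscode").mkdir()
    (root / ".vscode" / "tasks.json").write_text(SAMPLE_TASKS_JSON, encoding="utf-8")
    (root / "README.md").write_text("# Take-home assessment\n", encoding="utf-8")
    return root


if __name__ == "__main__":
    # Point find_auto_run_tasks at any cloned path; here the constructed sample.
    for finding in find_auto_run_tasks(build_sample_repo()):
        print(finding)
```

Run against a freshly cloned path, this prints one line per task that would start when the folder is opened, with its command and arguments, so the reviewer can read the referenced script before trusting the workspace. A clean result only confirms that nothing is wired to the folder-open event; it says nothing about the repository's other scripts or recommended extensions, which still deserve a look.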
Proofpoint stated that although the campaign shares several operational similarities with Contagious Interview, including recruitment-themed social engineering and malware delivery aimed at developers, researchers are tracking UNK_DeadDrop separately because of differences in initial access methods and tooling. Unlike previous campaigns that relied heavily on LinkedIn-based fake job interviews, the newer activity shifted toward large-scale phishing emails distributing GitHub repository links. Researchers suggested this shift may indicate an effort to scale operations more efficiently. The primary objective remained consistent with prior North Korea-linked, financially motivated operations: theft of credentials, cryptocurrency wallet information, and sensitive data. Stolen information was reportedly transmitted to command-and-control infrastructure through HTTP POST requests to an external server. Researchers further observed that the Windows infections behaved differently from the Linux and macOS variants: they uploaded the collected files, removed their traces, and exited without maintaining a persistent connection.
Additional findings published by cybersecurity firms including Yeeth Security, Trend Micro, OpenSourceMalware, Panther, Microsoft, and Expel revealed broader malicious activity connected to North Korea-linked cyber groups targeting software developers through developer tools, npm packages, GitHub repositories, VS Code extensions, and compromised software supply chains. Researchers discovered malicious VS Code extensions disguised as Jupyter Notebook productivity tools on official marketplaces that functioned as multi-stage backdoors capable of command execution, data theft, and remote access through the Microsoft Graph API and SharePoint infrastructure. Other investigations documented campaigns involving malicious npm packages distributing malware families such as BeaverTail, OtterCookie, PromptMink, ClipViper, InvisibleFerret, and DEV#POPPER RAT, targeting developers in the cryptocurrency and Web3 sectors. According to Expel, North Korea-linked campaigns during the first quarter of 2026 reportedly resulted in the theft of approximately $12 million in cryptocurrency and the exfiltration of more than 26,000 cryptocurrency wallets from over 2,700 compromised developer systems. Researchers stated that the increasing use of developer tools and open-source ecosystems as malware delivery channels reflects an evolving approach to financially motivated cyber operations aimed at compromising software environments and digital financial assets.
Follow the SPIN IDG WhatsApp Channel for updates across the Smart Pakistan Insights Network covering all of Pakistan’s technology ecosystem.