
Verify a decision

Every moderation decision on AVOID.NET is anchored to the Solana blockchain. You don't have to trust us — you can verify cryptographically that we committed to a verdict at a specific moment and have not rewritten it.

How verification works

  1. We commit. When a moderator accepts or rejects a submission, we serialize the decision into deterministic UTF-8 bytes (payload_canonical_string), hash it with SHA-256, encode the digest as base58, and write it to Solana inside an SPL Memo v2 transaction.
  2. We store the bytes. The exact bytes we hashed are stored alongside the decision in our database. Anyone can read them and recompute the hash in any language.
  3. You compare three values: the database hash, your independently recomputed hash, and the hash inside the on-chain memo. If all three match, the decision is authentic and timestamped.

The on-chain memo format is AVOID.NET|v1|h:<b58-sha256>|d:<id>|t:<iso>

Find a signature on any investigation page's decision log, or run python -m src.verify_decision --signature <sig> for a CLI check.

Sequence: #1
Score:
Cluster: mainnet-beta
Slot: 426512337
Off-chain at: 2026-06-14T23:03:24.091Z
Anchored at:
Block time:

Independent verification

1. Database (off-chain): 14R2yhiAZKNKbkUewYUjpQGvXsN6u7XyXz8d78kaM7xx
2. Recomputed (your browser): computing…
3. On-chain (Solana memo): fetching…

Canonical bytes hashed (17948 chars)
{"actor":"system:backfill","investigation_id":"fc05647c-8e8f-4369-815f-eb4ea6b5fbba","kind":"publish","page_slug":"unk-deaddrop","published_at":"2026-06-14T23:03:24.040Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"UNK_DeadDrop","sections":[{"content":"UNK_DeadDrop is a Proofpoint-designated threat cluster believed to be operated by or aligned with North Korean state-sponsored actors. The designation 'UNK' indicates the cluster had not been fully attributed to a known named group at the time of initial publication. Proofpoint researchers observed that the campaign's victim targeting, social-engineering techniques, and focus on cryptocurrency wallet theft and credential harvesting overlap substantially with the previously documented Contagious Interview campaign (also tracked as DeceptiveDevelopment, PurpleBravo, and TAG-121 by other vendors). However, Proofpoint continues to track UNK_DeadDrop as an independent cluster due to distinct differences in delivery mechanism, communication channel, and malware tooling. 
No official government attribution or OFAC sanctions designation had been issued against UNK_DeadDrop as of the date of this report.","heading":"Threat Actor Overview","severity":"critical","sources":[{"credibility":1,"name":"Don't Fear the Repo: UNK_DeadDrop Phishing Campaign Targets Developers to Steal Cryptocurrency — Proofpoint","type":"research","url":"https://www.proofpoint.com/us/blog/threat-insight/dont-fear-repo-unkdeaddrop-phishing-campaign-targets-developers-steal"},{"credibility":2,"name":"North Korean Hackers Use Fake Coding Tasks to Steal Crypto — Infosecurity Magazine","type":"news_article","url":"https://www.infosecurity-magazine.com/news/north-korean-hackers-developers/"},{"credibility":1,"name":"Contagious Interview, DeceptiveDevelopment — MITRE ATT&CK","type":"research","url":"https://attack.mitre.org/groups/G1052/"}]},{"content":"Between April and May 2026, UNK_DeadDrop sent more than 250 highly targeted phishing emails to individuals at approximately 100 organizations over a six-week period. Targeted sectors included technology, finance, cryptocurrency, education, business services, entertainment and media, and telecommunications. The majority of targeted organizations were based in the United States, though targeting was global in scope. 
The primary intended victims within those organizations were software developers, as the lures were specifically crafted to appeal to developer workflows and professional interests.","heading":"Campaign Scale and Targeting","severity":"critical","sources":[{"credibility":1,"name":"Don't Fear the Repo: UNK_DeadDrop Phishing Campaign — Proofpoint","type":"research","url":"https://www.proofpoint.com/us/blog/threat-insight/dont-fear-repo-unkdeaddrop-phishing-campaign-targets-developers-steal"},{"credibility":2,"name":"Norks blast 250+ fake job offers to developers over 6 weeks to try and snarf creds and crypto — The Register","type":"news_article","url":"https://www.theregister.com/security/2026/06/08/suspected-norks-send-250-fake-dev-job-pitches-to-steal-crypto/5252526"},{"credibility":2,"name":"Suspected North Korean actors use fake coding assignments to steal crypto — SC Media","type":"news_article","url":"https://www.scworld.com/news/suspected-north-korean-actors-use-fake-coding-assignments-to-steal-crypto"}]},{"content":"UNK_DeadDrop employed two primary lure categories. In the first wave, attackers posed as recruiters from legitimate, named organizations offering software development roles and directing candidates to clone a repository as a coding assignment. Impersonated companies include Ondo Finance (a decentralized finance platform), Nourish (a telehealth company), Empower Pharmacy, NXLog, OnePlan, Hypen Connect (a Web3 and AI talent agency), and Valon. In later May 2026 emails, attackers shifted to peer code-review lures, masquerading as representatives of fictional cryptocurrency trading or AI prediction companies named Pulsynk and Trixauvex. These fictitious companies were presented with professional Python project structures to add credibility. In some variants, lures posed as requests to test an ERC-4626 smart-contract vault using the Foundry framework, or to build AI payment agents. 
Contact with victims occurred via email rather than through social media platforms such as LinkedIn or Telegram, which distinguishes UNK_DeadDrop from the Contagious Interview campaign.","heading":"Social Engineering and Lure Techniques","severity":"critical","sources":[{"credibility":1,"name":"Don't Fear the Repo: UNK_DeadDrop Phishing Campaign — Proofpoint","type":"research","url":"https://www.proofpoint.com/us/blog/threat-insight/dont-fear-repo-unkdeaddrop-phishing-campaign-targets-developers-steal"},{"credibility":2,"name":"North Korea-Aligned Hackers Abuse GitHub Repositories to Infect Developers — Cybersecurity News","type":"news_article","url":"https://cybersecuritynews.com/north-korea-aligned-hackers-abuse-github-repositories/"},{"credibility":2,"name":"North Korea-Linked Hackers Infect Developers via GitHub — CyberPress","type":"news_article","url":"https://cyberpress.org/north-korean-hackers-weaponize-github/"}]},{"content":"Each phishing email directed victims to an actor-controlled GitHub or GitLab repository formatted to resemble a legitimate coding assignment or open-source project. Victims were instructed to clone the repository and open the folder in Visual Studio Code or the Cursor editor. The infection exploited VS Code's tasks.json auto-execution feature: a hidden folder within the repository contained a configuration file that automatically ran pre-configured tasks when the workspace was opened in the editor, requiring no further user action beyond opening the folder. The tasks deployed a malicious Visual Studio Extension (VSIX) masquerading as a Google service, establishing persistence with minimal user interaction. For macOS and Linux systems, the infection chain deployed a modified version of the open-source Overlord remote access framework written in Go. On Windows systems, platform-specific launchers were used to decode embedded payloads. 
The malware implemented a persistent remote access trojan (RAT) with modules for browser credential harvesting, targeted cryptocurrency wallet collection, and anti-forensics cleanup. The final stage of the infection removed malicious repository files and directories while leaving the VSIX extension in place to maintain persistence.","heading":"Technical Attack Chain and Malware","severity":"critical","sources":[{"credibility":1,"name":"Don't Fear the Repo: UNK_DeadDrop Phishing Campaign — Proofpoint","type":"research","url":"https://www.proofpoint.com/us/blog/threat-insight/dont-fear-repo-unkdeaddrop-phishing-campaign-targets-developers-steal"},{"credibility":2,"name":"North Korean hackers phishing scheme targets hundreds of workers to steal crypto — TechRadar","type":"news_article","url":"https://www.techradar.com/pro/security/north-korean-hackers-are-at-it-again-phishing-scheme-targets-hundreds-of-workers-to-try-and-steal-crypto-and-more"},{"credibility":2,"name":"North Korea Hackers Weaponize GitHub to Target Developers — GBHackers","type":"news_article","url":"https://gbhackers.com/north-korea-hackers-weaponize-github/"}]},{"content":"The stated objectives of the UNK_DeadDrop campaign as identified by Proofpoint are the theft of browser-based cryptocurrency wallets, desktop cryptocurrency wallets, decrypted passwords, and valuable API tokens. The targeting of software developers in the cryptocurrency and DeFi sectors is consistent with a broader pattern of alleged North Korea-aligned operations focused on generating hard-currency revenue through digital asset theft. Proofpoint's broader tracking of related North Korean campaigns, including Contagious Interview and DangerousPassword, noted that those two campaigns alone had collectively netted an alleged $37.5 million since January 1, 2026, though this figure was not attributed exclusively to UNK_DeadDrop. 
No specific cryptocurrency theft amount has been attributed to the UNK_DeadDrop cluster specifically as of the date of this report.","heading":"Theft Objectives and Cryptocurrency Focus","severity":"critical","sources":[{"credibility":1,"name":"Don't Fear the Repo: UNK_DeadDrop Phishing Campaign — Proofpoint","type":"research","url":"https://www.proofpoint.com/us/blog/threat-insight/dont-fear-repo-unkdeaddrop-phishing-campaign-targets-developers-steal"},{"credibility":2,"name":"North Korea-Tied Operators Sustain Aggressive Crypto Targeting Campaign — CyberPress","type":"news_article","url":"https://cyberpress.org/dprk-hackers-target-crypto/"},{"credibility":2,"name":"Suspected North Korean actors use fake coding assignments to steal crypto — SC Media","type":"news_article","url":"https://www.scworld.com/news/suspected-north-korean-actors-use-fake-coding-assignments-to-steal-crypto"}]},{"content":"Proofpoint researchers noted that UNK_DeadDrop shares significant overlap with the Contagious Interview campaign in terms of victim targeting (developers at cryptocurrency and finance organizations), social-engineering themes (fake job offers and coding assignments), and theft objectives (cryptocurrency wallets and credentials). However, several technical distinctions led Proofpoint to track UNK_DeadDrop as a separate cluster: the use of email as the primary contact channel rather than LinkedIn or Telegram; the abuse of tasks.json auto-execution in VS Code rather than malicious npm package installation; and the deployment of a modified Overlord Go binary rather than the BeaverTail and InvisibleFerret tooling associated with Contagious Interview. Contagious Interview is also tracked by other vendors as DeceptiveDevelopment (ESET), PurpleBravo, TAG-121, and DEV#POPPER, and is indexed by MITRE ATT&CK as Group G1052. GitLab's Threat Intelligence Team has also published analysis on North Korean developer-targeting tradecraft with overlapping characteristics. 
The broader North Korean developer-targeting ecosystem has been highly active in 2026, with the Contagious Interview campaign expanding to over 1,700 malicious packages across npm, PyPI, and other registries.","heading":"Relationship to Known North Korean Threat Clusters","severity":"high","sources":[{"credibility":1,"name":"Don't Fear the Repo: UNK_DeadDrop Phishing Campaign — Proofpoint","type":"research","url":"https://www.proofpoint.com/us/blog/threat-insight/dont-fear-repo-unkdeaddrop-phishing-campaign-targets-developers-steal"},{"credibility":1,"name":"Contagious Interview — MITRE ATT&CK Group G1052","type":"research","url":"https://attack.mitre.org/groups/G1052/"},{"credibility":2,"name":"GitLab Threat Intelligence Team reveals North Korean tradecraft — GitLab","type":"research","url":"https://about.gitlab.com/blog/gitlab-threat-intelligence-reveals-north-korean-tradecraft/"},{"credibility":2,"name":"The 1,700-Package Blitz: North Korea's Contagious Interview Infiltrates Every Major Dev Registry — Security Online","type":"news_article","url":"https://securityonline.info/contagious-interview-north-korea-malicious-packages-dev-registries/"}]},{"content":"No official U.S. government attribution, OFAC sanctions designation, DOJ indictment, or FBI advisory had been issued specifically naming UNK_DeadDrop as of the date of this report. The attribution to North Korea remains at the level of private-sector threat intelligence assessed as 'likely' by Proofpoint. The U.S. government has previously issued indictments and sanctions against North Korean state-sponsored hacking groups and individual actors associated with cryptocurrency theft, including members of the Lazarus Group and associated sub-clusters, but those actions have not been linked to UNK_DeadDrop specifically in available public records. 
This should be treated as a gap in the public record rather than an indicator of lower severity.","heading":"Government Attribution and Regulatory Status","severity":"high","sources":[{"credibility":1,"name":"Don't Fear the Repo: UNK_DeadDrop Phishing Campaign — Proofpoint","type":"research","url":"https://www.proofpoint.com/us/blog/threat-insight/dont-fear-repo-unkdeaddrop-phishing-campaign-targets-developers-steal"},{"credibility":1,"name":"OFAC Recent Actions — U.S. Treasury","type":"regulatory","url":"https://ofac.treasury.gov/recent-actions"}]}],"sources_used":[{"credibility":1,"name":"Don't Fear the Repo: UNK_DeadDrop Phishing Campaign Targets Developers to Steal Cryptocurrency — Proofpoint","type":"research","url":"https://www.proofpoint.com/us/blog/threat-insight/dont-fear-repo-unkdeaddrop-phishing-campaign-targets-developers-steal"},{"credibility":2,"name":"Norks blast 250+ fake job offers to developers over 6 weeks to try and snarf creds and crypto — The Register","type":"news_article","url":"https://www.theregister.com/security/2026/06/08/suspected-norks-send-250-fake-dev-job-pitches-to-steal-crypto/5252526"},{"credibility":2,"name":"North Korean Hackers Use Fake Coding Tasks to Steal Crypto — Infosecurity Magazine","type":"news_article","url":"https://www.infosecurity-magazine.com/news/north-korean-hackers-developers/"},{"credibility":2,"name":"Suspected North Korean actors use fake coding assignments to steal crypto — SC Media","type":"news_article","url":"https://www.scworld.com/news/suspected-north-korean-actors-use-fake-coding-assignments-to-steal-crypto"},{"credibility":2,"name":"North Korea-Aligned Hackers Abuse GitHub Repositories to Infect Developers — Cybersecurity News","type":"news_article","url":"https://cybersecuritynews.com/north-korea-aligned-hackers-abuse-github-repositories/"},{"credibility":2,"name":"North Korean hackers phishing scheme targets hundreds of workers to steal crypto — 
TechRadar","type":"news_article","url":"https://www.techradar.com/pro/security/north-korean-hackers-are-at-it-again-phishing-scheme-targets-hundreds-of-workers-to-try-and-steal-crypto-and-more"},{"credibility":2,"name":"North Korea-Linked Hackers Infect Developers via GitHub — CyberPress","type":"news_article","url":"https://cyberpress.org/north-korean-hackers-weaponize-github/"},{"credibility":2,"name":"North Korea Hackers Weaponize GitHub to Target Developers — GBHackers","type":"news_article","url":"https://gbhackers.com/north-korea-hackers-weaponize-github/"},{"credibility":2,"name":"North Korea-linked hackers target developers via GitHub — Security Brief","type":"news_article","url":"https://securitybrief.com.au/story/north-korea-linked-hackers-target-developers-via-github"},{"credibility":1,"name":"Contagious Interview, DeceptiveDevelopment — MITRE ATT&CK Group G1052","type":"research","url":"https://attack.mitre.org/groups/G1052/"},{"credibility":2,"name":"GitLab Threat Intelligence Team reveals North Korean tradecraft — GitLab","type":"research","url":"https://about.gitlab.com/blog/gitlab-threat-intelligence-reveals-north-korean-tradecraft/"},{"credibility":2,"name":"North Korea-Tied Operators Sustain Aggressive Crypto Targeting Campaign — CyberPress","type":"news_article","url":"https://cyberpress.org/dprk-hackers-target-crypto/"},{"credibility":2,"name":"The 1,700-Package Blitz: North Korea's Contagious Interview Infiltrates Every Major Dev Registry — Security Online","type":"news_article","url":"https://securityonline.info/contagious-interview-north-korea-malicious-packages-dev-registries/"},{"credibility":1,"name":"OFAC Recent Actions — U.S. 
Department of the Treasury","type":"regulatory","url":"https://ofac.treasury.gov/recent-actions"}],"summary":"UNK_DeadDrop is a threat cluster designation assigned by Proofpoint Threat Research to a likely North Korea-aligned cyber threat actor that conducted a sustained phishing campaign targeting software developers between April and May 2026. The campaign used fake job offers and code-review requests linked to malicious GitHub and GitLab repositories to deliver cross-platform malware designed to steal cryptocurrency wallets and developer credentials. The actor is tracked as a distinct cluster from the previously documented Contagious Interview operation, though significant tactical and objective overlap is noted.","timeline":[{"date":"2026-04-01","event":"UNK_DeadDrop campaign begins. Proofpoint observes the first phishing emails using fake developer job offer lures linking to malicious GitHub repositories. Exact start date within April 2026 not publicly specified.","source":"Proofpoint Threat Research","source_url":"https://www.proofpoint.com/us/blog/threat-insight/dont-fear-repo-unkdeaddrop-phishing-campaign-targets-developers-steal"},{"date":"2026-05-01","event":"Campaign lures shift in later May 2026 to peer code-review requests, with attackers posing as representatives of fictional cryptocurrency and AI firms Pulsynk and Trixauvex, as well as ERC-4626 smart-contract testing and AI payment agent project themes.","source":"Proofpoint Threat Research","source_url":"https://www.proofpoint.com/us/blog/threat-insight/dont-fear-repo-unkdeaddrop-phishing-campaign-targets-developers-steal"},{"date":"2026-05-31","event":"By the end of May 2026, UNK_DeadDrop had sent more than 250 phishing emails targeting individuals at approximately 100 organizations over the six-week campaign window.","source":"The 
Register","source_url":"https://www.theregister.com/security/2026/06/08/suspected-norks-send-250-fake-dev-job-pitches-to-steal-crypto/5252526"},{"date":"2026-06-08","event":"Proofpoint publishes public threat intelligence report disclosing the UNK_DeadDrop campaign, its techniques, impersonated companies, and likely North Korean attribution. Coverage follows from The Register, Infosecurity Magazine, SC Media, TechRadar, and other outlets.","source":"Proofpoint Threat Research","source_url":"https://www.proofpoint.com/us/blog/threat-insight/dont-fear-repo-unkdeaddrop-phishing-campaign-targets-developers-steal"}]},"v":1}