North Korean hackers are posing as software development recruiters to target freelancers

News
By published

North Korea is stealing crypto from freelance developers

North Korean flag with a hooded hacker
(Image credit: Shutterstock)
  • North Korea is hiding malware in GitHub projects
  • The projects are then sent to developers as a coding test
  • BeaverTail malware is then used to steal credentials and crypto

Freelance software developers are the latest target of North Korean hackers looking to spread infostealing malware, experts have warned.

The latest campaign, identified by ESET as DeceptiveDevelopment, involves the hackers posing as recruiters on social media to target freelance developers working on cryptocurrency projects.

The main aim of the attacks is to steal cryptocurrency, likely in an effort to supplement North Korea’s income.

Crypto theft and cyber espionage

The attackers copy or create personas of recruiters, and will reach out to developers through job recruitment platforms such as LinkedIn, Upwork, and Freelancer.com, offering them a job opportunity if they complete a coding test.

The test project is usually either a hiring challenge, cryptocurrency project, a game with some form of blockchain functionality, or a gambling project with cryptocurrency or blockchain involvement. The test files are hosted in private repositories on GitHub or a similar platform, and when downloaded and the project executed, BeaverTail malware is deployed.

The hackers will often copy entire projects, making no changes other than adding their malware and re-writing the README file. The hackers will usually try and hide their malicious code somewhere in the project that wouldn’t attract suspicion or be easily spotted, such as within backend code as a single line behind a comment that pushes it off-screen.

The Beavertail malware will target browser databases to steal credentials, and will also download the second stage of the campaign, InvisibleFerret, which acts as a backdoor allowing the attacker to install the AnyDesk remote management software for additional post-compromise activity.

Windows, Mac, and Linux users are all susceptible to the attack, with victims being observed across the globe. The attackers did not discriminate in targeting everyone from junior developers all the way up to experienced professionals. The campaign shares similarities to Operation DreamJob, which targeted aerospace and defense workers to steal classified information.

You might also like

Benedict Collins
Benedict Collins
Staff Writer (Security)

Benedict has been writing about security issues for over 7 years, first focusing on geopolitics and international relations while at the University of Buckingham. During this time he studied BA Politics with Journalism, for which he received a second-class honours (upper division), then continuing his studies at a postgraduate level, achieving a distinction in MA Security, Intelligence and Diplomacy. Upon joining TechRadar Pro as a Staff Writer, Benedict transitioned his focus towards cybersecurity, exploring state-sponsored threat actors, malware, social engineering, and national security. Benedict is also an expert on B2B security products, including firewalls, antivirus, endpoint security, and password management.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.

Read more
Image depicting a hand on a scanner
New Lazarus Group campaign sees North Korean hackers spreading undetectable malware through GitHub and open source packages
A concept image of someone typing on a computer. A red flashing danger sign is above the keyboard and nymbers and symbols also in glowing red surround it.
North Korean Lazarus hackers launch large-scale cyberattack by cloning open source software
A hand reaching out to touch a futuristic rendering of an AI processor.
North Korean fake job hackers are going the extra mile to make sure their scams seem legit
A digital representation of a lock
Looking for a new job? Watch out you don't fall for this new malware scam
An abstract image of digital security.
Hundreds of GitHub repositories hijacked to trick users into downloading malware
Hacker silhouette working on a laptop with North Korean flag on the background
North Korean hackers are targeting LinkedIn jobseekers with new malware - here's how to stay safe
Latest in Security
Insecure network with several red platforms connected through glowing data lines and a black hat hacker symbol
Multiple H3C Magic routers hit by critical severity remote command injection, with no fix in sight
An abstract image of a lock against a digital background, denoting cybersecurity.
Critical security flaw in Next.js could spell big trouble for JavaScript users
Microsoft
"Another pair of eyes" - Microsoft launches all-new Security Copilot Agents to give security teams the upper hand
Lock on Laptop Screen
Medusa ransomware is able to disable anti-malware tools, so be on your guard
An abstract image of digital security.
Fake file converters are stealing info, pushing ransomware, FBI warns
Insecure network with several red platforms connected through glowing data lines and a black hat hacker symbol
Coinbase targeted after recent Github attacks
Latest in News
girl using laptop hoping for good luck with her fingers crossed
Windows 11 24H2 seems to be a massive fail – so Microsoft apparently working on 25H2 fills me with hope... and fear
ChatGPT Advanced Voice mode on a smartphone.
Talking to ChatGPT just got better, and you don’t need to pay to access the new functionality
Insecure network with several red platforms connected through glowing data lines and a black hat hacker symbol
Multiple H3C Magic routers hit by critical severity remote command injection, with no fix in sight
Apple Watch Ultra 2 timer
The Apple Watch is getting a sleep alarm upgrade it probably should have had 10 years ago
Nikon Z5
The Nikon Z5 II could land soon – here's what to expect from Nikon's rumored entry-level full-frame camera
An abstract image of a lock against a digital background, denoting cybersecurity.
Critical security flaw in Next.js could spell big trouble for JavaScript users
More about security
An abstract image of a lock against a digital background, denoting cybersecurity.

Critical security flaw in Next.js could spell big trouble for JavaScript users
Insecure network with several red platforms connected through glowing data lines and a black hat hacker symbol

Multiple H3C Magic routers hit by critical severity remote command injection, with no fix in sight
Collage of tech on offer in the Amazon Big Spring Sale, including a Fire TV, Samsung laptop, Sony headphones, Echo Dot, Kindle, DJI Osmo and Ninja air fryer

The Amazon Spring Sale is here and I've picked the 22 best deals actually worth buying
See more latest
Most Popular
An abstract image of a lock against a digital background, denoting cybersecurity.
Critical security flaw in Next.js could spell big trouble for JavaScript users
girl using laptop hoping for good luck with her fingers crossed
Windows 11 24H2 seems to be a massive fail – so Microsoft apparently working on 25H2 fills me with hope... and fear
ChatGPT Advanced Voice mode on a smartphone.
Talking to ChatGPT just got better, and you don’t need to pay to access the new functionality
Insecure network with several red platforms connected through glowing data lines and a black hat hacker symbol
Multiple H3C Magic routers hit by critical severity remote command injection, with no fix in sight
Teenager playing on a gaming PC with two monitors
Samsung's OLED monitors are about to get much cheaper - and it's about time
Apple Watch Ultra 2 timer
The Apple Watch is getting a sleep alarm upgrade it probably should have had 10 years ago
Nikon Z5
The Nikon Z5 II could land soon – here's what to expect from Nikon's rumored entry-level full-frame camera
Google Pixel Watch 3
Google Pixel Watches hit with delayed notifications, crashing, and performance issues following Wear OS 5.1 update
Frank Castle pinning Matt Murdock against a locker in Daredevil: Born Again episode 4
What time is Daredevil: Born Again episode 5 going to be released on Disney+?
AMD Ryzen 9950X
I analyzed 25 AMD Zen 4 and Zen 5 CPUs and the Ryzen 9 9900X is the best of them all right now: Here’s why