Analysis of DEV#POPPER: New Attack Campaign Targeting Software Developers Likely Associated With North Korean Threat Actors
2024-04-25 • Securonix •
Securonix tracks DEV#POPPER as an ongoing social engineering campaign likely tied to North Korean threat actors and aimed at software developers. Attackers pose as interviewers, send GitHub-hosted coding tasks, and rely on the target running a malicious NPM package during the fake interview process. The first-stage JavaScript downloads an archive from 147.124.214[.]131:1244, extracts a hidden Python payload, and runs follow-on Python code that contains hard-coded C2 infrastructure.
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| IPv4 | 147.124.214.131 | 2024-04-25 | 2026-01-21 |
| IPv4 | 173.211.106.101 | 2024-04-25 | 2025-07-26 |
| HASH | 33617f0ac01a0f7fa5f64bd8edef737… | 2024-04-25 | 2024-08-26 |
| HASH | 977a9024962102b02128d391c0543c6… | 2024-04-25 | 2024-04-25 |
| HASH | f9ca12321fb91157cce8513e935810d… | 2024-04-25 | 2024-04-25 |
| HASH | 45c991529a421104f2edf03d92e01d9… | 2024-04-25 | 2024-04-25 |
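The chain summarised above (an npm package handed over as an interview task, an install-time script that fetches an archive from a raw IP:port and hands a decoded payload to Python) is easy to pre-screen statically before anyone runs `npm install`. The following is an added example, not code from Securonix or from the campaign itself: it audits a package.json for lifecycle hooks that execute automatically on install, scans JavaScript source for hard-coded dotted-quad URLs and a few heuristic patterns, and cross-checks any host found against the two IPs in the IOC table above. The hook list is npm's documented lifecycle scripts; the regex heuristics and the sample package.json and setup script are constructed for illustration and are assumptions, not signatures taken from the report.

```javascript
// Added example (not part of the Securonix report): a static pre-flight check for an
// npm "coding task" received during an interview. It flags lifecycle hooks that run
// on `npm install` and source text that embeds a raw IP:port download URL, base64
// decoding, or a child-process spawn of Python, which is the first-stage shape
// described above. Every sample input here is constructed for illustration.

// npm lifecycle scripts that execute automatically during install/publish.
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare", "prepublish"];

// DEV#POPPER C2 addresses from the IOC table on this page.
const KNOWN_IOC_IPS = new Set(["147.124.214.131", "173.211.106.101"]);

// http(s)://<dotted quad>[:port]; legitimate packages rarely hard-code these.
const RAW_IP_URL = /https?:\/\/(\d{1,3}(?:\.\d{1,3}){3})(?::(\d{1,5}))?/g;

// Heuristic patterns (assumptions chosen for this example, not report signatures).
const SUSPICIOUS_CALLS = [
  { name: "child_process", re: /require\(\s*['"]child_process['"]\s*\)/ },
  { name: "base64-decode", re: /Buffer\.from\([^)]*['"]base64['"]\s*\)/ },
  { name: "eval", re: /\beval\s*\(/ },
  { name: "python-spawn", re: /['"]python3?['"]/ },
];

// Returns one finding per lifecycle hook present in package.json "scripts".
function auditPackageJson(text) {
  const pkg = JSON.parse(text);
  const scripts = pkg.scripts || {};
  return LIFECYCLE_HOOKS
    .filter((hook) => Object.prototype.hasOwnProperty.call(scripts, hook))
    .map((hook) => ({ kind: "lifecycle-hook", hook, command: scripts[hook] }));
}

// Returns raw-IP URLs and matched heuristic patterns found in a JS source string.
function scanSource(text) {
  const findings = [];
  for (const m of text.matchAll(RAW_IP_URL)) {
    findings.push({ kind: "raw-ip-url", host: m[1], port: m[2] ? Number(m[2]) : null });
  }
  for (const { name, re } of SUSPICIOUS_CALLS) {
    if (re.test(text)) findings.push({ kind: "suspicious-call", name });
  }
  return findings;
}

// Hosts among the findings that match the published IOC list.
function matchKnownIocs(findings) {
  return findings
    .filter((f) => f.kind === "raw-ip-url" && KNOWN_IOC_IPS.has(f.host))
    .map((f) => f.host);
}

// Constructed sample: a package.json with an install-time hook, and the file it runs.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "interview-task",
  version: "1.0.0",
  scripts: { postinstall: "node ./lib/setup.js", test: "node test.js" },
});

const SAMPLE_SETUP_JS = [
  "const cp = require('child_process');",
  // IP and port are the ones in the IOC table; the archive name is made up.
  "const url = 'http://147.124.214.131:1244/archive.zip';",
  "const code = Buffer.from(payload, 'base64').toString();",
  "cp.spawn('python3', ['-c', code]);",
].join("\n");

// Runs all three checks over the constructed sample and returns the findings.
function report() {
  const srcFindings = scanSource(SAMPLE_SETUP_JS);
  return {
    hooks: auditPackageJson(SAMPLE_PACKAGE_JSON),
    source: srcFindings,
    iocHits: matchKnownIocs(srcFindings),
  };
}

console.log(JSON.stringify(report(), null, 2));
```

Treat this as a first pass, not a control: the report says the Python stage is hidden inside the downloaded archive, so nothing in the npm package itself need name a C2 beyond the first download URL, and that URL can be assembled at runtime to defeat a regex. The real control for an unsolicited interview task is still a disposable VM with no credentials or SSH keys on it.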
Related Reports
2024-07-31 • 55% Match
Shares tags: NPM, DevPopper, T1082 • Same author: Securonix

2024-05-21 • 53% Match
Analysis and Detection of CLOUD#REVERSER: An Attack Involving Threat Actors Compromising Systems Using A Sophisticated Cloud-Based Malware • Securonix
Shares tags: T1082, T1059.003, T1070.004 • Same author: Securonix • Published within a month

2024-10-03 • 38% Match
Tags: #APT37 #VeilShell #ShroudedSleep #T1082 #T1070.004 #T1041 #T1555 #T1560 #T1112 #T1204.001 #T1059.007 #T1027 #T1204.002 #T1057 #T1566.001 #T1547.001 #T1059.001 #T1053 #T1003 #T1033 #T1132 #T1069 #T1574.014
Shares tags: T1082, T1070.004, T1041 • Same author: Securonix

2024-04-03 • 36% Match
Tags: #RokRAT #LNK #T1102.002 #T1082 #T1059.003 #T1005 #T1113 #T1083 #T1204.002 #T1566.001 #T1059.001 #T1055 #T1622 #T1027.010 #T1106 #T1027.009 #T1033
Shares tags: T1082, T1059.003, T1059.001 • Published within a month

2024-03-18 • 36% Match
Analysis of New DEEP#GOSU Attack Campaign Likely Associated with North Korean Kimsuky Targeting Victims with Stealthy Malware • Securonix
Shares tags: T1082, T1070.004, T1041 • Same author: Securonix

2024-07-19 • 33% Match
Tags: #Trend #Andariel #Kimsuky #MoonstoneSleet #Lazarus #T1082 #T1059.003 #T1090 #T1140 #T1005 #T1070.004 #T1041 #T1113 #T1555 #T1560 #T1071.001 #T1046 #T1112 #T1115 #T1083 #T1497 #T1056.001 #T1036 #T1027 #T1204.002 #T1566.002 #T1555.003 #T1071 #T1124 #T1222 #T1552 #T1057 #T1583.003 #T1518.001 #T1547.001 #T1053.005 #T1539 #T1608.005 #T1583.001 #T1059.001 #T1053 #T1552.001 #T1566 #T1059 #T1003 #T1497.001 #T1102.001 #T1574.002 #T1562.001 #T1490 #T1486 #T1129 #T1133 #T1571 #T1548 #T1190 #T1203 #T1564.001 #T1087 #T1562.004 #T1218.011 #T1070.006 #T1547 #T1068 #T1614 #T1573 #T1095 #T1562 #T1070 #T1047 #T1056 #T1176 #T1010 #T1033 #T1569.002 #T1543.003 #T1485 #T1012 #T1202 #T1087.002 #T1021.004 #T1222.001 #T1518 #T1564.003 #T1505.003 #T1069.002 #T1564 #T1595.002 #T1027.005 #T1070.001 #T1056.004 #T1584
Shares tags: T1082, T1059.003, T1070.004