DeceptiveDevelopment: From primitive crypto theft to sophisticated AI-based deception
2025-09-25 • ESET
Attachments
DeceptiveDevelopment.pdf (3 MB)
ESET describes DeceptiveDevelopment as a North Korea-aligned financially motivated group active since at least 2023 and tightly connected to WageMole, the activity cluster associated with North Korean IT workers. Operators pose as recruiters on platforms such as LinkedIn, Upwork, Freelancer, and Crypto Jobs List, then use fake job interviews, coding challenges, private repositories, and ClickFix lures to compromise software developers, especially in cryptocurrency and Web3. The malware set is multiplatform and includes obfuscated Python and JavaScript scripts, BeaverTail and OtterCookie first-stage stealers, InvisibleFerret modular RAT components, WeaselStore infostealer/RAT code delivered with Go build tooling, and the newer TsunamiKit toolkit. The excerpt says DeceptiveDevelopment steals browser, wallet, keychain, and login data and can deploy remote-access tooling such as AnyDesk, while WageMole actors use compromised information, stolen identities, proxy interviewing, and AI-assisted synthetic identities to obtain real jobs. The campaign matters because it links malware-driven developer compromise with broader DPRK revenue-generation operations targeting the software and crypto hiring ecosystem.
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| IPv4 | 199.188.200.147 | 2025-09-25 | 2026-01-14 |
| IPv4 | 103.231.75.101 | 2025-08-28 | 2026-01-14 |
| IPv4 | 45.159.248.110 | 2025-08-28 | 2026-01-14 |
| IPv4 | 164.132.209.191 | 2025-09-25 | 2025-09-25 |
| IPv4 | 176.223.112.74 | 2025-09-25 | 2025-09-25 |
| IPv4 | 116.125.126.38 | 2025-09-25 | 2025-09-25 |
| IPv4 | 45.8.146.93 | 2025-04-02 | 2025-09-25 |
| IPv4 | 86.104.72.247 | 2025-04-02 | 2025-09-25 |
| IPv4 | 103.35.190.170 | 2025-04-02 | 2025-09-25 |
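The table above is only useful once it is swept against egress telemetry. The following is an added example, not code from ESET or from the report: it parses the IPv4 rows exactly as laid out above, then scans constructed proxy log lines (a hypothetical `key=value` format, not any real product's) for those addresses. Each candidate address is validated with `ipaddress` before lookup, so an octet above 255 or a longer address that merely contains an indicator as a substring is not reported, and every hit is tagged with whether the log timestamp falls inside the First Seen / Last Seen window, since a hit outside that window is still worth triage but carries a different confidence.

```python
import ipaddress
import re
from datetime import date

# Constructed copy of the IPv4 rows from the table above; the parser reads the
# same Markdown layout so the table can be pasted in unchanged.
IOC_TABLE = """\
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| IPv4 | 199.188.200.147 | 2025-09-25 | 2026-01-14 |
| IPv4 | 103.231.75.101 | 2025-08-28 | 2026-01-14 |
| IPv4 | 45.159.248.110 | 2025-08-28 | 2026-01-14 |
| IPv4 | 164.132.209.191 | 2025-09-25 | 2025-09-25 |
| IPv4 | 176.223.112.74 | 2025-09-25 | 2025-09-25 |
| IPv4 | 116.125.126.38 | 2025-09-25 | 2025-09-25 |
| IPv4 | 45.8.146.93 | 2025-04-02 | 2025-09-25 |
| IPv4 | 86.104.72.247 | 2025-04-02 | 2025-09-25 |
| IPv4 | 103.35.190.170 | 2025-04-02 | 2025-09-25 |
"""

# Constructed egress-proxy log lines in a hypothetical key=value format.
# Line 5 contains an indicator only as a substring (145.8.146.93) and must not match.
SAMPLE_LOGS = [
    "2025-10-02T14:03:11Z host=dev-laptop-07 src=10.1.2.33 dst=199.188.200.147:443 action=ALLOW",
    "2025-10-02T14:03:12Z host=dev-laptop-07 src=10.1.2.33 dst=140.82.112.4:443 action=ALLOW",
    "2025-11-03T09:17:45Z host=build-runner-2 src=10.1.5.9 dst=103.231.75.101:8080 action=ALLOW",
    "2025-12-01T22:41:02Z host=dev-laptop-12 src=10.1.2.80 dst=45.8.146.93:443 action=DENY",
    "2025-12-01T22:41:03Z host=dev-laptop-12 src=10.1.2.80 dst=145.8.146.93:443 action=ALLOW",
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2})T")


def parse_ioc_table(text):
    """Return {ip: (first_seen, last_seen)} for the IPv4 rows of a Markdown IoC table."""
    iocs = {}
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or cells[0] != "IPv4":
            continue  # header row, separator row, or a non-IPv4 indicator type
        try:
            ip = ipaddress.IPv4Address(cells[1])
        except ValueError:
            continue  # malformed value in the table; skip rather than crash the sweep
        iocs[str(ip)] = (date.fromisoformat(cells[2]), date.fromisoformat(cells[3]))
    return iocs


def scan_logs(lines, iocs):
    """Match every valid IPv4 address in each line against the IoC set.

    Returns one dict per hit with the address, the offending line and whether the
    line's date lies within the indicator's observed activity window.
    """
    hits = []
    for line in lines:
        ts = TS_RE.match(line)
        seen_on = date.fromisoformat(ts.group(1)) if ts else None
        for m in IPV4_RE.finditer(line):
            try:
                ip = str(ipaddress.IPv4Address(m.group(0)))
            except ValueError:
                continue  # regex-shaped but not a real address (e.g. an octet > 255)
            if ip not in iocs:
                continue
            first, last = iocs[ip]
            hits.append({
                "ip": ip,
                "line": line,
                "in_window": seen_on is not None and first <= seen_on <= last,
            })
    return hits


if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS, parse_ioc_table(IOC_TABLE)):
        window = "within" if hit["in_window"] else "outside"
        print(f"{hit['ip']} ({window} observed window): {hit['line']}")
```

Run against the constructed lines, this reports three hits: two inside their windows and one for 45.8.146.93 dated after its Last Seen date, while the lookalike address on the last line is correctly ignored. In practice the same parser can be pointed at the table of a newer report, and the window check becomes the field an analyst uses to decide between "known-active infrastructure" and "possibly reassigned address, verify before blocking".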