2024-07-31 • Securonix •
Securonix reports that the North Korea-linked DEV#POPPER operators continued targeting software developers with fake interview lures and a ZIP package containing hidden malicious JavaScript. The updated samples added support for Windows, Linux, and macOS, with obfuscated code that decodes a C2 endpoint at 67.203.7[.]171:1244. The malware identifies the host platform, builds paths and variables for each operating system, collects system information, and sends the data to the remote server over HTTP POST. Victim telemetry was geographically broad, with observed activity across South Korea, North America, Europe, and the Middle East.
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| DOMAIN | ip-api.com | 2022-11-14 | 2026-01-21 |
| URL | http://ip-api.com/json | 2024-07-31 | 2026-01-20 |
| IPv4 | 67.203.7.171 | 2024-05-10 | 2025-11-13 |
| IPv4 | 67.203.123.171 | 2024-07-31 | 2024-10-23 |
| IPv4 | 77.37.37.81 | 2024-07-31 | 2024-10-23 |
| HASH | 63238b8d083553a8341bf6599d3d601… | 2024-07-31 | 2024-08-26 |
| HASH | bc4a082e2b999d18ef2d7de1948b2bf… | 2024-07-31 | 2024-08-26 |
| HASH | 2d10b48454537a8977affde99f6edcb… | 2024-07-31 | 2024-08-26 |
| HASH | b31f5bde1bdbc2dfd453b91bab2e9be… | 2024-07-31 | 2024-07-31 |
| HASH | eff2a9fca46425063dca08046642735… | 2024-07-31 | 2024-07-31 |
| HASH | 0639d8eaad9df842d6f358831b0d4c6… | 2024-07-31 | 2024-07-31 |
| HASH | 6263b94884726751bf4de6f1a4dc309… | 2024-07-31 | 2024-07-31 |
| HASH | 7e5828382c9ef9cd7a643bc329154a3… | 2024-07-31 | 2024-07-31 |
| URL | http://de.ztec.store:8000/www/r… | 2024-07-31 | 2024-07-31 |
| URL | http://de.ztec.store:8000 | 2024-07-31 | 2024-07-31 |
| DOMAIN | de.ztec.store | 2024-07-31 | 2024-07-31 |