- ESET Research released a deep-dive report into the activities of the DeceptiveDevelopment threat group and North Korean IT workers, two sets of actors that are considered tightly bound.
- The analyzed campaigns rely heavily on sophisticated social engineering tactics, including fake job interviews and the ClickFix technique, to deliver malware and exfiltrate cryptocurrency with a possible secondary objective of cyberespionage.
- ESET also analyzed OSINT data that sheds light on the operations of North Korean IT workers involved in fraudulent employment schemes.
PRAGUE and BRATISLAVA, Slovakia, Sept. 25, 2025 (GLOBE NEWSWIRE) — ESET Research has released new findings on DeceptiveDevelopment, also known as Contagious Interview – a threat group aligned with North Korea that has grown increasingly active in recent years. The group is primarily focused on cryptocurrency theft, targeting freelance developers across Windows, Linux, and macOS platforms. The newly published research paper traces the group’s evolution from early malware families to more advanced toolsets. These campaigns rely heavily on sophisticated social engineering tactics, including fake job interviews and the ClickFix technique, to deliver malware and exfiltrate cryptocurrency. ESET also analyzed open-source intelligence (OSINT) data that sheds light on the operations of North Korean IT workers involved in fraudulent employment schemes and their ties to DeceptiveDevelopment. These findings are being presented today at the annual Virus Bulletin (VB) Conference.
DeceptiveDevelopment is a North Korea-aligned group active since at least 2023, focused on financial gain. The group targets software developers on all major systems – Windows, Linux, and macOS – and especially those in cryptocurrency and Web3 projects. Initial access is achieved exclusively through social engineering: techniques like ClickFix, and fake recruiter profiles, similar to Lazarus’s Operation DreamJob, that deliver trojanized codebases during staged job interviews. Its most typical payloads are the BeaverTail, OtterCookie, and WeaselStore infostealers, and the InvisibleFerret modular RAT.
“DeceptiveDevelopment operators use fake recruiter profiles on social media, in a fashion similar to Lazarus’s Operation DreamJob. However, in this case, they specifically reached out to software developers, often those involved in cryptocurrency projects, providing potential victims with trojanized codebases that deploy backdoors as part of a faux job …