North Korea-Linked ‘DeceptiveDevelopment’ Targets Freelance Developers with Infostealers

• A new malicious campaign leverages fake job opportunities to disseminate InvisibleFerret and BeaverTail.
• North Korea-connected hackers leverage trusted platforms like LinkedIn and Upwork to lure freelance devs.
• The operation distributes malware strains that act as backdoors, infostealers, downloaders, and spyware. 

A North Korea-aligned campaign, "DeceptiveDevelopment," targets freelance software developers through trojanized coding projects. The campaign deploys InvisibleFerret and BeaverTail to steal cryptocurrency credentials and sensitive login information across Windows, Linux, and macOS platforms.

Active since November 2023, the operation masquerades as recruiters offering roles to freelance developers, particularly within cryptocurrency and decentralized finance (DeFi) projects, according to ESET researchers.

Victims are approached on platforms like LinkedIn, Upwork, Freelancer.com, We Work Remotely, Moonlight, and Crypto Jobs List under the guise of coding challenges, recruitment assessments, or bug fixes. Attackers provide project files, which secretly install malware when executed.  

The core malware includes two distinct tools, one of which is BeaverTail (JavaScript and native variants) – an infostealer and downloader that exfiltrates browser-stored credentials and prepares the system for further compromise.  

The other is Python-based InvisibleFerret, a modular malware functioning as spyware and a backdoor, capable of exfiltrating sensitive data and installing tools for prolonged access.

Analysts noted that DeceptiveDevelopment’s techniques, including the use of fake recruiter personas and trojanized projects, align closely with known North Korea-linked activity clusters such as the Lazarus Group’s “DreamJob” campaigns. 

The group’s goal appears to be financially motivated, focusing heavily on cryptocurrency theft, with possible secondary objectives of cyber espionage.