The theft of cryptocurrencies remains one of the most profitable engines of cybercrime, and North Korean groups have returned to the center of the scene. During the annual Virus Bulletin (VB) conference, ESET Research presented new findings about DeceptiveDevelopment, also known as Contagious Interview, an actor that has perfected its methods for deceiving freelance developers and appropriating their digital assets.

The report explains that this group, active since at least 2023, has evolved from using basic malware to building more elaborate toolkits, though always with a common pattern: intensive use of social engineering. Its main tactic consists in creating fake recruiter profiles on platforms such as LinkedIn, Upwork or Crypto Jobs List and offering fictitious job interviews to professionals in the crypto and Web3 sector.

“Individuals behind these activities sacrifice a high level of technical sophistication in exchange for a wide operational scale and highly creative social engineering. Their malware is mostly simple, and yet they can deceive even targets with solid technical knowledge,” explains Peter Kálnai, a researcher at ESET and co-author of the report.

The ClickFix method and malware distribution

The deception unfolds in several phases. First, the attackers lure victims with attractive job offers and seemingly legitimate selection processes. Once their interest is secured, they are asked to take part in a technical test: a programming challenge that, in reality, includes fragments of trojanized code.

The final step comes with the technique known as ClickFix. After the candidates are asked to join a video call, the page shows a supposed camera or microphone error and offers a “fix” link. The candidate is instructed to copy a command into the terminal of their computer, convinced that it is a minor adjustment. In reality, that command downloads and installs malware that gives the attackers access to the system.

The tools detected most frequently in these campaigns include infostealers such as BeaverTail, OtterCookie and WeaselStore, in addition to the modular InvisibleFerret RAT, which allows the attackers to keep remote control of the machine. According to ESET, the group has also developed new kits, such as TsunamiKit, which even document the API of their command-and-control servers.

Connections with Lazarus and the labor dimension

The technical analysis does not stop at the malicious payloads. The report emphasizes that DeceptiveDevelopment maintains connections with Lazarus, the historic North Korean group behind some of the most lucrative cyberattacks of the last decade. The Tropidoor backdoor and the PostNapTea RAT share direct links in their code, which reinforces the hypothesis of collaboration or, at least, of tool reuse between the groups.

But the most disturbing aspect is the labor dimension of the scheme. Based on open-source intelligence (OSINT) data, ESET has identified the participation of North Korean IT workers who have been seeking remote employment abroad for more than five years. Their CVs and profile photos are usually manipulated with artificial intelligence and, in some cases, they go as far as using “real-time face swapping” during video-call interviews.

The FBI had already warned of this phenomenon in 2017 and in several subsequent notices, cautioning that these fraudulent employees not only channel their salaries to the Pyongyang regime but also take advantage of their access to steal corporate information and extort companies.

Europe in the crosshairs

Although the United States has traditionally been the main target, the latest ESET data shows a shift towards Europe. Countries such as France, Poland, Ukraine and Albania have become new focuses of interest for the attackers, probably because of the growing adoption of blockchain and Web3 startup projects in the region.

The combination of social engineering techniques, simulated interviews and malicious software turns DeceptiveDevelopment into a hybrid threat, capable of operating both in the field of cybercrime and in that of labor fraud. “This scheme combines classical criminal operations, such as identity theft and synthetic identity fraud, with digital tools, which classifies it as much a traditional crime as a cybercrime,” adds Kálnai.

Risks and recommendations

The risk does not only affect independent developers. Companies that hire freelance workers can also become indirect victims by giving access to people who actually act as proxies for the North Korean regime. The use of compromised videoconferencing accounts and the practice of “proxy interviewing” raise the threat level even further.

To reduce exposure, ESET recommends that hiring teams rigorously verify the identity of candidates, that developers run any technical test in isolated environments, and that social engineering awareness training be reinforced within organizations. The key, they insist, is to assume that the human vector will continue to be the attackers' main target.