• DeceptiveDevelopment targets freelance software developers through spearphishing on job-hunting and freelancing sites, aiming to steal cryptocurrency wallets and login information from browsers and password managers.
• This operation primarily uses two malware families – BeaverTail (infostealer, downloader) and InvisibleFerret (infostealer, Remote Access Trojan – RAT).
• DeceptiveDevelopment’s techniques are similar to several other known North Korea-aligned operations.

PRAGUE, BRATISLAVA — February 20, 2025 — Since 2024, ESET researchers have observed a series of malicious North Korea-aligned activities, where the operators, posing as software development  recruiters, entice the victims with fake employment offers. Subsequently, they try to serve their targets with software projects that conceal infostealing malware. ESET Research calls this activity cluster DeceptiveDevelopment. This North Korea-aligned activity is currently not attributed by ESET to any known threat actor. It targets freelance software developers through spearphishing on job-hunting and freelancing sites, aiming to steal cryptocurrency wallets and login information from browsers and password managers.

“As part of a fake job interview process, the DeceptiveDevelopment operators ask their targets to take a coding test, such as adding a feature to an existing project, with the files necessary for the task usually hosted on private repositories on GitHub or other similar platforms. Unfortunately for the eager work candidate, these files are trojanized: Once they download and execute the project, the victim’s computer gets compromised,” explains ESET researcher Matěj Havránek, who made the discovery and analyzed DeceptiveDevelopment.

DeceptiveDevelopment’s tactics, techniques, and procedures are similar to several other known North Korea-aligned operations. Operators behind DeceptiveDevelopment target software developers on Windows, Linux, and macOS. They steal cryptocurrency primarily for financial gain, with a possible secondary objective of cyberespionage. To approach their targets, these operators use fake recruiter profiles on social media. The attackers don’t distinguish based on geographical location, instead aiming to compromise as many victims as possible to increase the likelihood of successfully extracting funds and information.

DeceptiveDevelopment primarily uses two malware families as part of its activities, delivered in two stages. In the first stage, BeaverTail (infostealer, downloader) acts as a simple login stealer, extracting browser databases containing saved logins, and as a downloader for the second stage, InvisibleFerret (infostealer, RAT), which includes spyware and backdoor components, and is also capable of downloading the legitimate AnyDesk remote management and monitoring software for post-compromise activities.

In order to pose as recruiters, the attackers copy profiles of existing people or even construct new personas. They then either directly approach their potential victims on job-hunting and freelancing platforms, or post fake job listings there. While some of these profiles are set up by the attackers themselves, others are potentially compromised profiles of real people on the platform, modified by the attackers.

Some of the platforms where these interactions occur are generic job-hunting ones, while others focus primarily on cryptocurrency and blockchain projects and are thus more in line with the attackers’ goals. The platforms include LinkedIn, Upwork, Freelancer.com, We Work Remotely, Moonlight, and Crypto Jobs List.

Victims receive the project files either directly via file transfer on the site, or through a link to a repository like GitHub, GitLab, or Bitbucket. They are asked to download the files, add features or fix bugs, and report back to the recruiter. Additionally, they are instructed to build and execute the project in order to test it, which is where the initial compromise happens. The attackers often use a clever trick to hide their malicious code: They place it in an otherwise benign component of the project, usually within backend code unrelated to the task given to the developer, where they append it as a single line behind a long comment. This way, it is moved off-screen and stays mostly hidden.

“The DeceptiveDevelopment cluster is an addition to an already large collection of money-making schemes employed by North Korea-aligned actors and conforms to an ongoing trend of shifting focus from traditional money to cryptocurrencies,” concludes Havránek.

For a more detailed analysis and technical breakdown of DeceptiveDevelopment, check out the latest ESET Research blogpost, “DeceptiveDevelopment targets freelance developers,” on WeLiveSecurity.com. Make sure to follow ESET Research on Twitter (today known as X) for the latest news from ESET Research.

Heatmap of different victims of DeceptiveDevelopment

全球網絡安全解決方案領導品牌 ESET 宣布，其 ESET HOME Security Essential 榮膺 AV-Comparatives 「2024 年度產品大獎」。這項備受推崇的獎項，表彰了 ESET HOME Security Essential 在 Windows 平台上的卓越效能與可靠性，致力於保護消費者免受多元網絡威脅的侵害。

2024 年，AV-Comparatives 對 16 款 Windows 消費級安全產品進行了嚴苛評測，檢驗它們在抵禦真實網絡威脅、識別最新惡意軟件、防禦進階針對性攻擊，以及在不影響電腦運作速度的前提下提供保護的能力。ESET HOME Security Essential 以出色的表現脫穎而出，在全年七項測試中均榮獲最高等級的 Advanced+ 獎項，穩坐最佳產品寶座。

AV-Comparatives 2024 年總結報告指出：「評審團對其簡潔直觀、專為非專業用戶設計的介面讚譽有加，同時也肯定其為進階用戶提供的豐富自訂功能與掃描選項，令人印象深刻。」

儘管多數供應商將自動續訂設為強制條件，報告特別讚揚 ESET 是少數不強迫用戶接受自動續訂的廠商，令人稱道。報告進一步強調，ESET HOME Security Essential 是一款設計精良且操作友善的安全產品，提供安全的預設設定，並確保所有用戶都能輕鬆掌握其核心功能。

AV-Comparatives 創辦人暨行政總裁 Andreas Clementi 評論說：「ESET 在 2024 年測試中展現了一貫的優異表現，在多項評比中均獲得高分肯定。這項殊榮充分體現產品在惡意軟件防護、易用性與系統效能上的可靠性。ESET HOME Security Essential 以平衡的設計，提供高效保護同時不拖累系統效能，這無疑是許多用戶所期待的優勢。」

ESET 消費者與物聯網部門副總裁 Viktória Ivanová 表示：「能獲 AV-Comparatives 評選為 2024 年度產品，我們深感榮幸。」

• ESET has been included among knowledgeable respondents in an independent Best Practice report: How To Measure The Effectiveness And Value Of Threat Intelligence.
• ESET Threat Intelligence (ETI) offerings are ideally suited to meet the needs described in the report of the CART model.

BRATISLAVA — February 26, 2025 — ESET, a global leader in cybersecurity solutions, is proud to announce its participation among knowledgeable respondents whom Forrester surveyed in its Best Practice report: How To Measure The Effectiveness And Value Of Threat Intelligence. Forrester, a respected research firm, highlighted the essential characteristics of credible threat intelligence, summarized in the CART model: Complete, Accurate, Relevant, and Timely. ESET Threat Intelligence offerings align closely with these principles, empowering organizations to strengthen their security posture and stay ahead of advanced threats.

“For us, our inclusion in Forrester’s report reinforces our commitment to delivering actionable, high-quality threat intelligence that meets the evolving needs of today’s organizations,” said Juraj Knapec, Product Manager for ESET Threat Intelligence. “By focusing on clarity, accuracy, and timeliness, we enable our clients to make critical decisions faster, reduce exposure, and bolster their defenses against advanced threat actors.”

Forrester’s CART framework underscores the needs for threat intelligence that is:

• Complete: Covering a wide range of sources and threat vectors.
• Accurate: Offering curated and verified insights from practical experience.
• Relevant: Delivering tailored, actionable information that aligns with organizational needs.
• Timely: Enabling proactive decisions by anticipating emerging threats.

ESET Threat Intelligence solutions were designed with these principles in mind. By prioritizing quantitative metrics and providing clarity in threat analysis, ESET ensures its clients receive reliable, actionable data to help mitigate risks effectively.

The report also highlights a critical challenge. Many security and risk professionals struggle to measure the value and effectiveness of their threat intelligence, leading to wasted resources and missed opportunities. Forrester emphasizes the importance of using robust quantitative and qualitative metrics to demonstrate the impact of threat intelligence within an organization, which ESET addresses by providing clear threat intelligence metrics to simplify decision-making, as well as quantitative insights that showcase measurable value and drive strategic outcomes.

As further stated in Forrester´s Best Practice report: How To Measure The Effectiveness And Value Of Threat Intelligence: “Metrics are essential for you to demonstrate the effectiveness of threat intelligence, but resist the temptation to rely solely on consumption-based metrics… more does not necessarily mean better. The right target value for a given metric is unique to each organization’s cybersecurity maturity and risk profile.” Built on the robust CART framework, ETI allows us to customize each threat intelligence solution to meet the unique needs of our clients, ensuring they receive the most targeted and relevant information.

ESET Threat Intelligence provides real-time data on malicious files, domains, IPs, URLs, botnets, and APT activity to help organizations act swiftly. Its Advanced Persistent Threat (APT) Reports offer in-depth analyses of advanced threats, with the PREMIUM packages including direct analyst consultations. Curated, actionable insights enhance detection and response, while seamless SIEM and TIP integration maximizes efficiency. With these offerings, ESET empowers clients to automate threat searches, stay ahead of emerging risks, and reduce incident response times, ultimately strengthening their cybersecurity architecture.

For more information about ESET Threat Intelligence, please visit our website.