{"id":237,"date":"2026-03-19T14:36:57","date_gmt":"2026-03-19T14:36:57","guid":{"rendered":"https:\/\/escudodigital.uy\/index.php\/2026\/03\/19\/from-primitive-crypto-theft-to-sophisticated-ai-based-deception\/"},"modified":"2026-03-19T14:36:57","modified_gmt":"2026-03-19T14:36:57","slug":"from-primitive-crypto-theft-to-sophisticated-ai-based-deception","status":"publish","type":"post","link":"https:\/\/escudodigital.uy\/index.php\/2026\/03\/19\/from-primitive-crypto-theft-to-sophisticated-ai-based-deception\/","title":{"rendered":"From primitive crypto theft to sophisticated AI-based deception"},"content":{"rendered":"<div>\n<p>This blogpost introduces our latest white paper, presented at <a href=\"https:\/\/www.virusbulletin.com\/uploads\/pdf\/conference\/vb2025\/papers\/DeceptiveDevelopment-and-North-Korean-IT-workers-from-primitive-crypto-theft-to-sophisticated-AI-based-deception.pdf\">Virus Bulletin 2025<\/a>, where we detail the operations of the North Korea-aligned threat actor we call DeceptiveDevelopment and its connections to North Korean IT worker campaigns. The white paper provides full technical details, including malware analysis, infrastructure, and OSINT findings. 
Here, we summarize the key insights and highlight the broader implications of this hybrid threat.<\/p>\n<blockquote>\n<p><strong>Key points of this blogpost:<\/strong><\/p>\n<ul>\n<li>The inventiveness and focus of the operations lie in their social-engineering methods.<\/li>\n<li>DeceptiveDevelopment\u2019s toolset is mostly multiplatform and consists of initial obfuscated malicious scripts in Python and JavaScript, basic backdoors in Python and Go, and a dark web project in .NET.<\/li>\n<li>We provide insights into operational details of North Korean IT workers, like work assignments, schedules, communication with clients, etc., gathered from public sources.<\/li>\n<li>Native, more complex Windows backdoors are an occasional addition to the execution chain and are likely shared with other North Korea-aligned actors.<\/li>\n<li>DeceptiveDevelopment and North Korean IT workers have different objectives and means, but we consider them tightly connected.<\/li>\n<\/ul>\n<\/blockquote>\n<h2>Introduction<\/h2>\n<p>In this blogpost, we examine the DeceptiveDevelopment group and the WageMole activity cluster as two tightly connected North Korea-aligned entities. WageMole is a label that we have adopted for activities associated with North Korean IT workers. While the campaigns of both are driven by financial gain, each plays a distinct and complementary role in relation to the other:<\/p>\n<ul>\n<li>DeceptiveDevelopment operators pose as recruiters, using fraudulent job offers to compromise the systems of job seekers.<\/li>\n<li>North Korean IT workers then use the information gained by the DeceptiveDevelopment operators to pose as job seekers. 
To secure a real job position, they may employ several tactics, including proxy interviewing, using stolen identities, and fabricating synthetic identities with AI-driven tools.<\/li>\n<\/ul>\n<p>First, we provide a catalogue of multiplatform tools used by DeceptiveDevelopment, from simple but obfuscated scripts like BeaverTail and InvisibleFerret to a complex toolkit, TsunamiKit, centered around a .NET backdoor. We also disclose specific links between more complex backdoors used by DeceptiveDevelopment, AkdoorTea and Tropidoor, and other, more APT-oriented North Korea-aligned operations. Next, we describe interesting aspects of North Korean IT workers\u2019 modus operandi, obtained from public sources, mostly from unintentionally exposed data, testimonials of victims, and investigations of independent researchers.<\/p>\n<h2>DeceptiveDevelopment<\/h2>\n<p>DeceptiveDevelopment is a North Korea-aligned group active since at least 2023, focused on financial gain. Its activities overlap with <a href=\"https:\/\/unit42.paloaltonetworks.com\/two-campaigns-by-north-korea-bad-actors-target-job-hunters\/\">Contagious Interview<\/a>, <a href=\"https:\/\/www.securonix.com\/blog\/analysis-of-devpopper-new-attack-campaign-targeting-software-developers-likely-associated-with-north-korean-threat-actors\/\">DEV#POPPER<\/a>, and <a href=\"https:\/\/www.trendmicro.com\/en_nz\/research\/25\/d\/russian-infrastructure-north-korean-cybercrime.html\">Void Dokkaebi<\/a>. The group targets software developers on all major systems \u2013 Windows, Linux, and macOS \u2013 and especially those in cryptocurrency and Web3 projects. Initial access is achieved exclusively through social engineering, such as ClickFix lures and fake recruiter profiles similar to those of Lazarus\u2019s Operation DreamJob, used to deliver trojanized codebases during staged job interviews. 
Its most typical payloads are the BeaverTail, OtterCookie, and WeaselStore infostealers, and the InvisibleFerret modular RAT.<\/p>\n<h3>Targeting strategy<\/h3>\n<p>DeceptiveDevelopment operators use various methods to compromise their victims, relying on clever social engineering tricks. Via both fake and hijacked profiles, they pose as recruiters on platforms like LinkedIn, Upwork, Freelancer, and Crypto Jobs List. They offer fake lucrative job opportunities to attract their targets\u2019 interest. Victims are requested to participate in a coding challenge or a pre-interview task. The task involves downloading a project from private GitHub, GitLab, or Bitbucket repositories. These repositories contain trojanized code, often hidden cleverly in long comments displayed well beyond the right-hand edge of a code browser or editor window. Participation in the task triggers the execution of BeaverTail, the first-stage malware.<\/p>\n<p>Besides these fake recruiter accounts, the addition of a new social engineering technique known as ClickFix was observed. ClickFix in relation to DeceptiveDevelopment was first reported by <a href=\"https:\/\/blog.sekoia.io\/clickfake-interview-campaign-by-lazarus\/\">Sekoia.io<\/a> in March 2025, when it was used by the group as the initial access method on macOS and Windows systems; in September 2025, <a href=\"https:\/\/gitlab-com.gitlab.io\/gl-security\/security-tech-notes\/threat-intelligence-tech-notes\/north-korean-malware-sept-2025\/\">GitLab<\/a> spotted it being used on Linux systems too. The attackers direct the victim to a fake job interview website, containing an application form that they are asked to complete. The application form contains a few lengthy questions related to the applicant\u2019s identity and qualifications, leading the victim to put significant time and effort into filling in the form and making them feel like they are almost done, and therefore more likely to fall for the trap. 
In the final step of the application, the victim is asked to record a video of them answering the final question. The site triggers a pop-up asking the victim to allow camera access, but the camera is never actually accessed. Instead, an error message appears saying that access to the camera or microphone is currently blocked and offers a \u201cHow to fix\u201d link. That link leads to a pop-up employing the ClickFix social engineering technique. The victim is instructed, based on their operating system, to open a terminal and copy and paste a command that should solve the issue. However, instead of enabling the victim\u2019s camera, the command downloads and executes malware.<\/p>\n<h3>Toolset<\/h3>\n<h4>BeaverTail and InvisibleFerret<\/h4>\n<p>The first indication of DeceptiveDevelopment activity came in November 2023, when <a href=\"https:\/\/unit42.paloaltonetworks.com\/two-campaigns-by-north-korea-bad-actors-target-job-hunters\/\" target=\"_blank\" rel=\"noopener\">Unit 42<\/a> reported the Contagious Interview campaign; we later associated this campaign with the group. Unit 42 coined the names BeaverTail and InvisibleFerret for the two malware families used in this campaign. We documented this campaign in more detail in our WeLiveSecurity blogpost from February 2025, dissecting how the threat actor makes use of these two malware families.<\/p>\n<p>BeaverTail is a simple infostealer and downloader that collects data from cryptocurrency wallets, keychains, and saved browser logins. We have observed variants of this malware written in JavaScript, hidden in fake job challenges, and also in C++, using the Qt framework and disguised as conferencing software. Its primary function is downloading the second-stage malware InvisibleFerret. 
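The trojanized repositories described under Targeting strategy keep the BeaverTail stager on an otherwise ordinary source line, pushed hundreds of columns to the right so that it never shows in an editor or a code browser. The scanner below is an added example for triaging such a pre-interview task; it is not ESET's code and not the attackers' code. It flags lines where executable-looking content follows a long run of whitespace, and over-long lines that carry such content. The token watchlist, the 120-column gap and the 400-column length thresholds are assumptions to tune, and the sample JavaScript file is constructed for the demo.

```python
"""Flag source lines with code hidden past the right-hand edge of an editor."""
import re
from typing import List, Tuple

# Assumed watchlist of tokens that a JavaScript/Python stager needs; a tuned
# deployment would extend this, but note that a benign file rarely places
# them hundreds of columns to the right of its last visible token.
SUSPICIOUS_TOKENS = re.compile(
    r"\b(?:eval|Function|exec|spawn|fetch|XMLHttpRequest|__import__|subprocess|urllib)\s*[(.]"
    r"|require\(\s*['\"]child_process['\"]"
)

MIN_GAP = 120    # assumed: this many spaces pushes content off-screen in most editors
MAX_LINE = 400   # assumed: raw lines this long are out of place in hand-written source

REASON_GAP = "executable content hidden after a long whitespace run"
REASON_LONG = "over-long line with executable content"


def find_hidden_code(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, reason) for each suspicious line in `text`."""
    findings = []
    gap_re = re.compile(r"\S[ \t]{%d,}\S" % MIN_GAP)
    for lineno, line in enumerate(text.splitlines(), start=1):
        gap = gap_re.search(line)
        # Visible code, then a long gap, then more code: inspect only the tail.
        if gap and SUSPICIOUS_TOKENS.search(line[gap.end() - 1:]):
            findings.append((lineno, REASON_GAP))
            continue
        if len(line) > MAX_LINE and SUSPICIOUS_TOKENS.search(line):
            findings.append((lineno, REASON_LONG))
    return findings


def scan_files(paths) -> dict:
    """Scan files on disk; returns {path: findings} for files that have hits."""
    report = {}
    for path in paths:
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            hits = find_hidden_code(fh.read())
        if hits:
            report[path] = hits
    return report


# Constructed sample: a benign-looking config module whose second line carries
# a child_process stager 200 columns to the right of the visible statement.
SAMPLE_JS = (
    "const config = { port: 3000 };\n"
    + "module.exports = config;" + " " * 200
    + "require('child_process').exec(Buffer.from('aGVscA==', 'base64').toString());\n"
    + "function add(a, b) { return a + b; }\n"
)

if __name__ == "__main__":
    for lineno, reason in find_hidden_code(SAMPLE_JS):
        print(f"line {lineno}: {reason}")
```

Run it over every file in the downloaded project (including lock files and test fixtures) before opening the project in an IDE, because the IDE may execute project hooks on load.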
At the end of 2024, a new malware family with functionality similar to BeaverTail emerged \u2013 it was named OtterCookie by <a href=\"https:\/\/jp.security.ntt\/insights_resources\/tech_blog\/en-waterplum-ottercookie\/\" target=\"_blank\" rel=\"noopener\">NTT Security<\/a>. OtterCookie is written in JavaScript and uses very similar obfuscation techniques. We believe that OtterCookie is an evolution of BeaverTail and is used by some teams within DeceptiveDevelopment instead of the older BeaverTail, while other teams continue using and modifying the original codebase.<\/p>\n<p>InvisibleFerret is modular malware written in Python with more information-stealing capabilities than BeaverTail, also capable of providing remote control to attackers. It usually comes with the following four modules:<\/p>\n<ul>\n<li>a browser-data stealer module (extracts and exfiltrates data saved by browsers and cryptocurrency wallets),<\/li>\n<li>a payload module (remote access trojan),<\/li>\n<li>a clipboard module (containing keylogging and clipboard logging capabilities) \u2013 in some cases distributed as part of the payload module, and<\/li>\n<li>an AnyDesk module (which deploys the AnyDesk remote access tool to allow direct attacker access to the compromised machine).<\/li>\n<\/ul>\n<h4>WeaselStore<\/h4>\n<p>As DeceptiveDevelopment evolved and started to include more teams in its operations, those teams started modifying the codebase to meet their own needs and introduced new malware tooling. One such example is a campaign that ESET researchers investigated in August 2024. 
In addition to the conventional BeaverTail and InvisibleFerret malware, the team responsible for the campaign deployed what we believe is its own new malware \u2013 which we named WeaselStore.<\/p>\n<p>WeaselStore (also called <a href=\"https:\/\/blog.sekoia.io\/clickfake-interview-campaign-by-lazarus\/\">GolangGhost<\/a> and <a href=\"https:\/\/www.sentinelone.com\/blog\/macos-flexibleferret-further-variants-of-dprk-malware-family-unearthed\/\">FlexibleFerret<\/a>) is a multiplatform infostealer written in Go, though in May 2025, Cisco Talos reported about WeaselStore being rewritten in Python; they called that malware <a href=\"https:\/\/blog.talosintelligence.com\/python-version-of-golangghost-rat\/\">PylangGhost<\/a>. As the implementation is identical, for simplicity, we refer to both implementations as WeaselStore in this blogpost.<\/p>\n<p>WeaselStore\u2019s functionality is quite similar to both BeaverTail and InvisibleFerret, with the main focus being exfiltration of sensitive data from browsers and cryptocurrency wallets. Once the data has been exfiltrated, WeaselStore, unlike traditional infostealers, continues to communicate with its C&amp;C server, serving as a RAT capable of executing various commands.<\/p>\n<figure class=\"image\"><img decoding=\"async\" title=\"Figure 1. Execution chain of WeaselStore\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2025\/09-25\/deceptivedevelopment\/figure-1.png\" alt=\"Figure 1. Execution chain of WeaselStore\" width=\"\" height=\"\"\/><figcaption><em>Figure 1. Execution chain of WeaselStore<\/em><\/figcaption><\/figure>\n<p>The most interesting aspect of WeaselStore in Go is that it is delivered to the victim\u2019s system in the form of Go source code, along with the Go environment binaries necessary to build and execute it, allowing the malware to target three main operating systems \u2013 Windows, Linux, and macOS (see Figure 1). 
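Because WeaselStore arrives as Go source plus its own toolchain and is compiled on the victim, a process-level hunt has to key on where the toolchain lives and where the build runs, not on the mere presence of a Go build, which is routine on a developer workstation. The following is an added example of that heuristic, not ESET's code or a detection from the white paper. The event fields, the allow-list of toolchain install roots, the temp-directory markers and the sample events are all constructed for the demo; map the fields to your EDR's process-creation schema.

```python
"""Flag Go builds run from a dropped toolchain or a temp/download staging directory."""
import ntpath
import posixpath
from typing import Dict, List, Tuple

# Assumed allow-list of places a legitimately installed Go toolchain lives.
KNOWN_GO_ROOTS = (
    "/usr/local/go/bin/", "/usr/lib/go/bin/", "/usr/bin/", "/opt/homebrew/bin/",
    "c:\\program files\\go\\bin\\", "c:\\go\\bin\\",
)
# Assumed markers of user-writable staging locations (matched case-insensitively).
TEMP_MARKERS = (
    "/tmp/", "/var/folders/", "/downloads/",
    "\\appdata\\local\\temp\\", "\\temp\\", "\\downloads\\",
)
BUILD_SUBCOMMANDS = {"build", "run"}

REASON_ROOT = "go toolchain executed from outside known install roots"
REASON_TEMP = "go build/run with working directory in a temp or download location"


def _basename(path: str) -> str:
    return ntpath.basename(path) if "\\" in path else posixpath.basename(path)


def flag_event(ev: Dict[str, str]) -> List[str]:
    """Return the reasons a process-creation event is suspicious; [] means benign."""
    image = ev["image"].lower()
    if _basename(image) not in ("go", "go.exe"):
        return []
    argv = ev["cmdline"].split()
    # Only builds matter: `go version`, `go env` etc. are noise.
    if len(argv) < 2 or argv[1] not in BUILD_SUBCOMMANDS:
        return []
    reasons = []
    if not any(image.startswith(root) for root in KNOWN_GO_ROOTS):
        reasons.append(REASON_ROOT)
    sep = "\\" if "\\" in ev["cwd"] else "/"
    cwd = ev["cwd"].lower().rstrip("/\\") + sep
    if any(marker in cwd for marker in TEMP_MARKERS):
        reasons.append(REASON_TEMP)
    return reasons


def hunt(events: List[Dict[str, str]]) -> List[Tuple[int, List[str]]]:
    """Run flag_event over a batch; returns (index, reasons) for each hit."""
    hits = []
    for i, ev in enumerate(events):
        reasons = flag_event(ev)
        if reasons:
            hits.append((i, reasons))
    return hits


# Constructed sample events: one normal developer build, two builds from a
# staging directory with a dropped toolchain, and one harmless `go version`.
SAMPLE_EVENTS = [
    {"image": "/usr/local/go/bin/go", "cmdline": "go build ./cmd/server",
     "cwd": "/home/dev/src/app"},
    {"image": "/private/var/folders/xq/T/.nvidia/go/bin/go", "cmdline": "go run main.go",
     "cwd": "/private/var/folders/xq/T/.nvidia"},
    {"image": "C:\\Users\\dev\\AppData\\Local\\Temp\\nvidia\\go\\bin\\go.exe",
     "cmdline": "go.exe build -o out.exe .", "cwd": "C:\\Users\\dev\\AppData\\Local\\Temp\\nvidia"},
    {"image": "/usr/local/go/bin/go", "cmdline": "go version", "cwd": "/tmp/x"},
]

if __name__ == "__main__":
    for index, reasons in hunt(SAMPLE_EVENTS):
        print(index, SAMPLE_EVENTS[index]["image"], reasons)
```

Either reason alone is worth a look; both together on a non-developer host, or on any host shortly after a Node.js or Python script ran from the same directory, is the WeaselStore pattern described above.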
The installation mechanism differs based on the victim\u2019s operating system, but in all cases the chain ends with downloading the WeaselStore Go source code and then compiling and executing it using a Go build environment, which is also provided alongside.<\/p>\n<h4>TsunamiKit<\/h4>\n<p>In November 2024, a new version of the InvisibleFerret malware delivered a modified browser-data stealer module. This module, in addition to its normal functionality, contains a previously unseen, large, encoded block with the first stage of the execution chain deploying a completely new malware toolkit, also intended for information and cryptocurrency theft. We named this toolkit TsunamiKit, based on the developer\u2019s repeated use of \u201cTsunami\u201d in the names of its components (see Table 1). The threat was publicly reported by <a href=\"https:\/\/arxiv.org\/pdf\/2505.21725\">Alessio Di Santo<\/a> in November 2024 and by <a href=\"https:\/\/www.bitdefender.com\/en-us\/blog\/labs\/lazarus-group-targets-organizations-with-sophisticated-linkedin-recruiting-scam\">Bitdefender<\/a> in February 2025; our white paper adds context by placing it in the overall DeceptiveDevelopment modus operandi. The paper also dives into the details of TsunamiKit\u2019s complex execution chain.<\/p>\n<p style=\"break-after: avoid; text-align: center;\"><a name=\"_Ref208237532\"\/><em>Table 1. 
Components of the TsunamiKit execution chain<\/em><\/p>\n<table style=\"height: 198px;\" border=\"1\" width=\"642\" cellspacing=\"0\" cellpadding=\"0\">\n<thead>\n<tr style=\"height: 18px;\">\n<td style=\"height: 18px;\" width=\"151\"><strong>Component name<\/strong><\/td>\n<td style=\"height: 18px;\" width=\"492\"><strong>Description<\/strong><\/td>\n<\/tr>\n<\/thead>\n<tbody>\n<tr style=\"height: 54px;\">\n<td style=\"height: 54px;\" width=\"151\">TsunamiLoader<\/td>\n<td style=\"height: 54px;\" width=\"492\">The initial stage, obfuscating and dropping TsunamiInjector. It contains a quote <em>Sometimes you never know the value of a moment until it becomes a memory<\/em>, often attributed to Dr. Seuss.<\/td>\n<\/tr>\n<tr style=\"height: 18px;\">\n<td style=\"height: 18px;\" width=\"151\">TsunamiInjector<\/td>\n<td style=\"height: 18px;\" width=\"492\">Downloader of TsunamiInstaller. Also drops TsunamiHardener.<\/td>\n<\/tr>\n<tr style=\"height: 54px;\">\n<td style=\"height: 54px;\" width=\"151\">TsunamiHardener*<\/td>\n<td style=\"height: 54px;\" width=\"492\">Referred to as TsunamiPayload in the code. 
Sets up persistence for TsunamiClient, and Microsoft Defender exclusions for TsunamiClient and the XMRig miner (one of TsunamiClient\u2019s components).<\/td>\n<\/tr>\n<tr style=\"height: 18px;\">\n<td style=\"height: 18px;\" width=\"151\">TsunamiInstaller<\/td>\n<td style=\"height: 18px;\" width=\"492\">.NET dropper of TsunamiClientInstaller and a Tor proxy.<\/td>\n<\/tr>\n<tr style=\"height: 18px;\">\n<td style=\"height: 18px;\" width=\"151\">TsunamiClientInstaller*<\/td>\n<td style=\"height: 18px;\" width=\"492\">Fingerprints the system; downloads and executes TsunamiClient.<\/td>\n<\/tr>\n<tr style=\"height: 18px;\">\n<td style=\"height: 18px;\" width=\"151\">TsunamiClient<\/td>\n<td style=\"height: 18px;\" width=\"492\">Complex .NET spyware; drops XMRig and NBMiner.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p style=\"font-size: 80%;\">* These components were originally both named TsunamiPayload; we have renamed them to avoid any confusion.<\/p>\n<h4>PostNapTea and Tropidoor<\/h4>\n<p>Over the course of our research, we spotted an interesting piece of evidence, further linking DeceptiveDevelopment to North Korea. In April 2025, <a href=\"https:\/\/asec.ahnlab.com\/en\/87299\/\" target=\"_blank\" rel=\"noopener\">Ahnlab<\/a> researchers reported about trojanized Bitbucket projects containing BeaverTail and a 64\u2011bit downloader named <span style=\"font-family: courier new, courier, monospace;\">car.dll<\/span> or <span style=\"font-family: courier new, courier, monospace;\">img_layer_generate.dll<\/span>. While BeaverTail, as expected, downloaded InvisibleFerret, this new downloader retrieved an in-memory payload that was named Tropidoor by Ahnlab. 
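Table 2 below records that both Tropidoor and PostNapTea resolve Windows APIs by Fowler\u2013Noll\u2013Vo hash rather than by name, so an analyst reading either payload meets 32-bit constants where import names should be. The resolver below is an added example of the standard way to get the names back, precomputing the hash of every candidate export; it is not ESET's code and not the malware's. The table only says Fowler\u2013Noll\u2013Vo, so the 32-bit width, the FNV-1a variant, ASCII input and the absence of case folding or a salt are assumptions to confirm against the sample's own hashing routine; the second variant is included so that a wrong guess shows up as an unresolved hash rather than a silent miss. The candidate list is a short constructed one; a real run uses the export tables of the DLLs dumped from a clean system.

```python
"""Resolve FNV-hashed Windows API names of the kind Tropidoor and PostNapTea use."""
from typing import Dict, Iterable, List, Optional, Tuple

FNV32_OFFSET = 0x811C9DC5
FNV32_PRIME = 0x01000193


def fnv1a_32(data: bytes) -> int:
    """Standard 32-bit FNV-1a: XOR each byte in, then multiply by the prime."""
    h = FNV32_OFFSET
    for b in data:
        h ^= b
        h = (h * FNV32_PRIME) & 0xFFFFFFFF
    return h


def fnv1_32(data: bytes) -> int:
    """32-bit FNV-1 (multiply first, then XOR), the other common variant."""
    h = FNV32_OFFSET
    for b in data:
        h = (h * FNV32_PRIME) & 0xFFFFFFFF
        h ^= b
    return h


def build_table(names: Iterable[str], hasher=fnv1a_32) -> Dict[int, str]:
    """Precompute hash -> export name for a list of candidate API names."""
    return {hasher(name.encode("ascii")): name for name in names}


def resolve(api_hash: int, table: Dict[int, str]) -> Optional[str]:
    return table.get(api_hash)


# Constructed candidate list (assumed); replace with real export tables of
# kernel32.dll, ws2_32.dll, advapi32.dll, ... from a clean Windows install.
CANDIDATES = [
    "LoadLibraryA", "GetProcAddress", "CreateProcessW", "VirtualAlloc",
    "WriteProcessMemory", "CreateRemoteThread", "WSAStartup", "connect",
    "send", "recv", "CreateFileW", "ReadFile", "WriteFile", "DeleteFileW",
]


def resolve_many(hashes: List[int], names: Iterable[str] = CANDIDATES
                 ) -> Dict[int, Optional[Tuple[str, str]]]:
    """Map each hash to (variant, name), trying FNV-1a first and FNV-1 second.

    An unresolved hash maps to None, which is the signal to go back to the
    sample and check the variant, width, case handling or a per-build salt.
    """
    tables = {"fnv1a": build_table(names, fnv1a_32), "fnv1": build_table(names, fnv1_32)}
    out: Dict[int, Optional[Tuple[str, str]]] = {}
    for h in hashes:
        out[h] = None
        for variant, table in tables.items():
            if h in table:
                out[h] = (variant, table[h])
                break
    return out


if __name__ == "__main__":
    # Hashes as they would be pulled from the sample's resolver call sites.
    for h, hit in resolve_many([fnv1a_32(b"CreateProcessW"), fnv1_32(b"connect"), 0xDEADBEEF]).items():
        print(f"{h:#010x} -> {hit}")
```

Hashes that stay unresolved against the full export tables usually mean the routine folds case, hashes UTF-16, or mixes in a per-build constant; lift the hashing loop from the sample and re-run the table with it rather than guessing further.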
We realized that Tropidoor shares large portions of code with <a href=\"https:\/\/www.virusbulletin.com\/uploads\/pdf\/conference\/vb2023\/papers\/Lazarus-campaigns-and-backdoors-in-2022-2023.pdf\" target=\"_blank\" rel=\"noopener\">PostNapTea<\/a>, a Lazarus RAT distributed via exploitation against South Korean targets in 2022. Table 2 contains a comparison of both payloads.<\/p>\n<p style=\"break-after: avoid; text-align: center;\"><em>Table 2. Comparison of Tropidoor (DeceptiveDevelopment) and PostNapTea (Lazarus) payloads (asterisks indicate the country of a VirusTotal submission)<\/em><\/p>\n<table border=\"1\" width=\"642\" cellspacing=\"0\" cellpadding=\"0\">\n<thead>\n<tr>\n<td width=\"140\">\u00a0<\/td>\n<td width=\"251\"><strong>Tropidoor<\/strong><\/td>\n<td width=\"251\"><strong>PostNapTea<\/strong><\/td>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td width=\"140\"><strong>First seen<\/strong><\/td>\n<td width=\"251\">2024-11-28<\/td>\n<td width=\"251\">2022-02-25<\/td>\n<\/tr>\n<tr>\n<td width=\"140\"><strong>Targeted countries<\/strong><\/td>\n<td width=\"251\">Kenya*, Colombia*, Canada*<\/td>\n<td width=\"251\">South Korea<\/td>\n<\/tr>\n<tr>\n<td width=\"140\"><strong>Initial Access<\/strong><\/td>\n<td width=\"251\">Social engineering<\/td>\n<td width=\"251\">Exploitation<\/td>\n<\/tr>\n<tr>\n<td width=\"140\"><strong>Hash-based resolution of Windows APIs<\/strong><\/td>\n<td width=\"251\">Fowler\u2013Noll\u2013Vo<\/td>\n<td width=\"251\">Fowler\u2013Noll\u2013Vo<\/td>\n<\/tr>\n<tr>\n<td width=\"140\"><strong>String encryption<\/strong><\/td>\n<td width=\"251\">Plain + XOR-based<\/td>\n<td width=\"251\">XOR-based<\/td>\n<\/tr>\n<tr>\n<td width=\"140\"><strong>Encryption for network communication<\/strong><\/td>\n<td width=\"251\">Base64 + AES-128<\/td>\n<td width=\"251\">Base64 + AES-128<\/td>\n<\/tr>\n<tr>\n<td width=\"140\"><strong>Project<\/strong><\/td>\n<td width=\"251\">C DLL<\/td>\n<td width=\"251\">MFC C++ DLL<\/td>\n<\/tr>\n<tr>\n<td 
width=\"140\"><strong>Type of commands<\/strong><\/td>\n<td width=\"251\">Internal implementation of Windows commands<\/td>\n<td width=\"251\">Internal implementation of Windows commands<\/td>\n<\/tr>\n<tr>\n<td width=\"140\"><strong>Building environment<\/strong><\/td>\n<td width=\"251\">Visual Studio 2019, v16.11<\/td>\n<td width=\"251\">Visual Studio 2017, v15.9<\/td>\n<\/tr>\n<tr>\n<td width=\"140\"><strong>Configuration format<\/strong><\/td>\n<td width=\"251\">Binary<\/td>\n<td width=\"251\">JSON<\/td>\n<\/tr>\n<tr>\n<td width=\"140\"><strong>User-Agent (differences in reversed color)<\/strong><\/td>\n<td width=\"251\"><span style=\"font-family: 'Courier New', Courier, monospace;\"><span style=\"background-color: white; color: #0096a1;\">Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/<\/span><span style=\"background-color: #0096a1; color: white;\">112.0.0.0<\/span> <span style=\"background-color: white; color: #0096a1;\">Safari\/537.36<\/span> <span style=\"background-color: #0096a1; color: white;\">Edg\/112.0.1722.64<\/span><\/span><\/td>\n<td width=\"251\"><span style=\"font-family: 'Courier New', Courier, monospace;\"><span style=\"background-color: white; color: #0096a1;\">Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/<\/span><span style=\"background-color: #0096a1; color: white;\">91.0.4472.114<\/span> <span style=\"background-color: white; color: #0096a1;\">Safari\/537.36<\/span><\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>Tropidoor is the most sophisticated payload yet linked to the DeceptiveDevelopment group, probably because it is based on malware developed by the more technically advanced threat actors under the Lazarus umbrella. Some of the supported commands are shown in Figure 2.<\/p>\n<figure class=\"image\"><img decoding=\"async\" title=\"Figure 2. 
Some Windows commands implemented internally in the Tropidoor code\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2025\/09-25\/deceptivedevelopment\/figure-2.png\" alt=\"Figure 2. Some Windows commands implemented internally in the Tropidoor code\" width=\"\" height=\"\"\/><figcaption><em>Figure 2. Some Windows commands implemented internally in the Tropidoor code<\/em><\/figcaption><\/figure>\n<h3>New findings<\/h3>\n<p>Since our white paper\u2019s submission, we have uncovered new findings that further strengthen the link between the activity of DeceptiveDevelopment and other North Korea-aligned cyberattacks.<\/p>\n<p>We discovered that the TsunamiKit project dates back at least to December 2021, when it was submitted to VirusTotal under the name <span style=\"font-family: courier new, courier, monospace;\"><span class=\"Code\"><span lang=\"EN-US\">Nitro Labs.zip<\/span><\/span><\/span><span lang=\"EN-US\">. One of the components contains the PDB path <\/span><span style=\"font-family: courier new, courier, monospace;\"><span class=\"Code\"><span lang=\"EN-US\">E:\\Programming\\The Tsunami Project\\Malware\\C#\\C# Tsunami Dist Version 3.0.0\\CTsunami\\obj\\Release\\netcoreapp3.1\\win-x64\\\\System Runtime Monitor.pdb<\/span><\/span><\/span><span lang=\"EN-US\">. We conclude that TsunamiKit is likely a modification of a dark web project rather than a new creation by the attackers, based on TsunamiKit largely predating the approximate start of DeceptiveDevelopment activity in 2023, similar TsunamiKit payloads without any signs of BeaverTail having been observed in ESET telemetry, and cryptocurrency mining being a core feature of TsunamiKit.<\/span><\/p>\n<h4>AkdoorTea<\/h4>\n<p>In August 2025, a BAT file named <span style=\"font-family: courier new, courier, monospace;\">ClickFix-1.bat<\/span> and a ZIP archive named <span style=\"font-family: courier new, courier, monospace;\">nvidiaRelease.zip<\/span> were uploaded to VirusTotal. 
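AkdoorTea, the TCP RAT in that archive, protects its strings and traffic with Base64 plus a single-byte XOR with 0x49, where the 2018 Akdoor used Base64 plus RC4 (Table 3 below). The decoder below is an added example for working with captured traffic or extracted strings from either family; it is not ESET's code and not the malware's. Table 3 names only the two layers, so the order (Base64 on the outside, the cipher underneath) and the RC4 key passed in for Akdoor are assumptions to verify against a sample, and all inputs are constructed. The triage helper at the end uses the one property that separates the two schemes: undoing a single-byte XOR on real AkdoorTea data yields printable text, while RC4 output does not.

```python
"""Decode AkdoorTea (Base64 + XOR 0x49) and Akdoor (Base64 + RC4) blobs."""
import base64
import binascii

XOR_KEY = 0x49  # from Table 3


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def akdoortea_decode(blob: str) -> bytes:
    """AkdoorTea 2025: strip the Base64 layer, then undo the single-byte XOR."""
    return xor_bytes(base64.b64decode(blob), XOR_KEY)


def akdoortea_encode(plain: bytes) -> str:
    """Inverse of akdoortea_decode, for building test traffic or emulating the C&C."""
    return base64.b64encode(xor_bytes(plain, XOR_KEY)).decode("ascii")


def akdoor_decode(blob: str, key: bytes) -> bytes:
    """Akdoor 2018: Base64 layer, then RC4 with the key recovered from the sample."""
    return rc4(key, base64.b64decode(blob))


def akdoor_encode(plain: bytes, key: bytes) -> str:
    return base64.b64encode(rc4(key, plain)).decode("ascii")


def looks_like_xor49(blob: str) -> bool:
    """Triage: a Base64 body that becomes printable ASCII after XOR 0x49 is
    consistent with the AkdoorTea scheme; RC4 output will almost never be."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return False
    dec = xor_bytes(raw, XOR_KEY)
    return len(dec) > 0 and all(0x20 <= b < 0x7F or b in b"\r\n\t" for b in dec)


if __name__ == "__main__":
    # Constructed command, encoded the way an AkdoorTea operator would send it.
    wire = akdoortea_encode(b"whoami")
    print(wire, akdoortea_decode(wire), looks_like_xor49(wire))
```

A single-byte XOR key is also recoverable without the sample: XOR the decoded Base64 body against the bytes expected at a known position (a command name such as the renamed shi, or a version string like 01.01) and check whether one key value explains the whole message.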
The BAT file just downloads the archive and executes <span style=\"font-family: courier new, courier, monospace;\">run.vbs<\/span> from it. The archive contains various legitimate JAR packages for the NVIDIA CUDA Toolkit, together with the following malicious files:<\/p>\n<ul>\n<li><span style=\"font-family: courier new, courier, monospace;\">shell.bat<\/span>, a trojanized installer for Node.js, which is executed afterward.<\/li>\n<li><span style=\"font-family: courier new, courier, monospace;\">main.js<\/span>, an obfuscated BeaverTail script, automatically loaded by Node.js.<\/li>\n<li><span style=\"font-family: courier new, courier, monospace;\">drvUpdate.exe<\/span>, a TCP RAT, to which we assign the codename AkdoorTea, as it is similar to Akdoor reported by <a href=\"https:\/\/web.archive.org\/web\/20180615184435\/https:\/www.alienvault.com\/blogs\/labs-research\/more-details-on-the-activex-vulnerability-recently-used-to-target-users-in-south-korea\" target=\"_blank\" rel=\"noopener\">AlienVault<\/a> in 2018 (see Table 3). Akdoor is a detection root name by <a href=\"https:\/\/download.ahnlab.com\/kr\/site\/library\/%5BAnalysis_Report%5DOperation_Kabar_Cobra.pdf\" target=\"_blank\" rel=\"noopener\">Ahnlab<\/a> and usually identifies a North Korea-aligned payload.<\/li>\n<li><span style=\"font-family: courier new, courier, monospace;\">run.vbs<\/span>, a VBScript that executes the trojanized installer and AkdoorTea.<\/li>\n<\/ul>\n<p style=\"break-after: avoid; text-align: center;\"><a name=\"_Ref209435246\"\/><em>Table 3. 
Comparison of variants of AkdoorTea and Akdoor<\/em><\/p>\n<table border=\"1\" width=\"642\" cellspacing=\"0\" cellpadding=\"0\">\n<thead>\n<tr>\n<td width=\"214\">\u00a0<\/td>\n<td width=\"214\"><strong>AkdoorTea 2025<\/strong><\/td>\n<td width=\"214\"><strong>Akdoor 2018<\/strong><\/td>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td width=\"214\"><strong>Distribution name<\/strong><\/td>\n<td width=\"214\"><span style=\"font-family: courier new, courier, monospace;\">drvUpdate.exe<\/span><\/td>\n<td width=\"214\"><span style=\"font-family: courier new, courier, monospace;\">splwow32.exe<\/span>, <span style=\"font-family: courier new, courier, monospace;\">MMDx64Fx.exe<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"214\"><strong>Encryption<\/strong><\/td>\n<td width=\"214\">Base64 + XOR with <span style=\"font-family: courier new, courier, monospace;\">0x49<\/span><\/td>\n<td width=\"214\">Base64 + RC4<\/td>\n<\/tr>\n<tr>\n<td width=\"214\"><strong>Number of supported commands<\/strong><\/td>\n<td width=\"214\">5<\/td>\n<td width=\"214\">4<\/td>\n<\/tr>\n<tr>\n<td width=\"214\"><strong>C&amp;C<\/strong><\/td>\n<td width=\"214\"><span style=\"font-family: courier new, courier, monospace;\">103.231.75[.]101<\/span><\/td>\n<td width=\"214\"><span style=\"font-family: courier new, courier, monospace;\">176.223.112[.]74<\/span><br \/><span style=\"font-family: courier new, courier, monospace;\">164.132.209[.]191<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"214\"><strong>Version<\/strong><\/td>\n<td width=\"214\">01.01<\/td>\n<td width=\"214\">01.01<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>One of the differences between AkdoorTea from 2025 and Akdoor from 2018 is the numbering of commands; see Figure 3. Also, the command name \u201cversion\u201d is called \u201cshi\u201d now.<\/p>\n<figure class=\"image\"><img decoding=\"async\" title=\"Figure 3. 
Version parsing in Akdoor from 2018 and AkdoorTea from 2025\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2025\/09-25\/deceptivedevelopment\/figure-3.png\" alt=\"Figure 3. Version parsing in Akdoor from 2018 and AkdoorTea from 2025\" width=\"\" height=\"\"\/><figcaption><em>Figure 3. Version parsing in Akdoor from 2018 and AkdoorTea from 2025<\/em><\/figcaption><\/figure>\n<h2>North Korean IT workers (aka WageMole)<\/h2>\n<p>While our research into DeceptiveDevelopment is primarily based on data from our telemetry and reverse-engineering the group\u2019s toolset, it is interesting to point out DeceptiveDevelopment\u2019s relations to fraud operations by North Korean IT workers, overlapping with the activity of the <a href=\"https:\/\/cloud.google.com\/blog\/topics\/threat-intelligence\/mitigating-dprk-it-worker-threat\" target=\"_blank\" rel=\"noopener\">UNC5267<\/a> and <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2025\/06\/30\/jasper-sleet-north-korean-remote-it-workers-evolving-tactics-to-infiltrate-organizations\/\" target=\"_blank\" rel=\"noopener\">Jasper Sleet<\/a> threat groups.<\/p>\n<p>IT worker campaigns have been ongoing since at least April 2017, according to an <a href=\"https:\/\/www.fbi.gov\/wanted\/cyber\/dprk-it-workers\/dprk-wanted-8-5x11.pdf\" target=\"_blank\" rel=\"noopener\">FBI wanted poster<\/a>, and have been increasingly prominent in recent years. A <a href=\"https:\/\/ofac.treasury.gov\/media\/923126\/download?inline\">joint advisory<\/a> released in May 2022 describes IT worker campaigns as a coordinated effort by North Korea-aligned individuals to gain employment at overseas companies, whose salaries are then used to help fund the country. 
They have also been known to steal internal company data and use it to extort companies, as stated in an <a href=\"https:\/\/www.ic3.gov\/PSA\/2025\/PSA250123\" target=\"_blank\" rel=\"noopener\">announcement by the FBI<\/a> in January 2025.<\/p>\n<p class=\"MsoNormal\"><span lang=\"EN-US\">In addition to using AI to perform their job tasks, they rely heavily on AI for manipulating photos in their profile pictures and CVs, and even perform face swaps in real-time video interviews to look like the persona they are currently using, as described in more detail in a <a href=\"https:\/\/unit42.paloaltonetworks.com\/north-korean-synthetic-identity-creation\/\" target=\"_blank\" rel=\"noopener\">blogpost by Unit 42<\/a> in April 2025.<\/span><\/p>\n<p>A methodological insight was provided by a <a href=\"https:\/\/reports.dtexsystems.com\/DTEX-Exposing+DPRK+Cyber+Syndicate+and+Hidden+IT+Workforce.pdf\">DTEX report<\/a> in May 2025. The IT workers reportedly operate in a scattered manner, with numerous teams of workers, usually based in foreign countries like China, Russia, and countries in Southeast Asia. Each team works in a slightly different manner, but their end goals and modus operandi are the same \u2013 posing as foreign remote workers with fake documents and CVs, and looking for remote employment or freelance work to gather funds from the salaries.<\/p>\n<h3>Analyzing OSINT data<\/h3>\n<p>Multiple researchers have observed ties and instances of information exchange between these IT workers and DeceptiveDevelopment. In August 2024, the cybersecurity researcher <a href=\"https:\/\/medium.com\/coinmonks\/suspicious-activity-in-github-associated-with-lazarus-group-200868dff910\" target=\"_blank\" rel=\"noopener\">Heiner Garc\u00eda<\/a> published an investigation of how both groups share email accounts or are mutually followed between the GitHub profiles of fake recruiters and IT workers. 
In November 2024, <a href=\"https:\/\/www.zscaler.com\/blogs\/security-research\/pyongyang-your-payroll-rise-north-korean-remote-workers-west\">Zscaler<\/a> confirmed that identities stolen from compromised victims are used by scammers to secure remote jobs. This leads us to assert with medium confidence that although these activities are conducted by two different groups, they are most likely connected and collaborating.<\/p>\n<p>Additionally, we managed to gather publicly available data detailing the inner workings of some of the IT worker teams. We gathered this information from multiple sources (with significant help from <span style=\"font-family: courier new, courier, monospace;\"><span class=\"Code\"><span lang=\"EN-US\">@browsercookies<\/span><\/span><\/span><span lang=\"EN-US\"> on X), among them GitHub profiles belonging to the IT workers, containing publicly accessible internal data and content shared publicly by researchers. These include details of their work assignments, schedules, communication with clients and each other, emails, various pictures used for online profiles (both real and fake), fake CVs, and text templates used when job hunting; due to information sharing agreements, we are not disclosing the specific sources of the data used in our analysis. We dive into these details in our white paper, and provide a compact summary below.<\/span><\/p>\n<p>Analysis of fake CVs and internal materials shows that IT workers initially targeted jobs in the US, but have recently shifted focus to Europe, including France, Poland, Ukraine, and Albania.<\/p>\n<p>Each team is led by a \u201cboss\u201d who sets quotas and coordinates work. Members spend 10\u201316 hours daily acquiring jobs, completing tasks, and self-educating \u2013 mainly in web programming, blockchain, English, and AI integration.<\/p>\n<p>They meticulously track their work and use fake identities, CVs, and portfolios to apply for jobs. 
Communication with employers follows scripted responses to appear qualified.<\/p>\n<p>Additionally, they use premade scripts to recruit real people as proxies, offering them a share of the salary to attend interviews or host work devices in less suspicious countries. In one case, Ukrainian developers were targeted due to perceived hiring advantages.<\/p>\n<h2>Conclusion<\/h2>\n<p>DeceptiveDevelopment\u2019s TTPs illustrate a more distributed, volume-driven model of its operations. Despite often lacking technical sophistication, the group compensates through scale and creative social engineering. Its campaigns demonstrate a pragmatic approach, exploiting open-source tooling, reusing available dark web projects, adapting malware probably rented from other North Korea-aligned groups, and leveraging human vulnerabilities through fake job offers and interview platforms.<\/p>\n<p>The activities of North Korean IT workers constitute a hybrid threat. This fraud-for-hire scheme combines classical criminal operations, such as identity theft and synthetic identity fraud, with digital tools, which classify it as both a traditional crime and a cybercrime (or eCrime). Proxy interviewing poses a severe risk to employers, since an illegitimate employee hired from a sanctioned country may not only be irresponsible or underperforming, but could also evolve into a dangerous insider threat.<\/p>\n<p>Our findings also highlight the blurred lines between targeted APT activity and cybercrime, particularly in the overlap between malware campaigns by DeceptiveDevelopment and the operations of North Korean IT workers. 
These dual-use tactics \u2013 combining cybertheft and cyberespionage with non-cyberspace employment-fraud schemes \u2013 underscore the need for defenders to consider broader threat ecosystems rather than isolated campaigns.<\/p>\n<blockquote>\n<div><em>For any inquiries about our research published on WeLiveSecurity, please contact us at threatintel@eset.com.\u00a0<\/em><\/div>\n<div><em>ESET Research offers private APT intelligence reports and data feeds. For any inquiries about this service, visit the <a href=\"https:\/\/www.eset.com\/int\/business\/services\/threat-intelligence\/?utm_source=welivesecurity.com&amp;utm_medium=referral&amp;utm_campaign=wls-research&amp;utm_content=deceptivedevelopment-from-primitive-crypto-theft-to-sophisticated-ai-based-deception&amp;sfdccampaignid=7011n0000017htTAAQ\" target=\"_blank\" rel=\"noopener\">ESET Threat Intelligence<\/a> page.<\/em><\/div>\n<\/blockquote>\n<h2>IoCs<\/h2>\n<h3>Files<\/h3>\n<p>A comprehensive list of indicators of compromise (IoCs) and samples can be found in <a href=\"https:\/\/github.com\/eset\/malware-ioc\/tree\/master\/deceptivedevelopment\" target=\"_blank\" rel=\"noopener\">our GitHub repository<\/a>.<\/p>\n<table style=\"height: 2722px; width: 781.625px;\" border=\"1\" cellspacing=\"0\" cellpadding=\"0\">\n<thead>\n<tr style=\"height: 50px;\">\n<td style=\"height: 50px; width: 170px;\"><strong>SHA-1<\/strong><\/td>\n<td style=\"height: 50px; width: 156px;\"><strong>Filename<\/strong><\/td>\n<td style=\"height: 50px; width: 156px;\"><strong>Detection<\/strong><\/td>\n<td style=\"height: 50px; width: 295.625px;\"><strong>Description<\/strong><\/td>\n<\/tr>\n<\/thead>\n<tbody>\n<tr style=\"height: 104px;\">\n<td style=\"height: 104px; width: 170px;\"><span style=\"font-family: courier new, courier, monospace;\">E34A43ACEF5AF1E5197D<wbr\/>940B94FC37BC4EFF0B2A<\/span><\/td>\n<td style=\"height: 104px; width: 156px;\"><span style=\"font-family: courier new, courier, 
monospace;\">nvidiadrivers<wbr\/>.zip<\/span><\/td>\n<td style=\"height: 104px; width: 156px;\">WinGo\/DeceptiveDeve<wbr\/>lopment.F<\/td>\n<td style=\"height: 104px; width: 295.625px;\">A trojanized project containing WeaselStore.<\/td>\n<\/tr>\n<tr style=\"height: 104px;\">\n<td style=\"height: 104px; width: 170px;\"><span style=\"font-family: courier new, courier, monospace;\">3405469811BAE511E62C<wbr\/>B0A4062AADB523CAD263<\/span><\/td>\n<td style=\"height: 104px; width: 156px;\"><span style=\"font-family: courier new, courier, monospace;\">VCam1.update<\/span><\/td>\n<td style=\"height: 104px; width: 156px;\">WinGo\/DeceptiveDeve<wbr\/>lopment.F<\/td>\n<td style=\"height: 104px; width: 295.625px;\">A trojanized project containing WeaselStore.<\/td>\n<\/tr>\n<tr style=\"height: 104px;\">\n<td style=\"height: 104px; width: 170px;\"><span style=\"font-family: courier new, courier, monospace;\">C0BAA450C5F3B6AACDE2<wbr\/>807642222F6D22D5B4BB<\/span><\/td>\n<td style=\"height: 104px; width: 156px;\"><span style=\"font-family: courier new, courier, monospace;\">VCam2.update<\/span><\/td>\n<td style=\"height: 104px; width: 156px;\">WinGo\/DeceptiveDeve<wbr\/>lopment.F<\/td>\n<td style=\"height: 104px; width: 295.625px;\">A trojanized project containing WeaselStore.<\/td>\n<\/tr>\n<tr style=\"height: 86px;\">\n<td style=\"height: 86px; width: 170px;\"><span style=\"font-family: courier new, courier, monospace;\">DAFB44DA364926BDAFC7<wbr\/>2D72DBD9DD728067EFBD<\/span><\/td>\n<td style=\"height: 86px; width: 156px;\"><span style=\"font-family: courier new, courier, monospace;\">nvidia.js<\/span><\/td>\n<td style=\"height: 86px; width: 156px;\">JS\/Spy.DeceptiveDeve<wbr\/>lopment.Q<\/td>\n<td style=\"height: 86px; width: 295.625px;\">WeaselStore downloader for Windows.<\/td>\n<\/tr>\n<tr style=\"height: 86px;\">\n<td style=\"height: 86px; width: 170px;\"><span style=\"font-family: courier new, courier, 
monospace;\">015583535D2C8AB710D1<wbr\/>232AA8A72136485DB4EC<\/span><\/td>\n<td style=\"height: 86px; width: 156px;\"><span style=\"font-family: courier new, courier, monospace;\">ffmpeg.sh<\/span><\/td>\n<td style=\"height: 86px; width: 156px;\">OSX\/DeceptiveDeve<wbr\/>lopment.B<\/td>\n<td style=\"height: 86px; width: 295.625px;\">WeaselStore downloader for OSX\/Linux.<\/td>\n<\/tr>\n<tr style=\"height: 86px;\">\n<td style=\"height: 86px; width: 170px;\"><span style=\"font-family: courier new, courier, monospace;\">CDA0F15C9430B6E0FF1A<wbr\/>CDA4D44DA065D547AF1C<\/span><\/td>\n<td style=\"height: 86px; width: 156px;\"><span style=\"font-family: courier new, courier, monospace;\">DriverMinUpdate<\/span><\/td>\n<td style=\"height: 86px; width: 156px;\">OSX\/DeceptiveDeve<wbr\/>lopment.B<\/td>\n<td style=\"height: 86px; width: 295.625px;\">Fake prompt requesting user&#8217;s login on macOS.<\/td>\n<\/tr>\n<tr style=\"height: 104px;\">\n<td style=\"height: 104px; width: 170px;\"><span style=\"font-family: courier new, courier, monospace;\">214F0B10E9474F0F5D32<wbr\/>0158FB71995AF852B216<\/span><\/td>\n<td style=\"height: 104px; width: 156px;\"><span style=\"font-family: courier new, courier, monospace;\">nvidiaupdate<wbr\/>.exe<\/span><\/td>\n<td style=\"height: 104px; width: 156px;\">WinGo\/DeceptiveDeve<wbr\/>lopment.B<\/td>\n<td style=\"height: 104px; width: 295.625px;\">Compiled WeaselStore binary for Windows.<\/td>\n<\/tr>\n<tr style=\"height: 50px;\">\n<td style=\"height: 50px; width: 170px;\"><span style=\"font-family: courier new, courier, monospace;\">4499C80DDA6DBB492F86<wbr\/>67D11D3FFBFEEC7A3926<\/span><\/td>\n<td style=\"height: 50px; width: 156px;\"><span style=\"font-family: courier new, courier, monospace;\">bow<\/span><\/td>\n<td style=\"height: 50px; width: 156px;\">Python\/DeceptiveDeve<wbr\/>lopment.C<\/td>\n<td style=\"height: 50px; width: 295.625px;\">InvisibleFerret.<\/td>\n<\/tr>\n<tr style=\"height: 86px;\">\n<td style=\"height: 86px; width: 
170px;\"><span style=\"font-family: courier new, courier, monospace;\">B20BFBAB8BA732D428AF<wbr\/>BA7A688E6367232B9430<\/span><\/td>\n<td style=\"height: 86px; width: 156px;\">N\/A<\/td>\n<td style=\"height: 86px; width: 156px;\">Python\/DeceptiveDeve<wbr\/>lopment.C<\/td>\n<td style=\"height: 86px; width: 295.625px;\">Browser-data stealer module of InvisibleFerret.<\/td>\n<\/tr>\n<tr style=\"height: 68px;\">\n<td style=\"height: 68px; width: 170px;\"><span style=\"font-family: courier new, courier, monospace;\">C6888FB1DE8423D9AEF9<wbr\/>DDEA6B1C96C939A06CF5<\/span><\/td>\n<td style=\"height: 68px; width: 156px;\"><span style=\"font-family: courier new, courier, monospace;\">Windows Update <wbr\/>Script.pyw<\/span><\/td>\n<td style=\"height: 68px; width: 156px;\">Python\/TsunamiKit.A<\/td>\n<td style=\"height: 68px; width: 295.625px;\">TsunamiInjector.<\/td>\n<\/tr>\n<tr style=\"height: 50px;\">\n<td style=\"height: 50px; width: 170px;\"><span style=\"font-family: courier new, courier, monospace;\">4AAF0473599D7E3A5038<wbr\/>41ED10281FDC186633D2<\/span><\/td>\n<td style=\"height: 50px; width: 156px;\"><span style=\"font-family: courier new, courier, monospace;\">Runtime Broker<wbr\/>.exe<\/span><\/td>\n<td style=\"height: 50px; width: 156px;\">MSIL\/DeceptiveDeve<wbr\/>lopment.A<\/td>\n<td style=\"height: 50px; width: 295.625px;\">TsunamiInstaller.<\/td>\n<\/tr>\n<tr style=\"height: 68px;\">\n<td style=\"height: 68px; width: 170px;\"><span style=\"font-family: courier new, courier, monospace;\">251CF5F4A8E73F8C5F91<wbr\/>071BB043B4AA7F29D519<\/span><\/td>\n<td style=\"height: 68px; width: 156px;\"><span style=\"font-family: courier new, courier, monospace;\">Tsunami Payload<wbr\/>.exe<\/span><\/td>\n<td style=\"height: 68px; width: 156px;\">MSIL\/DeceptiveDeve<wbr\/>lopment.A<\/td>\n<td style=\"height: 68px; width: 295.625px;\">TsunamiClientInstaller.<\/td>\n<\/tr>\n<tr style=\"height: 50px;\">\n<td style=\"height: 50px; width: 170px;\"><span style=\"font-family: 
courier new, courier, monospace;\">D469D1BAA3417080DED7<wbr\/>4CCB9CFB5324BDB88209<\/span><\/td>\n<td style=\"height: 50px; width: 156px;\"><span style=\"font-family: courier new, courier, monospace;\">Tsunami Payload<wbr\/>.dll<\/span><\/td>\n<td style=\"height: 50px; width: 156px;\">MSIL\/DeceptiveDeve<wbr\/>lopment.A<\/td>\n<td style=\"height: 50px; width: 295.625px;\">TsunamiClient.<\/td>\n<\/tr>\n<tr style=\"height: 50px;\">\n<td style=\"height: 50px; width: 170px;\"><span style=\"font-family: courier new, courier, monospace;\">0C0F8152F3462B662318<wbr\/>566CDD2F62D8E350A15E<\/span><\/td>\n<td style=\"height: 50px; width: 156px;\"><span style=\"font-family: courier new, courier, monospace;\">Runtime Broker<wbr\/>.exe<\/span><\/td>\n<td style=\"height: 50px; width: 156px;\">Win64\/Riskware.Tor.A<\/td>\n<td style=\"height: 50px; width: 295.625px;\">Tor Proxy.<\/td>\n<\/tr>\n<tr style=\"height: 140px;\">\n<td style=\"height: 140px; width: 170px;\"><span style=\"font-family: courier new, courier, monospace;\">F42CC34C1CFAA826B962<wbr\/>91E9AF81F1A67620E631<\/span><\/td>\n<td style=\"height: 140px; width: 156px;\"><span style=\"font-family: courier new, courier, monospace;\">autopart.zip<\/span><\/td>\n<td style=\"height: 140px; width: 156px;\">\n<p><span style=\"margin-right: 5px;\">Win64\/DeceptiveDeve<wbr\/>lopment.C<\/span><\/p>\n<p><span style=\"margin-right: 5px;\">JS\/Spy.DeceptiveDeve<wbr\/>lopment.A<\/span><\/p>\n<\/td>\n<td style=\"height: 140px; width: 295.625px;\">A trojanized project containing BeaverTail and a downloader of Tropidoor.<\/td>\n<\/tr>\n<tr style=\"height: 140px;\">\n<td style=\"height: 140px; width: 170px;\"><span style=\"font-family: courier new, courier, monospace;\">02A2CD54948BC0E2F696<wbr\/>DE412266DD59D150D8C5<\/span><\/td>\n<td style=\"height: 140px; width: 156px;\"><span style=\"font-family: courier new, courier, monospace;\">hoodygang.zip<\/span><\/td>\n<td style=\"height: 140px; width: 156px;\">\n<p><span style=\"margin-right: 
5px;\">Win64\/DeceptiveDeve<wbr\/>lopment.C<\/span><\/p>\n<p><span style=\"margin-right: 5px;\">JS\/Spy.DeceptiveDeve<wbr\/>lopment.A<\/span><\/p>\n<\/td>\n<td style=\"height: 140px; width: 295.625px;\">A trojanized project containing BeaverTail and a downloader of Tropidoor.<\/td>\n<\/tr>\n<tr style=\"height: 104px;\">\n<td style=\"height: 104px; width: 170px;\"><span style=\"font-family: courier new, courier, monospace;\">6E787E129215AC153F3A<wbr\/>4C05A3B5198586D32C9A<\/span><\/td>\n<td style=\"height: 104px; width: 156px;\"><span style=\"font-family: courier new, courier, monospace;\">tailwind.con<wbr\/>fig.js<\/span><\/td>\n<td style=\"height: 104px; width: 156px;\">JS\/Spy.DeceptiveDeve<wbr\/>lopment.A<\/td>\n<td style=\"height: 104px; width: 295.625px;\">A trojanized JavaScript containing BeaverTail.<\/td>\n<\/tr>\n<tr style=\"height: 104px;\">\n<td style=\"height: 104px; width: 170px;\"><span style=\"font-family: courier new, courier, monospace;\">FE786EAC26B61743560A<wbr\/>39BFB905E6FB3BB3DA17<\/span><\/td>\n<td style=\"height: 104px; width: 156px;\"><span style=\"font-family: courier new, courier, monospace;\">tailwind.con<wbr\/>fig.js<\/span><\/td>\n<td style=\"height: 104px; width: 156px;\">JS\/Spy.DeceptiveDeve<wbr\/>lopment.A<\/td>\n<td style=\"height: 104px; width: 295.625px;\">A trojanized JavaScript containing BeaverTail.<\/td>\n<\/tr>\n<tr style=\"height: 86px;\">\n<td style=\"height: 86px; width: 170px;\"><span style=\"font-family: courier new, courier, monospace;\">86784A31A2709932FF10<wbr\/>FDC40818B655C68C7215<\/span><\/td>\n<td style=\"height: 86px; width: 156px;\"><span style=\"font-family: courier new, courier, monospace;\">img_layer_gen<wbr\/>erate<wbr\/>.dll<\/span><\/td>\n<td style=\"height: 86px; width: 156px;\">Win64\/DeceptiveDeve<wbr\/>lopment.C<\/td>\n<td style=\"height: 86px; width: 295.625px;\">A downloader of the Tropidoor RAT.<\/td>\n<\/tr>\n<tr style=\"height: 50px;\">\n<td style=\"height: 50px; width: 170px;\"><span 
style=\"font-family: courier new, courier, monospace;\">90378EBD8DB757100A83<wbr\/>3EB8D00CCE13F6C68E64<\/span><\/td>\n<td style=\"height: 50px; width: 156px;\">N\/A<\/td>\n<td style=\"height: 50px; width: 156px;\">Win64\/DeceptiveDeve<wbr\/>lopment.D<\/td>\n<td style=\"height: 50px; width: 295.625px;\">Tropidoor RAT.<\/td>\n<\/tr>\n<tr style=\"height: 104px;\">\n<td style=\"height: 104px; width: 170px;\"><span style=\"font-family: courier new, courier, monospace;\">C86EEDF02B73ADCE0816<wbr\/>4F5C871E643E6A32056B<\/span><\/td>\n<td style=\"height: 104px; width: 156px;\"><span style=\"font-family: courier new, courier, monospace;\">drivfixer.sh<\/span><\/td>\n<td style=\"height: 104px; width: 156px;\">OSX\/DeceptiveDeve<wbr\/>lopment.C<\/td>\n<td style=\"height: 104px; width: 295.625px;\">A trojanized macOS installer and launcher of Node.js.<\/td>\n<\/tr>\n<tr style=\"height: 158px;\">\n<td style=\"height: 158px; width: 170px;\"><span style=\"font-family: courier new, courier, monospace;\">4E4D31C559CA16F8B7D4<wbr\/>9B467AA5D057897AB121<\/span><\/td>\n<td style=\"height: 158px; width: 156px;\"><span style=\"font-family: courier new, courier, monospace;\">ClickFix-1<wbr\/>.bat<\/span><\/td>\n<td style=\"height: 158px; width: 156px;\">PowerShell\/Decepti<wbr\/>veDevelopment.B<\/td>\n<td style=\"height: 158px; width: 295.625px;\">An initial stage on Windows: BAT downloading a malicious <span style=\"font-family: courier new, courier, monospace;\">nvidiaRelease.zip<\/span> archive.<\/td>\n<\/tr>\n<tr style=\"height: 86px;\">\n<td style=\"height: 86px; width: 170px;\"><span style=\"font-family: courier new, courier, monospace;\">A9C94486161C07AE6935<wbr\/>F62CFCC285CD342CDB35<\/span><\/td>\n<td style=\"height: 86px; width: 156px;\"><span style=\"font-family: courier new, courier, monospace;\">driv.zip<\/span><\/td>\n<td style=\"height: 86px; width: 156px;\">\n<p>JS\/Spy.DeceptiveDeve<wbr\/>lopment.A<\/p>\n<p>OSX\/DeceptiveDeve<wbr\/>lopment.C<\/p>\n<\/td>\n<td 
style=\"height: 86px; width: 295.625px;\">A ZIP archive containing BeaverTail.<\/td>\n<\/tr>\n<tr style=\"height: 152px;\">\n<td style=\"height: 152px; width: 170px;\"><span style=\"font-family: courier new, courier, monospace;\">F01932343D7F13FF1094<wbr\/>9BC0EA27C6516F901325<\/span><\/td>\n<td style=\"height: 152px; width: 156px;\"><span style=\"font-family: courier new, courier, monospace;\">nvidiaRelease<wbr\/>.zip<\/span><\/td>\n<td style=\"height: 152px; width: 156px;\">\n<p>JS\/Spy.DeceptiveDeve<wbr\/>lopment.A<\/p>\n<p>Win32\/DeceptiveDeve<wbr\/>lopment.A<\/p>\n<p>VBS\/DeceptiveDeve<wbr\/>lopment.B<\/p>\n<p>BAT\/DeceptiveDeve<wbr\/>lopment.A<\/p>\n<\/td>\n<td style=\"height: 152px; width: 295.625px;\">A ZIP archive containing BeaverTail and AkdoorTea.<\/td>\n<\/tr>\n<tr style=\"height: 140px;\">\n<td style=\"height: 140px; width: 170px;\"><span style=\"font-family: courier new, courier, monospace;\">BD63D5B0E4F2C72CCFBF<wbr\/>318AF291F7E578FB0D90<\/span><\/td>\n<td style=\"height: 140px; width: 156px;\"><span style=\"font-family: courier new, courier, monospace;\">mac-v-j1722<wbr\/>.fixer<\/span><\/td>\n<td style=\"height: 140px; width: 156px;\">OSX\/DeceptiveDeve<wbr\/>lopment.D<\/td>\n<td style=\"height: 140px; width: 295.625px;\">An initial stage on macOS: a bash script that downloads a malicious <span style=\"font-family: courier new, courier, monospace;\">driv.zip<\/span> archive.<\/td>\n<\/tr>\n<tr style=\"height: 140px;\">\n<td style=\"height: 140px; width: 170px;\"><span style=\"font-family: courier new, courier, monospace;\">10C967386460027E7492<wbr\/>B6138502AB61CA828E37<\/span><\/td>\n<td style=\"height: 140px; width: 156px;\"><span style=\"font-family: courier new, courier, monospace;\">main.js<\/span><\/td>\n<td style=\"height: 140px; width: 156px;\">JS\/Spy.DeceptiveDeve<wbr\/>lopment.A<\/td>\n<td style=\"height: 140px; width: 295.625px;\">An obfuscated BeaverTail script, automatically loaded by Node.js.<\/td>\n<\/tr>\n<tr style=\"height: 
104px;\">\n<td style=\"height: 104px; width: 170px;\"><span style=\"font-family: courier new, courier, monospace;\">59BA52C644370B4D627F<wbr\/>0B84C48BDA73D97F1610<\/span><\/td>\n<td style=\"height: 104px; width: 156px;\"><span style=\"font-family: courier new, courier, monospace;\">run.vbs<\/span><\/td>\n<td style=\"height: 104px; width: 156px;\">VBS\/DeceptiveDeve<wbr\/>lopment.B<\/td>\n<td style=\"height: 104px; width: 295.625px;\">A VBScript that executes AkdoorTea and <span style=\"font-family: courier new, courier, monospace;\">shell.bat.<\/span><\/td>\n<\/tr>\n<tr style=\"height: 68px;\">\n<td style=\"height: 68px; width: 170px;\"><span style=\"font-family: courier new, courier, monospace;\">792AFE735D6D356FD30D<wbr\/>2E7D0A693E3906DECCA7<\/span><\/td>\n<td style=\"height: 68px; width: 156px;\"><span style=\"font-family: courier new, courier, monospace;\">drvUpdate.exe<\/span><\/td>\n<td style=\"height: 68px; width: 156px;\">Win32\/DeceptiveDeve<wbr\/>lopment.A<\/td>\n<td style=\"height: 68px; width: 295.625px;\">AkdoorTea, a TCP RAT.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h3>Network<\/h3>\n<table style=\"width: 781px;\" border=\"1\" cellspacing=\"0\" cellpadding=\"0\">\n<thead>\n<tr style=\"height: 21.5px;\">\n<td style=\"width: 162px; height: 21.5px;\"><strong>IP<\/strong><\/td>\n<td style=\"width: 248.625px; height: 21.5px;\"><strong>Domain<\/strong><\/td>\n<td style=\"width: 312.375px; height: 21.5px;\"><strong>Hosting provider<\/strong><\/td>\n<td style=\"width: 54px; height: 21.5px;\"><strong>First seen<\/strong><\/td>\n<td style=\"width: 235px; height: 21.5px;\"><strong>Details<\/strong><\/td>\n<\/tr>\n<\/thead>\n<tbody>\n<tr style=\"height: 41px;\">\n<td style=\"width: 162px; height: 41px;\"><span style=\"font-family: courier new, courier, monospace;\">199.188.200[.]147<\/span><\/td>\n<td style=\"width: 248.625px; height: 41px;\"><span style=\"font-family: courier new, courier, monospace;\">driverservice<wbr\/>s[.]store<\/span><\/td>\n<td 
style=\"width: 312.375px; height: 41px;\">Namecheap, Inc.<\/td>\n<td style=\"width: 54px; height: 41px;\">2025\u201108\u201108<\/td>\n<td style=\"width: 235px; height: 41px;\">Remote storage for DeceptiveDevelopment.<\/td>\n<\/tr>\n<tr style=\"height: 41px;\">\n<td style=\"width: 162px; height: 41px;\"><span style=\"font-family: courier new, courier, monospace;\">116.125.126[.]38<\/span><\/td>\n<td style=\"width: 248.625px; height: 41px;\"><span style=\"font-family: courier new, courier, monospace;\">www.royalsevr<wbr\/>es[.]com<\/span><\/td>\n<td style=\"width: 312.375px; height: 41px;\">SK Broadband Co Ltd<\/td>\n<td style=\"width: 54px; height: 41px;\">2024\u201106\u201125<\/td>\n<td style=\"width: 235px; height: 41px;\">Remote storage for DeceptiveDevelopment.<\/td>\n<\/tr>\n<tr style=\"height: 106px;\">\n<td style=\"width: 162px; height: 106px;\">N\/A<\/td>\n<td style=\"width: 248.625px; height: 106px;\"><span style=\"font-family: courier new, courier, monospace;\">n34kr3z26f3jz<wbr\/>p4ckmwuv5ipqy<wbr\/>atumdxhgjgsmu<wbr\/>cc65jac56khdy<wbr\/>5zqd[.]onion<\/span><\/td>\n<td style=\"width: 312.375px; height: 106px;\">N\/A<\/td>\n<td style=\"width: 54px; height: 106px;\">2023\u201110\u201106<\/td>\n<td style=\"width: 235px; height: 106px;\">TsunamiClient C&amp;C server.<\/td>\n<\/tr>\n<tr style=\"height: 22px;\">\n<td style=\"width: 162px; height: 22px;\"><span style=\"font-family: courier new, courier, monospace;\">103.231.75[.]101<\/span><\/td>\n<td style=\"width: 248.625px; height: 22px;\">N\/A<\/td>\n<td style=\"width: 312.375px; height: 22px;\">THE-HOSTING-MNT<\/td>\n<td style=\"width: 54px; height: 22px;\">2025\u201108\u201110<\/td>\n<td style=\"width: 235px; height: 22px;\">AkdoorTea C&amp;C server.<\/td>\n<\/tr>\n<tr style=\"height: 22px;\">\n<td style=\"width: 162px; height: 22px;\"><span style=\"font-family: courier new, courier, monospace;\">45.159.248[.]110<\/span><\/td>\n<td style=\"width: 248.625px; height: 22px;\">N\/A<\/td>\n<td style=\"width: 
312.375px; height: 22px;\">THE-HOSTING-MNT<\/td>\n<td style=\"width: 54px; height: 22px;\">2025\u201106\u201129<\/td>\n<td style=\"width: 235px; height: 22px;\">BeaverTail C&amp;C server.<\/td>\n<\/tr>\n<tr style=\"height: 41px;\">\n<td style=\"width: 162px; height: 41px;\"><span style=\"font-family: courier new, courier, monospace;\">45.8.146[.]93<\/span><\/td>\n<td style=\"width: 248.625px; height: 41px;\">N\/A<\/td>\n<td style=\"width: 312.375px; height: 41px;\">STARK INDUSTRIES SOLUTIONS LTD<\/td>\n<td style=\"width: 54px; height: 41px;\">2024\u201110\u201126<\/td>\n<td style=\"width: 235px; height: 41px;\">Tropidoor C&amp;C server.<\/td>\n<\/tr>\n<tr style=\"height: 41px;\">\n<td style=\"width: 162px; height: 41px;\"><span style=\"font-family: courier new, courier, monospace;\">86.104.72[.]247<\/span><\/td>\n<td style=\"width: 248.625px; height: 41px;\">N\/A<\/td>\n<td style=\"width: 312.375px; height: 41px;\">STARK INDUSTRIES SOLUTIONS LTD<\/td>\n<td style=\"width: 54px; height: 41px;\">2024\u201110\u201131<\/td>\n<td style=\"width: 235px; height: 41px;\">Tropidoor C&amp;C server.<\/td>\n<\/tr>\n<tr style=\"height: 41px;\">\n<td style=\"width: 162px; height: 41px;\"><span style=\"font-family: courier new, courier, monospace;\">103.35.190[.]170<\/span><\/td>\n<td style=\"width: 248.625px; height: 41px;\">N\/A<\/td>\n<td style=\"width: 312.375px; height: 41px;\">STARK INDUSTRIES SOLUTIONS LTD<\/td>\n<td style=\"width: 54px; height: 41px;\">2024\u201106\u201124<\/td>\n<td style=\"width: 235px; height: 41px;\">Tropidoor C&amp;C server.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h2>MITRE ATT&amp;CK techniques<\/h2>\n<p>This table was built using <a href=\"https:\/\/attack.mitre.org\/resources\/versions\/\">version 17<\/a> of the MITRE ATT&amp;CK framework.<\/p>\n<table border=\"1\" width=\"642\" cellspacing=\"0\" cellpadding=\"0\">\n<thead>\n<tr>\n<td width=\"113\"><strong>Tactic<\/strong><\/td>\n<td width=\"113\"><strong>ID<\/strong><\/td>\n<td 
width=\"151\"><strong>Name<\/strong><\/td>\n<td width=\"265\"><strong>Description<\/strong><\/td>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td width=\"113\"><strong>Reconnaissance<\/strong><\/td>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1589\">T1589<\/a><\/td>\n<td width=\"151\">Gather Victim Identity Information<\/td>\n<td width=\"265\">DeceptiveDevelopment steals victims&#8217; credentials to be used by WageMole in subsequent social engineering.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><strong>Resource Development<\/strong><\/td>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1585\/001\">T1585.001<\/a><\/td>\n<td width=\"151\">Establish Accounts: Social Media Accounts<\/td>\n<td width=\"265\">Fake recruiter accounts created on LinkedIn, Upwork, Freelancer.com, etc.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\">\u00a0<\/td>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1586\">T1586<\/a><\/td>\n<td width=\"151\">Compromise Accounts<\/td>\n<td width=\"265\">Hijacked GitHub and social media accounts used to distribute malware.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><strong>Initial Access<\/strong><\/td>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1566\/001\">T1566.001<\/a><\/td>\n<td width=\"151\">Phishing: Spearphishing Attachment<\/td>\n<td width=\"265\">Fake job offers include attachments or links to malicious projects.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\">\u00a0<\/td>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1566\/002\">T1566.002<\/a><\/td>\n<td width=\"151\">Phishing: Spearphishing Link<\/td>\n<td width=\"265\">ClickFix technique uses deceptive links to fake troubleshooting guides.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><strong>Execution<\/strong><\/td>\n<td width=\"113\"><a 
href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1204\/001\">T1204.001<\/a><\/td>\n<td width=\"151\">User Execution: Malicious Link<\/td>\n<td width=\"265\">Victims are lured to fake job interview sites (e.g., ClickFix) that initiate malware download.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\">\u00a0<\/td>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1204\/002\">T1204.002<\/a><\/td>\n<td width=\"151\">User Execution: Malicious File<\/td>\n<td width=\"265\">Trojanized coding challenges contain variants of BeaverTail.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\">\u00a0<\/td>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1059\">T1059<\/a><\/td>\n<td width=\"151\">Command and Scripting Interpreter<\/td>\n<td width=\"265\">DeceptiveDevelopment uses VBS, Python, JavaScript, and shell commands for execution.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><strong>Defense Evasion<\/strong><\/td>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1078\">T1078<\/a><\/td>\n<td width=\"151\">Valid Accounts<\/td>\n<td width=\"265\">WageMole reuses stolen identities and credentials, especially for fake recruiter and GitHub accounts.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\">\u00a0<\/td>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1027\">T1027<\/a><\/td>\n<td width=\"151\">Obfuscated Files or Information<\/td>\n<td width=\"265\">Obfuscated malicious scripts are hidden in long comments or outside IDE view.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\">\u00a0<\/td>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1055\">T1055<\/a><\/td>\n<td width=\"151\">Process Injection<\/td>\n<td width=\"265\">TsunamiKit uses injection techniques in its execution chain.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\">\u00a0<\/td>\n<td width=\"113\"><a 
href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1036\">T1036<\/a><\/td>\n<td width=\"151\">Masquerading<\/td>\n<td width=\"265\">Malware disguised as legitimate software (e.g., conferencing tools, NVIDIA installers).<\/td>\n<\/tr>\n<tr>\n<td width=\"113\">\u00a0<\/td>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1497\">T1497<\/a><\/td>\n<td width=\"151\">Virtualization\/Sandbox Evasion<\/td>\n<td width=\"265\">TsunamiKit includes environment checks and obfuscation to evade analysis.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><strong>Collection<\/strong><\/td>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1056\/001\">T1056.001<\/a><\/td>\n<td width=\"151\">Input Capture: Keylogging<\/td>\n<td width=\"265\">InvisibleFerret includes clipboard and keylogging modules.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><strong>Command and Control<\/strong><\/td>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1071\/001\">T1071.001<\/a><\/td>\n<td width=\"151\">Application Layer Protocol: Web Protocols<\/td>\n<td width=\"265\">AkdoorTea, BeaverTail, and Tropidoor communicate with C&amp;C servers over HTTP\/S.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\">\u00a0<\/td>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v17\/techniques\/T1105\">T1105<\/a><\/td>\n<td width=\"151\">Ingress Tool Transfer<\/td>\n<td width=\"265\">BeaverTail downloads second-stage payloads like InvisibleFerret, TsunamiKit, or Tropidoor.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><a href=\"https:\/\/www.eset.com\/int\/business\/services\/threat-intelligence\/?utm_source=welivesecurity.com&amp;utm_medium=referral&amp;utm_campaign=wls-research&amp;utm_content=deceptivedevelopment-from-primitive-crypto-theft-to-sophisticated-ai-based-deception&amp;sfdccampaignid=7011n0000017htTAAQ\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" 
src=\"https:\/\/web-assets.esetstatic.com\/wls\/eti-eset-threat-intelligence.png\" alt=\"\" width=\"915\" height=\"296\"\/><\/a><\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>This blogpost introduces our latest white paper, presented at Virus Bulletin 2025, where we detail the operations of<\/p>\n","protected":false},"author":1,"featured_media":238,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[],"class_list":["post-237","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security"],"_links":{"self":[{"href":"https:\/\/escudodigital.uy\/index.php\/wp-json\/wp\/v2\/posts\/237","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/escudodigital.uy\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/escudodigital.uy\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/escudodigital.uy\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/escudodigital.uy\/index.php\/wp-json\/wp\/v2\/comments?post=237"}],"version-history":[{"count":0,"href":"https:\/\/escudodigital.uy\/index.php\/wp-json\/wp\/v2\/posts\/237\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/escudodigital.uy\/index.php\/wp-json\/wp\/v2\/media\/238"}],"wp:attachment":[{"href":"https:\/\/escudodigital.uy\/index.php\/wp-json\/wp\/v2\/media?parent=237"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/escudodigital.uy\/index.php\/wp-json\/wp\/v2\/categories?post=237"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/escudodigital.uy\/index.php\/wp-json\/wp\/v2\/tags?post=237"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}