deceptivedevelopment
DeceptiveDevelopment is a North Korean state-sponsored threat actor specializing in elaborate fake IT job recruitment scams. The group targets job seekers globally, particularly in the cryptocurrency and finance sectors, using social engineering on platforms such as LinkedIn, Upwork, Freelancer, and Crypto Jobs List. Victims are lured with fake job opportunities and subjected to staged interviews, during which they are tricked into running malicious terminal commands (the 'ClickFix' tactic) or downloading trojanized code from private repositories. The campaign targets Windows, macOS, and Linux systems.

DeceptiveDevelopment employs a multi-stage attack chain, deploying payloads such as BeaverTail (and its JavaScript variant OtterCookie) to steal browser credentials and crypto wallet data, InvisibleFerret (a modular Python backdoor with stealer, payload, clipboard, and remote access components), and Tropidoor, a sophisticated backdoor sharing code with Lazarus Group's PostNapTea malware. The group also uses AkdoorTea, a Windows remote-access payload leveraging legitimate Nvidia components and a trojanized Node.js installer. ESET researchers have observed a 500% increase in ClickFix attacks in the first half of the year.

DeceptiveDevelopment is tracked as distinct from the Lazarus Group but shares malware code and technical sophistication, indicating collaboration or code sharing within North Korean cyber operations. The group hands off stolen information to a related actor, WageMole, which poses as job seekers to further the campaign's objectives. The campaign is ongoing, with evolving tooling and infrastructure, and is part of broader North Korean efforts to support fraudulent IT worker schemes and financial theft. The U.S. Department of Justice has taken coordinated action against these operations, including indictments, arrests, and asset seizures.
Recent activity
DeceptiveDevelopment is conducting social engineering campaigns targeting job seekers to steal data and support North Korea’s fraudulent IT worker operations. They use fake recruiter profiles and job offers to lure victims into downloading trojanized code or executing malicious commands.
DeceptiveDevelopment is a North Korean threat actor known for posing as recruiters and using fake job offers to social engineer developers into downloading malware. They target Windows, macOS, and Linux users, primarily through social engineering on LinkedIn and freelance marketplaces. Their campaigns involve staged pre-interviews and technical tests that trick victims into running malicious terminal commands, leading to credential and crypto wallet theft, and remote access.
North Korean group using fake job listings and social engineering to distribute malware targeting cryptocurrency, blockchain, and finance sectors.