Freelance developers around the world are being targeted by North Korean bad actors posing as job recruiters who, as part of a fake application process, entice them to run software projects that actually compromise their systems with infostealer malware.
Hundreds of developers, ranging from junior programmers to long-time, experienced professionals, have fallen victim over the past year to an operation that researchers at cybersecurity firm ESET are calling DeceptiveDevelopment.
The unknown bad actors behind the activity cluster target developers working on Windows, Linux, and macOS who are primarily involved in cryptocurrency and decentralized finance projects, ESET malware researcher Matěj Harvánek wrote in a report. The hackers are mostly stealing crypto wallets, though cyberespionage could be involved as well, since they also grab login information from browsers and password managers.
“As part of a fake job interview process, the DeceptiveDevelopment operators ask their targets to do a coding test, such as adding a feature to an existing project, with the files necessary for the task usually hosted on private repositories on GitHub or other similar platforms,” Harvánek wrote. “Unfortunately for the eager work candidate, these files are trojanized: Once they download and execute the project, the victim’s computer gets compromised with the operation’s first-stage malware, BeaverTail.”
BeaverTail, a downloader and infostealer malware, is one of two the bad actors use. The other is InvisibleFerret, another infostealer and remote access trojan (RAT).
Long History of IT Worker Scams
DeceptiveDevelopment, which has been active since at least November 2023 and which ESET first picked up on last year, is one of a broad array of money-making operations run by threat actors aligned with the North Korean regime that involve fake job offers and IT workers, either luring developers into similar schemes or convincing IT companies to unwittingly hire one of their operatives as a remote IT worker.
Many of these and other threat campaigns that North Korean operatives run are aimed at sending stolen information and money back home, allowing the rogue nation to bypass international sanctions and help pay for its nuclear and other weapons programs. They have been successful, stealing $1.34 billion in crypto last year, according to blockchain analysis firm Chainalysis.
ESET first came across DeceptiveDevelopment after discovering trojanized projects on GitHub. The projects hid the malicious code at the end of long comments, which kept the code off the screen. They deliver both BeaverTail and InvisibleFerret and connect to a command-and-control (C2) server.
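The concealment trick described above (payload pushed past the right edge of the editor, behind a long comment and a run of whitespace) is something a developer can check for before building a project handed over by a stranger. The scanner below is an added example written for this article; it is not ESET's code and does not reproduce the actual DeceptiveDevelopment samples. The screen-width threshold, the whitespace-gap size, the token list and the sample JavaScript are all constructed assumptions that a reader would tune for their own editor and languages.

```python
"""Flag source lines that hide content beyond the visible screen width.

Added example, not ESET's tooling. Thresholds, token list and the
sample input are constructed for illustration.
"""
import re
import sys
from dataclasses import dataclass
from pathlib import Path
from typing import Iterable, List

# Line prefixes treated as "this line looks like a comment on screen"
# (JavaScript/TypeScript, Python, shell, SQL). Assumed list.
COMMENT_STARTS = ("//", "#", "/*", "*", "--")

# Tokens that rarely belong in a comment; worth a look when they sit
# past the right edge. Constructed list, extend as needed.
SUSPICIOUS_TOKENS = re.compile(
    r"eval\(|require\(|exec\(|Function\(|fetch\(|child_process|atob\(|fromCharCode|base64"
)


@dataclass
class Finding:
    line_no: int
    column: int          # column where the hidden content begins
    visible_prefix: str  # what the developer sees on screen
    hidden_tail: str     # what sits past the right edge
    reason: str


def scan_source(text: str, visible_cols: int = 120, min_gap: int = 30) -> List[Finding]:
    """Report lines whose payload is pushed past `visible_cols`.

    Either heuristic is enough to report a line:
      1. the line starts as a comment, and a run of at least `min_gap`
         spaces/tabs ends at or beyond `visible_cols` with non-blank
         content after it;
      2. a suspicious token appears beyond `visible_cols`.
    Long comment lines with neither property are not reported.
    """
    gap_re = re.compile(r"[ \t]{%d,}" % min_gap)
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if len(line) <= visible_cols:
            continue
        tail = line[visible_cols:]
        reasons: List[str] = []
        hidden_from = None

        gap = gap_re.search(line)
        if (line.lstrip().startswith(COMMENT_STARTS)
                and gap is not None
                and gap.end() >= visible_cols
                and line[gap.end():].strip()):
            reasons.append("code after a long whitespace gap on a comment line")
            hidden_from = gap.end()

        tok = SUSPICIOUS_TOKENS.search(tail)
        if tok is not None:
            reasons.append(f"suspicious token {tok.group(0)!r} beyond column {visible_cols}")
            if hidden_from is None:
                hidden_from = visible_cols + tok.start()

        if reasons:
            findings.append(Finding(
                line_no=line_no,
                column=hidden_from,
                visible_prefix=line[:60].rstrip(),
                hidden_tail=line[hidden_from:].strip()[:80],
                reason="; ".join(reasons),
            ))
    return findings


def iter_files(paths: Iterable[Path]) -> Iterable[Path]:
    """Expand directories recursively; plain files pass through."""
    for p in paths:
        if p.is_dir():
            yield from (q for q in p.rglob("*") if q.is_file())
        else:
            yield p


def scan_file(path: Path, **kwargs) -> List[Finding]:
    return scan_source(path.read_text(encoding="utf-8", errors="replace"), **kwargs)


# Constructed sample: a trojanized-looking config with one hidden tail and one
# long but harmless comment that must NOT be reported.
SAMPLE_JS = "\n".join([
    "const express = require('express');",
    "// load config" + " " * 200 + "require('child_process').exec(atob('BASE64_PLACEHOLDER'));",
    "// " + "a long but harmless comment that simply wraps in the editor " * 3,
    "module.exports = app;",
])


def main(argv: List[str]) -> int:
    if len(argv) > 1:
        results = [(p, f) for p in iter_files(Path(a) for a in argv[1:]) for f in scan_file(p)]
    else:
        results = [(Path("<sample>"), f) for f in scan_source(SAMPLE_JS)]
    for path, f in results:
        print(f"{path}:{f.line_no}:{f.column}: {f.reason}")
        print(f"    visible: {f.visible_prefix!r}")
        print(f"    hidden : {f.hidden_tail!r}")
    return 1 if results else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with no arguments to scan the embedded sample, or pass files or directories to scan a checked-out repository before running any build step. A non-zero exit code makes it easy to wire into a pre-build hook; the whitespace-gap heuristic catches the exact layout this article describes, and the token check catches payloads that were simply placed far to the right without padding.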
Finding Victims on Social Media
The bad actors use fake recruiter profiles – either profiles they created or existing people's profiles they modified – on social media, including LinkedIn, Upwork, Freelancer.com and Crypto Jobs List. The tactics echo another fake job offer scam, Operation DreamJob, run by the high-profile North Korean Lazarus Group and targeting defense and aerospace engineers.
“The most commonly observed compromise vector consists of the fake recruiter providing the victim with a trojanized project under the guise of a hiring challenge or helping the ‘recruiter’ fix a bug for a financial reward,” Harvánek wrote.
Victims access the project files either through a file transfer on the site or via a link to a repository on GitHub, GitLab, or Bitbucket. After downloading the files, they are asked to complete tasks, such as adding features or fixing bugs, and report back to the recruiter. They are also told to build and execute the project to test it, which launches the initial compromise.
The repositories used are private and the recruiters ask victims to provide their account ID or email address to access them.
The trojanized projects are hiring challenges, crypto projects, games with blockchain functionality, or gambling applications, also with blockchain and crypto features.
Malicious Code in Conferencing Software
“Another compromise vector we observed consisted of the fake recruiter inviting the victim to a job interview using an online conferencing platform and providing a link to a website from which the necessary conferencing software can be downloaded,” the researcher wrote. “The website is usually a clone of an existing conferencing platform’s website.”
BeaverTail steals login information from browser databases and downloads InvisibleFerret, a Python-based malware that includes spyware and backdoor components. It can also download the legitimate AnyDesk remote management and monitoring software. Both have been documented by other cybersecurity firms, including Zscaler, Palo Alto Networks’ Unit 42, and Group-IB.
Harvánek said ESET also discovered an updated version of InvisibleFerret, used since August 2024 and now presented as a single large script file – rather than being separated into individual modules – and with some code modifications to enhance support for macOS, such as collecting the username as well as the hostname of the system.
“We observed [DeceptiveDevelopment] go from primitive tools and techniques to more advanced and capable malware, as well as more polished techniques to lure in victims and deploy the malware,” he wrote. “Any online job-hunting and freelancing platform can be at risk of being abused for malware distribution by fake recruiters.”
He expects the activity to continue, with DeceptiveDevelopment continuing to develop its tools and finding additional ways to target cryptocurrency users.