UNK_DeadDrop blasts 250+ fake developer offers in 6 weeks to steal crypto and credentials
Proofpoint links a North Korea-aligned phishing cluster to industrialized repo lures and wallet/credential exfiltration.

Proofpoint Threat Research tracked a North Korea-aligned phishing crew it calls UNK_DeadDrop, sending 250+ recruitment-themed emails across nearly 100 organizations over six weeks in April and May. The campaign targets developer credentials and cryptocurrency wallets via attacker-controlled GitHub repositories and cross-platform malware.
A North Korea-aligned phishing operation dubbed UNK_DeadDrop sent more than 250 emails in just six weeks in April and May, reaching people in almost 100 organizations. And the scam is not subtle. It uses developer recruitment lures, disguised GitHub repositories, and a multi-stage payload to steal both cryptocurrency wallets and developers’ credentials.
Proofpoint threat researchers say the targets got unsolicited job offer or code review messages, often spoofing real companies, then were instructed to clone attacker-controlled GitHub repos and open them in code editors like VS Code or Cursor. In other words, the “application” process is the malware delivery mechanism. Researchers also highlight that UNK_DeadDrop differs from earlier DPRK-linked campaigns such as Contagious Interview, shifting from interview-themed social engineering to higher-volume email outreach and moving to links that lead victims to malicious repositories.
This matters for decision-makers because it hits the developer supply chain where organizations are weakest: identity, endpoints, and workflow trust. Developers typically have broad access, can install tooling, and live inside IDEs that make “open and run” feel routine. When attackers disguise malicious repos as coding assignments, cryptocurrency-related projects, or fixes tied to a potential job offer, they get a double win. First, they reduce suspicion by blending into normal dev behavior. Second, they can pivot from a single user entry point into credential theft and crypto wallet exfiltration.
Proofpoint says the campaign starts with emails that appear to originate from real organizations, using attacker-owned sender domains. The spoofed companies include Ondo Finance, Empower Pharmacy, NXLog, OnePlan, Hypen Connect, Valon, and Nourish. The message themes are consistent across attempts: roles like “Full-Stack Engineer” and “Agent Lead Developer,” plus links to GitHub repositories that look like legitimate coding tasks. The victim is told to clone the repository and open it in an integrated development environment, where a pre-configured task silently executes and triggers a platform-specific loader.
The “unseen” part of these attacks is how quickly the payload executes after the developer opens the folder. Proofpoint describes a chain that runs on macOS, Linux, and Windows. The loader decodes embedded payloads for the victim’s platform and installs a malicious VS Code extension (VSIX) masquerading as a legitimate Google service. On macOS and Linux, the VSIX activates when the user opens the code editor and relaunches the infection chain if it is not already running, which effectively turns a routine development habit into persistence. Proofpoint notes the persistence mechanism does not work on Windows.
From there, the next stage splits by platform while using the same command-and-control infrastructure and exfiltration endpoints. For Linux and macOS, the malware uses a native Go binary based on the open-source Overlord C2 framework, described by researchers as a legitimate red-team tool that automates covert infrastructure setup and management and orchestrates post-exploitation activities. For UNK_DeadDrop, Proofpoint says North Korea-aligned operators added modules including browserlogin (Chrome and Firefox credential theft), companywallet (crypto-wallet stealer and exfiltration), and cleanup (anti-forensic removal of workspace artifacts).
On macOS, Proofpoint reports the malware collects wallet extension data, browser profile artifacts, and standalone wallet directories, compresses them into a ZIP, and uploads them to the C2 server. Five minutes later, it proceeds to credential theft, using a second embedded Mach-O binary that shows a fake system dialog prompting the user to enter their password. Proofpoint says the process validates the credentials, then modifies keychain access-control lists across many Chromium-based browsers, including Chrome, Brave, Edge, Opera, Vivaldi, Arc, Yandex, and others. It extracts Safe Storage keys and sends the stolen credentials, Safe Storage keys, and keychain data to the attacker-controlled server. The backdoor also relaunches itself as root using the stolen password. Linux follows a similar logic, first scooping up wallet-related data and uploading it as a ZIP, then using Zenity to prompt for credentials and attempting password theft from GNOME Keyring by spawning a Python 3 process per browser.
Windows uses a different approach: Proofpoint says the attack runs entirely as JavaScript inside the editor’s Electron process, which appears as Code.exe. The malware first targets wallet information across 35 wallet extension IDs, including MetaMask, Phantom, Rabby, Keplr, and others, plus 18 standalone wallet applications such as Exodus, Electrum, Ledger Live, Monero, Solana CLI, and Bitcoin, and also Firefox profiles. It then installs Python and runs a stealer script, collect_malware.py, against each browser profile to collect credentials across Chromium and Firefox. Proofpoint adds that it steals cookies from Chrome, Edge, and Brave and uses the COM Elevation Moniker to access credentials protected by App-Bound Encryption. It attempts to read locked databases using five cascading fallback methods, uploads the secrets to the same endpoint, then terminates.
The campaign also evolved midstream. In May, Proofpoint says attackers shifted from unsolicited job offers and moved into peer-review requests on open-source projects, where a potential job offer is tied to suggested fixes. Researchers cite emails purportedly coming from cryptocurrency trading or prediction companies including Pulsynk and Trixauvex. Another late-May UNK_DeadDrop campaign targeted finance and technology companies with a request to test an ERC-4626 vault in Foundry, a toolkit for Ethereum and smart contract development. Across these themes, Proofpoint concludes the activity suggests North Korea-aligned operations targeting developers for financial gain are maturing and evolving, including industrializing and scaling recruitment-themed phishing email volumes.
For boards and executives, the second-order implication is ugly but straightforward: even organizations with “good enough” security around generic phishing can still lose when the lure lands in the developer workflow. When the delivery mechanism is a fake repo plus an IDE extension plus wallet and credential theft modules across operating systems, incident response becomes reactive, and trust in internal development processes becomes a security boundary. UNK_DeadDrop is a reminder that credential theft and crypto theft are not separate threats anymore. They are often one chain.