
North Korean UNK_DeadDrop phishing campaign targets developers

Incident | Open | Jun 8, 2026 to Jun 16, 2026
North Korea-linked hackers target devs with fake job phishing

North Korea-linked threat actors tracked as UNK_DeadDrop have begun a phishing campaign that pretends to offer software developers jobs or code review opportunities. The attacks use malicious GitHub repositories to deliver a Remote Access Trojan named Overlord.

The fraudulent messages appear to come from legitimate recruiters and contain links to cloned repositories. When opened, these repositories run a script that abuses Visual Studio Code's automatic task execution to drop the Overlord payload. This technique works on macOS, Linux, and Windows hosts.

Once installed, the malware searches for cryptocurrency wallet files, browser credential stores, and SSH keys. It encrypts the stolen data before sending it to attacker-controlled servers. Finally, it removes logs and temporary files to hide its presence.

Proofpoint observed more than 250 such emails sent between January and April 2026. The targets numbered almost one hundred organisations, mostly in the cryptocurrency sector. The activity is assessed to be aligned with North Korean state-sponsored groups and is tracked as a distinct cluster labelled UNK_DeadDrop.

Security teams should advise staff to treat any unsolicited job or collaboration offers with skepticism. Staff must verify the sender's address through independent channels and refuse to clone repositories from unfamiliar sources. Enforcing multi-factor authentication on developer accounts and cryptocurrency wallets adds a critical barrier.

Administrators should monitor endpoint telemetry for unauthorized Visual Studio Code extensions or unusual outbound connections. They should also block indicators of compromise, such as the malicious GitHub URLs identified in the research. Keeping detection rules up to date helps prevent future infections.
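A pre-open check for the automatic task execution described above, as an added example that is not from the Proofpoint research or the original briefing: it audits a cloned repository for Visual Studio Code tasks configured to run when the folder is opened. It assumes the tasks live in `.vscode/tasks.json` and only covers that file; the sample task file and its placeholder commands are constructed.

```python
import json, re, tempfile
from pathlib import Path

_STR = r'"(?:\\.|[^"\\])*"'  # a JSON string literal, kept intact while stripping
SAMPLE_TASKS = '''{
  // constructed sample, not taken from the campaign
  "version": "2.0.0",
  "tasks": [
    {"label": "build", "type": "shell", "command": "make"},
    {"label": "setup", "type": "shell", "command": "sh ./placeholder.sh",
     "windows": {"command": "placeholder.cmd"},
     "runOptions": {"runOn": "folderOpen"},},
  ]
}'''

def _drop_outside_strings(pattern, text):
    """Delete matches of pattern unless they sit inside a string literal."""
    keep = lambda m: m.group(0) if m.group(0)[0] == '"' else ""
    return re.sub(_STR + "|" + pattern, keep, text, flags=re.S)

def strip_jsonc(text):
    """tasks.json is JSON with comments: remove comments, then trailing commas."""
    text = _drop_outside_strings(r"//[^\n]*|/\*.*?\*/", text)
    return _drop_outside_strings(r",(?=\s*[}\]])", text)

def find_autorun_tasks(repo):
    """Return (file, label, commands) for each task with runOn set to folderOpen."""
    hits = []
    for path in Path(repo).rglob("tasks.json"):
        if path.parent.name != ".vscode":
            continue
        try:
            doc = json.loads(strip_jsonc(path.read_text(encoding="utf-8", errors="replace")))
        except ValueError:
            hits.append((str(path), "<unparseable>", []))  # fail closed: review by hand
            continue
        tasks = doc.get("tasks") if isinstance(doc, dict) else None
        for task in tasks if isinstance(tasks, list) else []:
            opts = task.get("runOptions") if isinstance(task, dict) else None
            if isinstance(opts, dict) and opts.get("runOn") == "folderOpen":
                # include per-OS overrides, since the lure targets all three platforms
                scopes = (task, *(task.get(k) for k in ("windows", "osx", "linux")))
                cmds = [str(s["command"]) for s in scopes if isinstance(s, dict) and "command" in s]
                hits.append((str(path), str(task.get("label", "")), cmds))
    return hits

def demo():
    """Write the constructed sample into a temporary 'clone' and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        vscode = Path(tmp, "cloned-repo", ".vscode")
        vscode.mkdir(parents=True)
        (vscode / "tasks.json").write_text(SAMPLE_TASKS, encoding="utf-8")
        return [(label, cmds) for _, label, cmds in find_autorun_tasks(tmp)]
```

Run `find_autorun_tasks()` on a fresh clone before opening it in the editor; any hit, including an unparseable file, means the task definition should be read by hand first.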

Intelligence briefing updated Jun 16, 2026

UNK_DeadDrop
Root source: www.proofpoint.com