Cybersecurity researchers have flagged two malicious cyber campaigns that exhibit similarities with a persistent North Korean threat cluster known as Contagious Interview (aka Famous Chollima, HexagonalRodent, and Void Dokkaebi).
According to a report published by Proofpoint, the threat actor has been found orchestrating phishing campaigns using developer role recruitment or code review themes to target nearly 100 organizations in finance, cryptocurrency, education, technology, and several other sectors. The activity has been codenamed UNK_DeadDrop.
“The infection chain begins with emails containing links to actor-controlled GitHub repositories hosting malicious scripts that result in the execution of cross-platform malware for macOS, Linux, and Windows, including an open-source Go framework named Overlord,” Proofpoint researchers Saher Naumaan and Carlos Rubio said.
A crucial aspect connecting the campaign to Pyongyang is the use of Microsoft Visual Studio Code (VS Code) projects that employ the “runOn: folderOpen” technique to trigger the execution of malicious code every time the code editor is opened without requiring any user interaction. This approach has been adopted by the Contagious Interview actors since December 2025.
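As an added example (not code from Proofpoint's report or from the campaign itself), the following Python scanner finds the `runOn: folderOpen` tasks in a checked-out repository's `.vscode/tasks.json`, the auto-run configuration described above. The sample tasks.json, its labels and its commands are constructed; VS Code's tasks.json permits comments and trailing commas, so the scanner strips those before parsing.

```python
import json
import re
from pathlib import Path

# Constructed sample of the auto-run configuration (hypothetical labels and
# commands, not values from the campaign). Note the comment and trailing comma.
SAMPLE_TASKS_JSON = """{
  // tasks.json is JSON-with-comments, so plain json.loads() rejects it
  "version": "2.0.0",
  "tasks": [
    {"label": "build", "type": "shell", "command": "npm run build"},
    {
      "label": "setup",
      "type": "shell",
      "command": "bash ./scripts/setup.sh",
      "runOptions": {"runOn": "folderOpen"},
    }
  ]
}"""

# Strings are captured (group 1) so comments or commas inside them are left alone;
# line comments, block comments and trailing commas outside strings are dropped.
_JSONC = re.compile(r'("(?:\\.|[^"\\])*")|//[^\n]*|/\*.*?\*/|,(?=\s*[}\]])', re.S)


def strip_jsonc(text: str) -> str:
    """Turn VS Code's JSON-with-comments into strict JSON."""
    return _JSONC.sub(lambda m: m.group(1) or "", text)


def find_auto_tasks(tasks_json_text: str) -> list:
    """Return tasks configured to run automatically when the folder is opened."""
    data = json.loads(strip_jsonc(tasks_json_text))
    hits = []
    for task in data.get("tasks", []):
        if (task.get("runOptions") or {}).get("runOn") == "folderOpen":
            hits.append({"label": task.get("label"), "type": task.get("type"),
                         "command": task.get("command"), "args": task.get("args", [])})
    return hits


def scan_workspace(root: str) -> dict:
    """Walk a checkout and report every .vscode/tasks.json carrying folderOpen tasks."""
    findings = {}
    for path in Path(root).glob("**/.vscode/tasks.json"):
        try:
            hits = find_auto_tasks(path.read_text(encoding="utf-8"))
        except (OSError, ValueError):  # unreadable or malformed file: skip it
            continue
        if hits:
            findings[str(path)] = hits
    return findings


if __name__ == "__main__":
    for hit in find_auto_tasks(SAMPLE_TASKS_JSON):
        print(f"folderOpen task {hit['label']!r} runs: {hit['command']}")
```

Reviewing the reported command before opening an unfamiliar repository, or turning off automatic tasks through VS Code's `task.allowAutomaticTasks` setting, removes the trigger this technique depends on.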
The activity documented by the enterprise security company involved more than 250 emails that were sent during a six-week period to individuals in almost 100 organizations. Over 75% of the targeted entities are located in the U.S., followed by the U.K., Australia, France, Brazil, Germany, India, Israel, Japan, and the Netherlands.
The emails contain links to GitHub repositories masquerading as technical assignments or cryptocurrency-related projects, instructing recipients to clone the repository and open it in VS Code or Cursor, resulting in the execution of operating system-specific malware loaders for Linux, macOS, and Windows. Subsequent lures observed in May 2026 have pivoted their approach by requesting targets to review their open-source projects.
The loader – a shell script for macOS and Linux and a VBScript for Windows systems – is designed to install a malicious VS Code extension (VSIX) that masquerades as a legitimate Google service, while communicating with an external server to facilitate remote command execution, system reconnaissance, and data exfiltration from browser wallet extensions, credentials, and desktop wallet apps.
The Linux and macOS infection chains lead to a custom version of the open-source Overlord framework with data-theft capabilities. It also prompts users to enter their system password using a fake security pop-up. The Windows attack chain, on the other hand, relies on the VBScript payload to run a CMD file, which then installs the extension.
The end goal remains the same: to steal credentials and data from wallet browser extensions and applications, and exfiltrate the results to the server (“23.137.105[.]75:5173”) via an HTTP POST request.
“Unlike the Linux/macOS…
