ESET Research's Deep Dive Into Deceptivedevelopment, North Korean Crypto Theft Via Fake Job Offers

• ESET Research released a deep dive report into the activities of the DeceptiveDevelopment threat group and North Korean IT workers, which are considered tightly bound.
• The analyzed campaigns rely heavily on sophisticated social engineering tactics, including fake job interviews and the ClickFix technique, to deliver malware and exfiltrate cryptocurrency with a possible secondary objective of cyberespionage.
• ESET also analyzed OSINT data that sheds light on the operations of North Korean IT workers involved in fraudulent employment schemes.
  

PRAGUE and BRATISLAVA, Slovakia, Sept. 25, 2025 (GLOBE NEWSWIRE) -- ESET Research has released new findings on DeceptiveDevelopment, also known as Contagious Interview – a threat group aligned with North Korea that has grown increasingly active in recent years. The group is primarily focused on cryptocurrency theft, targeting freelance developers across Windows, Linux, and macOS platforms. The newly published research paper traces the group's evolution from early malware families to more advanced toolsets. These campaigns rely heavily on sophisticated social engineering tactics, including fake job interviews and the ClickFix technique, to deliver malware and exfiltrate cryptocurrency. ESET also analyzed open-source intelligence (OSINT) data that sheds light on the operations of North Korean IT workers involved in fraudulent employment schemes and their ties to DeceptiveDevelopment. These findings are being presented today at the annual Virus Bulletin (VB) Conference.

DeceptiveDevelopment is a North Korea-aligned group active since at least 2023, focused on financial gain. The group targets software developers on all major systems – Windows, Linux, and macOS – and especially those in cryptocurrency and Web3 projects. Initial access is achieved exclusively via various social engineering techniques like ClickFix, and fake recruiter profiles similar to Lazarus's Operation DreamJob to deliver trojanized codebases during staged job interviews. Its most typical payloads are the BeaverTail, OtterCookie, and WeaselStore infostealers, and the InvisibleFerret modular RAT.

“DeceptiveDevelopment operators use fake recruiter profiles on social media, in a fashion similar to Lazarus's Operation DreamJob. However, in this case, they specifically reached out to software developers, often those involved in cryptocurrency projects, providing potential victims with trojanized codebases that deploy backdoors as part of a faux job interview process,” says Peter Kálnai, one of the co-authors of the research paper.“The individuals behind all these activities trade high-end technical sophistication for a broad scale of operations and highly creative social engineering. Their malware is mostly simple, yet they manage to lure even tech-savvy targets,” adds Kálnai.

The attackers opted for various methods to compromise users, relying on clever social engineering tricks. Via both fake and hijacked profiles, they pose as recruiters on platforms like LinkedIn, Upwork, Freelancer, and Crypto Jobs List. They offer fake lucrative job opportunities in order to attract their target's interest. Victims are requested to participate in a coding challenge or pre-interview task.

In addition to fake recruiter accounts, the attackers have customized and improved the social engineering method called ClickFix. Victims are lured to a fake job interview site and asked to fill out a detailed application form, investing significant time and effort. At the final step, they're prompted to record a video answer, but the site displays a camera error and offers a“How to fix” link. This link instructs users to open a terminal and copy a command that should solve the camera or microphone issue, which instead of fixing the issue, downloads and executes malware.

While research into DeceptiveDevelopment is primarily based on data from ESET telemetry and reverse-engineering the group's toolset, it is interesting to point out its connections to fraud operations by North Korean IT workers. According to the FBI's“Most Wanted” poster, the IT worker campaign has been ongoing since at least April 2017 and has become increasingly prominent in recent years. In a joint advisory released in May 2022, the IT worker campaign is described as a coordinated effort by North Korea-aligned workers to gain employment at overseas companies, whose salaries are then used as funding for the regime. They have also been known to steal internal company data and use it for extortion, as stated in an announcement by the FBI in January 2025.

As ESET Research discovered from available OSINT data, fake CVs, and other related materials, the IT workers mainly focus on employment and contract work in the West, specifically prioritizing the United States. However, our findings based on the acquired materials have shown a shift toward Europe, with targets in countries such as France, Poland, Ukraine, and Albania. The workers utilize AI to perform their job tasks and rely heavily on AI for manipulating photos in their profile pictures and CVs, and even perform face swaps in real-time video interviews to look like the persona they are currently using. They utilize remote interviewing platforms like Zoom, MiroTalk, FreeConference, or Microsoft Teams for various social engineering techniques. Proxy interviewing poses a severe risk to employers, since hiring of an illegitimate employee from a sanctioned country may not only be irresponsible or underperforming, but could also evolve into a dangerous insider threat.

“The activities of North Korean IT workers constitute a hybrid threat. This fraud-for-hire scheme combines classical criminal operations, such as identity theft and synthetic identity fraud, with digital tools, which classify it as both a traditional crime and a cybercrime,” comments Kálnai.

The research paper“DeceptiveDevelopment: From primitive crypto theft to sophisticated AI-based deception” summarizes the evolution of the group's two flagship toolsets, InvisibleFerret and BeaverTail. At the same time, it identifies newly discovered links between DeceptiveDevelopment's Tropidoor backdoor and the PostNapTea RAT used by the Lazarus group. Furthermore, it provides a comprehensive analysis of TsunamiKit and WeaselStore, new toolkits used by DeceptiveDevelopment and documents the functionality of a WeaselStore C&C server and its API.

For a more detailed analysis of DeceptiveDevelopment operations and tools, check out the latest ESET Research white paper“DeceptiveDevelopment: From primitive crypto theft to sophisticated AI-based deception” or the brief accompanying blogpost on Make sure to follow ESET Research on Twitter (today known as X) , BlueSky , and Mastodon for the latest news from ESET Research.

About ESET

ESET^® provides cutting-edge cybersecurity to prevent attacks before they happen. By combining the power of AI and human expertise, ESET stays ahead of emerging global cyberthreats, both known and unknown - securing businesses, critical infrastructure, and individuals. Whether it's endpoint, cloud, or mobile protection, our AI-native, cloud-first solutions and services remain highly effective and easy to use. ESET technology includes robust detection and response, ultra-secure encryption, and multifactor authentication. With 24/7 real-time defense and strong local support, we keep users safe and businesses running without interruption. The ever-evolving digital landscape demands a progressive approach to security: ESET is committed to world-class research and powerful threat intelligence, backed by R&D centers and a strong global partner network. For more information, visit or follow our social media, podcasts and blogs .

MENAFN25092025004107003653ID1110109349