Don't Fear the Repo: UNK_DeadDrop Phishing Campaign Targets Developers to Steal Cryptocurrency

2026-06-08 Proofpoint

https://www.proofpoint.com/us/blog/threat-insight/dont-fear-repo-unkdeaddrop-phishing-campaign-targets-developers-steal


Proofpoint observed UNK_DeadDrop, a very likely North Korea-aligned developer phishing cluster, sending more than 250 emails to targets at nearly 100 organizations in April and May 2026, especially across cryptocurrency, finance, technology, education, and business services. The actor used recruitment, code-review, Foundry testing, and AI payments lures to drive developers to malicious GitHub and GitLab repositories that abused VS Code and Cursor task automation and installed a malicious VSIX extension. Linux and macOS payloads used Overlord-derived Go RATs with persistent WebSocket C&C, while the Windows chain ran JavaScript and Python inside the editor's Electron process to steal cryptocurrency wallets, browser credentials, keychain or keyring data, and standalone wallet artifacts. Proofpoint notes overlap with Contagious Interview tradecraft but tracks UNK_DeadDrop as a distinct cluster due to separate telemetry, email-based initial access, self-contained payloads, and distinct infrastructure.

Indicators of Compromise

