DeceptiveDevelopment: From primitive crypto theft to sophisticated AI-based deception
This blogpost introduces our latest white paper, presented at Virus Bulletin 2025, where we detail the operations of the North Korea-aligned threat actor we call DeceptiveDevelopment and its connections to North Korean IT worker campaigns. The white paper provides full technical details, including malware analysis, infrastructure, and OSINT findings. Here, we summarize the key insights and highlight the broader implications of this hybrid threat.
Key points of this blogpost:
- The inventiveness and focus of the operations lie in their social-engineering methods.
- DeceptiveDevelopment’s toolset is mostly multiplatform and consists of initial obfuscated malicious scripts in Python and JavaScript, basic backdoors in Python and Go, and a dark web project in .NET.
- We provide insights into the operational details of North Korean IT workers, such as work assignments, schedules and communication with clients, gathered from public sources.
- Native, more complex Windows backdoors are an occasional addition in the execution chain and are likely shared by …
IoC
http://164.132.209.191
http://103.231.75.101
http://86.104.72.247
http://199.188.200.147
http://116.125.126.38
http://45.8.146.93
http://103.35.190.170
http://45.159.248.110
http://176.223.112.74
164.132.209.191
45.159.248.110
103.231.75.101
86.104.72.247
116.125.126.38
112.0.0.0
103.35.190.170
199.188.200.147
176.223.112.74
45.8.146.93
[email protected]
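As an added example, not part of the ESET white paper or the blog post, the script below turns the indicators listed above into a normalized set of IP addresses (handling both the URL and bare-IP forms and skipping the e-mail entry, which is obfuscated on the page) and flags constructed proxy and DNS log lines that reference them. The log format and the sample lines are assumptions made for illustration.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlsplit

# Indicators copied from the IoC list above; URL and bare-IP forms overlap.
IOC_RAW = [
    "http://164.132.209.191", "http://103.231.75.101", "http://86.104.72.247",
    "http://199.188.200.147", "http://116.125.126.38", "http://45.8.146.93",
    "http://103.35.190.170", "http://45.159.248.110", "http://176.223.112.74",
    "164.132.209.191", "45.159.248.110", "103.231.75.101", "86.104.72.247",
    "116.125.126.38", "112.0.0.0", "103.35.190.170", "199.188.200.147",
    "176.223.112.74", "45.8.146.93",
    "[email protected]",  # obfuscated on the page; not an IP, skipped below
]


def normalize_ioc(item):
    """Return the host IP of a URL or bare-IP indicator, or None if it is not an IP."""
    host = urlsplit(item).hostname if "://" in item else item
    try:
        return str(ip_address(host))
    except ValueError:
        return None


# Deduplicated set of IPs to hunt for.
IOC_IPS = {ip for ip in map(normalize_ioc, IOC_RAW) if ip}

# Dotted-quad matcher; candidates are then checked against the IoC set exactly.
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def find_ioc_hits(log_lines):
    """Return (ip, line) pairs for every log line mentioning a listed IP."""
    hits = []
    for line in log_lines:
        for candidate in IP_RE.findall(line):
            if candidate in IOC_IPS:
                hits.append((candidate, line))
    return hits


# Constructed sample log lines (assumed key=value format), not real telemetry.
SAMPLE_LOG = [
    "2025-09-01T10:00:00Z proxy src=10.0.0.5 dst=45.8.146.93 dport=80",
    "2025-09-01T10:00:01Z proxy src=10.0.0.5 dst=93.184.216.34 dport=443",
    "2025-09-01T10:00:02Z dns client=10.0.0.7 answer=176.223.112.74",
]

if __name__ == "__main__":
    for ip, line in find_ioc_hits(SAMPLE_LOG):
        print(f"IoC hit {ip}: {line}")
```

Run it against exported proxy, firewall or DNS logs by replacing `SAMPLE_LOG`; hits are exact-match only, so a bare network address such as 112.0.0.0 will match only that literal string, not hosts inside any range.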