Don't Fear the Repo: UNK_DeadDrop Phishing Campaign Targets Developers to Steal Cryptocurrency
By Saher Naumaan, Carlos Rubio, and the Proofpoint Threat Research Team
Key Findings
- Between April and May 2026, Proofpoint Threat Research observed a likely North Korean threat actor conducting phishing campaigns that used developer role recruitment or code review themes against targets in close to 100 organizations in finance, cryptocurrency, education, technology, and several other sectors. Proofpoint clusters this activity under the name UNK_DeadDrop.
- The infection chain begins with emails containing links to actor-controlled GitHub repositories hosting malicious scripts that result in the execution of cross-platform malware for macOS, Linux, and Windows, including an open-source Go framework named Overlord.
- The campaigns abused Visual Studio Code workflows and deployed a stealthy new technique using malicious Visual Studio Extensions (VSIX) that requires minimal user interaction.
- The activity has similarities to another North Korean group called Contagious Interview; however, there is no direct overlap in Proofpoint telemetry, so Proofpoint Threat Research tracks this activity as …
IoC