lazarusholic


Research Update: Threat Actors Behind the DEV#POPPER Campaign Have Retooled and are Continuing to Target Software Developers via Social Engineering

2024-07-31, Securonix
https://www.securonix.com/blog/research-update-threat-actors-behind-the-devpopper-campaign-have-retooled-and-are-continuing-to-target-software-developers-via-social-engineering/
#DevPopper #NPM

Contents

Securonix Threat Research Security Advisory
Research Update: Threat Actors Behind the DEV#POPPER Campaign Have Retooled and are Continuing to Target Software Developers via Social Engineering
By Securonix Threat Research: Den Iuzvyk, Tim Peck
Jul 31, 2024
tldr:
The threat actors behind the previously documented DEV#POPPER campaign are continuing to target developers by means of new malware and tactics, including support for Linux, Windows and macOS.
The Securonix Threat Research team has continued to monitor the threat actors behind the DEV#POPPER campaign and has identified additional malware variants linked to the same North Korean threat actors. These variants use similar stealthy code-execution tactics, but now with much more robust capabilities.
Based on the gathered telemetry, no specific trend in victimology was identified. However, analysis of the collected samples shows victims spread across South Korea, North America, Europe, and the Middle East, indicating that the impact of the attack is widespread.
As with the previous …

IoC

0639d8eaad9df842d6f358831b0d4c654ec4d9ebec037ab5defa240060956925
2d10b48454537a8977affde99f6edcbb7cd6016d3683f9c28a4ec01b127f64d8
6263b94884726751bf4de6f1a4dc309fb19f29b53cce0d5ec521a6c0f5119264
63238b8d083553a8341bf6599d3d601fbf06708792642ad513b5e03d5e770e9b
67.203.123.171
67.203.7.171
77.37.37.81
7e5828382c9ef9cd7a643bc329154a37fe046346fd2cf4698da2b91050c9fe12
b31f5bde1bdbc2dfd453b91bab2e9be0becec555ee6edd70744c77f2ad15d18c
bc4a082e2b999d18ef2d7de1948b2bfd9758072f5945e08798f47827686621f2
eff2a9fca46425063dca080466427353dc52ac225d9df7c1ef0ec8ba49109b71
http://67.203.123.171:1244/pdown
http://67.203.7.171:1244
http://67.203.7.171:1244/brow/
http://67.203.7.171:1244/client/
http://67.203.7.171:1244/keys
http://67.203.7.171:1244/payload
http://67.203.7.171:1244/uploads
http://77.37.37.81
http://de.ztec.store
http://de.ztec.store:8000
http://de.ztec.store:8000/www/run.py
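To make the indicator list above actionable, here is an added example (written for this page; it is not Securonix or lazarusholic code) that sorts the indicators by type and runs them over a few constructed proxy/EDR log lines. It shows two things practitioners trip over when consuming a raw IoC dump: hash matching must be case-insensitive and on the full 64-character digest, so a partial-hash fragment such as 6708792642 (present in the embedded copy of the list) is rejected rather than used as a pattern; and a URL indicator should also yield its host, so traffic to the same server over a different path is still caught. The log lines are invented for illustration.

```python
"""IoC triage helper: parse the list into typed indicators and scan log lines.

Added example for this page, not Securonix/lazarusholic code.
The indicators are copied from the list above; the log lines are constructed.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Raw indicator list as published (mixed case, one fragment that is not a full hash).
RAW_IOCS = """
0639d8eaad9df842d6f358831b0d4c654ec4d9ebec037ab5defa240060956925
2d10b48454537a8977affde99f6edcbb7cd6016d3683f9c28a4ec01b127f64d8
6263b94884726751bf4de6f1a4dc309fb19f29b53cce0d5ec521a6c0f5119264
63238b8d083553a8341bf6599d3d601fbf06708792642ad513b5e03d5e770e9b
67.203.123.171
67.203.7.171
6708792642
77.37.37.81
7e5828382c9ef9cd7a643bc329154a37fe046346fd2cf4698da2b91050c9fe12
B31F5BDE1BDBC2DFD453B91BAB2E9BE0BECEC555EE6EDD70744C77F2AD15D18C
BC4A082E2B999D18EF2D7DE1948B2BFD9758072F5945E08798F47827686621F2
EFF2A9FCA46425063DCA080466427353DC52AC225D9DF7C1EF0EC8BA49109B71
http://67.203.123.171:1244/pdown
http://67.203.7.171:1244
http://67.203.7.171:1244/brow/
http://67.203.7.171:1244/client/
http://67.203.7.171:1244/keys
http://67.203.7.171:1244/payload
http://67.203.7.171:1244/uploads
http://77.37.37.81
http://de.ztec.store
http://de.ztec.store:8000
http://de.ztec.store:8000/www/run.py
"""

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
HOSTNAME_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]+\.)+[a-z]{2,}$")


def parse_iocs(text):
    """Sort raw indicator lines into sha256 / ip / host / url sets.

    Anything that fits none of the shapes (e.g. a partial hash fragment)
    lands in 'rejected' so it is never used as a match pattern.
    """
    iocs = {"sha256": set(), "ip": set(), "host": set(), "url": set(), "rejected": []}
    for line in text.strip().splitlines():
        item = line.strip()
        if not item:
            continue
        low = item.lower()
        if SHA256_RE.match(low):
            iocs["sha256"].add(low)
            continue
        if low.startswith(("http://", "https://")):
            iocs["url"].add(low.rstrip("/"))
            iocs["host"].add(urlsplit(low).hostname)  # same server, other path
            continue
        try:
            ipaddress.ip_address(item)
            iocs["ip"].add(item)
            continue
        except ValueError:
            pass
        if HOSTNAME_RE.match(low):
            iocs["host"].add(low)
            continue
        iocs["rejected"].append(item)
    return iocs


def match_line(line, iocs):
    """Return the set of indicators that appear in one log line."""
    hits = set()
    low = line.lower()
    # Full 64-hex digests only: \b stops fragments and longer hex runs from matching.
    hits.update(t for t in re.findall(r"\b[0-9a-f]{64}\b", low) if t in iocs["sha256"])
    hits.update(t for t in re.findall(r"\b(?:\d{1,3}\.){3}\d{1,3}\b", low) if t in iocs["ip"])
    for url in re.findall(r"https?://[^\s\"']+", low):
        url = url.rstrip("/")
        if url in iocs["url"]:
            hits.add(url)
        host = urlsplit(url).hostname
        if host in iocs["host"]:
            hits.add(host)
    hits.update(t for t in re.findall(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", low) if t in iocs["host"])
    return hits


def scan(lines, iocs):
    """Return [(line_number, sorted_hits)] for every line with at least one hit."""
    results = []
    for number, line in enumerate(lines, 1):
        hits = match_line(line, iocs)
        if hits:
            results.append((number, sorted(hits)))
    return results


# Constructed log lines (not real telemetry); line 4 carries a non-IoC hash
# that merely contains the 6708792642 fragment and must not match.
SAMPLE_LOGS = [
    '2024-08-01T10:02:11Z proxy ALLOW src=10.0.0.5 url="http://de.ztec.store:8000/www/run.py"',
    "2024-08-01T10:03:40Z edr sha256=B31F5BDE1BDBC2DFD453B91BAB2E9BE0BECEC555EE6EDD70744C77F2AD15D18C path=/tmp/npm-cache/x",
    "2024-08-01T10:04:02Z proxy DENY src=10.0.0.7 dst=67.203.7.171:1244 GET /payload",
    "2024-08-01T10:05:00Z edr sha256=" + "a" * 30 + "6708792642" + "b" * 24 + " path=/bin/true",
    '2024-08-01T10:06:00Z proxy ALLOW src=10.0.0.9 url="https://registry.npmjs.org/"',
]

if __name__ == "__main__":
    parsed = parse_iocs(RAW_IOCS)
    print("rejected:", parsed["rejected"])
    for number, hits in scan(SAMPLE_LOGS, parsed):
        print(f"line {number}: {hits}")
```

Note that the host derived from a URL indicator is matched on its own, so line 3 above fires on the bare IP:port connection even though no full URL was logged, while the registry.npmjs.org line and the look-alike hash on line 4 stay quiet.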