Proofpoint tracked UNK_DeadDrop, a likely North Korea-aligned phishing cluster that used recruiter and code-review lures to target developers across nearly 100 organizations and delivered malicious GitHub/GitLab repositories with cross-platform payloads. The campaigns abused VS Code and Cursor task automation plus malicious VSIX extensions to steal cryptocurrency wallets and credentials on macOS, Linux, and Windows while maintaining persistence and cleaning up artifacts. #UNK_DeadDrop #Overlord #ContagiousInterview #GitHub #VSIX
Key points
- Between April and May 2026, UNK_DeadDrop sent over 250 phishing emails to targets in almost 100 organizations across multiple sectors.
- The lures centered on fake developer recruitment, code reviews, Foundry testing, and AI payments projects.
- Attackers used actor-controlled GitHub and GitLab repositories to deliver malicious content rather than hosting payloads externally.
- The infection chain abused VS Code and Cursor folder-open task execution and deployed a malicious VSIX extension for persistence on macOS and Linux.
- Linux and macOS payloads used the Overlord framework as a persistent RAT with WebSocket C2 connectivity.
- Windows infection ran as JavaScript inside Electron, stealing wallet data and credentials using Python, DPAPI, and App-Bound Encryption bypass techniques.
- Proofpoint assessed the activity as likely North Korea-aligned, with similarities to Contagious Interview but tracked separately due to distinct telemetry and infrastructure.
MITRE Techniques
- [T1566.002] Spearphishing Link: Victims received emails containing links to attacker-controlled GitHub/GitLab repositories masquerading as job assessments or code reviews ("emails containing links to actor-controlled GitHub repositories").
- [T1204.002] User Execution: Malicious File: The campaign depended on users cloning repositories and opening them in VS Code or Cursor to trigger execution ("clone the repository and open it in an editor such as VS Code or Cursor").
- [T1053.005] Scheduled Task/Job: Scheduled Task: A hidden tasks.json executed a task automatically when the folder opened ("runOptions.runOn: 'folderOpen'").
- [T1059.004] Command and Scripting Interpreter: Unix Shell: Bash scripts launched the payloads on Linux/macOS ("/bin/bash vendor/run-update[.]sh").
- [T1059.005] Command and Scripting Interpreter: Visual Basic: Windows used a hidden VBS launcher to start the next stage ("wscript[.]exe //B //Nologo vendor/run-update-hidden-launch.vbs").
- [T1059.003] Command and Scripting Interpreter: Windows Command Shell: The Windows chain used a CMD script to decode and stage payloads ("run-update[.]cmd").
- [T1105] Ingress Tool Transfer: The malware fetched and staged additional components, including encrypted payloads and embedded binaries ("stages three encrypted files into a staging directory").
- [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder: The malicious VSIX extension persisted and reactivated on editor startup on macOS and Linux ("the VSIX extension activates... and re-launches them if not").
- [T1055] Process Injection: Windows ran inside the editor's Electron process using a Node.js interpreter mode ("ELECTRON_RUN_AS_NODE=1").
- [T1027] Obfuscated Files or Information: The campaign used Base64, encrypted payloads, and embedded scripts to hide code ("embedded Base64-encoded payload", "three encrypted files").
- [T1112] Modify Registry: The Windows stealer enumerated users via the registry to broaden collection ("enumerates all Windows user profiles via registry").
- [T1555] Credentials from Password Stores: The malware stole browser and keychain credentials from multiple stores ("Safe Storage keys are then extracted", "dump the entire login keychain").
- [T1552.001] Unsecured Credentials: Credentials In Files: The Linux/macOS paths exported credentials to files before upload ("Credentials are exported to e_p.txt").
- [T1021.004] Remote Services: SSH: Not mentioned.
- [T1041] Exfiltration Over C2 Channel: Stolen data was uploaded to the C2 server over persistent WebSocket or HTTP POST channels ("uploaded to the C&C via the persistent WebSocket connection", "via HTTP POST").
- [T1562.001] Impair Defenses: Disable or Modify Tools: The malware deleted payloads and directories to reduce forensic traces ("deleting malicious payloads and directories").
- [T1106] Native API: The Windows and Linux/macOS chains used system interfaces and elevated components for credential access ("COM Elevation Service", "runuser", "Volume Shadow Copy").
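A defender-side check for the folder-open mechanism described under T1053.005 and the per-platform launchers under T1059.x: it parses a workspace tasks.json, flags every task with runOptions.runOn set to folderOpen, and rates the command line against the launcher patterns the report quotes. This is an added example, not code from Proofpoint or from the report; the sample tasks.json is constructed to mirror the quoted commands, and the SUSPICIOUS_CMD patterns are assumed heuristics (the file is assumed to be plain JSON, without JSONC comments).

```python
"""Scan a VS Code / Cursor .vscode/tasks.json for tasks that auto-run on folder open."""
import json
import re
from typing import Dict, List, Optional

# Assumed heuristics: launcher shapes quoted in the report (bash vendor/run-update.sh,
# wscript //B ...vbs, run-update.cmd). Tune for your own environment.
SUSPICIOUS_CMD = re.compile(
    r"(wscript(\.exe)?\s+//B|run-update|/bin/bash\s+vendor/|\.vbs\b|\.cmd\b)", re.I
)


def _command_line(task: dict, os_key: Optional[str] = None) -> str:
    """Join command + args, honouring VS Code's per-OS override blocks (windows/linux/osx)."""
    src = task.get(os_key, {}) if os_key else {}
    cmd = src.get("command", task.get("command", ""))
    args = src.get("args", task.get("args", []))
    return " ".join([str(cmd), *map(str, args)]).strip()


def find_auto_run_tasks(tasks_json: str) -> List[Dict[str, str]]:
    """Return one finding per (task, platform) that runs on folderOpen, with a risk tag."""
    doc = json.loads(tasks_json)
    findings: List[Dict[str, str]] = []
    for task in doc.get("tasks", []):
        run_on = (task.get("runOptions") or {}).get("runOn")
        if run_on != "folderOpen":
            continue  # only auto-executing tasks are of interest here
        cmds = {k: _command_line(task, k) for k in ("windows", "linux", "osx") if k in task}
        cmds["default"] = _command_line(task)
        for platform, line in cmds.items():
            findings.append({
                "label": task.get("label", "<unlabelled>"),
                "platform": platform,
                "command": line,
                "risk": "high" if SUSPICIOUS_CMD.search(line) else "review",
            })
    return findings


# Constructed sample: a benign build task plus a folderOpen task shaped like the report's launchers.
SAMPLE_TASKS_JSON = r'''{
  "version": "2.0.0",
  "tasks": [
    {"label": "build", "type": "shell", "command": "npm run build"},
    {"label": "update deps", "type": "shell",
     "command": "/bin/bash vendor/run-update.sh",
     "windows": {"command": "wscript.exe",
                 "args": ["//B", "//Nologo", "vendor/run-update-hidden-launch.vbs"]},
     "runOptions": {"runOn": "folderOpen"}}
  ]
}'''

if __name__ == "__main__":
    for finding in find_auto_run_tasks(SAMPLE_TASKS_JSON):
        print(finding)
```

Run it against each cloned repository's .vscode/tasks.json before opening the folder in the editor; any "high" finding is worth blocking until reviewed.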
Indicators of Compromise
- [IP address] C2 and sender infrastructure: 23.137.105[.]75, 170.205.29[.]83
- [Domain] Sender and related infrastructure domains: trixauvex[.]org, pulsynk[.]org, and other related domains such as contacttrixauvex[.]ink and predicttocareer[.]space
- [Email address] Attacker-controlled recruiter addresses: alex@contacttrixauvex[.]ink, alex@pulsynk[.]org, and many other HR-themed mailboxes
- [URL] Attacker-controlled repositories: hxxps://github[.]com/Pulsynk/pulsynk, hxxps://github[.]com/Trixauvex-org/trixauvex, and other GitHub/GitLab repos
- [SHA256] Malicious scripts and packages: c935808147f0236c81483d7bbeda4b9d602f3595d5d4057f8115d39e222d1c4b, 734699773e53d995f20d485eb61261033d9d00b4332b39ca26071bcd60cd352f, and other hashes listed for VSIX, JS, VBS, CMD, and encrypted payloads
- [File name] Malicious payloads and loaders: tasks.json, run-update.sh, run-update.cmd, run-update-hidden-launch.vbs, gus-node-bootstrap.js, detect_malware.py.enc, windows-js-pipeline.js.enc