Void Dokkaebi Uses Fake Job Interview Lure to Spread Malware via Code Repositories

MITRE Techniques

• [T1195 ] Supply Chain Compromise – The threat converts developer repositories into delivery channels that infect downstream projects and contributors (‘A compromised developer’s repository becomes an infection vector for the next wave of victims’)
• [T1204 ] User Execution – Victims are tricked into cloning and opening repositories during fake interviews, triggering workspace tasks when trust is granted (‘clone and execute code repositories as part of fabricated job interviews’)
• [T1059.007 ] Command and Scripting Interpreter: JavaScript – Obfuscated JavaScript is appended to source/config files and executed by Node.js tooling as a multistage loader (‘obfuscated JavaScript… is added to the end of the file’ and ‘evaluated as JavaScript by Node.js tooling’)
• [T1027 ] Obfuscated Files or Information – The loader uses string shuffling, hex obfuscation, and character swaps to hinder analysis (‘layers of string shuffling, hexadecimal obfuscation, and character swap algorithms to hinder analysis’)
• [T1070.006 ] Timestomp (Indicator Removal on Host) – The commit-tampering script temporarily alters the system clock and amends commits to preserve original timestamps and authorship (‘temporarily alter the system clock to match the original commit’s timestamp’)
• [T1071.001 ] Application Layer Protocol: Web Protocols – DEV#POPPER uses WebSocket (socket.io-client) and HTTP endpoints for C2, heartbeats, and exfiltration (‘communicates with its command-and-control (C&C) server via WebSocket (using socket.io-client)’ and ‘/verify-human/[VERSION]’ and ‘/u/f’)
• [T1574 ] Hijack Execution Flow – Persistence achieved by creating a hidden .node_modules folder to hijack Node.js module search order and injecting versioned code into developer tooling (‘creates a hidden .node_modules folder for Node.js module search order hijacking’ and ‘injects versioned code… into developer applications’)