{
  "name": "Analysis of DEV#POPPER: New Attack Campaign Targeting Software Developers Likely Associated With North Korean Threat Actors",
  "slug": "analysis-of-devpopper-new-attack-campaign-targeting-software-developers-likely-associated-with-north-korean-threat-actors",
  "description": "This report delves into an ongoing social engineering attack campaign, codenamed DEV#POPPER, likely orchestrated by North Korean threat actors, targeting software developers through fake job interviews. The attackers trick the developers into downloading and executing malicious Python-based RAT disguised as benign software. The report meticulously dissects the attack chain, uncovering its stages, from a malicious NPM package to command execution, payload download, and the RAT's capabilities, including system information gathering, remote command execution, data exfiltration, and keystroke logging.",
  "published": "2024-04-29T16:38:29+00:00",
  "created_at": "2024-04-29T16:38:29+00:00",
  "modified_at": "2024-05-01T21:06:37+00:00",
  "created_at_opencti": "2024-04-29T16:38:29+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "dev#popper",
    "developers",
    "python",
    "python-based rat",
    "rat",
    "social engineering"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "173.211.106.101"
      },
      {
        "id": "",
        "name": "147.124.214.131"
      },
      {
        "id": "",
        "name": "http://147.124.214.131"
      },
      {
        "id": "",
        "name": "f9ca12321fb91157cce8513e935810d1c2005ab0739322b474f0cb4af2605d16"
      },
      {
        "id": "",
        "name": "977a9024962102b02128d391c0543c63328d3f26701eca1a5d282af4d493dc2e"
      },
      {
        "id": "",
        "name": "45c991529a421104f2edf03d92e01d95774bf54325f9107dd4139505912a0c1e"
      },
      {
        "id": "",
        "name": "33617f0ac01a0f7fa5f64bd8edef737f678c44e677e4a2fb23c6b8a3bcd39fa2"
      }
    ],
    "malware": [
      {
        "id": "54a0abe9-8011-4c78-a778-833684a16f06",
        "name": "DEV#POPPER",
        "slug": "devpopper"
      }
    ],
    "intrusion_sets": [
      {
        "id": "57f26b3c-034f-4761-b730-281d519aa2a8",
        "name": "North Korean threat actors",
        "slug": "north-korean-threat-actors"
      }
    ],
    "attack_patterns": [
      {
        "id": "7671fe3e-6a85-463e-928d-16117d2f4f9b",
        "name": "T1059.006"
      },
      {
        "id": "6b2e0999-c7e8-4662-94ac-19aa8520ee46",
        "name": "T1059.003"
      },
      {
        "id": "32b33067-6566-4b8d-be80-e96f765d84de",
        "name": "T1059.001"
      },
      {
        "id": "eaff4611-3c78-4127-8745-726f77ed68ba",
        "name": "T1070.004"
      },
      {
        "id": "70616b2f-4019-4963-b758-5d9f6f20e201",
        "name": "T1082"
      },
      {
        "id": "81ee4813-4f68-4984-bec1-980d7c5b56eb",
        "name": "T1132"
      },
      {
        "id": "5b7c66d1-0466-4ba7-af6f-eb82c2f9d05b",
        "name": "T1033"
      },
      {
        "id": "31d29704-da1c-47ea-b93f-76d368813bdf",
        "name": "T1560"
      },
      {
        "id": "fa3b8b48-d97c-4242-83a6-07d435a5a79e",
        "name": "T1041"
      }
    ]
  },
  "external_refs": [
    "https://www.securonix.com/blog/analysis-of-devpopper-new-attack-campaign-targeting-software-developers-likely-associated-with-north-korean-threat-actors",
    "https://otx.alienvault.com/pulse/662fe9254594bca799ff2bd5"
  ]
}