216.73.217.139

Don't Fear the Repo: UNK_DeadDrop Phishing Campaign Targets Developers to Steal Cryptocurrency

· Published 08/06/2026 10:05 · Modified 09/06/2026 09:00

Export JSON

Essential information

Published
08/06/2026 10:05
Modified
09/06/2026 09:00
Tags
2026-06-08 credential-theft cryptocurrency theft developer-targeting flexibleferret github repositories invisible ferret north korea ottercookie overlord overlord framework unk_deaddrop visual studio code vsix extensions wallet exfiltration
Related entities
18 observables, 1 intrusion sets (apt), 20 techniques (mitre), 4 malware, 63 others

Description

Between April and May 2026, a likely North Korean threat actor conducted phishing campaigns targeting developers across nearly 100 organizations in finance, cryptocurrency, education, and technology sectors. The attacks used recruitment and code review themes, delivering emails with links to actor-controlled hosting malicious scripts. The infection chain exploited workflows and deployed malicious Visual Studio Extensions (VSIX) requiring minimal user interaction. Cross-platform malware was executed on macOS, Linux, and Windows systems, including the open-source . The campaigns specifically targeted developer assets including API tokens, cryptocurrency wallets, and credentials. Attackers employed fake company personas and professional-looking repositories masquerading as legitimate cryptocurrency and blockchain projects to establish credibility and lure victims.

External references