Don't Fear the Repo: UNK_DeadDrop Phishing Campaign Targets Developers to Steal Cryptocurrency
Essential information
- Published
- 08/06/2026 10:05
- Modified
- 09/06/2026 09:00
- Tags
- 2026-06-08 credential-theft cryptocurrency theft developer-targeting flexibleferret github repositories invisible ferret north korea ottercookie overlord overlord framework unk_deaddrop visual studio code vsix extensions wallet exfiltration
- Related entities
- 18 observables, 1 intrusion sets (apt), 20 techniques (mitre), 4 malware, 63 others
Description
Between April and May 2026, a likely North Korean threat actor conducted phishing campaigns targeting developers across nearly 100 organizations in finance, cryptocurrency, education, and technology sectors. The attacks used recruitment and code review themes, delivering emails with links to actor-controlled GitHub repositories hosting malicious scripts. The infection chain exploited Visual Studio Code workflows and deployed malicious Visual Studio Extensions (VSIX) requiring minimal user interaction. Cross-platform malware was executed on macOS, Linux, and Windows systems, including the open-source Overlord framework. The campaigns specifically targeted developer assets including API tokens, cryptocurrency wallets, and credentials. Attackers employed fake company personas and professional-looking repositories masquerading as legitimate cryptocurrency and blockchain projects to establish credibility and lure victims.