Technical Analysis: UNK_DeadDrop Phishing Campaign Targeting Developer Workflows

A sophisticated, sustained phishing campaign is currently targeting the developer community by weaponizing legitimate recruitment and code-review processes. Labeled UNK_DeadDrop and attributed with high confidence to a North Korean-aligned threat actor, the operation utilizes attacker-controlled GitHub repositories to deliver cross-platform malware. Over a six-week period, the actors executed more than 250 highly tailored email attacks, impacting nearly 100 organizations across the finance, cryptocurrency, education, and technology sectors.

The campaign’s primary strength lies in its ability to blend seamlessly into the daily professional lives of software engineers. Attackers deploy social engineering lures—often framed as technical take-home assessments or invitations to contribute to open-source projects—that direct victims to malicious GitHub repositories. These repositories are meticulously crafted to appear legitimate, featuring professional project structures (such as Python or Foundry), functional scripts, and high-quality documentation to bypass initial skepticism.

The infection vector exploits the automation inherent in modern Integrated Development Environments (IDEs). Each malicious repository contains a hidden .vscode directory with a tasks.json configuration designed to trigger automatically upon folder opening. When a developer opens the repository in Visual Studio Code or the Cursor editor, the task executes platform-specific launchers. Notably, the Cursor editor lacks the “workspace trust” dialog found in VS Code, allowing for silent, zero-interaction execution of malicious payloads.

According to Proofpoint’s technical analysis, the payload architecture is tailored to the victim’s operating system:

  • Linux and macOS: The campaign deploys native Go binaries derived from the open-source Overlord C&C framework. These binaries function as persistent Remote Access Trojans (RATs), featuring specialized modules for browser credential harvesting, targeted cryptocurrency wallet exfiltration, and anti-forensic cleanup.
  • macOS Specifics: The macOS chain utilizes a Mach-O component that presents a deceptive system dialog to harvest user passwords. Once credentials are obtained, the malware modifies Keychain Access Control Lists (ACLs) and relaunches with elevated privileges to exfiltrate Safe Storage keys and full keychain data.
  • Linux Specifics: The Linux variant leverages Zenity dialogs and attempts to access the GNOME Keyring, utilizing Python-based fallback methods to escalate privileges and extract sensitive secrets.
  • Windows: The Windows architecture differs significantly, executing entirely within the editor’s Electron/Node.js runtime by setting the ELECTRON_RUN_AS_NODE=1 environment variable. This allows the pipeline to decrypt three AES-GCM-protected payloads at runtime: a Node.js agent, a wallet stealer, and a credential extraction script. To evade App-Bound Encryption, the stealer employs COM elevation techniques and leverages Volume Shadow Copy services to access locked database files.

Figure 1: Distribution of UNK_DeadDrop targeting across sector and geography (Source: Proofpoint).

The infrastructure supporting UNK_DeadDrop was rapidly provisioned throughout April and May 2026. Attackers utilized services like Vercel for supporting pages, Namecheap for domain registration, and Mailgun or MailHostBox for email delivery. A subset of domains, such as nemesis[.]work, were hosted on IPs associated with Advin Services LLC, which have been linked to previous UNK_DeadDrop activity (e.g., 170.205.29[.]83 and 170.205.30[.]227).

Figure 2: Sample attacker-controlled GitHub repository (Source: Proofpoint).

While UNK_DeadDrop shares tactical DNA with previous “Contagious Interview” campaigns—specifically regarding GitHub delivery and VS Code abuse—it represents a distinct cluster due to its increased scale, the use of embedded repository payloads, and the specific exploitation of the Cursor editor for silent execution.

Mitigation Recommendations: Organizations should enforce strict IDE trust policies, restrict the execution of automatic tasks within development environments, and implement monitoring for anomalous child processes. Security teams should specifically watch for unexpected VSIX extension installations and outbound network activity (WebSocket or HTTP POST) directed toward suspicious or uncharacterized C2 endpoints.
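The auto-run mechanism described above (a tasks.json task with runOptions.runOn set to "folderOpen", optionally with per-platform command overrides and an ELECTRON_RUN_AS_NODE=1 environment) can be checked for before a repository is ever opened in an editor. The following is an added example written for this article, not Proofpoint's tooling or anything from the campaign; the sample tasks.json is constructed, and the check deliberately only reports what it finds rather than acting on it.

```python
"""Flag VS Code / Cursor tasks.json tasks that auto-run on folder open.
Added example (not Proofpoint's tooling): strips the comments VS Code permits,
then reports tasks with runOptions.runOn == "folderOpen", their per-platform
command overrides and any ELECTRON_RUN_AS_NODE=1 setting in the task env."""
import json
import re

PLATFORM_KEYS = ("windows", "linux", "osx")

def strip_json_comments(text: str) -> str:
    """Remove /* */ blocks and full-line // comments (tasks.json allows them)."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"^\s*//.*$", "", text, flags=re.M)

def find_auto_run_tasks(tasks_json: str) -> list[dict]:
    """Return one finding per task configured to run automatically on folder open."""
    data = json.loads(strip_json_comments(tasks_json))
    findings = []
    for task in data.get("tasks", []):
        if task.get("runOptions", {}).get("runOn") != "folderOpen":
            continue
        # Top-level command plus any windows/linux/osx overrides and their env blocks.
        commands = {"default": task.get("command")}
        env = dict(task.get("options", {}).get("env", {}))
        for plat in PLATFORM_KEYS:
            override = task.get(plat, {})
            commands[plat] = override.get("command")
            env.update(override.get("options", {}).get("env", {}))
        findings.append({
            "label": task.get("label", "<unnamed>"),
            "commands": {k: v for k, v in commands.items() if v},
            "run_as_node": env.get("ELECTRON_RUN_AS_NODE") == "1",
        })
    return findings

# Constructed sample modelled on the behaviour described above, not a real artefact.
SAMPLE_TASKS_JSON = """{
  // constructed for this example
  "version": "2.0.0",
  "tasks": [
    {"label": "build", "type": "shell", "command": "make"},
    {"label": "setup", "type": "shell", "command": "./setup.sh",
     "windows": {"command": "node", "options": {"env": {"ELECTRON_RUN_AS_NODE": "1"}}},
     "runOptions": {"runOn": "folderOpen"}}
  ]
}"""

if __name__ == "__main__":
    print(find_auto_run_tasks(SAMPLE_TASKS_JSON))
```

Running the check against a freshly cloned repository's .vscode/tasks.json (for example from a pre-commit or pre-open hook) surfaces the task before the editor gets a chance to execute it; the ordinary "build" task is ignored because it has no folderOpen trigger.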

Indicators of Compromise (IOCs)

Indicator | Type | Description | First Seen
alex@contacttrixauvex[.]ink | Email | Attacker-controlled email | May 2026
nemesistrade[.]work | Domain | Related infrastructure | May 2026
170.205.29[.]83 | IP | Sender IP | April 2026
hxxps://github[.]com/Pulsynk/pulsynk | URL | Malicious repository | May 2026
52886aab179f26421678ff23af1b0fabf0a17ffbb534369cdbbac8008cbed8e7 | SHA256 | google-update-support.vsix | May 2026
a2b9a769df84d9d3a4694bb0252a2c6a5e5f5d1a85a04565362737092bbb3a86 | SHA256 | google-update-support-linux-amd64 | May 2026

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution. Re-fang only within controlled threat intelligence platforms.
