According to TechRadar, cybersecurity experts from ESET have discovered a new campaign called DeceptiveDevelopment, run by hacker groups believed to be from North Korea. These groups pose as recruiters on social media to approach freelance programmers, especially those working on cryptocurrency-related projects.
The demand for freelance programmers is increasing, but it also comes with security risks when hackers take advantage of recruitment platforms to spread malware.
The main goal of this campaign is to steal cryptocurrency. The hackers copy or create fake profiles of recruiters and contact programmers through recruitment platforms such as LinkedIn, Upwork, or Freelancer.com. They then invite programmers to take a programming skills test as a condition of hiring.
These tests typically revolve around cryptocurrency projects, blockchain-based games, or cryptocurrency gambling platforms. The test files are stored in private repositories on services like GitHub. When the victim downloads and runs the project, a piece of malware called BeaverTail is launched.
Hackers typically don’t make many changes to the original project’s source code, but instead add malicious code in hard-to-detect locations, such as in the backend or hidden in comments. When executed, BeaverTail attempts to exfiltrate data from the browser to steal login credentials, and also downloads a second piece of malware called InvisibleFerret. InvisibleFerret acts as a backdoor that lets the attacker install AnyDesk, a remote management tool that can be used to perform additional operations after the intrusion.
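As an added example (not from ESET or the original article), here is one way to review a downloaded test project before running anything: a Python script that reads source files as text and flags lines worth inspecting by hand. The thresholds, the file extensions and the three heuristics (very long lines, text pushed far to the right by whitespace, encoded-looking blobs in comments) are assumptions chosen for illustration, and the sample input is constructed.

```python
import re
from pathlib import Path

MAX_LINE = 300   # assumed threshold: hand-written source lines are rarely longer
GAP = re.compile(r"\S[ \t]{40,}\S")           # text, a long blank run, then more text
COMMENT = re.compile(r"^\s*(//|#|/\*|\*)")    # common comment openers
BLOB = re.compile(r"[A-Za-z0-9+/=_-]{80,}")   # long unbroken encoded-looking run
SOURCE_EXT = {".js", ".mjs", ".cjs", ".jsx", ".ts", ".tsx", ".py"}  # assumed set


def scan_text(text):
    """Return (line_number, reason) pairs for lines a reviewer should read."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        if len(line) > MAX_LINE:
            findings.append((no, "very long line"))
        if GAP.search(line):
            findings.append((no, "content pushed far right by whitespace"))
        if COMMENT.match(line) and BLOB.search(line):
            findings.append((no, "encoded-looking blob in comment"))
    return findings


def scan_tree(root):
    """Scan every source file under root; files are only read, never executed."""
    report = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix in SOURCE_EXT:
            hits = scan_text(path.read_text(errors="replace"))
            if hits:
                report[str(path)] = hits
    return report


# Constructed sample: an ordinary-looking comment with a statement that an
# editor without word wrap would show far off-screen to the right.
SAMPLE = (
    "const express = require('express');\n"
    "// load config" + " " * 120 + "doSomething(placeholder);\n"
    "app.listen(3000);\n"
)

if __name__ == "__main__":
    for no, reason in scan_text(SAMPLE):
        print(f"line {no}: {reason}")
```

A hit is a prompt to open the file with word wrap enabled, not proof of malice, and a clean result does not make an untrusted project safe to run outside an isolated machine.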
The attack campaign can affect users on Windows, macOS, and Linux operating systems. Experts have noted victims across the globe, ranging from novice programmers to seasoned professionals. The DeceptiveDevelopment campaign bears similarities to Operation DreamJob, an earlier campaign by hackers targeting aerospace and defense industry employees to steal confidential information.
Source: https://thanhnien.vn/lap-trinh-vien-tu-do-tro-thanh-muc-tieu-cua-tin-tac-185250221233033942.htm