Beware of Fake Job Interview Challenges Attacking Developers To Deliver Malware


Feb 27, 2025 - 13:36

A North Korea-aligned cybercriminal campaign dubbed DeceptiveDevelopment has been targeting freelance software developers through fake job interviews since early 2024.

Posing as recruiters on platforms like LinkedIn, Upwork, and cryptocurrency-focused job boards, attackers lure victims with promising job opportunities or lucrative freelance projects.

The ultimate goal is to trick developers into executing trojanized codebases that deploy malware designed to steal cryptocurrency wallet data, browser credentials, and sensitive system information.

Researchers identified two primary malware families in this campaign: BeaverTail, an infostealer and downloader, and InvisibleFerret, a modular backdoor enabling remote access and data exfiltration.

These tools remain hidden within software projects that victims are asked to review or modify as part of a fake hiring challenge.

Notably, the attackers exploit GitHub’s interface by appending malicious code after long comments, pushing it off-screen in the default editor view.

Malicious code appended after a long comment pushing it off-screen in GitHub’s code editor (top) and the page source of just line #1 (Source – ESET)

ESET researchers noted that this obfuscation technique increases the likelihood of victims unknowingly executing the malware.
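As an added example (not code from the article or from ESET), the following Python scanner flags the hiding trick described above: source lines wider than a default editor view in which code follows a closing block comment, or sits after a long run of spaces. The width threshold, the regexes and the sample JavaScript file are constructed assumptions, not values from the report.

```python
"""Flag source lines where executable code hides behind a very long comment.

Added example, not from the article or the ESET report. Heuristic: a line is
suspicious if it is wider than a default editor view AND either (a) code follows
a closing block comment on the same line, or (b) code sits after a long run of
whitespace. Both patterns push the payload off-screen in a narrow viewer.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

MAX_WIDTH = 200  # assumption: lines wider than this are not shown whole in a default editor view
CODE_AFTER_COMMENT = re.compile(r"\*/\s*(\S.*)$")  # something after a closing block comment
PADDED_CODE = re.compile(r"\S\s{80,}(\S.*)$")  # 80+ spaces, then code


@dataclass
class Finding:
    path: str
    line_no: int
    width: int
    hidden_code: str  # first 80 chars of the suspected hidden code


def scan_source(path: str, text: str, max_width: int = MAX_WIDTH) -> list[Finding]:
    """Return one Finding per over-wide line that carries code after a comment or padding."""
    findings: list[Finding] = []
    for n, line in enumerate(text.splitlines(), start=1):
        if len(line) <= max_width:
            continue
        for pat in (CODE_AFTER_COMMENT, PADDED_CODE):
            m = pat.search(line)
            if not m:
                continue
            hidden = m.group(1).strip()
            # A trailing comment after a comment is noise, not hidden code.
            if hidden.startswith(("//", "/*")):
                continue
            findings.append(Finding(path, n, len(line), hidden[:80]))
            break
    return findings


# Constructed sample: line 2 is a 300+ character comment with a require() tucked after it.
SAMPLE_JS = (
    "const express = require('express');\n"
    "/* " + "This module wires up the demo API routes for the interview task. " * 5
    + "*/ require('./hidden-stage');\n"
    "app.listen(3000);\n"
)

if __name__ == "__main__":
    for f in scan_source("server.js", SAMPLE_JS):
        print(f"{f.path}:{f.line_no} width={f.width} hidden={f.hidden_code!r}")
```

Run it over a cloned interview project before opening anything in an editor; a hit is a reason to read the file in a pager with line wrapping on, not a verdict on its own. A line-length lint rule (for example `max-len` in ESLint) enforced in CI catches the same pattern with less custom code.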

Technical Delivery: Hidden Code and Obfuscation

The attackers’ reliance on social engineering is complemented by sophisticated technical tactics.

BeaverTail, delivered as JavaScript or Qt-based executables, begins by decrypting hardcoded Command-and-Control (C&C) server details.

For example, the IP address 147.124.214.237:1244 is split into base64-encoded fragments and rearranged to evade detection:

```javascript
host = "yNDEuMjA4MTg1LjIzNS4" // Decoded to 147.124.214.237 via string manipulation
```

DeceptiveDevelopment compromise chain (Source – ESET)

Once executed, BeaverTail searches for browser extensions like MetaMask, Coinbase Wallet, and Phantom to exfiltrate cryptocurrency keys stored in id.json (Solana) or browser databases.

It also harvests login credentials from Firefox, Chrome, and system keychains. InvisibleFerret, the second-stage payload, uses XOR encryption and modular Python scripts to maintain persistence.

One sample decrypts its payload using a hardcoded key (G01d*8@() and establishes a reverse shell for remote command execution.

Browser credential decryption logic in InvisibleFerret (Source – ESET)

The malware’s browser module targets Chrome, Brave, and Edge profiles to extract encrypted credentials, leveraging OS-specific decryption methods—such as win32crypt on Windows or secretstorage on Linux—to decode sensitive data.

The campaign’s infrastructure relies on servers hosted by providers like RouterHosting and Majestic Hosting Solutions.

C&C communication occurs over non-standard ports (1244, 3000) to blend with legitimate traffic. Recent updates to InvisibleFerret include FTP-based data exfiltration and integration with Telegram’s API for real-time credential theft, signaling evolving operational sophistication.

Developers are advised to verify recruiter identities, avoid executing unsolicited projects, and monitor for anomalous network activity on ports 1224–1245.
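The port monitoring advice above, as an added example that is not part of the article: a Python check that reads Zeek-style conn.log lines (tab-separated, constructed below) and reports TCP connections from internal hosts to external destinations on ports 1224-1245 or 3000. The field layout and the sample records are assumptions; port 3000 is also a common local dev-server port, so only connections leaving RFC 1918 and loopback space are flagged.

```python
"""Flag outbound TCP connections to the C&C port ranges named in the article.

Added example, not from the article or the ESET report. Input is a Zeek-style
conn.log reduced to seven tab-separated fields (constructed). Only connections
from internal hosts to non-internal destinations are reported, so a local
`npm run dev` on port 3000 stays quiet while the same port on a public IP fires.
"""
from __future__ import annotations

import ipaddress

# Ports from the article: 1224-1245 (range end is exclusive, so 1246) plus 3000.
SUSPECT_PORTS = set(range(1224, 1246)) | {3000}

# Explicit internal ranges; ipaddress.is_private also counts documentation
# ranges such as 203.0.113.0/24 as private, which would hide the sample below.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
]

FIELDS = ("ts", "uid", "orig_h", "orig_p", "resp_h", "resp_p", "proto")

# Constructed sample records (assumed layout: ts, uid, id.orig_h, id.orig_p,
# id.resp_h, id.resp_p, proto).
SAMPLE_CONN_LOG = """\
1740000000.1\tCabc1\t10.0.0.15\t51212\t10.0.0.15\t3000\ttcp
1740000001.2\tCabc2\t10.0.0.15\t51213\t203.0.113.10\t1244\ttcp
1740000002.3\tCabc3\t10.0.0.22\t51214\t198.51.100.7\t443\ttcp
1740000003.4\tCabc4\t10.0.0.22\t51215\t203.0.113.10\t3000\ttcp
1740000004.5\tCabc5\t10.0.0.22\t51216\t192.168.1.9\t1230\ttcp
"""


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def parse_conn_line(line: str) -> dict | None:
    """Parse one record; return None for malformed lines so one bad row cannot stop the scan."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    try:
        rec["orig_p"] = int(rec["orig_p"])
        rec["resp_p"] = int(rec["resp_p"])
    except ValueError:
        return None
    return rec


def suspicious_connections(log_text: str) -> list[dict]:
    """Return records for internal -> external TCP connections on a suspect port."""
    hits = []
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        rec = parse_conn_line(line)
        if rec is None or rec["proto"] != "tcp":
            continue
        if (
            rec["resp_p"] in SUSPECT_PORTS
            and is_internal(rec["orig_h"])
            and not is_internal(rec["resp_h"])
        ):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for h in suspicious_connections(SAMPLE_CONN_LOG):
        print(f"{h['uid']}: {h['orig_h']} -> {h['resp_h']}:{h['resp_p']}")
```

Port-based matching is a coarse filter: treat a hit as a trigger to pivot on the destination address and the originating process, and pair it with the article's other indicators (unexpected `id.json` reads, new Python processes spawned from a Node project) before calling it an infection.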


The post Beware of Fake Job Interview Challenges Attacking Developers To Deliver Malware appeared first on Cyber Security News.