VYPR Research · Published Sep 25, 2025 · Updated May 18, 2026 · 1 source

DeceptiveDevelopment: North Korea-Aligned Group Targets Developers with AI-Enhanced Fake Job Scams

ESET research reveals DeceptiveDevelopment, a North Korea-aligned threat actor that uses AI-enhanced fake job offers and synthetic identities to target software developers in the cryptocurrency and Web3 sectors.

ESET researchers have unveiled a detailed white paper at Virus Bulletin 2025 exposing the operations of DeceptiveDevelopment, a North Korea-aligned threat actor that has been active since at least 2023. The group focuses on financial gain by targeting software developers, particularly those working on cryptocurrency and Web3 projects, using a sophisticated blend of social engineering, multiplatform malware, and AI-generated synthetic identities. The white paper provides a full technical analysis of the group's toolset and of its tight connections to North Korean IT worker campaigns, collectively tracked as WageMole.

DeceptiveDevelopment operators pose as recruiters on platforms like LinkedIn, Upwork, Freelancer, and Crypto Jobs List, offering fake lucrative job opportunities. Victims are lured into participating in coding challenges or pre-interview tasks that involve downloading trojanized codebases from private repositories on GitHub, GitLab, or Bitbucket. The malicious code is often hidden in long comments that extend beyond the visible edge of a code editor, making it difficult to detect. Once executed, the first-stage malware, BeaverTail, is deployed, leading to further compromise.

The group has also adopted the ClickFix social engineering technique, first reported by Sekoia.io in March 2025. In this variant, victims are directed to a fake job interview website where they are asked to complete a lengthy application form. After investing significant time, they are prompted to record a video answer, but a pop-up error message about camera access leads them to a "How to fix" link. This link instructs them to copy and paste a terminal command that actually downloads and executes malware, rather than fixing the camera issue.

DeceptiveDevelopment's toolset is, as ESET describes it, "mostly multiplatform"; it includes initial obfuscated malicious scripts in Python and JavaScript, basic backdoors in Python and Go, and a more complex .NET backdoor called TsunamiKit. The group's most typical payloads are the BeaverTail, OtterCookie, and WeaselStore infostealers, along with the InvisibleFerret modular RAT. ESET also identified specific links between more complex backdoors used by DeceptiveDevelopment, such as AkdoorTea and Tropidoor, and other, more APT-oriented North Korea-aligned operations.

The group's operations are tightly connected to the WageMole activity cluster, which involves North Korean IT workers using stolen identities and AI-generated synthetic profiles to secure real jobs at companies worldwide. While DeceptiveDevelopment operators compromise job seekers' systems, North Korean IT workers then use the stolen information to pose as those job seekers, employing tactics like proxy interviewing and AI-driven identity fabrication. This dual approach creates a hybrid threat that combines cybercrime with espionage and financial fraud.

ESET's white paper includes full malware analysis, infrastructure details, and operational insights gathered from public sources, including unintentionally exposed data and victim testimonials. The research highlights the evolving sophistication of North Korea-aligned cyber operations, which now leverage AI to create convincing fake identities and to enhance social engineering attacks. The findings underscore the growing risk to software developers and the cryptocurrency industry, where trust in recruitment processes can be exploited for financial gain and intelligence gathering.

Synthesized by Vypr AI