A North Korean-linked campaign, dubbed DeceptiveDevelopment, is targeting freelance software developers with job interview-themed lures to deploy cross-platform malware BeaverTail and InvisibleFerret. The attacks, ongoing since late 2023, aim to steal cryptocurrency wallets and login credentials through trojanized codebases shared via fake recruiter profiles on job-hunting sites like Upwork, Freelancer.com, and Crypto Jobs List. The malware is hidden in crypto-related projects, gambling apps, and even fake conferencing software. BeaverTail acts as a downloader, while InvisibleFerret steals browser data, exfiltrates files, and installs AnyDesk for persistence. The campaign primarily targets crypto developers worldwide, following a broader trend of North Korean cyber threats focused on cryptocurrency theft.

‍