Don't Fear the Repo: UNK_DeadDrop Phishing Campaign Targets Developers to Steal Cryptocurrency
Between April and May 2026, a likely North Korean threat actor tracked as UNK_DeadDrop ran phishing campaigns against developers in the finance, cryptocurrency, education, and technology sectors. The emails used recruitment and code-review lures and linked to GitHub repositories controlled by the actor. Those repositories hosted malware that abused Visual Studio Code workflows and delivered malicious VSIX extensions, requiring minimal user interaction from the victim. The malware was cross-platform (macOS, Linux, and Windows) and included the Overlord framework. The goal was to steal developer assets such as API tokens, cryptocurrency wallets, and credentials; to gain trust, the actor impersonated legitimate cryptocurrency and blockchain projects with fake company personas and professional-looking repositories.
AI Analysis
Technical Summary
The UNK_DeadDrop campaign targeted developers across nearly 100 organizations with emails themed around recruitment and code reviews. The emails linked to GitHub repositories controlled by the threat actor, which hosted malicious scripts. The infection chain abused Visual Studio Code workflows and malicious VSIX extensions so that cross-platform malware ran on macOS, Linux, and Windows with minimal user interaction. The malware included the open-source Overlord framework and focused on exfiltrating developer assets such as API tokens, cryptocurrency wallets, and credentials. Fake company personas and professional-looking repositories masquerading as legitimate cryptocurrency and blockchain projects were used to gain the victim's trust before the credential and cryptocurrency theft took place.
Potential Impact
The campaign enabled theft of sensitive developer assets, including API tokens, cryptocurrency wallets, and credentials. Stolen tokens and credentials can give the actor access to the developer's environment and, through it, to organizational resources; wallet theft leads directly to financial loss. Because the malware is cross-platform, macOS and Linux developer workstations are as exposed as Windows ones. Delivery through trusted platforms (a GitHub repository opened in Visual Studio Code) lowers the bar for a successful infection, since little user interaction is needed.
Mitigation Recommendations
There is no patch to apply: this is a social-engineering and malware campaign, not a software vulnerability, so remediation rests on user awareness and operational controls. Educate developers about unsolicited recruitment and code-review requests that ask them to clone and open a repository. Treat repositories from unknown parties as untrusted: verify the project and the persona behind it before opening the code, keep VS Code Workspace Trust enabled and choose Restricted Mode for folders from unknown authors, and do not install VSIX files or extensions that a repository or recruiter supplies. Block the listed domains and IP address at the DNS and proxy layer, hunt for the listed file hashes, and monitor developer hosts for unexpected Visual Studio Code tasks and extensions. Where an indicator matches, assume the developer's API tokens, wallet keys, and credentials are exposed and rotate them.
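The page does not say which Visual Studio Code feature the repositories abused, so the script below is an added example for this page (not code from Proofpoint, AlienVault or the threat actor) that audits a cloned repository before it is opened in VS Code for the documented ways a repository can run code or pull in an extension with almost no interaction: a task in `.vscode/tasks.json` whose `runOptions.runOn` is `folderOpen` (VS Code runs it when the folder is opened unless Workspace Trust keeps the folder in Restricted Mode), extension recommendations in `.vscode/extensions.json` (VS Code prompts to install them), and any `.vsix` file bundled in the tree. The sample repository it builds is constructed for illustration; the task, script path and extension ID in it are hypothetical.

```python
"""Audit a cloned repository for VS Code configuration that runs code or pulls
in an extension with little or no user interaction. Run it BEFORE opening the
folder in VS Code. Example code added for this page, not from Proofpoint."""
import json
import re
import tempfile
from pathlib import Path

# VS Code config files are JSONC: // and /* */ comments and trailing commas are
# allowed. Each regex captures string literals first so that a "//" inside a
# URL, or a ",}" inside a string, is left untouched.
_STRING = r'("(?:\\.|[^"\\])*")'
_COMMENTS = re.compile(_STRING + r"|//[^\n]*|/\*.*?\*/", re.S)
_TRAILING = re.compile(_STRING + r",?|,(\s*[}\]])")
_PLATFORM_KEYS = ("windows", "linux", "osx")


def load_jsonc(text):
    """Parse VS Code-style JSON (comments, trailing commas); strings are kept verbatim."""
    no_comments = _COMMENTS.sub(lambda m: m.group(1) or "", text)
    clean = _TRAILING.sub(lambda m: m.group(0) if m.group(1) else m.group(2), no_comments)
    return json.loads(clean)


def _task_commands(task):
    """Command lines a task can run: the generic one plus per-platform overrides.

    Platform blocks override individual properties, so a "windows" block that
    sets only "command" still inherits the generic "args".
    """
    cmds = []
    for scope in ("any",) + _PLATFORM_KEYS:
        spec = task if scope == "any" else task.get(scope)
        if isinstance(spec, dict) and spec.get("command"):
            args = spec.get("args", task.get("args", []))
            cmds.append((scope, " ".join([str(spec["command"])] + [str(a) for a in args])))
    return cmds


def _read_jsonc(path):
    """Parsed object, or None when the file cannot be parsed."""
    try:
        return load_jsonc(path.read_text(encoding="utf-8", errors="replace"))
    except ValueError:
        return None


def audit_repo(root):
    """Return (location, finding) pairs; an empty list means nothing was flagged."""
    root = Path(root)
    findings = []

    tasks_file = root / ".vscode" / "tasks.json"
    if tasks_file.is_file():
        tasks = _read_jsonc(tasks_file)
        if not isinstance(tasks, dict):
            findings.append((".vscode/tasks.json", "unparseable, inspect manually"))
        else:
            for task in tasks.get("tasks") or []:
                if not isinstance(task, dict):
                    continue
                if (task.get("runOptions") or {}).get("runOn") != "folderOpen":
                    continue
                cmds = _task_commands(task) or [("any", f"type={task.get('type')} label={task.get('label')}")]
                for scope, cmd in cmds:
                    findings.append((".vscode/tasks.json", f"runs on folder open [{scope}]: {cmd}"))

    ext_file = root / ".vscode" / "extensions.json"
    if ext_file.is_file():
        ext = _read_jsonc(ext_file)
        if not isinstance(ext, dict):
            findings.append((".vscode/extensions.json", "unparseable, inspect manually"))
        else:
            for rec in ext.get("recommendations") or []:
                findings.append((".vscode/extensions.json", f"recommends extension {rec}"))

    for vsix in sorted(root.rglob("*.vsix")):
        findings.append((vsix.relative_to(root).as_posix(), "VSIX bundled in repository"))
    return findings


def build_sample_repo(root=None):
    """Write a constructed repository (hypothetical names, not the actor's files)."""
    root = Path(root or tempfile.mkdtemp())
    (root / ".vscode").mkdir(parents=True, exist_ok=True)
    (root / ".vscode" / "tasks.json").write_text(
        "{\n"
        "  // hypothetical auto-run task, for illustration only\n"
        '  "version": "2.0.0",\n'
        '  "tasks": [\n'
        '    {"label": "setup", "type": "shell",\n'
        '     "command": "node", "args": ["scripts/setup.js"],\n'
        '     "windows": {"command": "node.exe"},\n'
        '     "runOptions": {"runOn": "folderOpen"},},\n'
        '    {"label": "build", "type": "shell", "command": "npm run build"}\n'
        "  ]\n"
        "}\n",
        encoding="utf-8",
    )
    (root / ".vscode" / "extensions.json").write_text(
        '{"recommendations": ["example.hypothetical-helper"]}', encoding="utf-8"
    )
    (root / "tools").mkdir(exist_ok=True)
    (root / "tools" / "helper.vsix").write_bytes(b"PK\x03\x04")  # placeholder bytes, not a real VSIX
    return root


if __name__ == "__main__":
    for location, finding in audit_repo(build_sample_repo()):
        print(f"{location}: {finding}")
```

A finding from this script is not proof of compromise (many honest projects recommend extensions), but a `folderOpen` task or a bundled VSIX in a repository that arrived through a recruitment or code-review email is exactly the pattern this campaign relies on and should be read in full before the folder is trusted.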
Indicators of Compromise
- ip: 23.137.105.75
- hash: 2812e0847d472cb8870c94f463331dbe53b84135132b9bf5f6d84c2382be628f
- hash: 339907b44f161f57ff30819f422c552382ff437b3ae437463b4222cfe86bd943
- hash: 35813f4401d3ad77b618275473a556eb47bfa6f4b7439dd8943b19f81aa7252e
- hash: 4c0d9b802c075be79e9edb52d88f8dd72e6904f5c58267213745818470945c78
- hash: 4f7a8c3d2e1b5f9071a6b2c8d4e3f50a92b1c7d6e8f4a30b5c2d9e1f7a6b8c4d
- hash: 52886aab179f26421678ff23af1b0fabf0a17ffbb534369cdbbac8008cbed8e7
- hash: 62761f38ed194c59abe15c49f09f0ebc431ac852c965180c9327ed84d3a454fb
- hash: 6cf9f7b2aa456a0b438600588df869b38d8007e28f01fa96022f9d8059f120b0
- hash: 734699773e53d995f20d485eb61261033d9d00b4332b39ca26071bcd60cd352f
- hash: 808e7154b7af2bc7a4b28d577297c55f77221c355191cbe00f9f1810b6d4a619
- hash: 91b9381d19b2e6a2db5cc0307167979b502731cb3fb50da684479e9ed35261aa
- hash: a2b9a769df84d9d3a4694bb0252a2c6a5e5f5d1a85a04565362737092bbb3a86
- hash: bb10adac5b0124efedfe71102c1d5638135ec9e1cde8c8cb3353c5ed91bb9f81
- hash: c935808147f0236c81483d7bbeda4b9d602f3595d5d4057f8115d39e222d1c4b
- hash: d3ebce2f05fe91a8260e87fd11a6ea17c156703d081b3f91d9bbe5fd6aeedc10
- hash: d5e9288693aa745dc89368deac677e7ea1ec81e663283af30838cdae189b7a7e
- hash: e1bf1b29e6fa3525d7f32f429290a88d6ea2890e61c06574b8ff6372aa5d0667
- domain: alphanonega.org
- domain: asteara.org
- domain: careerpredictto.space
- domain: careerpulsynk.xyz
- domain: careertrixauvex.ink
- domain: ceronet.work
- domain: ceronetwork.org
- domain: connectptogether.ink
- domain: contactpredicttogether.ink
- domain: contactpulsynk.ink
- domain: contacttrixauvex.ink
- domain: coslyintra.online
- domain: cotrixauvex.ink
- domain: culyrax.us
- domain: deep-ai-guard.store
- domain: domatisc.ink
- domain: doxxela.ink
- domain: elsavora.us
- domain: empowerpharmacy.space
- domain: hyperdevpipline.org
- domain: mailpredicttogether.ink
- domain: mailpulsynk.xyz
- domain: mailtrixauvex.ink
- domain: migadyn.info
- domain: nemesis.work
- domain: nemesistrade.work
- domain: notifypulsynk.ink
- domain: nowurisch.fit
- domain: nxlog.tech
- domain: ondofinance.tech
- domain: onoplainai.ink
- domain: onoplanoai.ink
- domain: optixauvex.us
- domain: predictcareertogether.space
- domain: predicttocareer.space
- domain: predicttogerecruit.store
- domain: predicttogether.ink
- domain: predicttogetherrecruit.store
- domain: pulsnyk.org
- domain: pulsynk.org
- domain: raxvatange.ink
- domain: recruitptogether.xyz
- domain: recruitvex.us
- domain: talentnexhr.ink
- domain: teampulsynk.team
- domain: togetherhire.fun
- domain: trixauvex.org
- domain: trixauvexnet.ink
- domain: valorecuiting.online
- domain: hr.onoplanoai.ink
- domain: hr.predicttocareer.space
- domain: hr.trixauvex.org
- domain: hr.mailpulsynk.xyz
- domain: hr.pulsynk.org
- domain: hr.recruitvex.us
- domain: hr.mailtrixauvex.ink
- domain: hr.trixauvexnet.ink
- domain: hr.contacttrixauvex.ink
- domain: hr.mailpredicttogether.ink
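To put the indicators above to use, the following added example (written for this page, not code from Proofpoint or AlienVault) matches a subset of the listed domains, IP address and SHA-256 hashes against log lines and a directory tree. Domain matching walks the labels so that a lookup of a subdomain (for example `mail.pulsynk.org`) still matches the listed parent domain, while `notpulsynk.org` does not. The log lines are constructed for the dry run and are not real telemetry; the indicator sets should be extended with the full list above before real use.

```python
"""Match the UNK_DeadDrop indicators listed above against log lines and files.

Example code added for this page; not from Proofpoint or AlienVault.
The sample log lines are constructed, not real telemetry."""
import hashlib
import re
from pathlib import Path

# A subset of the indicators listed on this page; extend with the full list.
IP_ADDRS = {"23.137.105.75"}
DOMAINS = {
    "pulsynk.org", "hr.pulsynk.org", "trixauvex.org", "predicttogether.ink",
    "ondofinance.tech", "nxlog.tech", "hyperdevpipline.org",
}
SHA256 = {
    "2812e0847d472cb8870c94f463331dbe53b84135132b9bf5f6d84c2382be628f",
    "e1bf1b29e6fa3525d7f32f429290a88d6ea2890e61c06574b8ff6372aa5d0667",
}

_IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Dotted hostnames in free text; stops at '/', ':', '=', whitespace and quotes.
_HOST_RE = re.compile(r"[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)+", re.I)


def domain_hit(host):
    """Most specific listed domain that host equals or sits under, else None.

    Walking the labels from the left means hr.pulsynk.org matches the listed
    subdomain itself, while mail.pulsynk.org still matches pulsynk.org and
    notpulsynk.org matches nothing (suffix matching respects label boundaries).
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in DOMAINS:
            return candidate
    return None


def scan_log_line(line):
    """Return [(indicator_type, indicator)] for every listed IP or domain in one line."""
    hits = []
    for ip in _IP_RE.findall(line):
        if ip in IP_ADDRS:
            hits.append(("ip", ip))
    for host in _HOST_RE.findall(line):
        matched = domain_hit(host)  # dotted IPs fall through here and return None
        if matched:
            hits.append(("domain", matched))
    return hits


def scan_log(lines):
    """Return [(line_index, (indicator_type, indicator))] over an iterable of lines."""
    return [(i, hit) for i, line in enumerate(lines) for hit in scan_log_line(line)]


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large artefacts need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def scan_tree(root, hashes=SHA256):
    """Return every regular file under root whose SHA-256 is in the indicator set."""
    return [p for p in sorted(Path(root).rglob("*")) if p.is_file() and sha256_file(p) in hashes]


# Constructed sample DNS/firewall/proxy lines (not real data) for a dry run.
SAMPLE_LOG = [
    "2026-05-03T10:12:01Z dns query=hr.pulsynk.org type=A client=10.0.4.17",
    "2026-05-03T10:12:02Z proxy GET https://careers.example.com/jobs status=200",
    "2026-05-03T10:12:05Z fw allow 10.0.4.17 -> 23.137.105.75:443",
    "2026-05-03T10:13:40Z dns query=api.github.com type=A client=10.0.4.17",
]

if __name__ == "__main__":
    for index, (kind, value) in scan_log(SAMPLE_LOG):
        print(f"line {index}: {kind} indicator {value}")
```

On real logs, feed `scan_log` the lines of a DNS resolver, proxy or firewall export and point `scan_tree` at the developer's home directory and any cloned repositories; a match on a domain or the IP identifies the host that needs token and wallet-key rotation, while a hash match identifies the artefact to collect for analysis.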
Technical Details
- Author: AlienVault
- TLP: WHITE
- Reference: https://www.proofpoint.com/us/blog/threat-insight/dont-fear-repo-unkdeaddrop-phishing-campaign-targets-developers-steal
- Adversary: UNK_DeadDrop
- Pulse ID: 6a2693f169b076341f77f7b6
- Threat Score: none assigned
Threat ID: 6a27d5108dd33fbd85ffccce
Added to database: 6/9/2026, 8:55:44 AM
Last enriched: 6/9/2026, 9:11:03 AM
Last updated: 6/9/2026, 12:38:05 PM