North Korean hackers are intensifying their global campaign against cryptocurrency and Web3 developers, using a new backdoor called AkdoorTea to infiltrate victims’ systems, according to fresh research from Slovak cybersecurity firm ESET.
The operation, tracked under the name DeceptiveDevelopment, overlaps with campaigns known as Contagious Interview, DEV#POPPER, and Void Dokkaebi.
The attackers primarily target software developers across Windows, Linux, and macOS environments by impersonating recruiters on job-hunting platforms such as LinkedIn, Upwork, Freelancer, and Crypto Jobs List, and lure them into downloading malware-laced projects.
“DeceptiveDevelopment’s toolset is mostly multi-platform and consists of initial obfuscated malicious scripts in Python and JavaScript, basic backdoors in Python and Go, and a dark web project in .NET,” ESET researchers Peter Kálnai and Matěj Havránek wrote in a report published on Thursday.
How The Scam Works
The attackers impersonate recruiters offering fake, lucrative job opportunities to attract their targets’ interest. Once a target shows interest in a fake job offer, they are directed to complete the following challenges:
- Coding Assignments – cloning trojanized GitHub projects that secretly install malware.
- Video Assessments – fake interview sites that display fake camera or microphone errors and prompt victims to run terminal commands (the “ClickFix” technique).
The hackers’ toolkit includes information-stealing malware:
- BeaverTail, InvisibleFerret, and WeaselStore – information-stealing malware capable of exfiltrating data from cryptocurrency wallets, keychains, and saved browser logins.
- TsunamiKit – a multi-stage toolkit that sets persistence, deploys .NET spyware, and installs crypto miners like XMRig and NBMiner.
- Tropidoor and PostNapTea – sophisticated remote access trojans linked to Lazarus operations, with capabilities like screen capturing, system reconnaissance, and file manipulation.
- AkdoorTea – the latest payload, hidden inside a file disguised as an NVIDIA driver update, enabling remote control after launching via BeaverTail.
Hybrid Threat Model
ESET points out that the campaign is tied to North Korea’s covert IT worker scheme, known as WageMole. In this operation, workers use stolen or AI-generated identities to secure remote jobs, even relying on real-time face-swapping tools during video interviews. Information stolen through malware campaigns is then recycled to make these fraudulent employment schemes more effective.
Implications
ESET researchers note that DeceptiveDevelopment depends less on technical sophistication and more on creative social engineering and the reuse of dark web tooling.
“Despite often lacking technical sophistication, the group compensates through scale and creative social engineering. Its campaigns demonstrate a pragmatic approach, exploiting open-source tooling, reusing available dark web projects, adapting malware probably rented from other North Korea-aligned groups, and leveraging human vulnerabilities through fake job offers and interview platforms,” ESET researchers added.
“The activities of North Korean IT workers constitute a hybrid threat. This fraud-for-hire scheme combines classical criminal operations, such as identity theft and synthetic identity fraud, with digital tools, which classify it as both a traditional crime and a cybercrime (or e-crime).”
A Dual Threat: Malware And Fraudulent Hiring
Experts warn that North Korea’s hackers are combining malware-driven crypto theft with fraudulent IT hiring, underscoring the blurred lines between state-sponsored espionage and organized cybercrime. This creates a hybrid threat that puts both developers and employers at risk.
Job seekers risk system compromise, while companies risk unknowingly hiring sanctioned North Korean operatives who may later become insider threats – highlighting the urgent need for stronger hiring checks and more vigilant cybersecurity defenses.