Mallory

DeceptiveDevelopment

DeceptiveDevelopment is a North Korean state-sponsored threat actor specializing in elaborate fake IT job recruitment scams. The group targets job seekers globally, particularly in the cryptocurrency and finance sectors, using social engineering on platforms such as LinkedIn, Upwork, Freelancer, and Crypto Jobs List. Victims are lured with fake job opportunities and subjected to staged interviews, during which they are tricked into running malicious terminal commands (the "ClickFix" tactic) or downloading trojanized code from private repositories. The campaign targets Windows, macOS, and Linux systems.

DeceptiveDevelopment employs a multi-stage attack chain, deploying payloads such as BeaverTail (and its JavaScript variant OtterCookie) to steal browser credentials and crypto wallet data; InvisibleFerret, a modular Python backdoor with stealer, payload, clipboard, and remote access components; and Tropidoor, a sophisticated backdoor sharing code with Lazarus Group's PostNapTea malware. The group also uses AkdoorTea, a Windows remote-access payload leveraging legitimate Nvidia components and a trojanized Node.js installer. ESET researchers have observed a 500% increase in ClickFix attacks in the first half of the year.

DeceptiveDevelopment is tracked as distinct from the Lazarus Group but shares malware code and technical sophistication with it, indicating collaboration or code sharing within North Korean cyber operations. The group hands off stolen information to a related actor, WageMole, which poses as job seekers to further the campaign's objectives. The campaign is ongoing, with evolving tooling and infrastructure, and is part of broader North Korean efforts to support fraudulent IT worker schemes and financial theft. The U.S. Department of Justice has taken coordinated action against these operations, including indictments, arrests, and asset seizures.


Recent activity

4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

KnowBe4 blog (news), Oct 3, 2025
North Korean Hackers Target Job Seekers With Social Engineering Tricks

DeceptiveDevelopment is conducting social engineering campaigns targeting job seekers to steal data and support North Korea’s fraudulent IT worker operations. They use fake recruiter profiles and job offers to lure victims into downloading trojanized code or executing malicious commands.

GovInfoSecurity (news), Sep 26, 2025
North Korea Fake Job Recruiters Up Their Backdoor Game

DeceptiveDevelopment is a North Korean threat actor known for posing as recruiters and using fake job offers to social engineer developers into downloading malware. They target Windows, macOS, and Linux users, primarily through social engineering on LinkedIn and freelance marketplaces. Their campaigns involve staged pre-interviews and technical tests that trick victims into running malicious terminal commands, leading to credential and crypto wallet theft, and remote access.

Bank Info Security (news), Sep 26, 2025
North Korea Fake Job Recruiters Up Their Backdoor Game

Same headline and summary as the GovInfoSecurity item above: DeceptiveDevelopment poses as recruiters and uses fake job offers to social engineer developers on Windows, macOS, and Linux into running malicious terminal commands during staged pre-interviews and technical tests, leading to credential and crypto wallet theft and remote access.
Infosecurity Magazine (news), May 20, 2025
Russian APT Groups Intensify Attacks in Europe with Zero-Day Exploits and Wipers

North Korean group using fake job listings and social engineering to distribute malware targeting cryptocurrency, blockchain, and finance sectors.
