DEV#POPPER
DEV#POPPER is a cross-platform Node.js remote access trojan (RAT). In the referenced campaign, a variant identified by version marker 260311 was delivered by the North Korean threat operation Void Dokkaebi, also known as Famous Chollima, as part of fake job interview and software supply chain compromises targeting developers. Victims were lured into cloning GitHub or GitLab repositories presented as coding tests; malware execution was triggered through malicious .vscode/tasks.json files when repositories were opened in Visual Studio Code, and through obfuscated JavaScript injected into repository files that executed during build or run workflows. The campaign also propagated through compromised repositories, creating worm-like spread across developer collaboration environments.
The malware delivery chain used blockchain-backed staging infrastructure. DEV#POPPER payloads were retrieved from blockchain transactions across Tron, Binance Smart Chain, and Aptos. The loader queried hardcoded blockchain data, retrieved encrypted payload material, XOR-decrypted it, and executed it, allowing operators to rotate wallet addresses and transaction hashes and update payloads dynamically without changing the malware code.
Observed DEV#POPPER capabilities include support for multiple simultaneous operators via independent command queues; command-and-control over WebSocket using socket.io-client; and HTTP endpoints including /verify-human/[VERSION] for heartbeat and notification and /u/f for file uploads, directory exfiltration, and logging. The malware was reported to avoid CI/CD and sandbox environments including GitLab CI and BuildBot, executing only on real developer workstations. Persistence mechanisms described for the analyzed variant include injecting versioned code marked C250617A through C250620A into developer applications such as Antigravity, VS Code, Cursor, Discord, and GitHub Desktop, and creating a hidden .node_modules folder to abuse Node.js module search order hijacking. DEV#POPPER was also linked in reporting to broader Void Dokkaebi infrastructure associated with other malware families including InvisibleFerret, OtterCookie, OmniStealer, and BeaverTail.
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Groups observed using it
1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
The malware, including a variant of the DEV#POPPER remote access trojan, retrieves encrypted payloads from blockchain transactions, decrypts them, and executes them on infected systems.
Techniques & procedures
3 distinct techniques documented for this family, organized by ATT&CK tactic.
Execution
1 techniqueHowever, the obfuscated JavaScript injected into source code files (flow 2) is part of a more complex approach. It functions as a multistage loader, which is designed to retrieve and execute payloads from blockchain infrastructure.
Command and Control
2 techniquesVoid Dokkaebi uses blockchain networks such as Tron, Aptos, and Binance Smart Chain to host and deliver malware payloads. The malware, including a variant of the DEV#POPPER remote access trojan, retrieves encrypted payloads from blockchain transactions, decrypts them, and executes them on infected systems.
When the project is opened and the developer trusts the workspace, the task executes automatically, downloading and running malware in the background.
IOCs tracked for this family
8 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A remote access trojan deployed in a self-spreading supply chain intrusion campaign targeting developers through malicious GitHub or GitLab repositories and illicit Visual Studio Code task configurations.
A remote access trojan used in Void Dokkaebi's campaign that fetches encrypted payloads from blockchain transactions, decrypts them, and executes them on compromised developer systems, enabling dynamic payload updates.
A cross-platform Node.js remote access trojan delivered via downloader and multistage blockchain-based loader infrastructure. This variant supports multi-operator session management, communicates over WebSocket and HTTP for C2 and exfiltration, avoids CI/CD and cloud sandbox environments, and persists by injecting versioned code into developer applications and abusing a hidden .node_modules folder for module search order hijacking.
Remote access trojan (RAT) referenced in the context of North Korean (DPRK) activity; specific capabilities are not described in the provided content.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.