Overlord

Between April and May 2026, Proofpoint Threat Research observed a likely North Korean threat actor conducting phishing campaigns using developer role recruitment or code review themes... The infection chain begins with emails containing links to actor-controlled GitHub repositories...

The emails contained links to GitHub repositories masquerading as technical assignments or cryptocurrency-related projects. The instructions encouraged the target to clone the repository and open it in an editor such as VS Code or Cursor.

The hidden tasks.json file defines a task with runOptions.runOn: "folderOpen", a VS Code feature that executes the task automatically when the folder is opened in the editor.

The task definition specifies the platform-specific commands that will be executed when the task runs: Linux/macOS: /bin/bash vendor/run-update.sh Windows: wscript.exe //B //Nologo vendor/run-update-hidden-launch.vbs

The tasks.json file launches run-update-hidden-launch.vbs via wscript.exe //B (hidden window), which calls run-update.cmd.

Linux/macOS: /bin/bash vendor/run-update.sh

The tasks.json file launches run-update-hidden-launch.vbs via wscript.exe //B (hidden window), which calls run-update.cmd.

Once Python is available, the credential stealer (detect_malware.py) is executed for each browser profile.

Unlike Linux/macOS, the Windows attack does not deploy a Go binary. It runs entirely as JavaScript inside the editor's Electron process using ELECTRON_RUN_AS_NODE=1...

The campaigns abused Visual Studio Code workflows and deployed a stealthy new technique using malicious Visual Studio Extensions (VSIX) that requires minimal user interaction.

The instructions encouraged the target to clone the repository and open it in an editor such as VS Code or Cursor. A pre-configured task executes silently when the user opens the repository folder in the IDE...

Inside the hidden vscode folder, there is a file called tasks.json that will execute either a shell script or .cmd file... when the repository is opened in Cursor or VS Code.

The hidden tasks.json file defines a task with runOptions.runOn: "folderOpen", a VS Code feature that executes the task automatically when the folder is opened in the editor.

Every time the user opens VS Code or Cursor on macOS or Linux, the VSIX extension activates, checks whether the subsequent infection portions are already running, and re-launches them if not.

The hidden tasks.json file defines a task with runOptions.runOn: "folderOpen", a VS Code feature that executes the task automatically when the folder is opened in the editor.

Every time the user opens VS Code or Cursor on macOS or Linux, the VSIX extension activates, checks whether the subsequent infection portions are already running, and re-launches them if not.

For Chrome, Edge, and Brave, elevated privileges are required to access credentials protected by App-Bound Encryption. COM Elevation Moniker is used to elevate privileges silently. If this fails, it falls back to Start-Process -Verb RunAs...

COM Elevation Moniker is used to elevate privileges silently. If this fails, it falls back to Start-Process -Verb RunAs, which displays the standard Windows UAC dialog.

The initial launcher (run-update.sh) is a bash script with an embedded Base64-encoded payload... The CMD file decodes an embedded script... The three encrypted payloads are decrypted at runtime using the hardcoded AES-256-GCM key...

The loader installs a malicious VS Code extension (VSIX) masquerading as a legitimate Google service.

The infection chain finishes by deleting malicious payloads and directories from the cloned repository in an effort to clean up forensic artifacts, while maintaining persistence through the VSIX extension.

It also schedules cleanup of vendor/ and .vscode/ via a background subshell that survives editor shutdown.

The CMD file decodes an embedded script... The three encrypted payloads are decrypted at runtime using the hardcoded AES-256-GCM key...

The Linux backdoor uses Zenity... to create a prompt to collect user credentials. ... a second embedded Mach-O binary named darwin-password-prompt creates a fake system dialogue to prompt the user to enter their password.

The credential theft uses a second embedded Mach-O binary named darwin-password-prompt that creates a fake system dialogue to prompt the user to enter their password... The Linux backdoor uses Zenity... to create a prompt to collect user credentials.

The threat actor added three custom modules: browserlogin (Chrome and Firefox credential theft)...

The payloads communicate with a hardcoded C&C server, enabling remote command execution, system reconnaissance, followed by exfiltration of browser wallet extensions, decrypted credentials...

Password extraction from Chromium browsers via DPAPI + App-Bound Encryption bypass... Firefox credential extraction via key4.db + logins.json

After password validation, the malware modifies Keychain ACLs for the following browsers... Safe Storage keys are then extracted. Following credential gathering, the backdoor re-launches itself as root... dump the entire login keychain.

The payloads communicate with a hardcoded C&C server, enabling remote command execution, system reconnaissance...

The payloads communicate with a hardcoded C&C server... followed by exfiltration of browser wallet extensions, decrypted credentials, and desktop wallets.

The Linux backdoor uses Zenity... to create a prompt to collect user credentials. ... a second embedded Mach-O binary named darwin-password-prompt creates a fake system dialogue to prompt the user to enter their password.

The credential theft uses a second embedded Mach-O binary named darwin-password-prompt that creates a fake system dialogue to prompt the user to enter their password... The Linux backdoor uses Zenity... to create a prompt to collect user credentials.

Overlord first collects wallet extension data, browser profile artifacts, and standalone wallet directories, packaging them into a ZIP and uploading to the C&C server.

Once Overlord is running, it immediately establishes a persistent WebSocket connection to the C&C server at 23.137.105.75:5173.

After both phases are complete, the stolen data is uploaded to the C&C server at 23.137.105.75:5173 via HTTP POST.

these binaries function as full RATs with persistent WebSocket connectivity.

The Linux and macOS infection chains use native Go binaries derived from the open-source Overlord C&C framework... these binaries function as full RATs with persistent WebSocket connectivity.

The collected credentials, Safe Storage keys, and keychain data are then packaged as ZIP files and uploaded to the C&C via the persistent WebSocket connection.