Campaigns targeting software developers through social engineering


Threat actors are employing new tactics and persistently targeting software developers through social engineering.

The DEV#POPPER campaign continues to evolve, with North Korean threat actors now deploying malware that targets developers across Linux, Windows, and macOS platforms. The Securonix Threat Research team has identified new, more robust malware variants linked to this campaign, which remains focused on social engineering tactics to compromise industry professionals.

Despite no specific trend in victimology, the campaign’s impact is widespread, affecting individuals in South Korea, North America, Europe, and the Middle East. The adversaries’ advanced techniques exploit human vulnerabilities, leveraging psychological manipulation to deceive victims into compromising sensitive information or their organizations.

Dev popper malware

Posing as job interviewers, the attackers exploit developers' trust to get them to download a zip file (onlinestoreforhirog.zip). The archive contains a package that is run with “npm install” and “npm start”; once it has been executed, the attacker has access to the victim’s computer.

The JavaScript code utilized in the DEV#POPPER campaign is heavily obfuscated, employing multiple techniques to conceal its true functionality. These methods include:

  • Base64 Encoding: Numerous strings are encoded in Base64 and only decoded during runtime, making the code difficult to analyze directly.
  • Dynamic Function and Variable Names: The code uses randomized variable and function names, which are hidden behind decoded strings. This obscures the actual functions and modules being called.
  • Concatenation and Split Strings: Plain-text strings are broken down into small segments, which are then pieced together during compilation, further complicating code analysis.
  • Prototyping Obfuscation: By modifying prototypes like Object.prototype.toString, the code hinders attempts to uncover the true intent of the strings.

These obfuscation techniques create significant challenges for analysts trying to understand the malware’s behavior, highlighting the sophistication of the DEV#POPPER campaign.
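As a defensive illustration of the four traits listed above, the following added example (not code from the original report or from the campaign) statically scans a JavaScript source string without executing it. The regular expressions, the `_0x` naming heuristic, the thresholds and the sample strings are assumptions made for this sketch.

```javascript
// Added example: static triage for the obfuscation traits listed above.
// Patterns and thresholds are assumptions chosen for illustration.
const B64_LITERAL = /(["'`])([A-Za-z0-9+\/]{16,}={0,2})\1/g;
const SPLIT_CONCAT = /(["'`])[^"'`\n]{1,4}\1\s*\+\s*(["'`])[^"'`\n]{1,4}\2/g;
const PROTO_WRITE = /\b(?:Object|Function|Array|String)\.prototype\.(\w+)\s*=(?!=)/g;
const HEX_NAME = /\b_0x[0-9a-f]{3,}\b/g; // naming style common to JS obfuscators

// Decode a candidate literal; keep it only if the result is mostly printable
// ASCII, which filters out hashes and other random-looking tokens.
function decodePrintable(b64) {
  if (b64.length % 4 !== 0) return null;
  const buf = Buffer.from(b64, "base64");
  if (buf.length === 0) return null;
  let printable = 0;
  for (const byte of buf) if (byte >= 0x20 && byte < 0x7f) printable++;
  return printable / buf.length >= 0.9 ? buf.toString("latin1") : null;
}

function scanSource(src) {
  const decodedStrings = [...src.matchAll(B64_LITERAL)]
    .map((m) => decodePrintable(m[2]))
    .filter((s) => s !== null);
  const report = {
    decodedStrings,
    splitConcats: [...src.matchAll(SPLIT_CONCAT)].length,
    prototypeWrites: [...src.matchAll(PROTO_WRITE)].map((m) => m[1]),
    hexNames: new Set(src.match(HEX_NAME) || []).size,
  };
  // Count how many distinct traits are present; two or more warrants review.
  report.traits = [
    decodedStrings.length > 0,
    report.splitConcats >= 2,
    report.prototypeWrites.length > 0,
    report.hexNames >= 2,
  ].filter(Boolean).length;
  report.needsReview = report.traits >= 2;
  return report;
}

// Constructed, harmless samples (not taken from the campaign's package).
const encoded = Buffer.from("http://example.invalid/api").toString("base64");
const SUSPICIOUS = [
  `var _0x3fa1 = "${encoded}";`,
  'var _0x51bc = "chi" + "ld_" + "pro" + "cess";',
  'Object.prototype.toString = function () { return "[object Object]"; };',
].join("\n");
const BENIGN = 'const sha1 = "da39a3ee5e6b4b0d3255bfef95601890afd80709";\n' +
  'module.exports = (a, b) => a + b;';
console.log(scanSource(SUSPICIOUS), scanSource(BENIGN));
```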

A function prepares a form data object containing system information and other collected data, which is then sent to the command-and-control (C2) server. The submitted data includes:

  • Hostname
  • Platform (OS name)
  • Timestamp
  • Current Time: The timestamp when the data is sent helps the C2 server log and analyze the timeline of the collected information.
  • System Identifier: A unique identifier categorizes the type of data being sent, aiding in processing or organizing the data on the server.
  • Host Identifier: Another unique identifier tracks which machine the data came from, enabling the server to associate the data with the specific infected host.

We should always be cautious about what we run on our computers. We need a culture of cybersecurity in which we stay alert to any irregularity, as in the case of DEV#POPPER, where victims are told to run code without knowing its provenance. That is why cybersecurity awareness is very important, not only at work but also in our daily lives. Here at Piscium we encourage and train people to reduce the risks of social engineering.

