DeceptiveDevelopment: From primitive crypto theft to sophisticated AI-based deception

Sept. 30, 2025, 2:10 p.m.

Description

This analysis delves into the operations of DeceptiveDevelopment, a North Korea-aligned threat actor, and its connections to North Korean IT worker campaigns. The group targets software developers across major systems, focusing on cryptocurrency and Web3 projects. They use social engineering techniques like fake job offers and the ClickFix method to deliver malware. Their toolset includes multiplatform malware such as BeaverTail, InvisibleFerret, WeaselStore, and TsunamiKit. The group shows links to other North Korean cyber operations through shared malware like Tropidoor and AkdoorTea. The analysis also explores the activities of North Korean IT workers, who use stolen identities and AI-generated content to secure remote jobs, highlighting the interconnected nature of these cyber threats.

External References

https://github.com/eset/malware-ioc/tree/master/deceptivedevelopment
https://www.welivesecurity.com/en/eset-research/deceptivedevelopment-from-primitive-crypto-theft-to-sophisticated-ai-based-deception
https://otx.alienvault.com/pulse/68d56dd09ac2cd6557e9f7f6
Tags
social engineering
north korea
cryptocurrency
remote access
information theft
beavertail
invisibleferret
ottercookie
tropidoor
multiplatform
2025-09-25
weaselstore
postnaptea
tsunamikit
job offers
akdoortea

Date

  • Created: Sept. 25, 2025, 4:29 p.m.
  • Published: Sept. 25, 2025, 4:29 p.m.
  • Modified: Sept. 30, 2025, 2:10 p.m.

Indicators

  • fffb98ec9d21a701aa30b40b340b5a61de0f77846fc0c1eb685a3abe83d1607d
  • f855e04d69dce32e062e4a08b073e684e28f3a4f4f8a23e50e764934b4a45e42
  • e967097a02185995ae58cded08f57e8984152124a3a34adc9543bd4ca1569e5e
  • e46f6971a605f09f1794977ae8771d2f51a226ec98c3a2cad193d2f84c0a70d9
  • a4e4d0e8cdac007183da7696c870ae0619d36f66981efaa8b8770947c0d59e6a
  • c67e8f51c086ce3c7f6fbd3e0d6d29212def08c321197449afbaecdd799173f1
  • bd2453a41ba1c06929fcdd474a059b149089f36a7407c474de8369c0ee68b682
  • 98b70e04625017ad87c3d27aed5edecdff3a8bc5bd33682b64685b358b785d88
  • 95716db687bbe1c4c9af2597a3dd26b61ebe807fb4d0a150255b8e0ed197c9a9
  • 93f11750014fa65066ffa7f7896c3a5b127ef8e68a4062a38610931057fe3dae
  • 76c51fceb086df2a38c0e21e184b0a05b17bccb348d6990d7281fa630074c670
  • 60ec2dbe8cfacdff1d4eb093032b0307e52cc68feb1f67487d9f401017c3edd7
  • 5df555b868c08eed8fea2c5f1bc82c5972f2dd69159b2fdb6a8b40ab6d7a1830
  • 4c2729dd1e87d988c8a16436877267a95d97f587222bdb70a80e87f6c4de020d
  • 4593589ca6cb47339eba8a62b88b30fddce6c05bdd0c6964268b82fdd690176a
  • 420af4aaac771db407ca02ca51912a22ead82b189bad87362b8ad4811bb94a37
  • 3f424b477ac16463e871726cbb106d41574d2d0e910dee035fbd23241515e770
  • 3697852e593cec371245f6a7aaa388176e514b3e63813fdb136a0301969291ea
  • 34b6fc9024591e7a107ffbdfb77e788ec2dd83943ab4ba4889b9996ca08260b8
  • 1fd921159de8ccf3c33c7ad3d52a4186c2695b858435e8e327c4d95a8d1b048a
  • 08a30915045f66bc518c62f0a39dbfc678e713435f9b28a6ebd4bd4861f2d2a7
  • 05c56f6e7215fb32aee98a24cb14c402f3938476d789a74812694056dd2c1d9a
  • 979d20f83f4e992f96f6a23b5119e84959ce82f4a7d4af78b4094b87a05b6260
  • 61525e782cde36d5ed807084f6427d06f2915114b8dc7b33febd3b2566115541
  • 86.104.72.247
  • 103.35.190.170
  • 116.125.126.38
  • 45.8.146.93
  • 45.159.248.110
  • 103.231.75.101
  • www.royalsevres.com
  • n34kr3z26f3jzp4ckmwuv5ipqyatumdxhgjgsmucc65jac56khdy5zqd.onion
  • driverservices.store
Download all indicators here!

Attack Patterns

  • DeceptiveDevelopment

Additional Informations

  • Technology
  • Finance
  • Kenya
  • Colombia
  • Canada