A new malware campaign targeting freelance developers has been using deceptive job advertisements to trick them into downloading malicious software disguised as legitimate tools.
The campaign primarily spreads through GitHub repositories and relies on freelancers’ eagerness to secure remote work opportunities.
The attackers pose as reputable companies, offering freelance developers attractive job opportunities. To make their deception convincing, they set up fake websites and distribute malicious software under the guise of professional development tools.
Once downloaded, the malware can compromise the victim’s system, allowing attackers to steal credentials or install additional payloads.
ESET researchers have linked the campaign to a threat actor they call “DeceptiveDevelopment.” The group specializes in targeting freelance platforms and coding communities to spread malware. Victims are often directed to GitHub, where malicious repositories host tools laden with hidden threats.
“DeceptiveDevelopment was first publicly described by Phylum and Unit 42 in 2023 and has already been partially documented under the names Contagious Interview and DEV#POPPER,” ESET wrote.
“We have conducted further analysis of this activity cluster and its operator’s initial access methods, network infrastructure, and toolset, including new versions of the two malware families used by DeceptiveDevelopment – InvisibleFerret and […] BeaverTail.”
The malware uses various techniques to evade detection and persist on compromised systems. ESET noted that it collects sensitive information, including saved login credentials, and can deliver additional malware payloads remotely.
Developers are advised to exercise caution when applying for freelance opportunities online. Verifying job offers and researching potential employers can help mitigate risks.
Experts also recommend avoiding downloads from unfamiliar GitHub repositories and keeping systems updated with robust security software.
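As an added example (not code from ESET or from this article), the check below is one a developer could run over a repository received as a job "assignment" before installing or executing anything in it: it lists package.json lifecycle hooks that run at install time and flags long, high-entropy JavaScript lines that suggest packed or obfuscated code. The hook names, the thresholds and the sample package.json are assumptions; the output is a triage aid, not a verdict.

```python
"""Pre-run hygiene check for a cloned repository (added example, heuristic only)."""
import json
import math
from pathlib import Path

# Assumed: npm scripts that execute automatically during `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")
LONG_LINE = 500      # characters; assumed threshold for "suspiciously long"
MIN_ENTROPY = 5.0    # bits/char; assumed threshold for "looks packed"

def shannon_entropy(s: str) -> float:
    """Bits per character of the string; high values suggest encoded/packed data."""
    if not s:
        return 0.0
    counts: dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def check_package_json(text: str) -> list[str]:
    """Return findings for install-time lifecycle hooks declared in package.json."""
    try:
        data = json.loads(text)
    except json.JSONDecodeError:
        return ["package.json: not valid JSON"]
    scripts = data.get("scripts", {})
    return [f"package.json: lifecycle hook '{k}' -> {v}"
            for k, v in scripts.items() if k in INSTALL_HOOKS]

def check_js_source(name: str, text: str) -> list[str]:
    """Flag long, high-entropy lines typical of obfuscated JavaScript."""
    findings = []
    for i, line in enumerate(text.splitlines(), 1):
        if len(line) > LONG_LINE and shannon_entropy(line) > MIN_ENTROPY:
            findings.append(f"{name}:{i}: {len(line)}-char line, "
                            f"entropy {shannon_entropy(line):.1f}")
    return findings

def scan_repo(root: str) -> list[str]:
    """Walk a checkout (skipping node_modules) and collect findings from both checks."""
    findings = []
    for path in Path(root).rglob("*"):
        if "node_modules" in path.parts or not path.is_file():
            continue
        if path.name == "package.json":
            findings += check_package_json(path.read_text(errors="ignore"))
        elif path.suffix == ".js":
            findings += check_js_source(str(path.relative_to(root)),
                                        path.read_text(errors="ignore"))
    return findings

# Constructed sample, not taken from the campaign: a package.json that runs code at install.
SAMPLE_PACKAGE_JSON = '{"name": "coding-test", "scripts": {"postinstall": "node .config/setup.js", "test": "jest"}}'

if __name__ == "__main__":
    for finding in check_package_json(SAMPLE_PACKAGE_JSON):
        print(finding)
```

Run it as `python check_repo.py` for the embedded sample, or call `scan_repo("path/to/checkout")` on a cloned repository before `npm install`.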
“The DeceptiveDevelopment cluster is an addition to an already large collection of money-making schemes employed by North Korea-aligned actors and conforms to an ongoing trend of shifting focus from traditional money to cryptocurrencies,” ESET explained.
“We observed it go from primitive tools and techniques to more advanced and capable malware, as well as more polished techniques to lure in victims and deploy the malware. Any online job-hunting and freelancing platform can be at risk of being abused for malware distribution by fake recruiters.”
As freelance work continues to grow, threat actors are likely to exploit this evolving ecosystem. Developers and companies alike must implement stronger protections to defend against such targeted threats.