Executive Summary
A Proofpoint Threat Research report published on 8 June 2026 detailed a phishing campaign tracked as UNK_DeadDrop targeting software developers across multiple organizations. The campaign uses fake recruitment and code review lures to convince developers to download malicious project files from GitHub repositories. Once executed, the malware is designed to compromise developer workstations and facilitate the theft of sensitive information, including credentials and cryptocurrency assets.
Proofpoint assessed that the activity aligns with tactics commonly associated with North Korean threat actors targeting the cryptocurrency sector. The campaign highlights the continued use of social engineering and trusted developer platforms to gain access to high-value targets.
Key Takeaways
- Proofpoint identified the activity as UNK_DeadDrop, a phishing campaign targeting software developers through fake recruitment opportunities and code review requests.
- The campaign leveraged GitHub repositories containing malicious project files, using legitimate developer workflows to increase the likelihood of execution.
- Victims were directed to download and execute code from attacker-controlled repositories, resulting in the deployment of malware on developer systems.
- The malware conducts credential theft by extracting passwords from Chromium-based browsers, harvesting Firefox credentials, stealing browser cookies from Chrome, Edge, and Brave, and leveraging multiple techniques to access protected browser databases.
- The malware was observed targeting sensitive developer information, including credentials, authentication tokens, and cryptocurrency-related assets.
- Proofpoint assessed that UNK_DeadDrop shares multiple characteristics with previously documented North Korea-aligned campaigns, including Contagious Interview activity reported by OpenSourceMalware, Microsoft, and JAMF, with observed overlaps in developer targeting, cryptocurrency theft, credential theft, GitHub-based delivery, and cross-platform malware deployment.
- The campaign specifically abused trusted platforms and services commonly used by developers, including GitHub-hosted repositories, to evade suspicion and increase user interaction.
IOCs
The Proofpoint threat research team has provided the following list of indicators of compromise (IOCs):
Indicator | Type |
--- | --- |
alex@contacttrixauvex[.]ink | Email address |
alex@mailpredicttogether[.]ink | Email address |
alex@predicttocareer[.]space | Email address |
alex@pulsynk[.]org | Email address |
alex@trixauvexnet[.]ink | Email address |
[email protected][.]ink | Email address |
[email protected][.]space | Email address |
[email protected][.]org | Email address |
[email protected][.]xyz | Email address |
[email protected][.]org | Email address |
[email protected][.]org | Email address |
[email protected][.]us | Email address |
[email protected][.]ink | Email address |
[email protected][.]org | Email address |
[email protected][.]ink | Email address |
[email protected][.]ink | Email address |
[email protected][.]ink | Email address |
[email protected][.]ink | Email address |
[email protected][.]space | Email address |
[email protected][.]us | Email address |
[email protected][.]org | Email address |
[email protected][.]ink | Email address |
[email protected][.]org | Email address |
[email protected][.]org | Email address |
[email protected][.]ink | Email address |
[email protected][.]ink | Email address |
[email protected][.]space | Email address |
[email protected][.]ink | Email address |
[email protected][.]ink | Email address |
[email protected][.]ink | Email address |
[email protected][.]org | Email address |
dalbir@empowerpharmacy[.]space | Email address |
dianaberendi@nxlog[.]tech | Email address |
gusb@ondofinance[.]tech | Email address |
jasen@empowerpharmacy[.]space | Email address |
joshc@ondofinance[.]tech | Email address |
jovanav@nxlog[.]tech | Email address |
michaelw@ondofinance[.]tech | Email address |
neila@ondofinance[.]tech | Email address |
oladotuna@ondofinance[.]tech | Email address |
sarikasinha@nxlog[.]tech | Email address |
sladjanas@nxlog[.]tech | Email address |
valerie@empowerpharmacy[.]space | Email address |
vanjamirkovic@nxlog[.]tech | Email address |
nemesistrade[.]work | Domain |
ceronet[.]work | Domain |
deep-ai-guard[.]store | Domain |
ceronetwork[.]org | Domain |
culyrax[.]us | Domain |
elsavora[.]us | Domain |
optixauvex[.]us | Domain |
recruitvex[.]us | Domain |
talentnexhr[.]ink | Domain |
onoplanoai[.]ink | Domain |
trixauvexnet[.]ink | Domain |
recruitptogether[.]xyz | Domain |
contactpredicttogether[.]ink | Domain |
connectptogether[.]ink | Domain |
notifypulsynk[.]ink | Domain |
contactpulsynk[.]ink | Domain |
contacttrixauvex[.]ink | Domain |
trixauvex[.]org | Domain |
careertrixauvex[.]ink | Domain |
cotrixauvex[.]ink | Domain |
pulsynk[.]org | Domain |
mailtrixauvex[.]ink | Domain |
teampulsynk[.]team | Domain |
careerpulsynk[.]xyz | Domain |
mailpulsynk[.]xyz | Domain |
mailpredicttogether[.]ink | Domain |
predicttogetherrecruit[.]store | Domain |
predicttogerecruit[.]store | Domain |
predicttogether[.]ink | Domain |
careerpredictto[.]space | Domain |
togetherhire[.]fun | Domain |
predictcareertogether[.]space | Domain |
predicttocareer[.]space | Domain |
nowurisch[.]fit | Domain |
hyperdevpipline[.]org | Domain |
asteara[.]org | Domain |
doxxela[.]ink | Domain |
coslyintra[.]online | Domain |
valorecuiting[.]online | Domain |
onoplainai[.]ink | Domain |
raxvatange[.]ink | Domain |
alphanonega[.]org | Domain |
domatisc[.]ink | Domain |
migadyn[.]info | Domain |
empowerpharmacy[.]space | Domain |
nxlog[.]tech | Domain |
ondofinance[.]tech | Domain |
170.205.29[.]83 | IP address |
170.205.30[.]227 | IP address |
hxxps://github[.]com/Pulsynk/pulsynk | URL |
hxxps://github[.]com/Trixauvex-org/trixauvex | URL |
hxxps://github[.]com/PedrinPY/rekt-db | URL |
hxxps://github[.]com/sr-werney/forge-4626invariants | URL |
hxxps://github[.]com/wayout4u/rekt-db | URL |
hxxps://github[.]com/ziobiri/forge-4626-invariants | URL |
hxxps://github[.]com/skyjum/x402-kit | URL |
hxxps://github[.]com/Stomp47/rekt-db | URL |
hxxps://github[.]com/mireles343/forge-4626invariants | URL |
hxxps://gitlab[.]com/pulsynk-org/rekt-db.git | URL |
hxxps://gitlab[.]com/trixauvex-org/x402-kit.git | URL |
hxxps://gitlab[.]com/predict-together/forge-4626invariants.git | URL |
hxxps://github[.]com/rkama411/x402-kit | URL |
23.137.105[.]75 | IP address |
35813f4401d3ad77b618275473a556eb47bfa6f4b7439dd8943b19f81aa7252e | SHA256 |
c935808147f0236c81483d7bbeda4b9d602f3595d5d4057f8115d39e222d1c4b | SHA256 |
4c0d9b802c075be79e9edb52d88f8dd72e6904f5c58267213745818470945c78 | SHA256 |
62761f38ed194c59abe15c49f09f0ebc431ac852c965180c9327ed84d3a454fb | SHA256 |
d3ebce2f05fe91a8260e87fd11a6ea17c156703d081b3f91d9bbe5fd6aeedc10 | SHA256 |
91b9381d19b2e6a2db5cc0307167979b502731cb3fb50da684479e9ed35261aa | SHA256 |
6cf9f7b2aa456a0b438600588df869b38d8007e28f01fa96022f9d8059f120b0 | SHA256 |
2812e0847d472cb8870c94f463331dbe53b84135132b9bf5f6d84c2382be628f | SHA256 |
52886aab179f26421678ff23af1b0fabf0a17ffbb534369cdbbac8008cbed8e7 | SHA256 |
d5e9288693aa745dc89368deac677e7ea1ec81e663283af30838cdae189b7a7e | SHA256 |
734699773e53d995f20d485eb61261033d9d00b4332b39ca26071bcd60cd352f | SHA256 |
e1bf1b29e6fa3525d7f32f429290a88d6ea2890e61c06574b8ff6372aa5d0667 | SHA256 |
a2b9a769df84d9d3a4694bb0252a2c6a5e5f5d1a85a04565362737092bbb3a86 | SHA256 |
bb10adac5b0124efedfe71102c1d5638135ec9e1cde8c8cb3353c5ed91bb9f81 | SHA256 |
339907b44f161f57ff30819f422c552382ff437b3ae437463b4222cfe86bd943 | SHA256 |
808e7154b7af2bc7a4b28d577297c55f77221c355191cbe00f9f1810b6d4a619 | SHA256 |
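The IOC table above is published defanged (`[.]`, `hxxps`), so it cannot be matched against telemetry as-is. The following script is an added example, not Proofpoint's code or tooling: it refangs a small subset of the table (copied from the rows above), then scans a handful of constructed DNS, proxy, EDR, firewall and mail log lines for domains, subdomains, URLs, IP addresses, email addresses and SHA256 hashes. The log lines, hostnames and timestamps in `SAMPLE_LOG` are invented for the example. Domain matching requires a label boundary, because a plain substring check would wrongly flag `predicttogether[.]ink` inside `mailpredicttogether[.]ink`, both of which appear in the table.

```python
import re
from collections import defaultdict
from typing import Optional

# Constructed subset of the defanged IOC table above (rows copied verbatim);
# a real deployment would load the full list from a file or an intel feed.
IOC_TABLE = """
alex@contacttrixauvex[.]ink | Email address |
contactpulsynk[.]ink | Domain |
predicttogether[.]ink | Domain |
mailpredicttogether[.]ink | Domain |
pulsynk[.]org | Domain |
170.205.29[.]83 | IP address |
hxxps://github[.]com/Pulsynk/pulsynk | URL |
35813f4401d3ad77b618275473a556eb47bfa6f4b7439dd8943b19f81aa7252e | SHA256 |
"""

# Constructed sample log lines; hostnames, timestamps and fields are invented.
SAMPLE_LOG = [
    "2026-06-09T09:14:03Z dns host=dev-ws-17 qname=contactpulsynk.ink rcode=NOERROR",
    "2026-06-09T09:15:41Z proxy host=dev-ws-17 method=GET url=https://github.com/Pulsynk/pulsynk",
    "2026-06-09T09:16:02Z dns host=dev-ws-17 qname=api.mailpredicttogether.ink rcode=NOERROR",
    "2026-06-09T09:17:30Z edr host=dev-ws-17 event=file_create sha256=35813f4401d3ad77b618275473a556eb47bfa6f4b7439dd8943b19f81aa7252e",
    "2026-06-09T09:18:11Z fw host=dev-ws-17 dst=170.205.29.83 dport=443 action=allow",
    '2026-06-09T09:20:00Z mail host=mx-1 from=alex@contacttrixauvex.ink subject="Code review request"',
    "2026-06-09T09:21:09Z dns host=dev-ws-02 qname=registry.npmjs.org rcode=NOERROR",
]

EMAIL_RE = re.compile(r"[a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]{2,}")
HOST_RE = re.compile(r"[a-z0-9][a-z0-9.-]*\.[a-z]{2,}")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b")


def refang(value: str) -> str:
    """Turn a defanged indicator back into its matchable, lowercased form."""
    return value.replace("[.]", ".").replace("hxxp", "http").lower()


def parse_iocs(table: str) -> dict:
    """Parse 'indicator | type |' rows into {type: set(refanged indicators)}."""
    iocs = defaultdict(set)
    for row in table.strip().splitlines():
        cells = [c.strip() for c in row.strip().strip("|").split("|")]
        if len(cells) < 2 or not cells[0] or cells[0].lower() == "indicator":
            continue
        iocs[cells[1]].add(refang(cells[0]))
    return dict(iocs)


def host_matches(host: str, domains: set) -> Optional[str]:
    """Return the IOC domain that `host` equals or is a subdomain of, else None.
    The '.' boundary stops mailpredicttogether.ink from matching predicttogether.ink."""
    if host in domains:
        return host
    for d in domains:
        if host.endswith("." + d):
            return d
    return None


def scan_line(line: str, iocs: dict) -> list:
    """Return (type, indicator) pairs for every IOC present in one log line."""
    text = line.lower()
    hits = []
    for email in EMAIL_RE.findall(text):
        if email in iocs.get("Email address", set()):
            hits.append(("Email address", email))
    for host in HOST_RE.findall(text):
        d = host_matches(host, iocs.get("Domain", set()))
        if d:
            hits.append(("Domain", d))
    for ip in IPV4_RE.findall(text):
        if ip in iocs.get("IP address", set()):
            hits.append(("IP address", ip))
    for digest in SHA256_RE.findall(text):
        if digest in iocs.get("SHA256", set()):
            hits.append(("SHA256", digest))
    for url in iocs.get("URL", set()):
        if url in text:  # covers proxy logs and git remote URLs alike
            hits.append(("URL", url))
    return list(dict.fromkeys(hits))  # dedupe, keep first-seen order


def scan_log(lines: list, iocs: dict) -> list:
    """Return (line_index, type, indicator) for every hit across the log."""
    results = []
    for i, line in enumerate(lines):
        for kind, indicator in scan_line(line, iocs):
            results.append((i, kind, indicator))
    return results


if __name__ == "__main__":
    for idx, kind, indicator in scan_log(SAMPLE_LOG, parse_iocs(IOC_TABLE)):
        print(f"line {idx}: {kind} match -> {indicator}")
```

The URL check is a plain substring test on the refanged repository URL, so the same scan can be run over a developer's shell history or the `remote.origin.url` of cloned repositories, which is where a lure delivered as a "code review" request would leave a trace. The benign `registry.npmjs.org` line and the `api.` subdomain line show the two behaviours a practitioner should confirm before trusting such a scanner: no hit on unrelated hosts, and exactly one hit for a subdomain of a listed domain.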