Thursday 25 September 14:30 - 15:00, Green room
Matej Havranek (ESET)
DeceptiveDevelopment, also known as ContagiousInterview, is a North Korea-aligned threat actor operating since late 2023, actively focused on cryptocurrency theft, primarily targeting freelance developers. This threat actor shares some notable TTP similarities with those of other North Korea-aligned groups, such as Lazarus and Moonstone Sleet – namely the use of social engineering, faux recruiter profiles on social media, and delivering malware disguised as job offers. What makes DeceptiveDevelopment unique is its specific targeting of freelance developers and individuals associated with cryptocurrency and blockchain projects. The intention behind this is twofold – theft of the cryptocurrency wallets belonging to these individuals and gaining access to larger projects and institutions these developers may be a part of, potentially for further intrusion.
DeceptiveDevelopment is still highly active, constantly updating its TTPs, social engineering methods, and malware arsenal. This presentation provides detail on two new campaigns utilizing AI-generated videos (deepfakes) of potential investors and elaborate social engineering tactics to target prominent individuals in the cryptocurrency world. We also provide an overview of the recently discovered WeaselStore backdoor and infostealer, deployed in the form of Go source code compiled on the victim's machine, and the elaborate ClickFix social engineering campaign with fake job interview sites used to distribute it. In addition, we present unique insight into the tools and network infrastructure used, including backend code the attackers use to collect information about the victims and deploy the malware campaign.
Finally, we explore relations between DeceptiveDevelopment and the activity of the North Korean IT worker fraud operation recently disclosed by, among others, the US government and the FBI, including new developments in the tactics and techniques of the IT workers themselves and how they solicit voluntary cooperation from unsuspecting individuals, drawing them into the world of cybercrime with the promise of easy money. We provide attendees with a comprehensive overview of where DeceptiveDevelopment fits into the ecosystem of North Korea-aligned groups, what its latest innovations are, and how to defend against this group's – and similar – attacks.
Matej Havranek is a malware researcher at ESET with 10 years of experience in the fields of malware analysis and threat hunting. In addition to malware research, he focuses on APT activity tracking – specifically investigating North Korea – and developing analytic tools. He has presented his past research at conferences like Virus Bulletin and AVAR. He is a fan of ciphers and cryptography, and enjoys challenges.