North Korean Hackers Use New AkdoorTea Backdoor to Target Global Crypto Developers

The North Korea-linked threat actors associated with the Contagious Interview campaign have been attributed to a previously undocumented backdoor called AkdoorTea, along with tools like TsunamiKit and Tropidoor.

Slovak cybersecurity firm ESET, which is tracking the activity under the name DeceptiveDevelopment, said the campaign targets software developers across all operating systems, Windows, Linux, and macOS, particularly those involved in cryptocurrency and Web3 projects. It’s also referred to as DEV#POPPER, Famous Chollima, Gwisin Gang, Tenacious Pungsan, UNC5342, and Void Dokkaebi.

“DeceptiveDevelopment’s toolset is mostly multi-platform and consists of initial obfuscated malicious scripts in Python and JavaScript, basic backdoors in Python and Go, and a dark web project in .NET,” ESET researchers Peter Kálnai and Matěj Havránek said in a report shared with The Hacker News.

The campaign essentially involves the impersonated recruiters offering what appear to be lucrative job roles over platforms like LinkedIn, Upwork, Freelancer, and Crypto Jobs List. After initial outreach, should the prospective target express interest in the opportunity, they are either asked to complete a video assessment by clicking on a link or a coding exercise.

The programming assignment requires them to clone projects hosted on GitHub, which silently install malware. On the other hand, websites explicitly set up for undertaking the so-called video assessment display non-existent errors related to camera or microphone access being blocked, and urge them to follow ClickFix-style instructions to rectify the problem by either launching the command prompt or the Terminal app, depending on the operating system used.

Irrespective of the method employed, the attacks have been generally found to deliver several pieces of malware such as BeaverTail, InvisibleFerret, OtterCookie, GolangGhost (aka FlexibleFerret or WeaselStore), and PylangGhost.

“WeaselStore’s functionality is quite similar to both BeaverTail and InvisibleFerret, with the main focus being exfiltration of sensitive data from browsers and cryptocurrency wallets,” ESET said. “Once the data has been exfiltrated, WeaselStore, unlike traditional infostealers, continues to communicate with its C&C server, serving as a RAT capable of executing various commands.”

Also deployed as part of these infection sequences are TsunamiKit, PostNapTea, and Tropidoor, the first of which is a malware toolkit delivered by InvisibleFerret and is designed for information and cryptocurrency theft. The use of TsunamiKit was first discovered in November 2024.

The toolkit comprises several components, the starting point being the initial stage TsunamiLoader that triggers the execution of an injector (TsunamiInjector), which, in turn, drops TsunamiInstaller and TsunamiHardener.

While TsunamiInstaller acts as a dropper of TsunamiClientInstaller that then downloads and executes TsunamiClient, TsunamiHardener is responsible for setting up persistence for TsunamiClient, as well as configuring Microsoft Defender exclusions. TsunamiClient is the core module that incorporates a .NET spyware and drops cryptocurrency miners like XMRig and NBMiner.

It’s believed that TsunamiKit is likely a modification of a dark web project rather than a native creation of the threat actor, given that samples related to the toolkit have been uncovered dating back to December 2021, predating the onset of Contagious Interview, which is believed to have commenced sometime in late 2022.

The BeaverTail stealer and downloader has also been found to act as a distribution vehicle for another malware known as Tropidoor that, according to ASEC, overlaps with a Lazarus Group tool called LightlessCan. ESET said it found evidence of Tropidoor artifacts uploaded to VirusTotal from Kenya, Colombia, and Canada, adding the malware also shares “large portions of code” with PostNapTea, a malware used by the threat actor against South Korean targets in 2022.

PostNapTea supports commands for configuration updates, file manipulation and screen capturing, file system management, process management, and running custom versions of Windows commands like whoami, netstat, tracert, lookup, ipconfig, and systeminfo, among others, for improved stealth – a feature also present in LightlessCan.

“Tropidoor is the most sophisticated payload yet linked to the DeceptiveDevelopment group, probably because it is based on malware developed by the more technically advanced threat actors under the Lazarus umbrella,” ESET said.

Execution chain of WeaselStore

The latest addition to the threat actor’s arsenal is a remote access trojan dubbed AkdoorTea that’s delivered by means of a Windows batch script. The script downloads a ZIP file (“nvidiaRelease.zip”) and executes a Visual Basic Script present in it, which then proceeds to launch BeaverTail and AkdoorTea payloads also contained in the archive.

It’s worth pointing out that the campaign has leveraged NVIDIA-themed driver updates in the past as part of ClickFix attacks to address supposed camera or microphone issues when providing the video assessments, indicating that this approach is being used to propagate AkdoorTea.

AkdoorTea gets its name from the fact that it shares commonalities with Akdoor, which is described as a variant of the NukeSped (aka Manuscrypt) implant – further reinforcing Contagious Interview’s connections to the larger Lazarus Group umbrella.

“DeceptiveDevelopment’s TTPs illustrate a more distributed, volume-driven model of its operations. Despite often lacking technical sophistication, the group compensates through scale and creative social engineering,” ESET said.

“Its campaigns demonstrate a pragmatic approach, exploiting open-source tooling, reusing available dark web projects, adapting malware probably rented from other North Korea-aligned groups, and leveraging human vulnerabilities through fake job offers and interview platforms.”

Contagious Interview doesn’t operate in silo, as it has been also found to share some level of overlaps with Pyongyang’s fraudulent IT worker scheme (aka WageMole), with the Zscaler noting that intelligence gleaned from the former is used by North Korean actors to secure jobs at those companies using stolen identities and fabricating synthetic personas. The IT worker threat is believed to have been ongoing since 2017.

Connection between Contagious Interview and WageMole

Cybersecurity company Trellix, in a report published this week, said it uncovered an instance of a North Korean IT worker employment fraud targeting a U.S. healthcare company, where an individual using the name “Kyle Lankford” applied for a Principal Software Engineer position.

While the job applicant did not raise any red flags during the early stages of the hiring process, Trellix said it was able to correlate their email addresses with known North Korea IT worker indicators. Further analysis of the email exchanges and background checks identified the candidate as a likely North Korean operative, it added.

“The activities of North Korean IT workers constitute a hybrid threat,” ESET noted. “This fraud-for-hire scheme combines classical criminal operations, such as identity theft and synthetic identity fraud, with digital tools, which classify it as both a traditional crime and a cybercrime (or e-crime).”

Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.