Cyber Security Archives - Online Pitstop

How scammers are exploiting DeepSeek’s rise

admin — Thu, 27 Feb 2025 00:56:29 +0000

Digital Security

As is their wont, cybercriminals waste no time launching attacks that aim to cash in on the frenzy around the latest big thing – plus, what else to know before using DeepSeek

31 Jan 2025
•
,
4 min. read

It’s become almost a cliché to say that cybercriminals are remarkably quick to latch onto the latest trends and technologies and exploit them for their own nefarious gains. The buzz around DeepSeek and its state-of-the-art AI models is no exception. In fact, the past few days have provided a stark reminder that while the tech world is evolving at a breakneck speed, the tactics of online scammers often remain strikingly familiar.

Since the R1 reasoning model of the little-known Chinese startup took the world by storm last week, security researchers have spotted a number of fraudulent attempts to capitalize on its meteoric rise to popularity. Alongside this, DeepSeek has faced intense scrutiny over its privacy and security practices, bringing to light several risks surrounding (not necessarily only DeepSeek’s) AI models.

Here’s a rundown of how fraudsters use DeepSeek’s popularity as a lure for scams and malware, as well as a short recap of some of the key privacy and security issues that have also thrown the spotlight on the company in the past few days.

Scams and malware

One example comes from a user on X who posted some details about a website that mimics the official one and urges visitors to download what poses as DeepSeek’s AI model. Instead, however, clicking it triggers the download of a malicious executable that ESET products detect as Win32/Packed.NSIS.A.

While the website largely “looks the part”, a keen eye will spot at least one more giveaway beside the URL itself: unlike the “Start now” button on the official website, the fake one says “Download Now”. (DeepSeek has launched mobile apps for both iOS and Android with great success, but you can also use it directly in your desktop browser without needing to download anything.) To further bolster the ploy’s chances of success, the malware is digitally signed by “K.MY TRADING TRANSPORT COMPANY LIMITED”.

Others have also spotted a number of newly-created lookalike domains that aim to trick people into thinking that they have landed on the real thing, but are instead to part them from their data or hard-earned money, including by touting (non-existent) DeepSeek pre-IPO shares.

Another risk has to do with bogus DeepSeek crypto tokens that have surged on multiple blockchain networks, with some reaching market capitalizations of millions of dollars in short order. The company made it clear on X earlier in January that it has not issued any cryptocurrency.

Privacy and security concerns surrounding DeepSeek

Right on the heels of its rapid ascent, DeepSeek said it had itself been the target of “a large-scale cyberattack” that caused it to suspend new user signups.

Meanwhile, cloud cybersecurity company Wiz has found a database belonging to DeepSeek that inadvertently exposed API keys, system logs, user chat prompts and other sensitive information to the open internet. DeepSeek has since locked down the database.

Cybersecurity firms KELA and Palo Alto Networks have found that DeepSeek’s AI models are susceptible to so-called evil jailbreak attacks and their security guardrails can be subverted to generate malicious outputs, including ransomware, as well as fabricate content such as detailed instructions for creating toxins and explosives.

Much like has been the case with TikTok and other Chinese online services, DeepSeek’s data collection practices also garnered scrutiny almost immediately, including from regulatory authorities in the United States, Ireland, Italy and France.

Precautions

Whether it’s a viral new app, a juggernaut social media platform, or an AI tool, cybercriminals are highly adept at weaving thee latest fads and trends into their ploys, ultimately making the ruses more enticing and harder to spot.

To protect yourself from DeepSeek-themed scams, keep your eyes peeled for any email or social media messages that attempt to piggyback off its popularity and push you to click on suspicious links.

Indeed, as AI tools can be harnessed to create highly convincing phishing campaigns and other social engineering attacks, be skeptical of messages that arrive out of the blue, particularly if they offer something too good to be true such as investment opportunities or create a sense of urgency. You’re better off contacting the company or person mentioned in the messages directly via verified channels and navigating to the official website by typing it into your web browser.

Strengthen your online accounts with two-factor authentication (2FA) wherever possible so that it’s far harder for cybercriminals to access your accounts even if they obtain your credentials. Make sure to also use multilayered security software across all your devices that can go a long way towards keeping you safe.

More broadly, when interacting with DeepSeek or, indeed, any other AI model, be mindful of the data you’re entering into it, including names, email addresses and sensitive personal preferences. The same goes for corporate and other sensitive data; the US Navy, for example, has already banned use of DeepSeek among its ranks.

The post How scammers are exploiting DeepSeek’s rise appeared first on Online Pitstop.

Patch or perish: How organizations can master vulnerability management

admin — Wed, 26 Feb 2025 00:53:53 +0000

Business Security

Don’t wait for a costly breach to provide a painful reminder of the importance of timely software patching

Phil Muncaster

05 Feb 2025
•
,
5 min. read

Vulnerability exploitation has long been a popular tactic for threat actors. But it’s becoming increasingly so – a fact that should alarm every network defender. Observed cases of vulnerability exploitation resulting in data breaches surged three-fold annually in 2023, according to one estimate. And attacks targeting security loopholes remain one of the top three ways threat actors start ransomware attacks.

As the number of CVEs continues to hit new record highs, organizations are struggling to cope. They need a more consistent, automated and risk-based approach to mitigating vulnerability-related threats.

Bug overload

Software vulnerabilities are inevitable. As long as humans create computer code, human error will creep in to the process, resulting in the bugs that bad actors have become so expert at exploiting. Yet doing so at speed and scale opens a door to not just ransomware and data theft, but sophisticated state-aligned espionage operations, destructive attacks and more.

Unfortunately, the number of CVEs being published each year is stubbornly high, thanks to several factors:

New software development and continuous integration lead to increased complexity and frequent updates, expanding potential entry points for attackers and sometimes introducing new vulnerabilities. At the same time, companies adopt new tools that often rely on third-party components, open-source libraries and other dependencies that may contain undiscovered vulnerabilities.
Speed is often prioritized over security, meaning software is being developed without adequate code checks. This allows bugs to creep into production code – sometimes coming from the open source components used by developers.
Ethical researchers are upping their efforts, thanks in part to a proliferation of bug bounty programs run by organizations as diverse as the Pentagon and Meta. These are responsibly disclosed and patched by the vendors in question, but if customers don’t apply these patches, they’ll be exposed to exploits
Commercial spyware vendors operate in a legal grey area, selling malware and exploits for their clients – often autocratic governments – to spy on their enemies. The UK’s National Cyber Security Centre (NCSC) estimates that the commercial “cyber-intrusion sector” doubles every ten years
The cybercrime supply chain is increasingly professionalized, with initial access brokers (IABs) focusing exclusively on breaching victim organizations – often via vulnerability exploitation. One report from 2023 recorded a 45% increase in IABs on cybercrime forums, and a doubling of dark web IAB ads in 2022 versus the previous 12 months

What types of vulnerability are making waves?

The story of the vulnerability landscape is one of both change and continuity. Many of the usual suspects appear in MITRE’s top 25 list of the most common and dangerous software flaws seen between June 2023 and June 2024. They include commonly-seen vulnerability categories like cross-site scripting, SQL injection, use after free, out-of-bounds read, code injection and cross-site request forgery (CSRF). These should be familiar to most cyber-defenders, and may therefore require less effort to mitigate, either through improved hardening/protection of systems and/or enhanced DevSecOps practices.

However, other trends are perhaps even more concerning. The US Cybersecurity and Infrastructure Security Agency (CISA) claims in its list of 2023 Top Routinely Exploited Vulnerabilities that a majority of these flaws were initially exploited as a zero-day. This means, at the time of exploitation, there were no patches available, and organizations have to rely on other mechanisms to keep them safe or to minimize the impact. Elsewhere, bugs with low complexity and which require little or no user interaction are also often favored. An example is the zero-click exploits offered by commercial spyware vendors to deploy their malware.

Explore how ESET Vulnerability and Patch Management inside the ESET PROTECT platform provides a pathway to swift remediation, helping keep both disruption and costs down to a minimum.

Another trend is of targeting perimeter-based products with vulnerability exploitation. The National Cyber Security Centre (NCSC) has warned of an uptick in such attacks, often involving zero-day exploits targeting file transfer applications, firewalls, VPNs and mobile device management (MDM) offerings. It says:

“Attackers have realised that the majority of perimeter-exposed products aren’t ‘secure by design’, and so vulnerabilities can be found far more easily than in popular client software. Furthermore, these products typically don’t have decent logging (or can be easily forensically investigated), making perfect footholds in a network where every client device is likely to be running high-end detective capabilities.”

Making things worse

As if that weren’t enough to concern network defenders, their efforts are complicated further by:

The sheer speed of vulnerability exploitation. Google Cloud research estimates an average time-to-exploit of just five days in 2023, down from a previous figure of 32 days
The complexity of today’s enterprise IT and OT/IoT systems, which span hybrid and multi-cloud environments with often-siloed legacy technology
Poor quality vendor patches and confusing communications, which leads defenders to duplicate effort and means they’re often unable to effectively gauge their risk exposure
A NIST NVD backlog which has left many organizations without a critical source of up-to-date information on the latest CVEs

According to a Verizon analysis of CISA’s Known Exploited Vulnerabilities (KEV) catalog:

At 30 days 85% of vulnerabilities went unremediated
At 55 days, 50% of vulnerabilities went unremediated
At 60 days 47% of vulnerabilities went unremediated

Time to patch

The truth is that there are simply too many CVEs published each month, across too many systems, for enterprise IT and security teams to patch them all. The focus should therefore be on prioritizing effectively according to risk appetite and severity. Consider the following features for any vulnerability and patch management solution:

Automated scanning of enterprise environments for known CVEs
Vulnerability prioritization based on severity
Detailed reporting to identify vulnerable software and assets, relevant CVEs and patches etc
Flexibility to select specific assets for patching according to enterprise needs
Automated or manual patching options

For zero-day threats, consider advanced threat detection which automatically unpacks and scans possible exploits, executing in a cloud-based sandbox to check whether it’s malicious or not. Machine learning algorithms can be applied to the code to identify novel threats with a high degree of accuracy in minutes, automatically blocking them and providing a status of each sample.

Other tactics could include microsegmentation of networks, zero trust network access, network monitoring (for unusual behavior), and strong cybersecurity awareness programs.

As threat actors adopt AI tools of their own in ever-greater numbers, it will become easier for them to scan for vulnerable assets that are exposed to internet-facing attacks. In time, they may even be able to use GenAI to help find zero-day vulnerabilities. The best defense is to stay informed and keep a regular dialog going with your trusted security partners.

The post Patch or perish: How organizations can master vulnerability management appeared first on Online Pitstop.

How AI-driven identify fraud is causing havoc

admin — Tue, 25 Feb 2025 00:53:17 +0000

Deepfake fraud, synthetic identities, and AI-powered scams make identity theft harder to detect and prevent – here’s how to fight back

Phil Muncaster

11 Feb 2025
•
,
4 min. read

Artificial intelligence (AI) is transforming our world in ways both expected and unforeseen. For consumers, the technology means more accurately personalized digital content, better healthcare diagnostics, real-time language translation to help on holiday, and generative AI assistants to enhance productivity at work. But AI is also used to help cybercriminals be more productive, especially when it comes to identity fraud – the most common fraud type today.

Over a third of banking risk and innovation leaders in the UK, Spain and US cite their biggest challenge today as the rise of AI-generated fraud and deepfakes, making it the number one answer. So how does AI-powered fraud work and what can you do to stay safe?

How does AI-driven identity fraud work?

Identity fraud refers to the use of your personally identifiable information (PII) to commit a crime, such as running up credit card debt in your name, or accessing a bank or other account. According to one estimate, AI-driven fraud now accounts for over two-fifths (43%) of all fraud attempts recorded by the financial and payments sector. Nearly a third (29%) of those attempts are thought to be successful. So how is AI helping the cybercriminals?

There are several different tactics we can highlight:

Deepfake account takeovers (ATOs) and account creation: Scammers are using deepfake audio and video likenesses of legitimate users to bypass the Know Your Customer (KYC) checks used by financial services companies to verify customers are who they say they are. An image or video of you is scraped from the web and fed into a deepfake tool or generative AI. It’s then inserted into the data stream between user and service provider in so-called injection attacks designed to fool the authentication systems. One report claims that deepfakes now account for a quarter (24%) of fraudulent attempts to pass motion-based biometrics checks and 5% of static selfie-based checks.
Document forgeries: There was a time when fraudsters used physical document forgeries, such as faked passport pages, to open new accounts in the names of unassuming victims. However, they’re more likely today to do so digitally. According to this report, digital forgeries account for over 57% of all document fraud – a 244% annual increase. Scammers will typically access document templates online or download document images stolen in data breaches and then alter the details in Photoshop. Generative AI (GenAI) tools are helping them to do this at speed and scale.
Synthetic fraud: This is where scammers either create new identities by combining real (stolen) and made-up PII to form a completely new (synthetic) identity, or create a new identity using just fabricated data. This is then used to open new accounts with banks and credit card firms, for example. Document forgeries and deepfakes can be combined with these identities to increase the fraudsters’ chances of success. According to one report, 76% of US fraud and risk professionals think their organization has synthetic customers. They estimate that this type of fraud has surged 17% annually.
Deepfakes that trick friends and family: Sometimes, fake video or audio can be used in scams that trick even loved ones. One tactic is virtual kidnapping, where relatives receive a phone call from a threat actor claiming to have kidnapped you. They play a deepfake audio of your voice for proof and then demand a ransom. GenAI can also used in these efforts to help the scammers source a likely victim. ESET Global Security Advisor Jake Moore gave a taste of what is currently possible here and here.
Credential stuffing (for ATO): Credential stuffing involves the use of stolen log-ins in automated attempts to access other accounts for which you may have used the same username and password. AI-powered tools could rapidly generate these credential lists from multiple sources of data, helping to scale attacks. And they could also be used to accurately mimic human behavior while logging in, in order to trick defensive filters.

What’s the impact of AI-based fraud?

Fraud is far from a victimless crime. In fact, AI-powered fraud can:

Cause major emotional distress for the individual that’s defrauded. One report claims that 16% of victims contemplated suicide as a result of an identity crime
Make scams more likely to succeed, eating into profits, which forces companies to put their prices up for everyone
Impact the national economy. Lower profits mean lower tax receipts, which in turn mean less cash to spend on public services
Undermine public confidence in the rule of law and even democracy
Undermine business confidence, potentially leading to lower levels of investment into the country

How to keep your identity safe from AI-driven fraud

To combat the offensive use of AI against them, organizations are increasingly turning to defensive AI tools to spot the tell-tale signs of fraud. But what can you do? Perhaps the most effective strategy is to minimize opportunities for threat actors to obtain your PII and audio/video data in the first place. That means:

Don’t overshare information on social media and restrict your privacy settings
Be phishing aware: check sender domains, look for typos and grammatical mistakes, and never click on links or open attachments in unsolicited emails
Turn on multifactor-authentication (MFA) on all accounts
Always use strong, unique passwords stored in a password manager
Keep software up to date on all laptops and mobile devices
Keeping a close eye on bank and card accounts, regularly checking for suspicious activity and freezing accounts immediately if something doesn’t look right
Install multi-layered security software from a reputable vendor on all devices

Also consider staying aware of the latest AI-powered fraud tactics and educating friends and family about deepfakes and AI fraud.

AI-driven fraud attacks will only continue to grow as the technology gets cheaper and more effective. As this new cyber-arms race plays out between corporate network defenders and their adversaries, it’s consumers that will be caught in the middle. Make sure you’re not next.

The post How AI-driven identify fraud is causing havoc appeared first on Online Pitstop.

Neil Lawrence: What makes us unique in the age of AI | Starmus highlights

admin — Mon, 24 Feb 2025 00:52:47 +0000

WeLiveScience

As AI advances at a rapid clip, reshaping industries, automating tasks, and redefining what machines can achieve, one question looms large: what remains uniquely human?

10 Feb 2025

In his talk, Neil Lawrence, the Deep Mind Professor of Machine Learning at the University of Cambridge, tackles the aforementioned fundamental question head-on. With a career dedicated to understanding the intersection of technology and human potential, Mr. Lawrence explores how intelligent systems can complement, rather than replace, human capabilities. At the heart of his talk is the notion of the “atomic human” – a philosophical and technical perspective on what distinguishes us from machines.

Indeed, Mr. Lawrence goes on to examine how technological breakthroughs have forced us to reconsider the traits we hold as inherently human. Each time a machine did something we thought was uniquely human, it cut something away from us. And as this process continues, is there a final frontier – a moment where machines can no longer cut something away from us and take away our capabilities? And if we find what that moment is, does it tell us something about the essence of humanity?

By drawing parallels between AI’s rapid evolution and some of history’s greatest human achievements – from the Apollo missions to Amelia Earhart’s daring flights – Mr. Lawrence illustrates how technology has been a tool to augment human ingenuity, not a force to erase it. With AI reaching further into areas once thought unreachable, the challenge lies in ensuring that we shape it as a tool for empowerment, rather than let it redefine our identity.

ESET’s commitment to promoting scientific innovation and progress is seen in its ongoing efforts to foster a deep appreciation for science, celebrate the power of groundbreaking research, and connect with leading thinkers in technology and science. ESET recently partnered with Starmus, the global science communication festival, and brought its 7^th edition to Bratislava, Slovakia, in May 2024.

The festival featured a number of thought-provoking perspectives from some of the planet’s foremost thinkers. You can now relive the experience from the comfort of your home and get a taste of how the power of technology is being harnessed to tackle some of the most pressing challenges facing the world today.

The post Neil Lawrence: What makes us unique in the age of AI | Starmus highlights appeared first on Online Pitstop.

DeceptiveDevelopment targets freelance developers

admin — Sun, 23 Feb 2025 00:45:35 +0000

Cybercriminals have been known to approach their targets under the guise of company recruiters, enticing them with fake employment offers. After all, what better time to strike than when the potential victim is distracted by the possibility of getting a job? Since early 2024, ESET researchers have observed a series of malicious North Korea-aligned activities, where the operators, posing as headhunters, try to serve their targets with software projects that conceal infostealing malware. We call this activity cluster DeceptiveDevelopment.

As part of a fake job interview process, the DeceptiveDevelopment operators ask their targets to do a coding test, such as adding a feature to an existing project, with the files necessary for the task usually hosted on private repositories on GitHub or other similar platforms. Unfortunately for the eager work candidate, these files are trojanized: once they download and execute the project, the victim’s computer gets compromised with the operation’s first-stage malware, BeaverTail.

DeceptiveDevelopment was first publicly described by Phylum and Unit 42 in 2023, and has already been partially documented under the names Contagious Interview and DEV#POPPER. We have conducted further analysis of this activity cluster and its operator’s initial access methods, network infrastructure, and toolset, including new versions of the two malware families used by DeceptiveDevelopment – InvisibleFerret, and the aforementioned BeaverTail.

Key points of this blogpost:

DeceptiveDevelopment targets freelance software developers through spearphishing on job-hunting and freelancing sites, aiming to steal cryptocurrency wallets and login information from browsers and password managers.

Active since at least November 2023, this operation primarily uses two malware families – BeaverTail (infostealer, downloader) and InvisibleFerret (infostealer, RAT).

DeceptiveDevelopment’s tactics, techniques, and procedures (TTPs) are similar to several other known North Korea-aligned operations.

We first observed this DeceptiveDevelopment campaign in early 2024, when we discovered trojanized projects hosted on GitHub with malicious code hidden at the end of long comments, effectively moving the code off-screen. These projects delivered the BeaverTail and InvisibleFerret malware. In addition to analyzing the two malware families, we also started investigating the C&C infrastructure behind the campaign. Since then, we have been tracking this cluster and its advances in strategy and tooling used in these ongoing attacks. This blogpost describes the TTPs of this campaign, as well as the malware it uses.

DeceptiveDevelopment profile

DeceptiveDevelopment is a North Korea-aligned activity cluster that we currently do not attribute to any known threat actor. Operators behind DeceptiveDevelopment target software developers on Windows, Linux, and macOS. They primarily steal cryptocurrency for financial gain, with a possible secondary objective of cyberespionage.

To approach their targets, these operators use fake recruiter profiles on social media, not unlike the Lazarus group in Operation DreamJob (as described in this WeLiveSecurity blogpost). However, while Operation DreamJob targeted defense and aerospace engineers, DeceptiveDevelopment reaches out to freelance software developers, often those involved in cryptocurrency projects. To compromise its victims’ computers, DeceptiveDevelopment provides its targets with trojanized codebases that deploy backdoors as part of a faux job interview process.

Victimology

The primary targets of this DeceptiveDevelopment campaign are software developers, mainly those involved in cryptocurrency and decentralized finance projects. The attackers don’t distinguish based on geographical location and aim to compromise as many victims as possible to increase the likelihood of successfully extracting funds and information.

We have observed hundreds of different victims around the world, using all three major operating systems – Windows, Linux, and macOS. They ranged from junior developers just starting their freelance careers to highly experienced professionals in the field. We only observed attacker–victim conversations in English, but cannot say with certainty that the attackers will not use translation tools to communicate with victims who don’t speak that language. A map showing the global distribution of victims can be seen in Figure 1.

Figure 1. Heatmap of different victims of DeceptiveDevelopment

Attribution

We consider DeceptiveDevelopment to be a North Korea-aligned activity cluster with high confidence based on several elements:

We observed connections between GitHub accounts controlled by the attackers and accounts containing fake CVs used by North Korean IT workers. These people apply for jobs in foreign companies under false identities in order to collect salaries to help fund the regime. The observed connections were mutual follows between GitHub profiles where one side was associated with DeceptiveDevelopment, and the other contained fake CVs and other material related to North Korean IT worker activity. Similar connections were also observed by Unit42. Unfortunately, the GitHub pages were taken down before we were able to record all the evidence.
The TTPs (use of fake recruiters, trojanized job challenges, and software used during interviews) are similar to other North Korea-aligned activity (Moonstone Sleet, and Lazarus’s DreamJob and DangerousPassword campaigns).

In addition to the connections between the GitHub profiles, the malware used in DeceptiveDevelopment is rather simple. This tracks with the reporting done by Mandiant claiming that the IT workers’ work is usually of poor quality.

While monitoring DeceptiveDevelopment activity, we saw numerous cases showing a lack of attention to detail on the part of the threat actors. In some of them, the authors failed to remove development notes or commented-out local IP addresses used for development and testing. We also saw samples where they seem to have forgotten to obfuscate the C&C address after changing it; this can be seen in Figure 2. Furthermore, the malware uses freely available obfuscation tools with links to them sometimes left in code comments.

Figure 2. Examples of comments and obfuscation forgotten in the code

Technical analysis

Initial access

In order to pose as recruiters, the attackers copy profiles of existing people or even construct new personas. They then either directly approach their potential victims on job-hunting and freelancing platforms or post fake job listings there. At first, the threat actors used brand new profiles and would simply send links to malicious GitHub projects via LinkedIn to their intended targets. Later, they started using profiles that appear established, with many followers and connections, to look more trustworthy, and branched out to more job-hunting and code-hosting websites. While some of these profiles are set up by the attackers themselves, others are potentially compromised profiles of real people on the platform, modified by the attackers.

Some of the platforms where these interactions occur are generic job-hunting ones, while others focus primarily on cryptocurrency and blockchain projects and are thus more in line with the attackers’ goals. The platforms include:

LinkedIn,
Upwork,
Freelancer.com,
We Work Remotely,
Moonlight, and
Crypto Jobs List.

The most commonly observed compromise vector consists of the fake recruiter providing the victim with a trojanized project under the guise of a hiring challenge or helping the “recruiter” fix a bug for a financial reward.

Victims receive the project files either directly via file transfer on the site or through a link to a repository like GitHub, GitLab, or Bitbucket. They are asked to download the files, add features or fix bugs, and report back to the recruiter. Additionally, they are instructed to build and execute the project in order to test it, which is where the initial compromise happens. The repositories used are usually private, so the victim is first asked to provide their account ID or email address to be granted access to them, most likely to conceal the malicious activity from researchers.

Despite that, we observed many cases where these repositories were publicly available, but realized that these belong mostly to victims who, after completing their tasks, uploaded them to their own repositories. Figure 3 shows an example of a trojanized project hosted on GitHub. We have reported all observed malicious code to the affected services.

Figure 3. README of a trojanized GitHub project

The trojanized projects fall into one of four categories:

hiring challenges,
cryptocurrency projects,
games (usually with blockchain functionality), and
gambling with blockchain/cryptocurrency features.

These repositories are often duplicates of existing open-source projects or demos, with little to no change aside from adding the malicious code and changing the README file. Some of the malicious project names and names of attacker-controlled accounts operating them (where we could assess them) are listed in Table 1.

Table 1. Observed project names and repository/commit authors

Project	Author	Project	Author
Website-Test	Hiring-Main-Support	casino-template-paid	bmstore
guru-challenge	Chiliz-Guru	casino-demo	casinogamedev
baseswap_ver_4	artemreinv	point	freebling-v3
metaverse-backend	metaverse-ritech	Blockchain-game	N/A
lisk-parknetwork	MariaMar1809	3DWorld-tectera-beta	N/A

We also observed the attackers impersonating existing projects and companies by using similar names or appending LLC, Ag, or Inc (abbreviations of legal company types) to the names, as seen in Table 2.

Table 2. Observed project names and repository/commit authors impersonating legitimate projects

Project	Author
Lumanagi-Dex	LUMANAGI-LLC
DARKROOM-NFT	DarkRoomAg
DarkRoom	WonderKiln-Inc

The attackers often use a clever trick to hide their malicious code: they place it in an otherwise benign component of the project, usually within backend code unrelated to the task given to the developer, where they append it as a single line behind a long comment. This way, it is moved off-screen and stays hidden unless the victim scrolls to it or has the word wrap feature of their code editor enabled. Interestingly, GitHub’s own code editor does not enable word wrap, so the malicious code is easy to miss even when looking at code in the repository, as shown in Figure 4.

Figure 4. Malicious code appended after a long comment pushing it off-screen in GitHub’s code editor (top) and the page source of just line #1 as seen in a code editor with word wrapping enabled (bottom)

Another compromise vector we observed consisted of the fake recruiter inviting the victim to a job interview using an online conferencing platform and providing a link to a website from which the necessary conferencing software can be downloaded. The website is usually a clone of an existing conferencing platform’s website, as seen in Figure 5, and the downloaded software contains the first stage of the malware.

Figure 5. Malicious website at mirotalk[.]net, a copy of the legitimate MiroTalk site (sfu.mirotalk.com), serving malware disguised as conferencing software via a click of the Join Room button

Toolset

DeceptiveDevelopment primarily uses two malware families as part of its activities, delivered in two stages. The first stage, BeaverTail, has both a JavaScript and a native variant (written in C++ using the Qt platform), and is delivered to the victim, disguised as a part of a project the victim is asked to work on, a hiring challenge, or inside trojanized remote conferencing software such as MiroTalk or FreeConference.

BeaverTail acts as a simple login stealer, extracting browser databases containing saved logins, and as a downloader for the second stage, InvisibleFerret. This is modular Python-based malware that includes spyware and backdoor components, and is also capable of downloading the legitimate AnyDesk remote management and monitoring software for post-compromise activities. Figure 6 shows the full compromise chain from initial compromise, through data exfiltration, to the deployment of AnyDesk.

Figure 6. DeceptiveDevelopment compromise chain

Both BeaverTail and InvisibleFerret have been previously documented by Unit 42, Group-IB, and Objective-See. A parallel investigation was also published by Zscaler, whose findings we can independently confirm. Our analysis contains details that have not been publicly reported before and presents a comprehensive overview of the malicious activity.

BeaverTail

BeaverTail is the name for the infostealer and downloader malware used by DeceptiveDevelopment. There are two different versions – one written in JavaScript and placed directly into the trojanized projects with simple obfuscation, and native versions, built using the Qt platform, that are disguised as conferencing software and were initially described by Objective-See. Both versions have strong similarities in their functionalities.

This malware targets Windows, Linux, and macOS systems, with the aim of collecting saved login information and cryptocurrency wallet data.

It starts by getting the C&C IP address and port. While the IP addresses vary, the ports used are usually either 1224 or 1244, making the malicious network activity easily identifiable. In the JavaScript version, the IP address and port are obfuscated using base64 encoding, split into three parts, and swapped around to prevent automatic decoding. Other strings are also encoded with base64, often with one dummy character prepended to the resulting string to thwart simple decoding attempts. The native version has the IP, port, and other strings all stored in plaintext. The obfuscated JavaScript code can be seen in Figure 7, and the deobfuscated code in Figure 8.

Figure 7. Obfuscated BeaverTail code

Figure 8. Deobfuscated BeaverTail code

BeaverTail then looks for browser extensions installed in the Google Chrome, Microsoft Edge, Opera, and Brave browsers and checks whether any of them match extension names from a hardcoded list from Chrome Web Store or Microsoft Edge Add-ons, shown below. The browser listed in parentheses is the source of the extension; note that both Opera and Brave also use extensions from Chrome Web Store, as they are Chromium-based.

nkbihfbeogaeaoehlefnkodbefgpgknn – MetaMask (Chrome)
ejbalbakoplchlghecdalmeeeajnimhm – MetaMask (Edge)
fhbohimaelbohpjbbldcngcnapndodjp – BNB Chain Wallet (Chrome)
hnfanknocfeofbddgcijnmhnfnkdnaad – Coinbase Wallet (Chrome)
ibnejdfjmmkpcnlpebklmnkoeoihofec – TronLink (Chrome)
bfnaelmomeimhlpmgjnjophhpkkoljpa – Phantom (Chrome)
fnjhmkhhmkbjkkabndcnnogagogbneec – Ronin Wallet (Chrome)
aeachknmefphepccionboohckonoeemg – Coin98 Wallet (Chrome)
hifafgmccdpekplomjjkcfgodnhcellj – Crypto.com Wallet (Chrome)

If they are found, any .ldb and .log files from the extensions’ directories are collected and exfiltrated.

Apart from these files, the malware also targets a file containing the Solana keys stored in the user’s home directory in .config/solana/id.json. BeaverTail then looks for saved login information in /Library/Keychains/‌login.keychain (for macOS) or /.local/share/keyrings/ (for Linux). If they exist, the Firefox login databases key3.db, key4.db, and logins.json from /.mozilla/firefox/ are also exfiltrated during this time.

Each BeaverTail sample contains a victim ID used for identification. These IDs are used throughout the whole compromise chain as identifiers in all downloads and uploads. We suspect that these IDs are unique to each victim and are used to connect the stolen information to the victim’s public profile.

The collected data along with the computer hostname and current timestamp is uploaded to the /uploads API endpoint on the C&C server. Then, a standalone Python environment is downloaded in an archive called p2.zip, hosted on the C&C server, to enable execution of the next stage. Finally, the next stage is downloaded from the C&C server (API endpoint /client/) into the user’s home directory under the name .npl and executed using the downloaded Python environment.

In August 2024, we observed a new version of the JavaScript BeaverTail, where the code placed in the trojanized project acted only as a loader and downloaded and executed the actual payload code from a remote server. This version also used a different obfuscation technique and added four new cryptocurrency wallet extensions to the list of targets:

jblndlipeogpafnldhgmapagcccfchpi – Kaia Wallet (Chrome)
acmacodkjbdgmoleebolmdjonilkdbch – Rabby Wallet (Chrome)
dlcobpjiigpikoobohmabehhmhfoodbb – Argent X – Starknet Wallet (Chrome)
aholpfdialjgjfhomihkjbmgjidlcdno – Exodus Web3 Wallet (Chrome)

When investigating the ipcheck[.]cloud website, we noticed that the homepage is a mirror of the malicious mirotalk[.]net website, serving native BeaverTail malware disguised as remote conferencing software, indicating a direct connection between the new JavaScript and the native versions of BeaverTail.

InvisibleFerret

InvisibleFerret is modular Python malware with capabilities for information theft and remote attacker control. It consists of four modules – main (the .npl file), payload (pay), browser (bow), and AnyDesk (adc). The malware has no persistence mechanism in place aside from the AnyDesk client deployed at the end of the compromise chain. After gaining persistence via AnyDesk, the attackers can execute InvisibleFerret at will.

Interestingly, most of its backdoor functionality requires an operator (or scripted behavior) at the other side sending commands, deciding what data to exfiltrate and how to propagate the attack. In all versions of InvisibleFerret that we observed, the backdoor components are activated upon operator command. The only functionality not executed by the operator is the initial fingerprinting, which is done automatically.

Main module

The main module, originally named main, is the .npl file that BeaverTail downloaded from the C&C server and saved into the home directory. It is responsible for downloading and executing individual payload modules. All modules contain an XOR-encrypted and base64-encoded payload, preceded by four bytes representing the XOR key, followed by code to decrypt and execute it via exec, as seen in Figure 9. Each module also contains the sType variable, containing the current victim ID. This ID is a copy of the ID specified in the download request. When a request is made to download the script file, the given ID is placed as the sType value into the final script file by the C&C server’s API.

Figure 9. Decrypting and executing the InvisibleFerret payload

This module contains a hardcoded C&C address encoded with base64 and split into two halves that have been swapped to make decoding harder. In most cases that we observed, this address was identical to the one used in the preceding BeaverTail sample. The main module downloads the payload module from /payload/ to .n2/pay in the user’s home directory and executes it. Afterwards, if running on macOS (determined by checking whether a call to the platform.system function returns Darwin), it exits. On other operating systems it also downloads the browser module from /brow/ to .n2/bow in the user’s home directory and executes that in a separate Python instance.

Payload module

The pay module consists of two parts – one collects information and the other serves as a backdoor. The first part contains a hardcoded C&C URL, usually similar to the previously used ones, and collects the following:

the user’s UUID,
OS type,
PC name,
username,
system version (release),
local IP address, and
public IP address and geolocation information (region name, country, city, ZIP code, ISP, latitude and longitude) parsed from http://ip-api.com/json.

This information, illustrated in Figure 10, is then uploaded to the /keys API endpoint using HTTP POST.

Figure 10. System information submitted by the payload module to the C&C server

The second part acts as a TCP backdoor, and a TCP reverse shell, accepting remote commands from the C&C server and communicating via a socket connection. It usually uses port 1245, but we also observed ports 80, 2245, 3001, and 5000. Notably, the C&C IP address hardcoded in this part was different from the previous ones sometimes, probably to separate the more suspicious final network activity from the initial deployment.

The second payload checks whether it is executing under Windows – if it is, it enables a keylogger implemented using pyWinHook and a clipboard stealer using pyperclip, shown in Figure 11. These collect and store any keypresses and clipboard changes in a global buffer and run in a dedicated thread for as long as the script itself is running.

Figure 11. Clipboard stealer and keylogger code

Afterwards, it executes the backdoor functionality, which consists of eight commands, described in Table 3.

Table 3. Commands implemented in InvisibleFerret

ID	Command	Function	Description
1	ssh_cmd	Removes the compromise	· Only supports the delete argument. · Terminates operation and removes the compromise.
2	ssh_obj	Executes shell commands	· Executes the given argument[s] using the system shell via Python’s subprocess module and returns any output generated by the command.
3	ssh_clip	Exfiltrates keylogger and clipboard stealer data	· Sends the contents of the keylogger and clipboard stealer buffer to the C&C server and clears the buffer. · On operating systems other than Windows, an empty response is sent, as the keylogging functionality is not enabled.
4	ssh_run	Installs the browser module	· Downloads the browser module to .n2/bow in the user’s home directory and executes it in a new Python instance (with the CREATE_NO_WINDOW and CREATE_NEW_PROCESS_GROUP flags set on Windows) · Replies to the server with the OS name and get browse.
5	ssh_upload	Exfiltrates files or directories, using FTP	· Uploads files to a given FTP server with server address and credentials specified in arguments. · Has six subcommands: · sdira, sdir, sfile, sfinda, sfindr, and sfind. · sdira – uploads everything in a directory specified in args, skipping directories matching the first five elements in the ex_dirs array (listed below). Sends >> upload all start: followed by the directory name to the server when the upload starts, ‑counts: followed by the number of files selected for upload when directory traversal finishes, and uploaded success once everything is uploaded. · sdir – similar to sdira, but exfiltrates only files smaller than 104,857,600 bytes (100 MB) with extensions not excluded by ex_files and directories not excluded by ex_dirs. The initial message to the server is >> upload start: followed by the directory name. · sfile – similar to sdir, but exfiltrates only a single file. If the extension is .zip, .rar, .pdf, or is in the ex_files list (in this case not being used to exclude files for upload, but from encryption), it gets directly uploaded. Otherwise the file is encrypted using XOR with the hardcoded key G01d*8@( before uploading. · sfinda – searches the given directory and all its subdirectories (excluding those in the ex_dirs list) for files matching a provided pattern, and uploads those not matching items in the ex_files list. When starting, sends >> ufind start: followed by the starting directory to the server, followed by ufind success after it finishes. · sfindr – similar to sfinda, but without the recursive search. Searches only the specified directory. · sfind – similar to sfinda, but starts the search in the current directory.
6	ssh_kill	Terminates the Chrome and Brave browsers	· Termination is done via the taskkill command on Windows or killall on other systems, as shown in Figure 12. · Replies to the server with Chrome & Browser are terminated.
7	ssh_any	Installs the AnyDesk module	· This works identically to the ssh_run command, downloading the AnyDesk module to and executing it from the .n2 folder in the user’s home directory. · Replies to the server with the OS name and get anydesk.
8	ssh_env	Uploads data from the user’s home directory and mounted drives, using FTP	· Sends — uenv start to the server. · Establishes an FTP connection using the server address and credentials provided in the arguments. · On Windows, uploads the directory structure and contents of the Documents and Downloads folders, as well as the contents of drives D to I. · On other systems, uploads the entirety of the user’s home directory and the /Volumes directory containing all mounted drives. · Only uploads files smaller than 20,971,520 bytes (20 MB) and excludes directories matching the ex_dir list and files matching the ex_files, ex_files1, and ex_files2 lists described in Figure 13. · Finishes by sending — uenv success to the server.

Figure 12. Implementation of the ssh_kill command

Each command is named with the prefix ssh_ and assigned a numerical value to be used when communicating with the server. For each command received, a new thread is spawned to execute it and the client immediately starts listening for the next command. Replies to commands are sent asynchronously as the commands finish executing. The two-way communication is done over sockets, in JSON format, with two fields:

command – denoting the numerical command ID.
args – containing any additional data sent between the server and client.

The script also contains lists of excluded file and directory names (such as cache and temporary directories for software projects and repositories) to be skipped when exfiltrating data, and a list of interesting name patterns to exfiltrate (environment and configuration files; documents, spreadsheets, and other files containing the words secret, wallet, private, password, etc.)

Browser module

The bow module is responsible for stealing login data, autofill data, and payment information saved by web browsers. The targeted browsers are Chrome, Brave, Opera, Yandex, and Edge, all Chromium-based, with multiple versions listed for each of the three major operating systems (Windows, Linux, macOS) as shown in Figure 13.

Figure 13. Targeted browsers and their versions

It searches through the browser’s local storage folders (an example is shown in Figure 14) and copies the databases containing login and payment information to the %Temp% folder on Windows or the /tmp folder on other systems, into two files:

LoginData.db containing user login information, and
webdata.db containing saved payment information (credit cards).

Figure 14. Hardcoded local browser paths on Windows

Because the saved passwords and credit card numbers are stored in an encrypted format using AES, they need to be decrypted before exfiltration. The encryption keys used for this are obtained based on the operating system in use. On Windows, they are extracted from the browser’s Local State file, on Linux they are obtained through the secretstorage package, and on macOS they are obtained through the security utility, as illustrated in Figure 15.

Figure 15. Extracting the encryption keys for browser databases on Windows, Linux, and macOS

The collected information (see Figure 16) is then sent to the C&C server via an HTTP POST request to the /keys API endpoint.

Figure 16. Information submitted by the browser module to the C&C server

AnyDesk module

The adc module is the only persistence mechanism found in this compromise chain, setting up AnyDesk access to the victim’s computer using a configuration file containing hardcoded login credentials.

On Windows, it checks whether the C:/Program Files (x86)/AnyDesk/AnyDesk.exe exists. If not, it downloads anydesk.exe from the C&C server (http://:/anydesk.exe) into the user’s home directory.

Then it attempts to set up AnyDesk for access by the attacker by entering hardcoded password hash, password salt, and token salt values into the configuration files. If the configuration files don’t exist or don’t contain a given attacker-specified password salt value, the module attempts to modify them to add the hardcoded login information. If that fails, it creates a PowerShell script in the user’s home directory named conf.ps1, containing code to modify the configuration files (shown in Figure 17) and attempts to launch it.

Figure 17. PowerShell script to modify AnyDesk configuration, adding hardcoded password hash and salt, and token salt

After these actions complete, the AnyDesk process is killed and then started again to load the new configuration. Lastly, the adc module attempts to delete itself by calling the os.remove function on itself.

InvisibleFerret update

We later discovered an updated version of InvisibleFerret with major changes, used since at least August 2024. It is no longer separated into individual modules, but rather exists as a single large script file (but still retaining the backdoor commands to selectively install the browser and AnyDesk modules). There are also slight code modifications for increased support of macOS, for example collecting the username along with the hostname of the computer.

Another modification we observed is the addition of an identifier named gType, in addition to sType. It acts as a secondary victim/campaign identifier in addition to sType when downloading modules from the C&C server (e.g., :///). We haven’t seen it used to label the exfiltrated data.

This new version of InvisibleFerret has also implemented an additional backdoor command, ssh_zcp, capable of exfiltrating data from browser extensions and password managers via Telegram and FTP.

With the new command, InvisibleFerret first looks for and, if present, collects data from 88 browser extensions for the Chrome, Brave, and Edge browsers and then places it into a staging folder in the system’s temporary directory. The complete list of extensions can be found in the Appendix and the code for collecting the data is shown in Figure 18.

Figure 18. Collection of data from browser extensions in the new version of InvisibleFerret

Apart from the extension data, the command can also exfiltrate information from the Atomic and Exodus cryptocurrency wallets on all systems, in addition to 1Password, Electrum, WinAuth, Proxifier4, and Dashlane on Windows. This is illustrated in Figure 19.

Figure 19. Collection of data from various applications in the new version of InvisibleFerret

The data is then archived and uploaded to a Telegram chat using the Telegram API with a bot token, as well as to an FTP server. Once the upload is done, InvisibleFerret removes both the staging folder and the archive.

Clipboard stealer module

In December 2024 we discovered yet another version of InvisibleFerret, containing an additional module named mlip, downloaded from the C&C endpoint /mclip/ to .n2/mlip. This module contains the keylogging and clipboard-stealing functionality that was separated from the rest of the payload module.

Showing an advancement in technical capabilities of the operators, the keylogging and clipboard stealing functionality of this module has been limited to two processes only, chrome.exe and brave.exe, while the earlier versions of InvisibleFerret logged any and all keystrokes. The collected data is uploaded to a new API endpoint, /api/clip.

Network infrastructure

DeceptiveDevelopment’s network infrastructure is composed of dedicated servers hosted by commercial hosting providers, with the three most commonly used providers being RouterHosting (now known as Cloudzy), Stark Industries Solutions, and Pier7ASN. The server API is written in Node.js and consists of nine endpoints, listed in Table 4.

Table 4. DeceptiveDevelopment C&C API endpoints

API endpoint	Description
/pdown	Downloading the Python environment.
/uploads	BeaverTail data upload.
/client/	InvisibleFerret loader.
/payload/	InvisibleFerret payload module.
/brow/	InvisibleFerret browser module.
/adc/	InvisibleFerret AnyDesk module.
/mclip/	InvisibleFerret keylogger module.
/keys	InvisibleFerret data upload.
/api/clip	InvisibleFerret keylogger module data upload.

Most C&C communication we observed was done over ports 1224 or 1244 (occasionally 80 or 3000) for C&C communication over HTTP, and 1245 (occasionally 80, 2245, 3001, 5000, or 5001) for backdoor C&C communication over TCP sockets. All communication from the client to the C&C server, except downloading the Python environment, contains the campaign ID. For InvisibleFerret downloads, the ID is added to the end of the URL in the GET request. For data exfiltration, the ID is sent as part of the POST request in the type field. This is useful for identifying network traffic and determining what specific sample and campaign it belongs to.

The campaign IDs (sType and gType values) we observed are alphanumeric and don’t seem to bear any direct relation to the campaign. Before the introduction of gType, some of the sType values were base64 strings containing variants of the word team and numbers, such as 5Team9 and 7tEaM;. After gType was introduced, most observed values for both values were purely numeric, without the use of base64.

Conclusion

The DeceptiveDevelopment cluster is an addition to an already large collection of money-making schemes employed by North Korea-aligned actors and conforms to an ongoing trend of shifting focus from traditional money to cryptocurrencies. During our research, we observed it go from primitive tools and techniques to more advanced and capable malware, as well as more polished techniques to lure in victims and deploy the malware. Any online job-hunting and freelancing platform can be at risk of being abused for malware distribution by fake recruiters. We continue to observe significant activity related to this campaign and expect DeceptiveDevelopment to continue innovating and searching for more ways to target cryptocurrency users.

For any inquiries about our research published on WeLiveSecurity, please contact us at threatintel@eset.com.

ESET Research offers private APT intelligence reports and data feeds. For any inquiries about this service, visit the ESET Threat Intelligence page.

IoCs

A comprehensive list of indicators of compromise (IoCs) and samples can be found in our GitHub repository.

Files

SHA-1	Filename	Detection	Description
48E75D6E2BDB2B00ECBF4801A98F96732E397858	FCCCall.exe	Win64/DeceptiveDevelopment.A	Trojanized conferencing app – native BeaverTail.
EC8B6A0A7A7407CA3CD18DE5F93489166996116C	pay.py	Python/DeceptiveDevelopment.B	InvisibleFerret payload module.
3F8EF8649E6B9162CFB0C739F01043A19E9538E7	bow.py	Python/DeceptiveDevelopment.C	InvisibleFerret browser module.
F6517B68F8317504FDCD415653CF46530E19D94A	pay_u2GgOA8.py	Python/DeceptiveDevelopment.B	InvisibleFerret new payload module.
01C0D61BFB4C8269CA56E0F1F666CBF36ABE69AD	setupTest.js	JS/Spy.DeceptiveDevelopment.A	BeaverTail.
2E3E1B95E22E4A8F4C75334BA5FC30D6A54C34C1	tailwind.config.js	JS/Spy.DeceptiveDevelopment.A	BeaverTail.
7C8724B75BF7A9B8F27F5E86AAC9445AAFCCB6AC	conf.ps1	PowerShell/DeceptiveDevelopment.A	AnyDesk configuration PowerShell script.
5F5D3A86437082FA512B5C93A6B4E39397E1ADC8	adc.py	Python/DeceptiveDevelopment.A	InvisibleFerret AnyDesk module.
7C5B2CAFAEABBCEB9765D20C6A323A07FA928624	bow.py	Python/DeceptiveDevelopment.A	InvisibleFerret browser module.
BA1A54F4FFA42765232BA094AAAFAEE5D3BB2B8C	pay.py	Python/DeceptiveDevelopment.A	InvisibleFerret payload module.
6F049D8A0723DF10144CB51A43CE15147634FAFE	.npl	Python/DeceptiveDevelopment.A	InvisibleFerret loader module.
8FECA3F5143D15437025777285D8E2E3AA9D6CAA	admin.model.js	JS/Spy.DeceptiveDevelopment.A	BeaverTail.
380BD7EDA453487CF11509D548EF5E5A666ACD95	run.js	JS/Spy.DeceptiveDevelopment.A	BeaverTail.

Network

IP	Domain	Hosting provider	First seen	Details
95.164.17[.]24	N/A	STARK INDUSTRIES SOLUTIONS LTD	2024‑06‑06	BeaverTail/InvisibleFerret C&C and staging server.
185.235.241[.]208	N/A	STARK INDUSTRIES SOLUTIONS LTD	2021‑04‑12	BeaverTail/InvisibleFerret C&C and staging server.
147.124.214[.]129	N/A	Majestic Hosting Solutions, LLC	2024‑03‑22	BeaverTail/InvisibleFerret C&C and staging server.
23.106.253[.]194	N/A	LEASEWEB SINGAPORE PTE. LTD.	2024‑05‑28	BeaverTail/InvisibleFerret C&C and staging server.
147.124.214[.]237	N/A	Majestic Hosting Solutions, LLC	2023‑01‑28	BeaverTail/InvisibleFerret C&C and staging server.
67.203.7[.]171	N/A	Amaze Internet Services	2024‑02‑14	BeaverTail/InvisibleFerret C&C and staging server.
45.61.131[.]218	N/A	RouterHosting LLC	2024‑01‑22	BeaverTail/InvisibleFerret C&C and staging server.
135.125.248[.]56	N/A	OVH SAS	2023‑06‑30	BeaverTail/InvisibleFerret C&C and staging server.

MITRE ATT&CK techniques

This table was built using version 16 of the MITRE ATT&CK framework.

Tactic	ID	Name	Description
Resource Development	T1583.003	Acquire Infrastructure: Virtual Private Server	The attackers rent out infrastructure for C&C and staging servers.
	T1587.001	Develop Capabilities: Malware	The attackers develop the BeaverTail and InvisibleFerret malware.
	T1585.001	Establish Accounts: Social Media Accounts	The attackers create fake social media accounts, pretending to be recruiters.
	T1608.001	Stage Capabilities: Upload Malware	InvisibleFerret modules are uploaded to staging servers, from where they are downloaded to victimized systems.
Initial Access	T1566.003	Phishing: Spearphishing via Service	Spearphishing via job-hunting and freelancing platforms.
Execution	T1059.006	Command-Line Interface: Python	InvisibleFerret is written in Python.
	T1059.007	Command-Line Interface: JavaScript/JScript	BeaverTail has a variant written in JavaScript.
	T1204.002	User Execution: Malicious File	Initial compromise is triggered by the victim executing a trojanized project containing the BeaverTail malware.
	T1059.003	Command-Line Interface: Windows Command Shell	InvisibleFerret’s remote shell functionality allows access to the Windows Command Shell.
Persistence	T1133	External Remote Services	Persistence is achieved by installing and configuring the AnyDesk remote access tool.
Defense Evasion	T1140	Deobfuscate/Decode Files or Information	The JavaScript variant of BeaverTail uses code obfuscation. C&C server addresses and other configuration data are also encrypted/encoded.
	T1564.001	Hide Artifacts: Hidden Files and Directories	InvisibleFerret files are dropped to disk with the hidden attribute.
	T1564.003	Hide Artifacts: Hidden Window	InvisibleFerret creates new processes with their windows hidden.
	T1027.013	Obfuscated Files or Information: Encrypted/Encoded File	InvisibleFerret payloads are encrypted and have to be decrypted before execution.
Credential Access	T1555.001	Credentials from Password Stores: Keychain	Keychain data is exfiltrated by both BeaverTail and InvisibleFerret.
	T1555.003	Credentials from Password Stores: Credentials from Web Browsers	Credentials stored in web browsers are exfiltrated by InvisibleFerret.
	T1552.001	Unsecured Credentials: Credentials In Files	Plaintext credentials/keys in certain files are exfiltrated by both BeaverTail and InvisibleFerret.
Discovery	T1010	Application Window Discovery	The InvisibleFerret keylogger collects the name of the currently active window.
	T1217	Browser Bookmark Discovery	Credentials and other data stored by browsers are exfiltrated by InvisibleFerret.
	T1083	File and Directory Discovery	The InvisibleFerret backdoor can browse the filesystem and exfiltrate files.
	T1082	System Information Discovery	System information is collected by both BeaverTail and InvisibleFerret.
	T1614	System Location Discovery	InvisibleFerret geolocates the campaign by querying the IP address location.
	T1016	System Network Configuration Discovery	InvisibleFerret collects network information, such as private and public IP addresses.
	T1124	System Time Discovery	InvisibleFerret collects the system time.
Lateral Movement	T1021.001	Remote Services: Remote Desktop Protocol	AnyDesk is used by InvisibleFerret to achieve persistence and allow remote attacker access.
Collection	T1056.001	Input Capture: Keylogging	InvisibleFerret contains keylogger functionality.
	T1560.002	Archive Collected Data: Archive via Library	Data exfiltrated using InvisibleFerret can be archived using the py7zr and pyzipper Python packages.
	T1119	Automated Collection	Both BeaverTail and InvisibleFerret exfiltrate some data automatically.
	T1005	Data from Local System	Both BeaverTail and InvisibleFerret exfiltrate data from the local system.
	T1025	Data from Removable Media	InvisibleFerret scans removable media for files to exfiltrate.
	T1074.001	Data Staged: Local Data Staging	InvisibleFerret copies browser databases to the temp folder prior to credential extraction. When exfiltrating via a ZIP/7z archive, the file is created locally before being uploaded.
	T1115	Clipboard Data	InvisibleFerret contains clipboard stealer functionality.
Command and Control	T1071.001	Standard Application Layer Protocol: Web Protocols	C&C communication is done over HTTP.
	T1071.002	Standard Application Layer Protocol: File Transfer Protocols	Files are exfiltrated over FTP by InvisibleFerret.
	T1571	Non-Standard Port	Nonstandard ports 1224, 1244, and 1245 are used by BeaverTail and InvisibleFerret.
	T1219	Remote Access Tools	InvisibleFerret can install AnyDesk as a persistence mechanism.
	T1095	Non-Application Layer Protocol	TCP is used for command and control communication.
Exfiltration	T1030	Data Transfer Size Limits	In some cases, InvisibleFerret exfiltrates only files below a certain file size.
	T1041	Exfiltration Over Command and Control Channel	Some data is exfiltrated to the C&C server over HTTP.
	T1567.004	Exfiltration Over Web Service: Exfiltration Over Webhook	Exfiltrating ZIP/7z files can be done over a Telegram webhook (InvisibleFerret’s ssh_zcp command).
Impact	T1657	Financial Theft	This campaign’s goal is cryptocurrency theft and InvisibleFerret has also been seen exfiltrating saved credit card information.

Appendix

Following is a list of browser extensions targeted by the new InvisibleFerret:

ArgentX
Aurox
Backpack
Binance
Bitget
Blade
Block
Braavos
ByBit
Casper
Cirus
Coin98
CoinBase
Compass-Sei
Core-Crypto
Cosmostation
Crypto.com
Dashalane
Enkrypt
Eternl
Exodus
Fewcha-Move
Fluent
Frontier
GoogleAuth
Hashpack
HAVAH
HBAR
Initia
Keplr

Koala
LastPass
LeapCosmos
Leather
Libonomy
MagicEden
Manta
Martian
Math
MetaMask
MetaMask-Edge
MOBOX
Moso
MyTon
Nami
OKX
OneKey
OpenMask
Orange
OrdPay
OsmWallet
Paragon
PetraAptos
Phantom
Pontem
Rabby
Rainbow
Ramper
Rise
Ronin

Safepal
Sender
SenSui
Shell
Solflare
Stargazer
Station
Sub-Polkadot
Sui
Suiet
Suku
Taho
Talisman
Termux
Tomo
Ton
Tonkeeper
TronLink
Trust
Twetch
UniSat
Virgo
Wigwam
Wombat
XDEFI
Xverse
Zapit
Zerion

The post DeceptiveDevelopment targets freelance developers appeared first on Online Pitstop.

Fake job offers target software developers with infostealers

admin — Sat, 22 Feb 2025 00:33:26 +0000

A North Korea-aligned activity cluster tracked by ESET as DeceptiveDevelopment drains victims’ crypto wallets and steals their login details from web browsers and password managers

20 Feb 2025

ESET researchers have observed a malicious campaign where North Korea-aligned threat actors, posing as headhunters, target freelance software developers with info-stealing malware.

The activities – named DeceptiveDevelopment and going back to at least November 2023 – involve spearphishing messages that are being distributed on job-hunting and freelancing sites and ask the targets to take a coding test, with the files necessary for the task usually hosted on private repositories such as GitHub. These files are laden with malware, however, which ultimately lets the attackers steal the victims’ login details and drain their cryptocurrency wallets.

What else is there to know about the campaign’s tactics, techniques, and procedures? Learn from ESET Chief Security Evangelist Tony Anscombe in the video and make sure to read the full blogpost.

Connect with us on Facebook, X, LinkedIn and Instagram.

The post Fake job offers target software developers with infostealers appeared first on Online Pitstop.

No, you’re not fired – but beware of job termination scams

admin — Fri, 21 Feb 2025 00:24:47 +0000

Some employment scams take an unexpected turn as cybercriminals shift from “hiring” to “firing” staff

Phil Muncaster

18 Feb 2025
•
,
5 min. read

Most of us are in a job or looking for one. Or both. That’s largely why employment and work-from-home scams are so popular among cybercriminals (and even some state-aligned threat actors). The schemes typically lure the user by offering amazing job or casual employment opportunities. But in reality, all the scammers usually want is your personal and financial information. In some cases, victims may even end up unwittingly receiving and re-shipping stolen goods, or allowing their bank accounts to be used for money laundering.

However, less-well known is the employment termination scam. This turns the idea on its head: using the threat of losing your job rather than the lure of gaining a new one to catch your attention. So what do they look like and how can you stay safe?

What do job termination scams look like?

At their simplest, job termination scams are a type of phishing attack designed to trick you into handing over your personal and financial information, or on clicking on a malicious link which could trigger a malware download. Social engineering tactics used in phishing aim to create a sense of urgency in the victim, so that they act without thinking things through first. And you can’t get more urgent than a notice informing you that you have been dismissed.

It could arrive in the form of an email from HR, or an authoritative third-party outside the company. It may tell you that your services are no longer required. Or it may claim to include details about your colleagues that are too hard to resist reading. The end goal is to persuade you to click on a malicious link or open an attachment, perhaps by claiming that it includes details of severance payments and termination dates.

Once you click through/open the attachment, you might find that:

With your work logins, adversaries could hijack your email or other accounts to access sensitive corporate data and networks for theft and extortion. And if you reuse those logins across multiple accounts, they may even be able to run credential stuffing campaigns to unlock those accounts, too.

Why do they work so well?

Termination scams are effective because they exploit the credulity of human beings, creating a sense of dread among the victim, and instilling an urgent need for action. You’d be hard pressed to find an employee that didn’t want to know more about their own termination, or potentially contrived details of supposed misconduct.

It’s no coincidence that phishing remains a top-three initial access tactic for ransomware actors and has contributed to a quarter (25%) of financially motivated cyber-incidents over the past two years.

In the wild

Several versions of this scam have been observed circulating in the wild. These include:

An email impersonating the UK’s Courts & Tribunals Service, purporting to contain a link to an employment termination document. Clicking through loads a spoofed website with the Microsoft logo designed to persuade the victim into opening it on a Windows device. It triggers a download of the Casbaneiro (aka Metamorfo) banking trojan.
An email purporting to come from the victim’s HR department, which claims to contain a staff termination list and details on new positions, as an attachment. Opening the fake PDF triggers a fake DocuSign login form requesting the victim enters their email address and password to access it.

Source: PCrisk

How to spot a job termination scam

As with any phishing attack, there are a few warning signs which should flash red if such an email ends up in your inbox. Take a deep breath and look out for giveaways such as:

An unusual sender address that doesn’t match the stated sender. Hover your mouse over the “from” address to see what pops up. It may be something completely different, or it could be an attempt to mimic the impersonated company’s domain, using typos and other characters (e.g., m1crosoft.com, @microsfot.com)
A generic greeting (e.g., “dear employee/user”), which is certainly not the tone a legitimate termination letter would take.
Links embedded in the email or attachments to open. These are often a tell-tale sign of a phishing attempt. If you hover over the link and it doesn’t look right, all the more reason not to click.
Links or attachments that don’t open immediately, but request you to enter logins. Never do so in response to an unsolicited message.
Urgent language. Phishing messages will always try to rush you into making a rash decision.
Misspellings, grammatical or other mistakes in the letter. These are becoming rarer as cybercriminals adopt generative AI tools to write their phishing emails, but they’re still worth looking out for.
Going forward, be on your guard for AI-aided schemes where scammers could use deepfake audio and video likenesses of actual people (that of your boss, perhaps) to trick you into giving up confidential corporate information.

Staying safe

To ensure you don’t get caught out by job termination scams, understand the warning signs listed above. And also consider the following:

Use strong, unique passwords for every account, ideally stored in a password manager
Be sure to switch on two-factor authentication (2FA) for an extra layer of access security
Make sure all of your work and personal devices are regularly patched and up to date
If your IT department offers, join regular phishing simulation exercises to understand what to look out for
If you receive a suspect message, never click on embedded links or open the attachment
Contact the sender through other channels if you’re concerned – but not by replying to the email or using the contact details listed on it
Report any suspect emails to your employer’s IT department
Check whether colleagues have received the same message

Employment termination scams have been around for some time. But if they’re still doing the rounds, they must still be working. Always be sceptical of anything hitting your inbox.

The post No, you’re not fired – but beware of job termination scams appeared first on Online Pitstop.

What is penetration testing? | Unlocked 403 cybersecurity podcast (ep. 10)

admin — Thu, 20 Feb 2025 00:23:39 +0000

Ever wondered what it’s like to hack for a living – legally? Learn about the art and thrill of ethical hacking and how white-hat hackers help organizations tighten up their security.

12 Feb 2025

What if breaking into computer systems, tricking people into handing over passwords, and even sneaking into buildings was part of your normal daily routine? That is the reality for penetration testers – or, more broadly, ethical hackers – who get paid to think like criminals so that they can identify and help close security loopholes before the actual bad guys can exploit them.

In this episode of the Unlocked 403 cybersecurity podcast, Becks sits down with ESET penetration testers Tomas Lezovic and Pavol Michalec to give you a peek into the high-stakes world of hacking for good, answering questions like:

Why are some organizations hesitant to engage third-party pentesters?
Do businesses still fail at the basics?
Which sectors and devices require pentesting the most?
How can you join the ranks of pentesters?
How can something as innocuous as a ladder help breach an organization’s defenses?

Also, don’t miss a demo of a replay attack that leverages one of today’s most popular hacking gadgets.

Connect with us on Facebook, X, LinkedIn and Instagram.

The post What is penetration testing? | Unlocked 403 cybersecurity podcast (ep. 10) appeared first on Online Pitstop.

Katharine Hayhoe: The most important climate equation | Starmus highlights

admin — Wed, 19 Feb 2025 00:23:14 +0000

WeLiveScience

The atmospheric scientist makes a compelling case for a head-to-heart-to-hands connection as a catalyst for climate action

17 Feb 2025

Most people acknowledge that climate change is real and human-driven, yet many still struggle to see how it directly affects their lives. To bridge this gap, Dr. Katharine Hayhoe introduces a simple but powerful equation:

Science + Worry + Action = Hope

As one of the world’s most effective climate communicators, Dr. Hayhoe maintains that understanding the science (head) isn’t enough – we must also feel its urgency (heart) before we can take meaningful action (hands).

This approach transforms climate awareness into tangible solutions and, indeed, echoes the wisdom of Jane Goodall, who said during her own Starmus talk that “It’s only when our clever brain and our human heart come together that we can really reach our full potential.”

For more insights, be sure to read our recent interview with Dr. Hayhoe.

ESET’s commitment to promoting scientific innovation and progress is seen in its ongoing efforts to foster a deep appreciation for science, celebrate the power of groundbreaking research, and connect with leading thinkers in technology and science. ESET recently partnered with Starmus, the global science communication festival, and brought its 7^th edition to Bratislava, Slovakia, in May 2024.

The festival featured a number of thought-provoking perspectives from some of the planet’s foremost thinkers. You can now relive the experience from the comfort of your home and get a taste of how the power of technology is being harnessed to tackle some of the most pressing challenges facing the world today.

The post Katharine Hayhoe: The most important climate equation | Starmus highlights appeared first on Online Pitstop.

Gaming or gambling? Lifting the lid on in-game loot boxes

admin — Tue, 18 Feb 2025 00:22:56 +0000

Kids Online

The virtual treasure chests and other casino-like rewards inside your children’s games may pose risks you shouldn’t play down

13 Feb 2025
•
,
5 min. read

Historically, many video games followed a straightforward economic model: pay once, play forever. These days, however, purchasing a game is often just the beginning. At the same time, modern gaming has increasingly embraced free-to-play ecosystems, where players get access to the base game at no cost, but are constantly nudged to spend money on in-game items in the hope that these extras will speed up their progress, provide competitive advantages, or enhance their gaming experience.

Enter loot boxes, skin betting, and other microtransactions that have become a controversial feature of many video games. But while the lines between entertainment and gambling have become blurry, the consequences are coming into focus. Once dismissed as a niche concern, sealed mystery boxes and other chance-driven, casino-like rewards are now recognized as potential contributors to gambling addiction among children and teens, many of whom don’t even realize they’re gambling.

Meanwhile, the wheels of regulation turn rather slowly. Many parents, for their part, are also often caught off guard and struggle to keep their children and families out of harm’s way.

Tricks of the gaming trade

Loot boxes – not all dissimilar from lottery scratch cards or to digital chocolate eggs containing random plastic toys – are perhaps the most controversial type of in-game rewards. Major gaming franchises, such as Candy Crush, Fortnite, FIFA, League of Legends and Final Fantasy, have also relied on revenue from these “grab bags” and other microtransactions to offset development costs. Studies estimate that by the end of 2025, loot boxes will generate over US$20 billion in revenue.

Source: gov.uk

For the uninitiated, here’s how loot boxes work:

a player spends real money to buy a loot box, or receives it as a reward, without knowing what’s inside
the content is randomized, making the purchase a gamble
rare and highly desirable rewards are intentionally scarce, encouraging repeated spending

This is where the parallels to slot machines and roulette wheels become impossible to ignore. It’s little wonder, then, that this mix of suspense, reward, and intermittent reinforcement keeps players coming back, to the point of possibly encouraging addictive spending among especially young people. The problem is further exacerbated by the accessibility of mobile devices and the lack of age verification controls on many platforms.

Indeed, while casinos are subject to regulations and licensing requirements, many video games operate in a legal gray area. For young players, the risk of compulsive spending is particularly real. The consequences can be severe, including the development of gambling behaviors and significant financial losses, often unbeknownst to parents.

Third-party gambling sites and influencers: The state of play

Loot boxes aren’t just a problem inside games – they’ve spawned an entire secondary gambling market. Third-party websites allow players to trade or bet their in-game items, such as weapon skins for some highly popular games, for real money.

These sites often operate in a regulatory gray area and face little-to-no regulation. Many of them don’t actively stop minors from betting, all while the players who lose money often have no recourse.

The connection between gaming and gambling is often further strengthened by social media influencers who hold massive sway over young audiences. Some may funnel followers into gambling platforms, possibly earning commissions based on user losses – and sometimes without disclosing that they actually owned the platform.

Game over? Hardly

With the line between gaming and gambling blurrier than ever, regulators have taken notice and the gaming industry may face a reckoning in the future. For now, however, legislation and enforcement remain largely elusive, and gaming companies continue to finetune their engagement and monetization tactics.

Here’s a snapshot of legislative action undertaken by some countries vis-à-vis loot boxes and other in-game extras:

What can parents do?

The problem with loot boxes and other controversial in-game purchases isn’t going away anytime soon. What can you as a parent do to help mitigate the underlying risks?

Talk to your children about gambling mechanics in games, since chances are high that they don’t realize they’re engaging in gambling-like behavior. They should understand the difference between earning rewards in a game and spending real money to buy random items.
Keep an eye on what games your child is playing and whether they’re engaging with loot boxes or other microtransactions.
Some platforms let you set spending limits and restrict or turn off in-game purchases. Use these features to prevent accidental or excessive spending on loot boxes or other microtransactions.
Enable parental controls that can block access to certain games or in-app purchases and/or let you set spending limits or approve any purchases made.
Consider monitoring all their online activity, including the social media influencers they follow.
Set a positive example – take your eyes off your own screens and encourage offline hobbies to reduce your children’s screen time.

Loot boxes and gambling-like mechanics in video games are not just a passing fad, so be aware of the risks. For children, gaming should be an adventure and a learning experience, not a gamble that may put the well-being of their entire family at risk.

Why not get your children to watch ‘Hey Pug‘ on Safer Kids Online? Hey Pug is an animated series by ESET that teaches kids about online security and privacy in an engaging and entertaining way.

The post Gaming or gambling? Lifting the lid on in-game loot boxes appeared first on Online Pitstop.