TTPwire Vol. 1 · MITRE ATT&CK·Tagged


ESET WeLiveSecurity

DeceptiveDevelopment: From primitive crypto theft to sophisticated AI-based deception

2025-09-25

ATT&CK techniques detected

18 predictions
T1204.002 Malicious File (96%)
"…Tail and InvisibleFerret, with the main focus being exfiltration of sensitive data from browsers and cryptocurrency wallets. Once the data has been exfiltrated, WeaselStore, unlike traditional infostealers, continues to communicate with its C&C server, serving as a RAT capabl…"

T1204.002 Malicious File (96%)
"…Total. The BAT file just downloads the archive and executes run.vbs from it. The archive contains various legitimate JAR packages for the NVIDIA CUDA Toolkit, together with the following malicious files: - shell.bat, a trojanized installer for Node.js, which is executed aft…"

T1105 Ingress Tool Transfer (92%)
"a 64-bit downloader named car.dll or img_layer_generate.dll. While BeaverTail, as expected, downloaded InvisibleFerret, this new downloader retrieved an in-memory payload that was named Tropidoor by AhnLab. We realized that Tropidoor shares large portions of code with p…"

T1219 Remote Access Tools (83%)
"the payload module, and - an AnyDesk module (which deploys the AnyDesk remote access tool to allow direct attacker access to the compromised machine). WeaselStore As DeceptiveDevelopment evolved and started to include more teams in its operations, those teams started modifying …"

T1071.001 Web Protocols (74%)
"about this service, visit the ESET Threat Intelligence page. IoCs Files A comprehensive list of indicators of compromise (IoCs) and samples can be found in our GitHub repository. Network MITRE ATT&CK techniques This table was built using version 17 of the MITRE ATT&CK frame…"

T1204.002 Malicious File (71%)
"framework and disguised as conferencing software. Its primary function is downloading the second-stage malware InvisibleFerret. At the end of 2024, a new malware family with functionality similar to BeaverTail emerged – it was named OtterCookie by NTT Security. OtterCookie is w…"

T1204.001 Malicious Link (71%)
"trojanized codebases during staged job interviews. Its most typical payloads are the BeaverTail, OtterCookie, and WeaselStore infostealers, and the InvisibleFerret modular RAT. Targeting strategy DeceptiveDevelopment operators use various methods to compromise their victims, rely…"

T1204.004 Malicious Copy and Paste (66%)
"…Fix was observed. ClickFix in relation to DeceptiveDevelopment was first reported by Sekoia.io in March 2025, when it was used by the group as the initial access method on macOS and Windows systems; in September 2025, GitLab spotted it being used on Linux systems too. The attac…"

T1204.001 Malicious Link (64%)
"…Fix was observed. ClickFix in relation to DeceptiveDevelopment was first reported by Sekoia.io in March 2025, when it was used by the group as the initial access method on macOS and Windows systems; in September 2025, GitLab spotted it being used on Linux systems too. The attac…"

T1204.002 Malicious File (60%)
"a previously unseen, large, encoded block with the first stage of the execution chain deploying a completely new malware toolkit, also intended for information and cryptocurrency theft. We named this toolkit TsunamiKit, based on the developer's repeated use of “Tsunami” in th…"

T1204.004 Malicious Copy and Paste (57%)
"the ClickFix social engineering technique. The victim is instructed, based on their operating system, to open a terminal and copy and paste a command that should solve the issue. However, instead of enabling the victim's camera, the command downloads and executes malware. Tools…"

T1204.002 Malicious File (55%)
"North Korea-aligned cyberattacks. We discovered that the TsunamiKit project dates back at least to December 2021, when it was submitted to VirusTotal under the name Nitro Labs.zip. One of the components contains the PDB path e:\programming\the tsunami project\malware\…"

T1204.001 Malicious Link (53%)
"the ClickFix social engineering technique. The victim is instructed, based on their operating system, to open a terminal and copy and paste a command that should solve the issue. However, instead of enabling the victim's camera, the command downloads and executes malware. Tools…"

T1204.002 Malicious File (51%)
"a 64-bit downloader named car.dll or img_layer_generate.dll. While BeaverTail, as expected, downloaded InvisibleFerret, this new downloader retrieved an in-memory payload that was named Tropidoor by AhnLab. We realized that Tropidoor shares large portions of code with p…"

T1204.002 Malicious File (51%)
"the ClickFix social engineering technique. The victim is instructed, based on their operating system, to open a terminal and copy and paste a command that should solve the issue. However, instead of enabling the victim's camera, the command downloads and executes malware. Tools…"

T1204.002 Malicious File (44%)
"DeceptiveDevelopment: From primitive crypto theft to sophisticated AI-based deception This blogpost introduces our latest white paper, presented at Virus Bulletin 2025, where we detail the operations of the North Korea-aligned threat actor we call DeceptiveDevelopment and it…"

T1204.002 Malicious File (36%)
"trojanized codebases during staged job interviews. Its most typical payloads are the BeaverTail, OtterCookie, and WeaselStore infostealers, and the InvisibleFerret modular RAT. Targeting strategy DeceptiveDevelopment operators use various methods to compromise their victims, rely…"

T1204.004 Malicious Copy and Paste (34%)
"trojanized codebases during staged job interviews. Its most typical payloads are the BeaverTail, OtterCookie, and WeaselStore infostealers, and the InvisibleFerret modular RAT. Targeting strategy DeceptiveDevelopment operators use various methods to compromise their victims, rely…"

Summary

Malware operators collaborate with covert North Korean IT workers, posing a threat to both headhunters and job seekers.