new Function(), New Threat: Inside a Live DPRK Developer-Targeting Campaign | Intercept Cell
We acquired live malware source code from a DPRK-linked campaign targeting software developers through trojanized Next.js coding assessments, then registered a fake agent with the live C2 and captured the full Stage 2 tasking payload on delivery. We deobfuscated it. Two C2 servers remain operational.
Two days after we published our analysis of a trojanized CUDA toolkit linked to DPRK threat actors, we found the same operational cluster has pivoted. The new vector: fake Next.js coding assessments sent to developers during job interviews. We pulled the actual malware loader source code off live staging infrastructure, confirmed two active command-and-control servers, registered a fake agent, and captured the full Stage 2 tasking payload when the C2 pushed it to our session. We deobfuscated the entire chain. The campaign is still running.

Microsoft Defender published a report on February 24 identifying malicious repositories on Bitbucket posing as legitimate Next.js projects. We independently acquired artifacts from the live infrastructure and confirmed active C2 servers. Five Vercel-hosted staging domains remained live at time of analysis, including endpoints actively serving malware loader code to anyone who requested it.

The campaign uses recruiting-themed lures. A developer receives a repository framed as a technical assessment or interview project. The repo looks legitimate. It builds. It runs. It also phones home to Pyongyang.

The attackers embedded three independent execution triggers into each repository, ensuring infection regardless of how the developer interacts with the code:

A .vscode/tasks.json file configured with runOn: "folderOpen" executes a Node script the moment the developer opens the project folder in VS Code and clicks Trust. The script fetches a loader from a Vercel staging domain and executes it in memory.
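For teams that want to screen incoming "assessment" repositories for the first trigger before anyone opens them in VS Code, here is an added example (our own, not code from the campaign or from this analysis) that parses a .vscode/tasks.json and flags tasks VS Code would launch automatically on folderOpen, weighting interpreter invocations and hidden terminals. It handles the JSONC comments that tasks.json allows; the sample file and its `.vscode/setup.js` path are constructed placeholders.

```python
import json
INTERPRETERS = {"node", "npx", "sh", "bash", "python", "curl", "wget", "powershell", "pwsh"}
# Constructed sample .vscode/tasks.json (placeholder, not a file from the campaign): one normal
# task, one auto-run Node script with a hidden terminal, one benign auto-run task.
SAMPLE_TASKS_JSON = r'''{
  // tasks.json is JSONC, so comments like this one are legal and trip a plain JSON parser
  "version": "2.0.0",
  "tasks": [
    {"label": "lint", "type": "shell", "command": "npm run lint"},
    {"label": "setup", "type": "shell", "command": "node", "args": [".vscode/setup.js"],
     "runOptions": {"runOn": "folderOpen"}, "presentation": {"reveal": "silent"}},
    {"label": "deps", "type": "shell", "command": "npm install", "runOptions": {"runOn": "folderOpen"}}
  ]
}'''

def strip_jsonc(text):
    """Drop // and /* */ comments without touching string contents (a URL's // must survive)."""
    out, i, in_str = [], 0, False
    while i < len(text):
        c = text[i]
        if in_str:
            out.append(c)
            if c == "\\" and i + 1 < len(text):  # keep escaped character, including \"
                out.append(text[i + 1]); i += 1
            elif c == '"':
                in_str = False
        elif text.startswith("//", i):
            nl = text.find("\n", i); i = len(text) if nl < 0 else nl; continue
        elif text.startswith("/*", i):
            end = text.find("*/", i + 2); i = len(text) if end < 0 else end + 2; continue
        else:
            in_str = c == '"'; out.append(c)
        i += 1
    return "".join(out)

def find_autorun_tasks(tasks_json_text):
    """Return [{label, command, reasons}] for every task VS Code runs on folder open."""
    findings = []
    for task in json.loads(strip_jsonc(tasks_json_text)).get("tasks", []):
        if task.get("runOptions", {}).get("runOn") != "folderOpen":
            continue
        cmd = " ".join([str(task.get("command", ""))] + [str(a) for a in task.get("args", [])]).strip()
        reasons = ["runs automatically on folderOpen (once the user clicks Trust)"]
        exe = cmd.split()[0].rsplit("/", 1)[-1] if cmd else ""
        if exe in INTERPRETERS:
            reasons.append(f"invokes interpreter or downloader '{exe}'")
        if task.get("presentation", {}).get("reveal") == "silent":
            reasons.append("terminal output hidden (reveal: silent)")
        findings.append({"label": task.get("label", "?"), "command": cmd, "reasons": reasons})
    return findings
```

Any folderOpen task is worth a look; one that launches an interpreter with its terminal hidden is the pattern described above and should block the repository from being opened until reviewed.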