UNK_DeadDrop North Korea Developer Phishing Campaign

avoid.net/unk-deaddrop-north-korea-developer-phishing-campaign · 0/100 · 93% conf.
[AI-DRAFTED · AWAITING VERIFICATION]
anchored·3Ubgew…uruL

Summary

UNK_DeadDrop is a suspected North Korea-aligned threat actor campaign disclosed by Proofpoint on June 8, 2026, in which attackers sent more than 250 phishing emails to software developers at approximately 100 organizations — with a heavy focus on cryptocurrency firms — over a six-week period in April and May 2026. Victims were directed to actor-controlled GitHub and GitLab repositories disguised as coding assignments or code-review projects; opening these repositories silently deployed cross-platform malware including the Go-based Overlord remote-access framework and malicious VS Code extensions (VSIX) capable of stealing browser credentials, cryptocurrency wallets, and API tokens. Proofpoint tracks UNK_DeadDrop as a distinct cluster from the previously documented Contagious Interview / Lazarus campaigns, noting industrialized repository creation and an email-first delivery model as differentiating characteristics.

Timeline (5 events)

2026-04-01

Campaign start (approximate): UNK_DeadDrop begins sending phishing emails to developers using fake job-offer and code-review pretexts, directing targets to malicious GitHub and GitLab repositories.

Proofpoint Threat Research

2026-04-01

Impersonation of at least seven legitimate companies including Ondo Finance, Empower Pharmacy, NXLog, OnePlan, Hypen Connect, Valon, and Nourish observed in lure emails.

Proofpoint Threat Research

2026-05-31

Campaign end (approximate): more than 250 phishing emails sent across approximately 100 organizations in a six-week window spanning April and May 2026.

Proofpoint Threat Research

2026-06-08

Proofpoint publicly discloses the UNK_DeadDrop campaign in a detailed threat-insight blog post, describing the Overlord framework, VSIX persistence technique, and cross-platform malware chain.

Proofpoint Threat Research

2026-06-08

The Register, Infosecurity Magazine, CybersecurityNews, TechRadar, and SC Media publish coverage of the Proofpoint disclosure, amplifying awareness to the security and developer communities.

The Register

Provenance & Audit Trail

Decision Log

This investigation is cryptographically anchored to the Solana blockchain and source URLs are archived via the Internet Archive.

model: claude-sonnet-4-6

generated: 6/14/2026, 5:03:44 PM

last updated: 6/14/2026, 5:03:52 PM
