North Korean-linked crews connected to the pervasive IT worker scams have upped their malware game, using more advanced tools, including a backdoor that has much of the same code as Pyongyang’s infamous Lazarus Group deploys.
In a white paper [PDF] presented at Virus Bulletin 2025, ESET researchers Peter Kálnai and Matěj Havránek identified new links between DeceptiveDevelopment’s malware and the Lazarus Group’s PostNapTea RAT.
DeceptiveDevelopment, a North Korea-aligned group that has been active since at least 2023, overlaps with the Contagious Interview and WageMole campaigns, plus a gang that CrowdStrike tracks as Famous Chollima. Its members pose as recruiters, posting fake profiles on social media along the lines of Lazarus’ Operation Dream Job, which tricked job seekers into clicking on malicious links. But in this case, the cybercriminals primarily reach out to software developers and typically those involved in cryptocurrency projects.
DeceptiveDevelopment also uses other social engineering techniques, including ClickFix, which walks users through bogus prompts such as fake CAPTCHAs that end with them running a malicious command, and during the fake interview process it infects victims’ computers with trojanized codebases. The information, identities, and other data stolen along the way are then passed to the North Korean IT workers seeking jobs with Western companies, who use the harvested interview answers to help them get hired. Once employed by Western firms, the IT workers funnel their salaries back to Pyongyang.
In some cases, the fraudsters use their insider access to steal proprietary source code, and then extort their employers with threats to leak corporate data if not paid a ransom demand.
From Beavers and Ferrets…
DeceptiveDevelopment’s usual payloads include BeaverTail and InvisibleFerret, both of which are fairly simple but obfuscated scripts.
BeaverTail is an infostealer and downloader that collects data from cryptocurrency wallets, keychains, and saved browser logins. “We have observed variants of this malware written in JavaScript, hidden in fake job challenges, and also in C++ using the Qt framework, disguised as conferencing software,” the researchers wrote.
InvisibleFerret is a Python-based modular malware with information-stealing capabilities. It also provides remote control to attackers.
At the end of 2024, a BeaverTail-like stealer named OtterCookie appeared, believed to be an evolution used by some DeceptiveDevelopment teams.
Plus, according to the researchers, this toolset contains “notable overlap with a certain piece of Lazarus malware.”
Earlier this year, AhnLab malware hunters documented BeaverTail downloading a new backdoor named Tropidoor. And after doing their own analysis on the previously unknown payload, the ESET duo noted that Tropidoor shares large portions of code with PostNapTea, which Lazarus deployed against South Korean targets in 2022.
To Tropidoor and TsunamiKit
Tropidoor supports several Windows commands, including schtasks (create and query scheduled tasks), ping (test whether a host can reach another network device), reg (read and modify the Windows Registry), net (manage network resources and user accounts), nslookup (query DNS), and wmic process (enumerate running processes on a Windows system).
“Tropidoor is the most sophisticated payload linked with the DeceptiveDevelopment group thus far, likely because it is based on malware developed by the more technically advanced threat actors under the Lazarus umbrella,” Kálnai and Havránek wrote.
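The command set above is ordinary Windows reconnaissance tooling, which is exactly why a single one of those commands is not worth an alert. A cheap defender-side check is to look for a burst of several distinct ones spawned by the same parent process within a short window. The script below is an added example written for this article, not code from ESET's paper or from Tropidoor; the log format and the sample events are constructed for the demonstration, and the 60-second window and three-distinct-commands threshold are assumptions to tune against your own telemetry.

```python
"""Flag a parent process that spawns several distinct Windows recon commands in a short burst."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Recon and persistence utilities named in the Tropidoor write-up (net1 is what
# net.exe actually launches for most subcommands, so it is included too).
RECON_COMMANDS = {"schtasks", "ping", "reg", "net", "net1", "nslookup", "wmic"}

# Constructed process-creation events (Sysmon Event ID 1 flattened to one line each).
# These are made-up sample lines for the example, not real telemetry.
SAMPLE_EVENTS = [
    r'2025-10-02T10:15:01 pid=4412 ppid=3900 parent=C:\Program Files\nodejs\node.exe image=C:\Windows\System32\PING.EXE cmd="ping -n 1 8.8.8.8"',
    r'2025-10-02T10:15:03 pid=4418 ppid=3900 parent=C:\Program Files\nodejs\node.exe image=C:\Windows\System32\nslookup.exe cmd="nslookup example.com"',
    r'2025-10-02T10:15:04 pid=4421 ppid=3900 parent=C:\Program Files\nodejs\node.exe image=C:\Windows\System32\net.exe cmd="net user"',
    r'2025-10-02T10:15:06 pid=4430 ppid=3900 parent=C:\Program Files\nodejs\node.exe image=C:\Windows\System32\reg.exe cmd="reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run"',
    r'2025-10-02T10:15:09 pid=4437 ppid=3900 parent=C:\Program Files\nodejs\node.exe image=C:\Windows\System32\schtasks.exe cmd="schtasks /query /fo LIST"',
    r'2025-10-02T10:15:11 pid=4440 ppid=3900 parent=C:\Program Files\nodejs\node.exe image=C:\Windows\System32\wbem\wmic.exe cmd="wmic process list brief"',
    r'2025-10-02T10:16:00 pid=4451 ppid=3900 parent=C:\Program Files\nodejs\node.exe image=C:\Windows\System32\cmd.exe cmd="cmd /c npm test"',
    r'2025-10-02T10:20:00 pid=5102 ppid=1200 parent=C:\Windows\explorer.exe image=C:\Windows\System32\PING.EXE cmd="ping -n 4 10.0.0.1"',
    r'2025-10-02T10:21:00 pid=5210 ppid=2500 parent=C:\Windows\System32\cmd.exe image=C:\Windows\System32\net.exe cmd="net use"',
    r'2025-10-02T10:35:00 pid=5390 ppid=2500 parent=C:\Windows\System32\cmd.exe image=C:\Windows\System32\PING.EXE cmd="ping 10.0.0.2"',
]

# Assumed flattened log layout: timestamp, pid, ppid, parent image, child image, quoted command line.
LINE_RE = re.compile(
    r'^(?P<ts>\S+) pid=(?P<pid>\d+) ppid=(?P<ppid>\d+) parent=(?P<parent>.+?) '
    r'image=(?P<image>.+?) cmd="(?P<cmd>[^"]*)"$'
)


def basename(path):
    """Lower-case executable name without directory or .exe suffix, e.g. PING.EXE -> ping."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name


def parse_event(line):
    """Parse one log line into a dict, or return None if it does not match the layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "pid": int(m["pid"]),
        "ppid": int(m["ppid"]),
        "parent": m["parent"],
        "image": m["image"],
        "cmd": m["cmd"],
    }


def detect_recon_bursts(lines, window_seconds=60, min_distinct=3):
    """Return one alert per parent process that launched >= min_distinct different
    recon commands within any window_seconds-long span."""
    by_parent = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        name = basename(ev["image"])
        if name not in RECON_COMMANDS:
            continue  # not a recon utility; ignore
        by_parent[(ev["ppid"], basename(ev["parent"]))].append((ev["ts"], name, ev["cmd"]))

    window = timedelta(seconds=window_seconds)
    alerts = []
    for (ppid, parent), events in by_parent.items():
        events.sort()  # chronological; tuples sort on the datetime first
        for i, (start, _, _) in enumerate(events):
            in_window = [e for e in events[i:] if e[0] - start <= window]
            distinct = sorted({e[1] for e in in_window})
            if len(distinct) >= min_distinct:
                alerts.append({
                    "ppid": ppid,
                    "parent": parent,
                    "commands": distinct,
                    "first_ts": in_window[0][0],
                    "last_ts": in_window[-1][0],
                    "command_lines": [e[2] for e in in_window],
                })
                break  # one alert per parent is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_recon_bursts(SAMPLE_EVENTS):
        print(f"[ALERT] ppid={alert['ppid']} parent={alert['parent']} "
              f"commands={alert['commands']} span={alert['first_ts']}..{alert['last_ts']}")
```

On the sample data only the node.exe parent trips the rule: six distinct recon commands in ten seconds, while the lone ping from explorer.exe and the two widely spaced commands from cmd.exe stay below the threshold. Two caveats: a JavaScript runtime launching net, reg and schtasks is a stronger signal than the same burst from an admin's cmd.exe, so parent-based weighting is worth adding; and process-creation telemetry only sees commands the implant actually shells out to. If a backdoor reimplements this functionality in-process rather than launching the system binaries, you need registry, DNS, and task-scheduler telemetry instead.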
Additionally, in November 2024, DeceptiveDevelopment began using a new version of InvisibleFerret with a modified browser-data stealer module. This module drops a previously undocumented toolkit that ESET named TsunamiKit, after the developer’s use of “Tsunami” in the names of all of its components. TsunamiKit is also designed to steal information and cryptocurrency, and its execution chain includes multiple stages of droppers and installers written in Python and .NET, plus a Tor network proxy, coinminers, and the final .NET spyware payload.
After the researchers submitted their paper to the Virus Bulletin conference, they discovered TsunamiKit samples uploaded to VirusTotal back in December 2021, indicating the toolkit has been around since at least then, according to a subsequent blog.
“We conclude that TsunamiKit is likely a modification of a dark web project rather than a new creation by the attackers, based on TsunamiKit largely predating the approximate start of DeceptiveDevelopment activity in 2023, similar TsunamiKit payloads without any signs of BeaverTail having been observed in ESET telemetry, and cryptocurrency mining being a core feature of TsunamiKit,” the two researchers wrote in a Thursday post.
Both in the blog and Virus Bulletin paper, the malware analysts note the increasingly “blurred lines between targeted APT activity and cybercrime, particularly in the overlap between malware campaigns by DeceptiveDevelopment and the operations of North Korean IT workers.”
While North Korea’s dual-use tactics typically combine cybertheft and cyberespionage with non-cyberspace employment-fraud schemes, other government-backed goons from Russia, China, and Iran are also moving into the ransomware biz.
And all of this, as Kálnai and Havránek point out, underscores “the need for defenders to consider broader threat ecosystems rather than isolated campaigns.” ®