A new campaign tracked as “Dev Popper” is a sophisticated, multi-stage infection chain based on social engineering. Attackers target software developers with fake job interviews in an attempt to trick them into installing a Python remote access trojan.

The target developers are asked to perform tasks supposedly related to the interview by downloading and running code for the interview. The code is infected with obfuscated code/packages that downloads additional binaries that complete the infection. The threat actor’s goal is make their targets download malicious software that gathers system information and enables remote access to the host.

According to Securonix analys of Dev Popper, the campaign is likely orchestrated by North Korean threat actors based on the observed tactics. The connections are not strong enough for attribution, though.

Articles:

• https://www.bleepingcomputer.com/news/security/fake-job-interviews-target-developers-with-new-python-backdoor/amp/
• https://www.securonix.com/blog/analysis-of-devpopper-new-attack-campaign-targeting-software-developers-likely-associated-with-north-korean-threat-actors/