DeceptiveDevelopment: From primitive crypto theft to sophisticated AI-based deception
www.welivesecurity.com/en/eset-r…

Malware operators collaborate with covert North Korean IT workers, posing a threat to both headhunters and job seekers.

This blogpost introduces our latest white paper, presented at Virus Bulletin 2025, where we detail the operations of the North Korea-aligned threat actor we call DeceptiveDevelopment and its connections to North Korean IT worker campaigns. The white paper provides full technical details, including malware analysis, infrastructure, and OSINT findings. Here, we summarize the key insights and highlight the broader implications of this hybrid threat.

In this blogpost, we examine the DeceptiveDevelopment group and the WageMole activity cluster as two tightly connected North Korea-aligned entities. WageMole is a label that we have adopted for activities associated with North Korean IT workers. While the campaigns of both are driven by financial gain, each plays a distinct and complementary role in relation to the other.

Edward Kiledjian @ekiledjian