Severity: critical

Void Dokkaebi Uses Fake Job Interview Lure to Spread Malware via Code Repositories

Void Dokkaebi (Famous Chollima) is conducting a self-propagating supply chain campaign targeting software developers via fake job interviews. By tricking victims into cloning malicious repositories, the attackers deploy the DEV#POPPER RAT and weaponize the victim's own code contributions to infect downstream developers and organizational repositories.

Sens: Immediate · Confidence: high · Analyzed: 2026-04-21

Authors: Lucas Silva

Actors: Void Dokkaebi, Famous Chollima, DEV#POPPER, InvisibleFerret, OtterCookie, OmniStealer, BeaverTail

Source: Trend Micro

IOCs · 5
  • domain: api[.]trongrid[.]io - Tron blockchain API used by the multistage loader for payload staging.
  • domain: fullnode[.]mainnet[.]aptoslabs[.]com - Aptos blockchain API used as a fallback data source for payload staging.
  • filename: .vscode/tasks.json - Malicious VS Code workspace configuration used for passive worm propagation when a folder is opened.
  • url: /u/f - HTTP endpoint pattern used by DEV#POPPER RAT for data exfiltration.
  • url: /verify-human/[VERSION] - HTTP endpoint pattern used by DEV#POPPER RAT for heartbeat and notifications.

Key Takeaways

  • Void Dokkaebi uses fake job interviews to trick developers into cloning malicious repositories, creating a self-propagating supply chain worm.
  • Propagation occurs passively via malicious .vscode/tasks.json files and actively via obfuscated JavaScript injected into configuration files.
  • The threat actor uses a commit tampering script (temp_auto_push.bat) to rewrite git history and bypass CI/CD security checks.
  • Payload staging leverages blockchain infrastructure (Tron, Aptos, Binance Smart Chain) to evade traditional takedowns.
  • The delivered DEV#POPPER RAT variant specifically avoids CI/CD environments and establishes persistence by modifying developer tools like VS Code and Discord.

Affected Systems

  • Windows
  • macOS
  • Linux
  • Visual Studio Code
  • Node.js
  • Git
  • Developer Workstations

Attack Chain

The attack begins with a fake job interview luring a developer to clone a malicious repository. Opening the repository in VS Code triggers a malicious task in .vscode/tasks.json that downloads and executes the DEV#POPPER RAT. Once compromised, the attacker uses temp_auto_push.bat to inject obfuscated JavaScript into the victim's local repositories and rewrites git history to hide the changes. The tampered code is then force-pushed to remote repositories, turning the victim's contributions into new infection vectors for downstream developers.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: Yes
  • Platforms: Trend Micro Vision One

The article provides Trend Micro Vision One hunting queries to detect the creation of the commit tampering script and outbound connections to known C2 IP addresses.

Detection Engineering Assessment

  • EDR Visibility: High — EDR can monitor process creation (git commands with specific flags), file creation (temp_auto_push.bat), and network connections from developer tools.
  • Network Visibility: Medium — Network monitoring can detect outbound connections to blockchain APIs and specific HTTP URI patterns, though WebSocket traffic may blend with legitimate developer activity.
  • Detection Difficulty: Moderate — While the malware avoids CI/CD environments, the specific git command line arguments, file names, and network IOCs provide solid detection opportunities on developer endpoints.

Required Log Sources

  • Process Creation (Event ID 4688 / Sysmon 1)
  • File Creation (Sysmon 11)
  • Network Connections (Sysmon 3)

Hunting Hypotheses

  • Hypothesis: Look for git commit and push commands utilizing the '--no-verify' flag, especially when executed in rapid succession by a batch script.
    Telemetry: Process Creation logs (Event ID 4688 or Sysmon 1)
    ATT&CK Stage: Defense Evasion
    FP Risk: Medium (some developers may legitimately use --no-verify, but automated batch execution is suspicious)
  • Hypothesis: Monitor for outbound network connections from developer workstations to blockchain API endpoints like api.trongrid.io or fullnode.mainnet.aptoslabs.com.
    Telemetry: Network Connection logs (Sysmon 3 or firewall logs)
    ATT&CK Stage: Command and Control
    FP Risk: Low to Medium (depends on whether the organization develops blockchain applications)
  • Hypothesis: Detect HTTP requests containing the URI patterns /verify-human/ or /u/f originating from developer endpoints.
    Telemetry: Web Proxy / Network Traffic Logs
    ATT&CK Stage: Command and Control
    FP Risk: Low
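The three hypotheses above expressed as runnable detection logic over constructed sample telemetry. This is an added example, not part of the report and not Trend Micro's Vision One queries. The indicators it matches on (the --no-verify flag, the two blockchain API hosts, the /u/f and /verify-human/ URI patterns) come from the report; the pipe-delimited log format, host names, the 30-second "burst" window and the ".bat parent raises severity" heuristic are assumptions made for the example.

```python
"""Hunting logic for the three hypotheses above, run over constructed sample telemetry.
Added example; not from the report or from Trend Micro."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Network and URI indicators from the report (listed there defanged with "[.]").
BLOCKCHAIN_API_HOSTS = {"api.trongrid.io", "fullnode.mainnet.aptoslabs.com"}
C2_URI_PATTERNS = (re.compile(r"^/verify-human/[^/\s]+$"), re.compile(r"^/u/f$"))
# git commit/push that skips hooks; matches "git" or "git.exe" anywhere in the command line.
GIT_NO_VERIFY = re.compile(r"\bgit\b.*\b(?:commit|push)\b.*--no-verify", re.IGNORECASE)
# Assumption: two hook-bypassing git commands this close together count as "rapid succession".
BURST_WINDOW = timedelta(seconds=30)

# Constructed sample telemetry (not from the report). Format: ts|host|kind|f1|f2
#   process : f1 = parent command line, f2 = command line   (Event ID 4688 / Sysmon 1)
#   network : f1 = image,               f2 = destination    (Sysmon 3 / firewall)
#   http    : f1 = method,              f2 = request URI    (web proxy)
SAMPLE_LOG = """
2026-04-20T09:14:02Z|DEV-WS01|process|cmd.exe /c temp_auto_push.bat|git commit --amend -m "fix lint" --no-verify
2026-04-20T09:14:03Z|DEV-WS01|process|cmd.exe /c temp_auto_push.bat|git push -uf origin main --no-verify
2026-04-20T09:14:10Z|DEV-WS01|network|node.exe|api.trongrid.io
2026-04-20T09:14:12Z|DEV-WS01|http|POST|/u/f
2026-04-20T09:14:40Z|DEV-WS01|http|GET|/verify-human/1.2.0
2026-04-20T09:30:11Z|DEV-WS02|process|git-bash.exe|git commit -m "wip" --no-verify
2026-04-20T10:02:00Z|DEV-WS03|network|chrome.exe|github.com
2026-04-20T10:05:00Z|DEV-WS03|http|GET|/api/v1/users
"""


def parse(lines):
    """Turn pipe-delimited lines into event dicts; blank lines are skipped."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ts, host, kind, f1, f2 = line.split("|", 4)
        events.append({
            "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "host": host, "kind": kind, "f1": f1, "f2": f2,
        })
    return events


def hunt_no_verify(events):
    """Hypothesis 1: git commit/push with --no-verify. One finding per host; severity is
    raised when the commands came in a burst or were launched from a .bat parent."""
    per_host = defaultdict(list)
    for e in events:
        if e["kind"] == "process" and GIT_NO_VERIFY.search(e["f2"]):
            per_host[e["host"]].append(e)
    findings = []
    for host, hits in per_host.items():
        hits.sort(key=lambda e: e["ts"])
        burst = any(b["ts"] - a["ts"] <= BURST_WINDOW for a, b in zip(hits, hits[1:]))
        scripted = any(".bat" in e["f1"].lower() for e in hits)
        findings.append({
            "hypothesis": "git --no-verify", "host": host,
            "severity": "high" if (burst or scripted) else "medium",
            "commands": [e["f2"] for e in hits],
        })
    return findings


def hunt_blockchain_api(events):
    """Hypothesis 2: developer workstation connecting to the blockchain APIs used for staging."""
    return [{"hypothesis": "blockchain API", "host": e["host"], "severity": "medium",
             "detail": f'{e["f1"]} -> {e["f2"]}'}
            for e in events
            if e["kind"] == "network" and e["f2"].lower() in BLOCKCHAIN_API_HOSTS]


def hunt_c2_uri(events):
    """Hypothesis 3: request URIs matching the RAT's exfiltration and heartbeat endpoints."""
    return [{"hypothesis": "RAT URI", "host": e["host"], "severity": "high",
             "detail": f'{e["f1"]} {e["f2"]}'}
            for e in events
            if e["kind"] == "http" and any(p.match(e["f2"]) for p in C2_URI_PATTERNS)]


def run_hunts(lines):
    """Run all three hunts and return the combined findings list."""
    events = parse(lines)
    return hunt_no_verify(events) + hunt_blockchain_api(events) + hunt_c2_uri(events)


if __name__ == "__main__":
    for finding in run_hunts(SAMPLE_LOG.splitlines()):
        print(finding)
```

On the sample, DEV-WS01 produces a high-severity --no-verify finding (two commands one second apart under a .bat parent), a blockchain-API finding and two RAT-URI findings, while DEV-WS02's single interactive --no-verify commit stays at medium, which is the FP trade-off the first hypothesis describes.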

Control Gaps

  • CI/CD pipeline scanning (malware evades it)
  • Standard code review (obfuscated JS is pushed off-screen)

Key Behavioral Indicators

  • Creation of temp_auto_push.bat
  • git commands with --amend and --no-verify
  • HTTP requests to /verify-human/[VERSION] or /u/f

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Audit repositories for global['!'] and global['_V'] markers.
  • Search for temp_auto_push.bat on developer workstations.
  • Isolate compromised machines and revoke credentials.

Infrastructure Hardening

  • Enforce branch protection and require signed commits (GPG/SSH).
  • Block force pushes to critical branches.
  • Apply network-level blocks for known C2 IPs and blockchain APIs if not required.

User Protection

  • Add .vscode/ to .gitignore globally across organizational repositories.
  • Use isolated, disposable virtual environments for interview coding assignments.
  • Inspect .vscode/tasks.json before granting workspace trust in VS Code.
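A file-system audit covering the Immediate Mitigation checks above (temp_auto_push.bat and the global['!'] / global['_V'] markers in the targeted config files) together with the .vscode/tasks.json inspection from the User Protection list. It is an added example, not from the report. The file names and markers come from the report; flagging tasks that use VS Code's runOptions.runOn = "folderOpen" (the report does not show the malicious tasks.json itself), the long-line heuristic for code hidden off-screen, and the constructed sample tree it scans are assumptions.

```python
"""Audit a checkout tree for the file-level indicators in the report.
Added example; not from the report or from Trend Micro."""
import json
import re
import tempfile
from pathlib import Path

# Indicators taken from the report.
TAMPER_SCRIPT = "temp_auto_push.bat"
TARGETED_CONFIGS = {"postcss.config.mjs", "tailwind.config.js", "eslint.config.mjs", "next.config.mjs"}
LOADER_MARKER = re.compile(r"global\[(['\"])(!|_V)\1\]")
VERSION_MARKERS = ("C250617A", "C250620A")
# Heuristic (assumption, not from the report): code hidden "off-screen" tends to produce
# one abnormally long line; anything past this width is worth a look.
LONG_LINE = 400


def inspect_config(path: Path):
    """Return the reasons a targeted config file deserves review (empty list if none)."""
    reasons = []
    text = path.read_text(encoding="utf-8", errors="replace")
    for m in LOADER_MARKER.finditer(text):
        reasons.append(f"loader marker {m.group(0)}")
    for v in VERSION_MARKERS:
        if v in text:
            reasons.append(f"version marker {v}")
    for n, line in enumerate(text.splitlines(), 1):
        if len(line) > LONG_LINE:
            reasons.append(f"line {n} is {len(line)} chars (possible off-screen payload)")
    return reasons


def inspect_tasks_json(path: Path):
    """Flag tasks configured to run automatically on folder open (VS Code's
    runOptions.runOn = "folderOpen"). Treating every auto-run task as reviewable
    is an assumption; the report does not show the malicious tasks.json."""
    raw = path.read_text(encoding="utf-8", errors="replace")
    # tasks.json permits // comment lines; strip them before parsing.
    stripped = re.sub(r"^\s*//.*$", "", raw, flags=re.MULTILINE)
    try:
        doc = json.loads(stripped)
    except json.JSONDecodeError:
        return ["unparseable tasks.json (manual review)"]
    hits = []
    for task in doc.get("tasks", []):
        if task.get("runOptions", {}).get("runOn") == "folderOpen":
            hits.append(f"auto-run task {task.get('label', '?')!r}: {task.get('command', '')}")
    return hits


def audit_tree(root: Path):
    """Walk a tree and return findings for the tamper script, tampered configs and auto-run tasks."""
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = str(path.relative_to(root))
        if path.name.lower() == TAMPER_SCRIPT:
            findings.append({"type": "tamper_script", "path": rel})
        elif path.name in TARGETED_CONFIGS:
            reasons = inspect_config(path)
            if reasons:
                findings.append({"type": "tampered_config", "path": rel, "reasons": reasons})
        elif path.parent.name == ".vscode" and path.name == "tasks.json":
            for detail in inspect_tasks_json(path):
                findings.append({"type": "autorun_task", "path": rel, "detail": detail})
    return findings


def build_fixture():
    """Constructed sample tree (not from the report): one clean and one tampered checkout."""
    root = Path(tempfile.mkdtemp(prefix="repo-audit-"))
    clean = root / "clean"
    clean.mkdir()
    (clean / "postcss.config.mjs").write_text(
        "export default { plugins: { tailwindcss: {}, autoprefixer: {} } };\n")
    bad = root / "infected"
    (bad / ".vscode").mkdir(parents=True)
    # Normal config followed by a long run of spaces and a constructed stand-in for the loader.
    (bad / "postcss.config.mjs").write_text(
        "export default { plugins: { tailwindcss: {}, autoprefixer: {} } };"
        + " " * 500 + "global['!']=1;/* constructed stand-in, not the real loader */\n")
    (bad / ".vscode" / "tasks.json").write_text(json.dumps({
        "version": "2.0.0",
        "tasks": [{"label": "setup", "type": "shell", "command": "node ./setup.js",
                   "runOptions": {"runOn": "folderOpen"}}]}))
    (bad / TAMPER_SCRIPT).write_text("@echo off\nrem constructed placeholder, not the real script\n")
    return root


if __name__ == "__main__":
    for finding in audit_tree(build_fixture()):
        print(finding)
```

Run against a real checkout with audit_tree(Path("/path/to/repos")); the clean fixture directory yields no findings, the tampered one yields the script, the config file with two reasons (marker plus long line) and the auto-run task.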

Security Awareness

  • Train developers on the risks of cloning and executing repositories from job interviews.
  • Educate teams to scrutinize configuration files (e.g., postcss.config.mjs) for hidden code.

MITRE ATT&CK Mapping

  • T1566.001 - Phishing: Spearphishing Attachment
  • T1195.001 - Supply Chain Compromise: Compromise Software Dependencies and Development Tools
  • T1059.003 - Command and Scripting Interpreter: Windows Command Shell
  • T1059.007 - Command and Scripting Interpreter: JavaScript
  • T1564.001 - Hide Artifacts: Hidden Files and Directories
  • T1070.006 - Indicator Removal: Timestomp
  • T1102.002 - Web Service: Bidirectional Communication
  • T1553.006 - Subvert Trust Controls: Code Signing Policy Modification

Additional IOCs

  • IPs:
    • 198[.]105[.]127[.]210 - Potential Void Dokkaebi C2 server
    • 23[.]27[.]202[.]27 - Potential Void Dokkaebi C2 server
    • 154[.]91[.]0[.]196 - Potential Void Dokkaebi C2 server
    • 23[.]27[.]20[.]143 - Potential Void Dokkaebi C2 server
    • 85[.]239[.]62[.]36 - Potential Void Dokkaebi C2 server
    • 83[.]168[.]68[.]219 - Potential Void Dokkaebi C2 server
    • 166[.]88[.]4[.]2 - Potential Void Dokkaebi C2 server
    • 23[.]27[.]120[.]142 - Potential Void Dokkaebi C2 server
  • File Paths:
    • postcss.config.mjs - Targeted configuration file for obfuscated JavaScript injection
    • tailwind.config.js - Targeted configuration file for obfuscated JavaScript injection
    • eslint.config.mjs - Targeted configuration file for obfuscated JavaScript injection
    • next.config.mjs - Targeted configuration file for obfuscated JavaScript injection
  • Command Lines:
    • git commit --amend -m "%LAST_COMMIT_TEXT%" --no-verify - Amend the git commit to hide tampering while preserving original authorship metadata (Tools: git; Stage: Defense Evasion)
    • git push -uf origin %CURRENT_BRANCH% --no-verify - Force-push the tampered commit to the remote repository, bypassing pre-commit hooks (Tools: git; Stage: Lateral Movement)
  • Other:
    • global['!'] - Initialization marker for obfuscated JavaScript loader
    • global['_V'] - Variant initialization marker for obfuscated JavaScript loader
    • C250617A - Version marker for injected persistence code
    • C250620A - Version marker for injected persistence code