Freelance Developers Targeted by Malicious Ads on GitHub

Penka Hristovska, Former Editor
Published on: February 20, 2025

A new malware campaign is targeting freelance developers by using fake job advertisements to lure them into downloading malicious software disguised as legitimate tools.

The campaign mainly spreads through GitHub repositories. The attackers impersonate reputable companies and offer enticing job opportunities to freelance developers. To make their scam more believable, they create fake websites and prompt job seekers to download malware-laden software disguised as legitimate development tools.

Once downloaded, the malware infiltrates the victim’s system and allows the attackers to steal credentials or install additional malicious payloads.

ESET researchers say the malware gathers sensitive information, such as saved login credentials, and can remotely deploy additional malicious payloads. According to the researchers, it also uses different techniques to avoid detection on compromised systems.

ESET believes the group behind the campaign is a threat group named “DeceptiveDevelopment.” This group targets freelance platforms and coding communities to distribute malware, often directing victims to malicious GitHub repositories.

“DeceptiveDevelopment was first publicly described by Phylum and Unit 42 in 2023 and has already been partially documented under the names Contagious Interview and DEV#POPPER,” ESET says in a report.

“The DeceptiveDevelopment cluster is an addition to an already large collection of money-making schemes employed by North Korea-aligned actors and conforms to an ongoing trend of shifting focus from traditional money to cryptocurrencies,” ESET explains. “We observed it go from primitive tools and techniques to more advanced and capable malware, as well as more polished techniques to lure in victims and deploy the malware.

“Any online job-hunting and freelancing platform can be at risk of being abused for malware distribution by fake recruiters.”

Developers should be very cautious when applying for freelance opportunities online and make sure to verify job offers by researching potential employers. It’s also best to avoid downloads from unknown GitHub repositories — and if you’re not too familiar with the signs of potential malware, for an added layer of protection, you should consider getting strong antivirus software.

About the Author

Penka Hristovska is a former editor at SafetyDetectives. She was an editor at several review sites that covered all things technology — including VPNs and password managers — and had previously written on various topics, from online security and gaming to computer hardware. She’s highly interested in the latest developments in the cybersecurity space and enjoys learning about new trends in the tech sector. When she’s not in “research mode,” she’s probably re-watching Lord of The Rings or playing DOTA 2 with her friends.