Particle.news

ESET: North Korea’s Developer Lures Add AkdoorTea and Feed Stolen Data to IT Workers

ESET says stolen identities from fake interviews help North Korean operatives land remote jobs.

Overview

  • Researchers say the DeceptiveDevelopment scheme targets crypto and Web3 developers on Windows, macOS, and Linux using impersonated recruiters and fake coding tests or video assessments.
  • The latest toolkit addition is AkdoorTea, a Windows RAT delivered by a batch script that fetches an archive (nvidiaRelease.zip) and then launches a VBS script, BeaverTail, and the backdoor itself; ESET links it to the Akdoor/NukeSped family.
  • ESET reports Tropidoor shares large code segments with Lazarus Group’s PostNapTea and exhibits behaviors also noted alongside LightlessCan, strengthening ties to Lazarus-era tooling.
  • ESET identified TsunamiKit as a multi-stage .NET spyware and coin-mining toolkit delivered via InvisibleFerret, with samples on VirusTotal dating to December 2021 that suggest a modified dark-web origin predating the campaign.
  • ESET and Trellix detail how developer data and interview artifacts flow to North Korea’s WageMole network, including a recent case of a likely operative applying to a U.S. firm under a synthetic identity.