Don't Fear the Repo: UNK_DeadDrop Phishing Campaign Targets Developers to Steal Cryptocurrency

    Date: 06/09/2026

    Severity: Critical

    Summary

    Between April and May 2026, Threat Research identified a likely North Korean threat actor targeting nearly 100 organizations across finance, cryptocurrency, education, technology, and other sectors. The activity cluster is tracked as UNK_DeadDrop. The phishing campaigns used developer recruitment and code review lures to attract victims. Attack emails contained links to attacker-controlled GitHub repositories hosting malicious scripts. These scripts delivered cross-platform malware for macOS, Linux, and Windows, including the open-source Go framework Overlord. The campaigns abused Visual Studio Code workflows and used malicious VSIX extensions that required minimal user interaction. Although the activity resembles Contagious Interview, it is tracked separately because there is no direct telemetry overlap.

    Indicators of Compromise (IOC) List

    Domains/URLs  : 

    IP Address : 

    170.205.29.83

    170.205.30.227

    23.137.105.75

    Hash : 

    Email Address : 

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1 :

    domainname like "togetherhire.fun" or url like "togetherhire.fun" or siteurl like "togetherhire.fun" or domainname like "nxlog.tech" or url like "nxlog.tech" or siteurl like "nxlog.tech" or domainname like "alphanonega.org" or url like "alphanonega.org" or siteurl like "alphanonega.org" or domainname like "nowurisch.fit" or url like "nowurisch.fit" or siteurl like "nowurisch.fit" or domainname like "trixauvex.org" or url like "trixauvex.org" or siteurl like "trixauvex.org" or domainname like "careerpredictto.space" or url like "careerpredictto.space" or siteurl like "careerpredictto.space" or domainname like "coslyintra.online" or url like "coslyintra.online" or siteurl like "coslyintra.online" or domainname like "domatisc.ink" or url like "domatisc.ink" or siteurl like "domatisc.ink" or domainname like "connectptogether.ink" or url like "connectptogether.ink" or siteurl like "connectptogether.ink" or domainname like "notifypulsynk.ink" or url like "notifypulsynk.ink" or siteurl like "notifypulsynk.ink" or domainname like "ondofinance.tech" or url like "ondofinance.tech" or siteurl like "ondofinance.tech" or domainname like "recruitptogether.xyz" or url like "recruitptogether.xyz" or siteurl like "recruitptogether.xyz" or domainname like "pulsynk.org" or url like "pulsynk.org" or siteurl like "pulsynk.org" or domainname like "empowerpharmacy.space" or url like "empowerpharmacy.space" or siteurl like "empowerpharmacy.space" or domainname like "predicttocareer.space" or url like "predicttocareer.space" or siteurl like "predicttocareer.space" or domainname like "contacttrixauvex.ink" or url like "contacttrixauvex.ink" or siteurl like "contacttrixauvex.ink" or domainname like "onoplainai.ink" or url like "onoplainai.ink" or siteurl like "onoplainai.ink" or domainname like "deep-ai-guard.store" or url like "deep-ai-guard.store" or siteurl like "deep-ai-guard.store" or domainname like "talentnexhr.ink" or url like "talentnexhr.ink" or siteurl like "talentnexhr.ink" 
or domainname like "onoplanoai.ink" or url like "onoplanoai.ink" or siteurl like "onoplanoai.ink" or domainname like "predicttogetherrecruit.store" or url like "predicttogetherrecruit.store" or siteurl like "predicttogetherrecruit.store"

    Detection Query 2 :

    domainname like "nemesistrade.work" or url like "nemesistrade.work" or siteurl like "nemesistrade.work" or domainname like "ceronet.work" or url like "ceronet.work" or siteurl like "ceronet.work" or domainname like "ceronetwork.org" or url like "ceronetwork.org" or siteurl like "ceronetwork.org" or domainname like "culyrax.us" or url like "culyrax.us" or siteurl like "culyrax.us" or domainname like "elsavora.us" or url like "elsavora.us" or siteurl like "elsavora.us" or domainname like "optixauvex.us" or url like "optixauvex.us" or siteurl like "optixauvex.us" or domainname like "recruitvex.us" or url like "recruitvex.us" or siteurl like "recruitvex.us" or domainname like "trixauvexnet.ink" or url like "trixauvexnet.ink" or siteurl like "trixauvexnet.ink" or domainname like "contactpredicttogether.ink" or url like "contactpredicttogether.ink" or siteurl like "contactpredicttogether.ink" or domainname like "contactpulsynk.ink" or url like "contactpulsynk.ink" or siteurl like "contactpulsynk.ink" or domainname like "careertrixauvex.ink" or url like "careertrixauvex.ink" or siteurl like "careertrixauvex.ink" or domainname like "cotrixauvex.ink" or url like "cotrixauvex.ink" or siteurl like "cotrixauvex.ink" or domainname like "mailtrixauvex.ink" or url like "mailtrixauvex.ink" or siteurl like "mailtrixauvex.ink" or domainname like "teampulsynk.team" or url like "teampulsynk.team" or siteurl like "teampulsynk.team" or domainname like "careerpulsynk.xyz" or url like "careerpulsynk.xyz" or siteurl like "careerpulsynk.xyz" or domainname like "mailpulsynk.xyz" or url like "mailpulsynk.xyz" or siteurl like "mailpulsynk.xyz" or domainname like "mailpredicttogether.ink" or url like "mailpredicttogether.ink" or siteurl like "mailpredicttogether.ink" or domainname like "predicttogerecruit.store" or url like "predicttogerecruit.store" or siteurl like "predicttogerecruit.store" or domainname like "predicttogether.ink" or url like "predicttogether.ink" or siteurl like 
"predicttogether.ink" or domainname like "predictcareertogether.space" or url like "predictcareertogether.space" or siteurl like "predictcareertogether.space" or domainname like "hyperdevpipline.org" or url like "hyperdevpipline.org" or siteurl like "hyperdevpipline.org" or domainname like "asteara.org" or url like "asteara.org" or siteurl like "asteara.org" or domainname like "doxxela.ink" or url like "doxxela.ink" or siteurl like "doxxela.ink" or domainname like "valorecuiting.online" or url like "valorecuiting.online" or siteurl like "valorecuiting.online" or domainname like "raxvatange.ink" or url like "raxvatange.ink" or siteurl like "raxvatange.ink" or domainname like "migadyn.info" or url like "migadyn.info" or siteurl like "migadyn.info" 

    Detection Query 3 :

    dstipaddress IN ("23.137.105.75","170.205.29.83","170.205.30.227") or srcipaddress IN ("23.137.105.75","170.205.29.83","170.205.30.227")

    Detection Query 4 :

    sha256hash IN ("52886aab179f26421678ff23af1b0fabf0a17ffbb534369cdbbac8008cbed8e7","339907b44f161f57ff30819f422c552382ff437b3ae437463b4222cfe86bd943","4c0d9b802c075be79e9edb52d88f8dd72e6904f5c58267213745818470945c78","a2b9a769df84d9d3a4694bb0252a2c6a5e5f5d1a85a04565362737092bbb3a86","bb10adac5b0124efedfe71102c1d5638135ec9e1cde8c8cb3353c5ed91bb9f81","62761f38ed194c59abe15c49f09f0ebc431ac852c965180c9327ed84d3a454fb","e1bf1b29e6fa3525d7f32f429290a88d6ea2890e61c06574b8ff6372aa5d0667","35813f4401d3ad77b618275473a556eb47bfa6f4b7439dd8943b19f81aa7252e","c935808147f0236c81483d7bbeda4b9d602f3595d5d4057f8115d39e222d1c4b","d3ebce2f05fe91a8260e87fd11a6ea17c156703d081b3f91d9bbe5fd6aeedc10","91b9381d19b2e6a2db5cc0307167979b502731cb3fb50da684479e9ed35261aa","6cf9f7b2aa456a0b438600588df869b38d8007e28f01fa96022f9d8059f120b0","2812e0847d472cb8870c94f463331dbe53b84135132b9bf5f6d84c2382be628f","d5e9288693aa745dc89368deac677e7ea1ec81e663283af30838cdae189b7a7e","734699773e53d995f20d485eb61261033d9d00b4332b39ca26071bcd60cd352f","808e7154b7af2bc7a4b28d577297c55f77221c355191cbe00f9f1810b6d4a619")

    Detection Query 5 :

    sender IN ("alex@contacttrixauvex.ink","alex@mailpredicttogether.ink","alex@predicttocareer.space","alex@pulsynk.org","alex@trixauvexnet.ink","alexsnow@hr.onoplanoai.ink","alexsnow@hr.predicttocareer.space","alexstone@hr.trixauvex.org","carissae@hr.mailpulsynk.xyz","christopher@hr.trixauvex.org","chrisyan@hr.pulsynk.org","emmaparker@hr.recruitvex.us","faithtedesco@hr.mailtrixauvex.ink","frankbloch@hr.trixauvex.org","jamesrock@hr.trixauvexnet.ink","jamierain@hr.contacttrixauvex.ink","jamierain@hr.onoplanoai.ink","jamiereed@hr.mailpredicttogether.ink","jamiereed@hr.predicttocareer.space","joshn@hr.recruitvex.us","justinstone@hr.trixauvex.org","nicoupdyke@hr.trixauvexnet.ink","oliviaben@hr.pulsynk.org","sam@hr.pulsynk.org","samalt@hr.contacttrixauvex.ink","samalt@hr.onoplanoai.ink","samalt@hr.predicttocareer.space","shelbysturm@hr.mailtrixauvex.ink","sophiareed@hr.contacttrixauvex.ink","sophiareed@hr.onoplanoai.ink","taylorzhang@hr.pulsynk.org","dalbir@empowerpharmacy.space","dianaberendi@nxlog.tech","gusb@ondofinance.tech","jasen@empowerpharmacy.space","joshc@ondofinance.tech","jovanav@nxlog.tech","michaelw@ondofinance.tech","neila@ondofinance.tech","oladotuna@ondofinance.tech","sarikasinha@nxlog.tech","sladjanas@nxlog.tech","valerie@empowerpharmacy.space","vanjamirkovic@nxlog.tech") or recipient In 
("alex@contacttrixauvex.ink","alex@mailpredicttogether.ink","alex@predicttocareer.space","alex@pulsynk.org","alex@trixauvexnet.ink","alexsnow@hr.onoplanoai.ink","alexsnow@hr.predicttocareer.space","alexstone@hr.trixauvex.org","carissae@hr.mailpulsynk.xyz","christopher@hr.trixauvex.org","chrisyan@hr.pulsynk.org","emmaparker@hr.recruitvex.us","faithtedesco@hr.mailtrixauvex.ink","frankbloch@hr.trixauvex.org","jamesrock@hr.trixauvexnet.ink","jamierain@hr.contacttrixauvex.ink","jamierain@hr.onoplanoai.ink","jamiereed@hr.mailpredicttogether.ink","jamiereed@hr.predicttocareer.space","joshn@hr.recruitvex.us","justinstone@hr.trixauvex.org","nicoupdyke@hr.trixauvexnet.ink","oliviaben@hr.pulsynk.org","sam@hr.pulsynk.org","samalt@hr.contacttrixauvex.ink","samalt@hr.onoplanoai.ink","samalt@hr.predicttocareer.space","shelbysturm@hr.mailtrixauvex.ink","sophiareed@hr.contacttrixauvex.ink","sophiareed@hr.onoplanoai.ink","taylorzhang@hr.pulsynk.org","dalbir@empowerpharmacy.space","dianaberendi@nxlog.tech","gusb@ondofinance.tech","jasen@empowerpharmacy.space","joshc@ondofinance.tech","jovanav@nxlog.tech","michaelw@ondofinance.tech","neila@ondofinance.tech","oladotuna@ondofinance.tech","sarikasinha@nxlog.tech","sladjanas@nxlog.tech","valerie@empowerpharmacy.space","vanjamirkovic@nxlog.tech") or from In 
("alex@contacttrixauvex.ink","alex@mailpredicttogether.ink","alex@predicttocareer.space","alex@pulsynk.org","alex@trixauvexnet.ink","alexsnow@hr.onoplanoai.ink","alexsnow@hr.predicttocareer.space","alexstone@hr.trixauvex.org","carissae@hr.mailpulsynk.xyz","christopher@hr.trixauvex.org","chrisyan@hr.pulsynk.org","emmaparker@hr.recruitvex.us","faithtedesco@hr.mailtrixauvex.ink","frankbloch@hr.trixauvex.org","jamesrock@hr.trixauvexnet.ink","jamierain@hr.contacttrixauvex.ink","jamierain@hr.onoplanoai.ink","jamiereed@hr.mailpredicttogether.ink","jamiereed@hr.predicttocareer.space","joshn@hr.recruitvex.us","justinstone@hr.trixauvex.org","nicoupdyke@hr.trixauvexnet.ink","oliviaben@hr.pulsynk.org","sam@hr.pulsynk.org","samalt@hr.contacttrixauvex.ink","samalt@hr.onoplanoai.ink","samalt@hr.predicttocareer.space","shelbysturm@hr.mailtrixauvex.ink","sophiareed@hr.contacttrixauvex.ink","sophiareed@hr.onoplanoai.ink","taylorzhang@hr.pulsynk.org","dalbir@empowerpharmacy.space","dianaberendi@nxlog.tech","gusb@ondofinance.tech","jasen@empowerpharmacy.space","joshc@ondofinance.tech","jovanav@nxlog.tech","michaelw@ondofinance.tech","neila@ondofinance.tech","oladotuna@ondofinance.tech","sarikasinha@nxlog.tech","sladjanas@nxlog.tech","valerie@empowerpharmacy.space","vanjamirkovic@nxlog.tech")

    Reference:    

    https://www.proofpoint.com/us/blog/threat-insight/dont-fear-repo-unkdeaddrop-phishing-campaign-targets-developers-steal 


    Tags

    Malware, Phishing, cryptocurrency, North Korea, Financial Services, Education, Information Technology, GitHub
