logo

DPRK Malware Hiding in Microsoft VSCode Dictionary Files

ID: b37353fd-c827-5d33-8a32-dc88076de140

STIX ID: report--b37353fd-c827-5d33-8a32-dc88076de140

Feed Name: OpenSourceMalware Blog

Threat Score
90/100

Date Published: 2025-12-23

Date Updated: 2026-06-20

Author: c0a15726-c5b1-4b0d-85e6-fe15553df9e2

...
...

This report documents a Lazarus Group supply-chain style campaign (“Contagious Interview”) that lures developers with fake job assessments and delivers a multi-stage JavaScript dropper hidden in VS Code files (.vscode/spellright.dict and tasks.json). The dropper creates a hidden ~/Programs_X64 directory, writes a main.js that beacons to a Vercel-hosted C2 (ip-regions-check.vercel.app) using a custom header, and executes arbitrary payloads via eval(response.data); the analysis includes deobfuscation details and IOCs (domain, IP 146.70.41.188, file paths, header, campaign ID).

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.