DPRK Malware Hiding in Microsoft VSCode Dictionary Files
ID: b37353fd-c827-5d33-8a32-dc88076de140
STIX ID: report--b37353fd-c827-5d33-8a32-dc88076de140
Feed Name: OpenSourceMalware Blog
Date Published: 2025-12-23
Date Updated: 2026-06-20
Author: c0a15726-c5b1-4b0d-85e6-fe15553df9e2
This report documents a Lazarus Group supply-chain style campaign (“Contagious Interview”) that lures developers with fake job assessments and delivers a multi-stage JavaScript dropper hidden in VS Code files (.vscode/spellright.dict and tasks.json). The dropper creates a hidden ~/Programs_X64 directory, writes a main.js that beacons to a Vercel-hosted C2 (ip-regions-check.vercel.app) using a custom header, and executes arbitrary payloads via eval(response.data); the analysis includes deobfuscation details and IOCs (domain, IP 146.70.41.188, file paths, header, campaign ID).
Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.
