logo

DPRK Contagious Interview “Fake Font” Abuses VS Code Tasks

ID: dcb5d7c4-505c-5c3d-a809-027a4a041422

STIX ID: report--dcb5d7c4-505c-5c3d-a809-027a4a041422

Feed Name: OpenSourceMalware Blog

Threat Score
90/100

Date Published: 2026-01-28

Date Updated: 2026-06-20

Author: c0a15726-c5b1-4b0d-85e6-fe15553df9e2

...
...

**Executive summary:** OpenSourceMalware describes a Lazarus Group 'Fake Font' supply‑chain campaign that lures developers with fake coding assessments and abuses VS Code .vscode/tasks.json to run JavaScript disguised as .woff2 (BeaverTail), which fetches and executes a highly obfuscated InvisibleFerret Python backdoor designed to steal cryptocurrency, browser credentials, and maintain persistence; the report includes technical TTPs, IOCs (fake Alchemy domain, file paths, headers), analysis of obfuscation techniques, and mitigation guidance.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.