{"id":359,"date":"2026-03-23T19:49:24","date_gmt":"2026-03-23T19:49:24","guid":{"rendered":"https:\/\/thedigitalfortress.us\/?p=359"},"modified":"2026-03-23T19:49:24","modified_gmt":"2026-03-23T19:49:24","slug":"north-korean-hackers-abuse-vs-code-auto-run-tasks-to-deploy-stoatwaffle-malware","status":"publish","type":"post","link":"https:\/\/thedigitalfortress.us\/?p=359","title":{"rendered":"North Korean Hackers Abuse VS Code Auto-Run Tasks to Deploy StoatWaffle Malware"},"content":{"rendered":"<div id=\"articlebody\">\n<div class=\"separator\" style=\"clear: both;\"><a href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgEYRIy7X7XvfWs__-DS2yjU2mg0-f4TxESTTQnzRIgLaWPDe3Oe_25A0_pi_XHxryaqyz4YBRzci03kVa5TgSstslqpZdhUwBniNuYvx8N4pEZEI4mHGmZuh1QmnlhRcBXWTWLttZkuVU7aFvOrNg8sp0ODl4-sDi0q3X3XzBbCD0ppjxYihFwMxuMSHf4\/s1700-e365\/northkorean.jpg\" style=\"clear: left; display: block; float: left;  text-align: center;\"><\/a><\/div>\n<p>The North Korean threat actors behind the Contagious Interview campaign, also tracked as WaterPlum, have been attributed to a malware family tracked as <strong>StoatWaffle<\/strong> that&#8217;s distributed via malicious Microsoft Visual Studio Code (VS Code) projects.<\/p>\n<p>The use of VS Code \u00abtasks.json\u00bb to distribute malware is a relatively new tactic adopted by the threat actor since December 2025, with the attacks leveraging the \u00abrunOn: folderOpen\u00bb option to automatically trigger its execution every time any file in the project folder is opened in VS Code.<\/p>\n<p>\u00abThis task is configured so that it downloads data from a web application on Vercel regardless of executing OS [operating system],\u00bb NTT Security <a href=\"https:\/\/jp.security.ntt\/insights_resources\/tech_blog\/stoatwaffle_malware_en\/\" rel=\"noopener\" target=\"_blank\">said<\/a> in a report published last week. \u00abThough we assume that the executing OS is Windows in this article, the essential behaviors are the same for any OS.\u00bb<\/p>\n<p>The downloaded payload first checks whether Node.js is installed in the executing environment. If it&#8217;s absent, the malware downloads Node.js from the official website and installs it. Subsequently, it proceeds to launch a downloader, which periodically polls an external server to fetch a next-stage downloader that exhibits identical behavior by reaching out to another endpoint on the same server and executing the received response as Node.js code.<\/p>\n<div class=\"dog_two clear\">\n<div class=\"cf\"><a href=\"https:\/\/thehackernews.uk\/not-fast-enough-d\" rel=\"nofollow noopener sponsored\" target=\"_blank\"><img loading=\"lazy\" decoding=\"async\" class=\"lazyload\" alt=\"Cybersecurity\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhlXM830ruQd2xT6M7JNeNRjaFa1onD12WjSCHihTFMTzbyfT9h-irPmXy_h3E1HGSs6sdv7FTmnyNVTM5kmSb7BuUtZe8gKoTQt99P1sSzRcqqXpOJP6eoAOhR3DGb6qHx9kOZ_HBZUMmVnsnd0DM7QfUp81bgzTvvgLww6oqB-EhnDfWXH5pWCYhAsyLs\/s728-e100\/tl-d.jpg\" width=\"729\" height=\"91\"\/><\/a><\/div>\n<\/div>\n<p>StoatWaffle has been found to deliver two different modules &#8211;<\/p>\n<ul>\n<li>A stealer that captures credentials and extension data stored in web browsers (Chromium-based browsers and Mozilla Firefox) and uploads them to a command-and-control (C2) server. If the compromised system runs on macOS, it also steals the iCloud Keychain database.<\/li>\n<li>A remote access trojan (RAT) that communicates with the C2 server to fetch and execute commands on the infected host. The commands allow the malware to change the current working directory, enumerate files and directories, execute Node.js code, upload file, recursively search the given directory and list or upload files matching a certain keyword, run shell commands, and terminate itself.<\/li>\n<\/ul>\n<div class=\"separator\" style=\"clear: both;\"><a href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiNcuWL-9Hpc5iFLjfk2w9Zid8TqxRcOkoMeTjr_lA0GdIRCxF4vSnZJDm69TAkh65svIbIXAmzfUJzI6hjYNXUf0T9CAMO-TT09KDBq9MExubx39fbhp3YOlyoJ85ksyjpBA9nai0MzQqaowtLAtGaDRZLJN_JtReTPAWe7dYxluW5z1oBPs6m109yF6Qt\/s1700-e365\/flow.png\" style=\"clear: left; display: block; float: left;  text-align: center;\"><img decoding=\"async\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiNcuWL-9Hpc5iFLjfk2w9Zid8TqxRcOkoMeTjr_lA0GdIRCxF4vSnZJDm69TAkh65svIbIXAmzfUJzI6hjYNXUf0T9CAMO-TT09KDBq9MExubx39fbhp3YOlyoJ85ksyjpBA9nai0MzQqaowtLAtGaDRZLJN_JtReTPAWe7dYxluW5z1oBPs6m109yF6Qt\/s1700-e365\/flow.png\" alt=\"\" border=\"0\" data-original-height=\"1855\" data-original-width=\"2795\"\/><\/a><\/div>\n<p>\u00abStoatWaffle is a modular malware implemented by Node.js, and it has Stealer and RAT modules,\u00bb the Japanese security vendor said. \u00abWaterPlum is continuously developing new malware and updating existing ones.\u00bb<\/p>\n<p>The development coincides with various campaigns mounted by the threat actor targeting the open-source ecosystem &#8211;<\/p>\n<ul>\n<li>A set of <a href=\"https:\/\/kmsec.uk\/blog\/pylangghost-npm\/\" rel=\"noopener\" target=\"_blank\">malicious npm packages<\/a> that distribute the PylangGhost malware, marking the first time the malware has been propagated via npm packages.<\/li>\n<li>A campaign known as <a href=\"https:\/\/opensourcemalware.com\/blog\/polinrider-attack\" rel=\"noopener\" target=\"_blank\">PolinRider<\/a> has <a href=\"https:\/\/opensourcemalware.com\/?search=%23polinrider\" rel=\"noopener\" target=\"_blank\">implanted<\/a> a malicious obfuscated JavaScript payload in hundreds of public GitHub repositories that culminates in the deployment of a new version of BeaverTail, a known stealer and downloader malware attributed to Contagious Interview.<\/li>\n<li>Among the compromises are <a href=\"https:\/\/opensourcemalware.com\/blog\/neutralinojs-compromise\" rel=\"noopener\" target=\"_blank\">four repositories<\/a> belonging to the Neutralinojs GitHub organization. The attack is said to have compromised the GitHub account of a long-time neutralinojs contributor with organization-level write access to force-push JavaScript code that retrieves encrypted payloads in Tron, Aptos, and Binance Smart Chain (BSC) transactions to download and run BeaverTail. The victims are believed to have been infected via a malicious VS Code extension or an npm package.<\/li>\n<\/ul>\n<p><a name=\"more\"\/><\/p>\n<p>Microsoft, in an <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2026\/03\/11\/contagious-interview-malware-delivered-through-fake-developer-job-interviews\/\" rel=\"noopener\" target=\"_blank\">analysis<\/a> of Contagious Interview this month, said the threat actors achieve initial access to developer systems through \u00abconvincingly staged recruitment processes\u00bb that mirror legitimate technical interviews, ultimately persuading victims into running malicious commands or packages hosted on GitHub, GitLab, or Bitbucket as part of the assessment.<\/p>\n<p>In some cases, targets are approached on LinkedIn. However, the individuals chosen for this social engineering attack are not junior developers, but rather founders, CTOs, and senior engineers in the cryptocurrency or Web3 sector, who are likely to have elevated access to the company&#8217;s tech infrastructure and cryptocurrency wallets. A recent incident <a href=\"https:\/\/www.allsecure.io\/blog\/lazarus-linkedin-attack\/\" rel=\"noopener\" target=\"_blank\">involved<\/a> the attackers unsuccessfully targeting the founder of AllSecure.io via a fake job interview.<\/p>\n<div class=\"separator\" style=\"clear: both;\"><a href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEglq24c1GgnEb7B4Nqpjwn8srEjmLsOFW__CY4AktuXe6VLZmCwGGLBOuODvoBYhnL4Px_jKTj9HZ6QY5AG1fBBZ_ILQre3r-pmw1yw6FIzyeTqWP5JqskXwk29RcaJ_vuGKrHBrr6DeqJKAoZ7Om5fE2bJyaSBi7rDUobVs_Z4r5QAZMSJu35TDIdanCnH\/s1700-e365\/access.jpg\" style=\"clear: left; display: block; float: left;  text-align: center;\"><img decoding=\"async\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEglq24c1GgnEb7B4Nqpjwn8srEjmLsOFW__CY4AktuXe6VLZmCwGGLBOuODvoBYhnL4Px_jKTj9HZ6QY5AG1fBBZ_ILQre3r-pmw1yw6FIzyeTqWP5JqskXwk29RcaJ_vuGKrHBrr6DeqJKAoZ7Om5fE2bJyaSBi7rDUobVs_Z4r5QAZMSJu35TDIdanCnH\/s1700-e365\/access.jpg\" alt=\"\" border=\"0\" data-original-height=\"428\" data-original-width=\"975\"\/><\/a><\/div>\n<p>Some of the key malware families deployed as part of these attack chains include OtterCookie (a backdoor capable of extensive data theft), InvisibleFerret (a Python-based backdoor), and FlexibleFerret (a modular backdoor implemented in both Go and Python). While InvisibleFerret is known to be typically delivered via BeaverTail, recent intrusions have been found to distribute the malware as a follow-on payload, after leveraging initial access obtained through OtterCookie.<\/p>\n<p>It&#8217;s worth mentioning here that FlexibleFerret is also referred to as WeaselStore. Its Go and Python variants go by the monikers GolangGhost and PylangGhost, respectively.<\/p>\n<p>In a sign that the threat actors are actively refining their tradecraft, newer mutations of the VS Code projects have eschewed Vercel-based domains for GitHub Gist-hosted scripts to download and execute next-stage payloads that ultimately lead to the deployment of FlexibleFerret. These VS Code projects are staged on GitHub.<\/p>\n<p>\u00abBy embedding targeted malware delivery directly into interview tools, coding exercises, and assessment workflows developers inherently trust, threat actors exploit the trust job seekers place in the hiring process during periods of high motivation and time pressure, lowering suspicion and resistance,\u00bb the tech giant said.<\/p>\n<p>In response to the ongoing abuse of VS Code Tasks, Microsoft has included a mitigation in the January 2026 update (<a href=\"https:\/\/code.visualstudio.com\/updates\/v1_109#_automatic-tasks-disabled-by-default\" rel=\"noopener\" target=\"_blank\">version 1.109<\/a>) that introduces a new \u00abtask.allowAutomaticTasks\u00bb setting, which defaults to \u00aboff\u00bb in order to improve security and prevent unintended execution of tasks defined in \u00abtasks.json\u00bb when opening a workspace.<\/p>\n<p>\u00abThe update also prevents the setting from being defined at the workspace level, so malicious repositories with their own .vscode\/settings.json file should not be able to override the user (global) setting,\u00bb Abstract Security <a href=\"https:\/\/www.abstract.security\/blog\/contagious-interview-evolution-of-vs-code-and-cursor-tasks-infection-chains-part-2\" rel=\"noopener\" target=\"_blank\">said<\/a>.\u00a0<\/p>\n<p>\u00abThis version and the recent February 2026 (<a href=\"https:\/\/code.visualstudio.com\/updates\/v1_110\" rel=\"noopener\" target=\"_blank\">version 1.110<\/a>) release also introduce a secondary prompt that warns the user when an auto-run task is detected in a newly opened workspace. This acts as an additional guard after a user accepts the Workspace Trust prompt.\u00bb<\/p>\n<p>In recent months, North Korean threat actors have also been engaging in a coordinated malware campaign targeting cryptocurrency professionals through LinkedIn social engineering, fake venture capital firms, and fraudulent video conferencing links. The activity shares overlap with clusters tracked as GhostCall and UNC1069.<\/p>\n<p>\u00abThe attack chain culminates in a ClickFix-style fake CAPTCHA page that tricks victims into executing clipboard-injected commands in their Terminal,\u00bb MacPaw&#8217;s Moonlock Lab <a href=\"https:\/\/moonlock.com\/fake-vcs-target-crypto-talent-clickfix-campaign\" rel=\"noopener\" target=\"_blank\">said<\/a>. \u00abThe campaign is cross-platform by design, delivering tailored payloads for both macOS and Windows.\u00bb<\/p>\n<div class=\"dog_two clear\">\n<div class=\"cf\"><a href=\"https:\/\/thehackernews.uk\/ciso-risk-comm-cert-dr-d\" rel=\"nofollow noopener sponsored\" target=\"_blank\"><img loading=\"lazy\" decoding=\"async\" class=\"lazyload\" alt=\"Cybersecurity\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgqhIRUj1YTC94RNdUGjmL9vDt5o56pkuKHyTGP8DvhM0bsTe7VSW-pHKY9HaAKsXk4J3x3gREcX_ZtLx04zPaI1UqHjcBD9QquXjOczTKwcJeGnTUqH73_QRG4d0Ki0KBKChGP48m-7VzU7UTgCWdz7hBtd51XbCyMUXu9PBBQt1sbO1V4WLWu4QrEBTZA\/s728-e100\/ciso-dark-d.png\" width=\"729\" height=\"91\"\/><\/a><\/div>\n<\/div>\n<p>The findings come as the U.S. Department of Justice (DoJ) <a href=\"https:\/\/www.justice.gov\/usao-sdga\/pr\/three-men-sentenced-providing-computer-access-foreign-workers-potential-espionage-plot\" rel=\"noopener\" target=\"_blank\">announced<\/a> the sentencing of three men &#8212; Audricus Phagnasay, 25, Jason Salazar, 30, and Alexander Paul Travis, 35 &#8212; for their roles in furthering North Korea&#8217;s fraudulent information technology (IT) worker scheme in violation of international sanctions. All three individuals previously pleaded guilty in November 2025.<\/p>\n<p>Phagnasay and Salazar were both sentenced to three years of probation and a $2,000 fine. They were also ordered to forfeit the illicit proceeds gained by participating in the wire fraud conspiracy. Travis was sentenced to one year in prison and ordered to forfeit $193,265, the amount earned by North Koreans by using his identity.<\/p>\n<p>\u00abThese men practically gave the keys to the online kingdom to likely North Korean overseas technology workers seeking to raise illicit revenue for the North Korean government \u2014 all in return for what to them seemed like easy money,\u00bb Margaret Heap, U.S. attorney for the Southern District of Georgia, said in a statement.<\/p>\n<p>Last week, Flare and IBM X-Force published a detailed look at the <a href=\"https:\/\/kudelskisecurity.com\/research\/inside-the-dprk-fake-it-worker-network-ip-ranges-proxies-and-internal-coordination\" rel=\"noopener\" target=\"_blank\">IT worker<\/a> <a href=\"https:\/\/kudelskisecurity.com\/research\/dprk-fake-it-workers-fraud-playbook\" rel=\"noopener\" target=\"_blank\">operation<\/a> and its <a href=\"https:\/\/kudelskisecurity.com\/research\/inside-the-cyber-infrastructure-behind-dprk-fake-it-worker-operations\" rel=\"noopener\" target=\"_blank\">internal structure<\/a>, while highlighting how IT workers attend prestigious universities in North Korea and go through a rigorous interview process themselves before joining the scheme.<\/p>\n<p>They are \u00abconsidered elite members of North Korean society and have become an indispensable part of the overall North Korean government&#8217;s strategic objectives,\u00bb the companies noted. \u00abThese objectives include, but are not limited to, revenue generation, remote employment activity, theft of corporate and proprietary information, extortion, and providing support to other North Korean groups.\u00bb<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>The North Korean threat actors behind the Contagious Interview campaign, also tracked as WaterPlum, have been attributed to a malware family tracked as StoatWaffle that&#8217;s distributed via malicious Microsoft Visual&hellip;<\/p>\n","protected":false},"author":1,"featured_media":360,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[383,834,10,229,338,337,42,247,836,835],"class_list":["post-359","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-abuse","tag-autorun","tag-code","tag-deploy","tag-hackers","tag-korean","tag-malware","tag-north","tag-stoatwaffle","tag-tasks"],"_links":{"self":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/359","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=359"}],"version-history":[{"count":0,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/359\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/media\/360"}],"wp:attachment":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=359"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=359"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=359"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}