ICIC
KP

DevPopper

Medium ConfidenceHigh Threat

DEV#POPPER • Famous Chollima

DevPopper is a North Korean threat campaign targeting software developers through fake job interviews and malicious npm packages. The operation involves creating fake companies and job postings to lure developers into downloading malware-laden coding tests or development tools. This campaign represents North Korea's evolving tactics to target the cryptocurrency and technology sectors through supply chain and social engineering attacks.

Origin: North Korea
Sponsor: RGB (Reconnaissance General Bureau)
Active: 2023 - Present
Victims: 100+ developers
Advanced
Active
Financial GainEspionage
Risk Assessment
70
Composite Risk Score
High Risk
ARCS Compliance70
Escalation Risk72
Grievance Index78
Infrastructure Impact60
History & Evolution

DevPopper is a North Korean threat campaign targeting software developers through fake job interviews and malicious npm packages. The operation involves creating fake companies and job postings to lure developers into downloading malware-laden coding tests or development tools. This campaign represents North Korea's evolving tactics to target the cryptocurrency and technology sectors through supply chain and social engineering attacks.

Targeting

Target Sectors

TechnologyCryptocurrencySoftware Development

Target Regions

GlobalUnited StatesEurope
Attribution & Affiliations

Attributed to RGB (Reconnaissance General Bureau) (North Korea). Attribution confidence: Medium.

Intelligence Assessment
High
Threat Level
Moderately
Targeting
Moderately
Adaptability
High
Persistence
Continuous
Op Tempo
Active
Status

Future Outlook

DevPopper is expected to continue operations targeting Technology sectors.

Timeline of Key Events
2023
Major

First observed activity of DevPopper

2024
Moderate

Continued active operations

Related Threat Groups
KPLazarus Group
Shared infrastructure

Overlapping C2 infrastructure and tooling

KPKimsuky
Shared sponsor

Both operate under RGB