ctipilot.ch

DPRK UNK_DeadDrop (rel. Contagious Interview) — VS Code/Cursor tasks.json runOn:folderOpen auto-exec delivering Overlord Go C2 to developers; EU targets FR/DE/NL

campaign · campaign:unk-deaddrop-2026

Coverage timeline: 1 (first 2026-06-16 → last 2026-06-16)
Briefs: 1 (1 distinct)
Sources cited: 2 (2 hosts)
Sections touched: 1 (active_threats)
Co-occurring entities: 3 (see Related entities below)

Story timeline

  1. 2026-06-16 · CTI Daily Brief — 2026-06-16
     active_threats · First coverage. Proofpoint; Cursor executes folderOpen task silently; confirmed EU victims.

Where this entity is cited

  • active_threats · 1

Source distribution

  • proofpoint.com · 1 (50%)
  • thehackernews.com · 1 (50%)

Related entities

Items in briefs about DPRK UNK_DeadDrop (rel. Contagious Interview) — VS Code/Cursor tasks.json runOn:folderOpen auto-exec delivering Overlord Go C2 to developers; EU targets FR/DE/NL (1)

DPRK UNK_DeadDrop weaponises VS Code / Cursor auto-run to hit developers, including EU targets

From CTI Daily Brief — 2026-06-16 · published 2026-06-16

Proofpoint details UNK_DeadDrop, a North-Korea-aligned cluster (related to but distinct from Contagious Interview / Famous Chollima) that sent 250+ recruitment-themed phishing emails to ~100 finance, crypto, education and technology organisations over April–May 2026 (Proofpoint, 2026-06-15); the targeted geographies are a US majority followed by the UK, Australia, France, Germany and the Netherlands, among others (The Hacker News, 2026-06-16). The lure links to attacker-controlled GitHub/GitLab repositories carrying a .vscode/tasks.json with runOn: folderOpen; VS Code shows a workspace-trust prompt, but Cursor IDE executes the task silently with no prompt, dropping the open-source Overlord Go C2 that steals browser credentials and crypto wallets (The Hacker News, 2026-06-16). Mapped to T1566.002, T1195.001, T1059.004 and T1555.003.

Why it matters to us: public-sector and fintech development teams that have adopted Cursor are exposed to silent execution on repository open. Hunt for editor processes (code, cursor) spawning shell/script interpreters outside build directories (Sysmon EID 1 parent-image filter); enforce workspace-trust policy and restrict VSIX installation to an approved-publisher allowlist via enterprise policy.
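As an added defender-side example (not code from the brief, Proofpoint or ctipilot.ch): a small Python hunt implementing the two checks above, flagging Sysmon EID 1 records in which a code.exe/cursor.exe parent spawns a shell or script interpreter outside an approved build directory, and listing tasks in a .vscode/tasks.json that carry runOn: folderOpen. The image-name sets, build-directory list and sample records are constructed assumptions.

```python
import json
from pathlib import PureWindowsPath

# Editor and interpreter image names used by the hunt. The sets are this example's
# assumption; extend them to the binaries actually deployed in your estate.
EDITOR_IMAGES = {"code.exe", "cursor.exe"}
INTERPRETER_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe", "bash.exe", "node.exe", "python.exe"}

def is_editor_spawned_interpreter(event, build_dirs):
    """True when a Sysmon EID 1 record shows an editor launching an interpreter
    from a working directory that is not under an approved build directory."""
    parent = PureWindowsPath(event.get("ParentImage", "")).name.lower()
    child = PureWindowsPath(event.get("Image", "")).name.lower()
    cwd = event.get("CurrentDirectory", "").lower().rstrip("\\")
    if parent not in EDITOR_IMAGES or child not in INTERPRETER_IMAGES:
        return False
    return not any(cwd == d or cwd.startswith(d + "\\")
                   for d in (b.lower().rstrip("\\") for b in build_dirs))

def flag_events(events, build_dirs):
    """CommandLine of every record that matches the hunt."""
    return [e["CommandLine"] for e in events if is_editor_spawned_interpreter(e, build_dirs)]

def find_auto_run_tasks(tasks_json_text):
    """Labels of tasks in a .vscode/tasks.json with runOptions.runOn == folderOpen.
    Assumes plain JSON; strip JSONC comments first if the file carries them."""
    doc = json.loads(tasks_json_text)
    return [t.get("label", "<unlabelled>") for t in doc.get("tasks", [])
            if t.get("runOptions", {}).get("runOn") == "folderOpen"]

# Constructed sample data (not real telemetry): three Sysmon EID 1 records and one tasks.json.
BUILD_DIRS = ["C:\\build"]
SAMPLE_EVENTS = [
    {"ParentImage": "C:\\Users\\dev\\AppData\\Local\\Programs\\cursor\\Cursor.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c node setup.js",
     "CurrentDirectory": "C:\\Users\\dev\\repos\\candidate-task\\"},  # editor -> shell, outside build dir
    {"ParentImage": "C:\\Program Files\\Microsoft VS Code\\Code.exe",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -File build.ps1", "CurrentDirectory": "C:\\build\\project\\"},  # allowed
    {"ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe", "CurrentDirectory": "C:\\Users\\dev\\"},  # not an editor parent
]
SAMPLE_TASKS_JSON = json.dumps({"version": "2.0.0", "tasks": [
    {"label": "build", "type": "shell", "command": "npm run build"},
    {"label": "setup", "type": "shell", "command": "node setup.js", "runOptions": {"runOn": "folderOpen"}},
]})
```

Only the Cursor-spawned cmd.exe in the candidate-task directory is flagged; the PowerShell build step under C:\build and the explorer-launched shell are not.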