Coinmonks

Coinmonks is a non-profit Crypto Educational Publication. Other Project — https://coincodecap.com/ & Email — gaurav@coincodecap.com


Summary of Findings on Suspicious GitHub Activity Linked to DPRK IT Workers

This investigation seeks to analyze findings from previous research and identify profile image patterns and behavioral traits associated with DPRK-IT worker accounts on GitHub.

18 min read · Oct 28, 2024


The investigation into the suspicious activity on GitHub began with this account: Onder Kayabasi


https://www.linkedin.com/in/onder-kayabasi-772a33302/

After reviewing the profile, we noticed several inconsistencies across the individual’s history, profiles, and activity:

https://x.com/OnderKayabasi — GitHub deleted profiles

The profile information, the profile image, and the description did not match across these accounts.

To better understand the user's behavior, the best approach is to look at the context (GitHub) and the behavior within it (what is the reason behind it?).

The account Kaan Kayabasi, related to this user, has one follower: "Devmaster929".


This follower, Devmaster929, was registered with the email address goodfriend9290@gmail.com.


By checking who this account follows, we see several accounts that appear to be fake recruiter profiles. If we go through the list of followers mentioned above one by one, we find many fake profiles farming different accounts, apparently targeting developers on GitHub.


Most of these accounts are new, share the same bio, and use pictures of women. We also have to bear in mind that these accounts are followed by "devmaster929".

From this profile we found at least 250 profiles posing as recruiters; most of these accounts were created in January 2024:


Most of these accounts were created in 2024 and show no repository activity. Some of them are linked to legitimate LinkedIn profiles, while others are linked to suspicious LinkedIn Premium accounts with low social activity consisting only of reposts.

This indicates an operation of fake recruiters on GitHub and LinkedIn: the accounts resemble each other, and their behavior follows recognizable patterns, namely empty or low-quality activity on their profiles.

This network of fake GitHub accounts posing as recruiters could be found thanks to the connection between the profile Onder Kayabasi and these suspicious accounts.

https://www.linkedin.com/in/onder-kayabasi-772a33302/

The activity of this user was also reported by a LinkedIn user, who stated:

LinkedIn post

This report also supports the initial hypothesis of a threat actor linked to DPRK activity: the method, the way of approaching targets, and the low quality of the account all point toward DPRK operations.

The user "Onder Kayabasi" was confirmed by Palo Alto Networks' Unit 42 intelligence team in a report noting that the activity is similar to the CL-STA-240 Contagious Interview campaign, a campaign attributed to threat actors associated with the Democratic People's Republic of Korea (DPRK).

https://unit42.paloaltonetworks.com/north-korean-threat-actors-lure-tech-job-seekers-as-fake-recruiters/

“The attackers behind this campaign introduced a new Qt version of the BeaverTail malware as early as July 2024. The malware authors compiled BeaverTail variants for both Windows and macOS from the same source code using the Qt programming language.

North Korean threat actors are known to conduct financial crimes for funds to support the DPRK regime. This campaign may be financially motivated, since the BeaverTail malware has the capability of stealing 13 different cryptocurrency wallets.”

Fake developers related to Lazarus:

After the first investigation into "Onder Kayabasi", the profile was deleted. However, its interactions with other accounts guide us toward more suspicious activity.

Upon analyzing several accounts, we identified one that had been created only a few months ago but had amassed a large following and hosted suspicious repositories. The profile on which we will focus our attention will be the purple one: Warmice71


The activity on these profiles ranges from numerous links and emails listed on the profile to a pattern of following several accounts that appear similar to each other. On the profile of Warmice71, there’s a repository at https://github.com/warmice71/vinci-store-product-scraping.

In this repository, we found screen-capture videos showing interactions with a client while the account holder performs work on Upwork.

https://github.com/warmice71/vinci-store-product-scraping/blob/main/project-process/Record_2024_01_19_11_56_26_32.mp4

The video is Record_2024_01_19_11_56_26_32.mp4.

In this interaction, he introduces himself as "Au WaiLun" and also shares an additional GitHub profile under the name "AI0228".

This profile uses the same image, and the activity appears similar to warmice71:


Considering that there is suspicious activity related to these two accounts and that they are connected to each other, we will analyze their followers and the accounts they follow to better understand a significant portion of the fake profile network.

Given this context, we can see that there are similar accounts with matching skills, bios, images, and GitHub handles that follow each other and share several mutual connections:


https://github.com/AI0228
https://github.com/warmice71
https://github.com/niceDeve
https://github.com/codestar3524
https://github.com/topdev0215
https://github.com/Forest410
https://github.com/enzifiri
https://github.com/sunlight0902
https://github.com/ERTWENTY

Considering these patterns, I decided to analyze additional accounts with similar characteristics that also follow each other.

Patterns and characteristics observed in GitHub accounts

Based on the accounts uncovered in this investigation, a significant number of profiles share specific characteristics: similar profile images, a "working from home" status, GitHub handles built from specific keywords (e.g., Super, Dev, Happy, Smart, Top, Funny, King, Golden), close creation dates, and mutual following patterns, suggesting they form an interconnected network:

Additionally, we found a series of accounts using profile images featuring the number 1 or highlighted in gold and red.

On the other hand, there are accounts that display other intriguing shared characteristics:

Example #1: Full stack developers and Blockchain developers using this image of a minion:


Example #2: Full stack developers and Blockchain developers using similar images:

https://github.com/Seniorcoder72
https://github.com/SMILES00714
https://github.com/WhiteRabbit130
https://github.com/WebRabbit1796
https://github.com/supercoder-0923
https://github.com/hudesdev
https://github.com/bstar0406

Given this context of an interconnected network of GitHub accounts that share several characteristics and are linked to a threat actor, we can deepen our analysis to identify additional accounts within this network. By documenting more of these accounts, we can gain a better understanding of how this network operates.

Analyzing GitHub accounts related to DPRK-Lazarus Developers

Considering the findings from these investigations regarding the methods and techniques used by the threat actor for self-identification, we will analyze confirmed profiles linked to Lazarus to determine if any of these established accounts follow the accounts associated with this network.

We will take ZachXBT’s investigation as an example, which highlights GitHub accounts linked to Lazarus’s activities:

#1 — Case

https://x.com/zachxbt/status/1812856350151766209

ZachXBT shares the alias and GitHub account: light-fury


If we check some of this account's context (followers and following):

Among its followers, we can see accounts that use this type of image in their GitHub profile and that also use some of the words common in the GitHub handles of this network:

https://github.com/silvstar0

Even without examining the repositories of these accounts, certain keywords in their GitHub handles and their profile images closely resemble those of accounts previously identified as linked to Lazarus.

In the same light-fury account, among its followers is the account:

https://github.com/Blockchainyou

In his followers, we can see the accounts we already discovered:


Likewise, the account "light-fury" is following some interesting accounts that present themselves as "Senior Blockchain Developers" or "Full Stack" developers:


Most of these accounts look familiar in light of what we have described and list the same skills we mentioned previously.

#2 — Case

Another example illustrating this network in confirmed DPRK accounts is found in ZachXBT’s investigation, where he shares the GitHub handles of DPRK-linked developers:


If we check the account related to Willie Lee:

https://github.com/keizir

In his followers, we can see some suspicious accounts:

https://github.com/jac0x

Among his followers, there are accounts displaying specific keywords, profile images, suspicious activities, and skills that suggest a pattern rather than mere coincidence:

https://github.com/eddyonl

The account shows a suspicious following pattern, with a high number of newly created accounts and some we already identified:

https://github.com/eddyonl?page=2&tab=following

This type of activity is neither typical nor logical for a legitimate account.

#3 — Case

Another example based on the same investigation by ZachXBT is the user Naoki Murano:

In ZachXBT's publication, two researchers pointed out that Naoki Murano could also be linked to the GitHub account 0xb10ckdev.
blackbigswan conducted a search on GitHub, uncovering the following findings:

https://x.com/blackbigswan/status/1824148708415639711

Tayvano also pointed to this GitHub handle as being related to Naoki Murano:

https://x.com/tayvano_/status/1824193880713314728

With this in mind, we checked the profile of Naoki Murano under the handle 0xb10ckdev:

https://github.com/0xb10ckdev

If we check who he follows, there is an interesting account:

https://github.com/ororopickpocket

After checking the followers of ororopickpocket, we find some accounts of interest, for example:

https://github.com/capitalist42

After checking the followers of capitalist42, we can see some accounts we already identified:


Considering that most of these accounts are clearly connected within 2 or 3 degrees to certain accounts acting as nodes, they collectively form a large cluster. This cluster includes accounts belonging to fake recruiters as well as fake developer accounts.

This approach aims to generate intelligence on how these fraudulent campaigns may be organized, often by posing as recruiters or developers. It provides insight into the threat actor’s tactics and early-stage operations within the kill chain, highlighting the unique attributes and strategies they use in reconnaissance and the early distribution of malware.

Identifying Lazarus-linked GitHub accounts associated with this campaign:

One key aspect highlighted in this analysis is the ability to track the threat actor through their self-identification, in this case on GitHub and in their account profile. We have found that images provide an interesting and valuable dimension for analyzing an account. Likewise, examining their followers and who they follow can offer further insight into their true environment and context.

Next, an identification and segmentation of various GitHub accounts linked to these suspicious activities is carried out. These accounts share certain patterns and are generally clustered or connected under nodes like “AI0228” and “warmice71.”

How to Identify a Suspicious GitHub Account Associated with DPRK Threat Actors

We can also identify a GitHub account based on its actual context — such as country, connections, social networks, and social activity — and analyze its relationships within that context, including follower and following patterns.

When analyzing an account to determine whether it might be related to a threat actor group like Lazarus, it is essential to consider the following aspects:

  • Creation Date: Many accounts were created between May and the end of 2023, exhibiting sporadic or unusual repository activity. However, there have also been instances where stolen accounts are used or purchased from other actors operating on GitHub who offer these services.
  • Follow/Followers: These accounts are often interconnected, frequently following “node” accounts that serve as hubs within the network. Examine the follower and following patterns up to 2 or 3 degrees to identify any anomalies within their immediate context.
  • Suspicious Repository Activity: Common patterns include excessive forking, starring empty profiles, hosting identical repositories, and sharing similar “projects.”
  • Bio: Many profiles tend to feature generic descriptions, such as “Full Stack Developer” with “+5 to +8 years of experience.” Additionally, it’s common to see broken social media links or profiles that overly promote their social media presence, which seems unusual.
  • Personality: Most of these profiles lack a distinct identity and are not highly personalized. Many descriptions and organizational structures on their GitHub profiles appear identical or generic.
  • Skills: Frequently listed skills include “Full Stack Blockchain Developer,” “Full-Stack Software Engineer,” “AI/ML Engineer,” and “Senior AI & Full Stack Developer.”
  • Social Networks: Indicators of inactivity include LinkedIn profiles with minimal engagement, fake GitHub profiles linked to legitimate accounts, suspicious Instagram/Facebook accounts, and a general lack of recent social activity.
  • Context: Red flags include broken links, irregular GitHub statistics, AI-generated profile images, profiles based in Latin America with seemingly mismatched Asian appearances, and accounts lacking historical data.
  • Logical Pattern: Activities unrelated to the account’s stated purpose, mismatched skill sets, and inconsistencies in knowledge domains.
  • Internal Association: Connections to specific organizations, interest in certain groups, and a pattern of forking projects tied to particular organizations-companies.
  • External Association: The presence of these accounts on other social networks or freelance platforms like Upwork, and connections to associated accounts that engage in freelance work.
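To make the checklist above concrete, here is an added example (not the author's tooling) that scores constructed profile records against these indicators and walks the follow graph two degrees out from a known-linked seed account, as in the 2-or-3-degree follower analysis described earlier. The handle keywords and bio phrases come from the article; the numeric thresholds, the sample handles, and the seed account name are assumptions made for this example.

```python
"""Triage helpers for the indicators listed above. Added example, not the
author's tooling; profiles and follow edges are constructed inline (in
practice they would come from the GitHub REST API)."""
from collections import deque
from datetime import date

# Handle keywords and bio phrases the article reports as recurring. The
# numeric thresholds below are assumptions chosen for this example only.
HANDLE_KEYWORDS = ("super", "dev", "happy", "smart", "top", "funny",
                   "king", "golden", "star")
BIO_PHRASES = ("full stack developer", "blockchain developer",
               "senior engineer", "years of experience", "ai/ml engineer")
WAVE_START = date(2023, 5, 1)  # article: many accounts created from May 2023

def score_profile(login: str, p: dict) -> tuple[int, list[str]]:
    """Count the article's indicators a profile matches; none is conclusive
    on its own, the score only orders accounts for manual review."""
    score, reasons = 0, []
    repos = p.get("public_repos", 0)
    if any(k in login.lower() for k in HANDLE_KEYWORDS):
        score += 1; reasons.append("handle keyword")
    if any(ph in p.get("bio", "").lower() for ph in BIO_PHRASES):
        score += 1; reasons.append("generic bio")
    if date.fromisoformat(p["created_at"]) >= WAVE_START and repos <= 2:
        score += 1; reasons.append("recent account, little repo activity")
    if p.get("followers", 0) >= 100 and repos <= 2:
        score += 1; reasons.append("large following, little activity")
    if p.get("following", 0) >= 500:
        score += 1; reasons.append("mass following")
    if p.get("broken_links"):
        score += 1; reasons.append("broken profile links")
    return score, reasons

def build_graph(edges: list[tuple[str, str]]) -> dict[str, set[str]]:
    """Undirected adjacency from (follower, followed) pairs; the article
    examines both directions, so direction is dropped here."""
    adj: dict[str, set[str]] = {}
    for a, b in edges:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj

def neighborhood(adj: dict, seeds: set[str], max_depth: int = 2) -> dict[str, int]:
    """BFS from known-linked seed accounts: login -> degrees from the nearest
    seed, cut off at max_depth (the article's 2 or 3 degrees)."""
    dist = {s: 0 for s in seeds}
    queue = deque(seeds)
    while queue:
        cur = queue.popleft()
        if dist[cur] == max_depth:
            continue
        for nxt in adj.get(cur, ()):
            if nxt not in dist:
                dist[nxt] = dist[cur] + 1
                queue.append(nxt)
    return dist

def flag_cluster(profiles: dict, adj: dict, seeds: set[str],
                 min_score: int = 3, max_depth: int = 2) -> list[tuple[str, int, int]]:
    """(login, degree, score) for non-seed accounts within max_depth of a seed
    that reach min_score, ordered by score desc, then degree, then login."""
    hits = []
    for login, degree in neighborhood(adj, seeds, max_depth).items():
        if login in seeds or login not in profiles:
            continue
        score, _ = score_profile(login, profiles[login])
        if score >= min_score:
            hits.append((login, degree, score))
    return sorted(hits, key=lambda h: (-h[2], h[1], h[0]))

# Constructed sample data; none of these are real accounts.
PROFILES = {
    "superdev-0421": {"created_at": "2023-11-02", "public_repos": 0, "followers": 1200,
                      "following": 30, "broken_links": True,
                      "bio": "Senior Full Stack Developer | 8+ years of experience"},
    "happycoder-77": {"created_at": "2024-01-15", "public_repos": 1, "followers": 40,
                      "following": 900, "bio": "Blockchain Developer"},
    "alice-maintainer": {"created_at": "2015-03-10", "public_repos": 48, "followers": 300,
                         "following": 120, "bio": "Maintainer of a few open source libraries"},
    "goldenking99": {"created_at": "2023-06-20", "public_repos": 0, "followers": 15,
                     "following": 600, "bio": "Full Stack Developer"},
    "faraway-user": {"created_at": "2023-08-01", "public_repos": 0, "followers": 5,
                     "following": 700, "bio": "Full Stack Developer"},
}
EDGES = [("superdev-0421", "seed-node-A"), ("happycoder-77", "seed-node-A"),  # (follower, followed)
         ("alice-maintainer", "seed-node-A"), ("goldenking99", "superdev-0421"),
         ("faraway-user", "goldenking99")]  # "seed-node-A" stands in for a confirmed-linked account

if __name__ == "__main__":
    for login, degree, score in flag_cluster(PROFILES, build_graph(EDGES), {"seed-node-A"}):
        print(f"{login:18} degree={degree} score={score}", score_profile(login, PROFILES[login])[1])
```

Raising `max_depth` to 3 pulls in "faraway-user" as well, which shows why the article treats the third degree as a wider, noisier ring than the first two.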

This approach could also help in identifying suspicious accounts by highlighting key characteristics and connections within their network.

What do accounts linked to this suspicious campaign look like?

Based on our investigation, we have identified certain patterns in the creation of these accounts, such as creation dates, skills, similar images in profiles, comparable bios, and analogous GitHub handles, among other aspects.

Regarding their self-identification through images, we have found and classified their accounts based on how they present themselves.

Some aspects to consider in this image classification:

  • It is clear that not all accounts using some of these images are connected to the campaign of suspicious GitHub accounts associated with DPRK threat actors.
  • “Superstar” is a name they consistently use in their campaign (GitHub handle, profile images, text found) and this has been repeatedly observed among them.
  • We found that these profiles, which have a substantial following, often tend to identify themselves with images featuring the number one, frequently complemented by gold and red colors and stars.
  • There are also profile images linked to anime, movies, and other themes, where these accounts are interconnected. Furthermore, these profiles are commonly found among the followers of these accounts.
  • While there is a diverse range of images, many accounts follow the pattern of presenting themselves as “developers” while aligning with a specific image.

Our classification of images seems to indicate the existence of some kind of categories or ranks among their accounts. Additionally, there are groups of accounts with specific images that appear to serve certain functions:

Most of the following GitHub accounts list their skills as ‘Full Stack Developer’ or ‘Blockchain Engineer,’ among the most popular titles.

Among the identified accounts, we’ve observed six distinct types of profile images frequently used for self-identification. These images and identities often correlate with specific account behaviors. For instance, some accounts exclusively follow female profiles, while others boast over 50,000 followers. Certain accounts actively monitor their targets, and many appear to be interconnected through shared followers or those they follow.

1. Star — SuperStar

Among the most significant accounts, it has been observed that those featuring images with the number one, golden spikes, and stars appear to function as nodes or clusters. Considering the context of the actor, it is possible that these accounts, which have many followers, are used to monitor the activities of “lower-tier” entities. Additionally, since these accounts may serve as intelligence units, they could be essential for coordinating attacks and assessing the effectiveness of the units involved in the campaigns.

  • Role as Nodes or Clusters: The repeated use of symbols representing leadership or dominance (like gold stars and medals) suggests that these accounts may act as central nodes within a network. They could play a strategic role by gathering followers and acting as influential points within broader networks. These central accounts could be used to coordinate or observe the actions of associated or subordinate accounts (“lower-tier” entities) by directing their activity and gathering information.
  • Usernames and Roles: Usernames continue to focus on common developer keywords like “Full Stack Developer,” “AI Engineer,” “Super Dev,” and various references to technology stacks or roles.
  • Campaign association: The term “SuperStar” has been coined for a campaign targeting GitHub accounts linked to fake developers, as many of these accounts — often using specific images — are associated with activities of the North Korean APT group, Lazarus.
  • It has been observed that these suspicious GitHub accounts are followed by or follow many other accounts that form a network likely associated with the activities of the North Korean APT group, Lazarus. If not directly connected, these “SuperStar” accounts may appear among the followers or followed accounts within two or three degrees of separation from the suspicious account.
  • Additionally, in the following repository, a screenshot of a group member possibly reveals the use of “SuperStar” in the computer’s name, further underscoring the relevance of this term: https://github.com/orgs/Finalgoal231/discussions/69

2. AI-generated images or avatars

Many profiles use AI-generated images or avatars, which may be intentionally chosen to obscure the user’s identity or add visual appeal.

  • Usernames and Descriptions: The accounts often have generic usernames or employ developer-centric keywords like “Full Stack Developer,” “Senior Dev,” or domain-specific tags like “Blockchain.” Their bios typically feature broad and appealing job descriptions that seem crafted to attract followers or create an impression of expertise.
  • Activity: These profiles are more likely to interact with repositories, leave comments, contribute code, and follow trending repositories or popular tech stacks like Blockchain, AI, or Full-Stack Development, reflecting an effort to engage with and be visible within key communities.

3. Minion Avatars:

Multiple instances of these profiles have been identified. Some of these GitHub accounts are linked to LinkedIn profiles (verified connections) but exhibit no typical social activity on that platform.


This lack of interaction raises suspicion, especially given their claimed experience levels. Generally, accounts with such credentials would have higher activity levels. Monitoring these types of accounts through associations can indicate suspicious behavior, as many of these profiles lack repositories or noteworthy content that would typically warrant someone choosing to “follow” them on GitHub.

  • Use of Minion Avatars: All the accounts display different variations of Minion characters. In suspicious activity contexts, it gives the impression of being part of a coordinated network.
  • Generic Usernames and Roles: Usernames include elements like “Dev,” “Engineer,” or generic names paired with Minion references. Some descriptions reference broad technical roles like “Full Stack Developer” or “Senior Engineer,” with vague but appealing descriptions like “10+ years of experience,” targeting developer communities without revealing much specific information
  • Coordinated Network: These accounts could be part of a coordinated network using Minion avatars. This tactic might serve to obscure their true purpose, promote a sense of community, and establish a base of followers. When combined with high follower counts, vague but enticing job descriptions, and developer-centric keywords, these accounts could be involved in deceptive activities like amplifying repositories, gathering intelligence, or even executing coordinated influence operations within the GitHub community.

4. Cartoon-style avatars:

These GitHub profiles exhibit some characteristics that might indicate suspicious or inauthentic activity:

  • Unusual Consistency in Avatars: Many of these accounts have similar bunny-themed avatars, which could indicate they were generated or chosen in bulk for visual uniformity, possibly as part of a bot network.
  • Inconsistent Information: Some of these accounts list generic job titles (e.g., “Full Stack Developer”) and brief descriptions without specifics. Real developer profiles on GitHub usually have personalized descriptions or links to real projects and repositories.

The use of cartoon bunny avatars, especially when combined with low activity and generic profile information, could suggest that these accounts are part of a coordinated network, likely created for non-legitimate purposes such as boosting followers or creating the appearance of activity around specific users or projects.


5. Profiles with Anime Avatars:

These GitHub profiles also show signs of potentially suspicious or coordinated behavior, with similarities to the previous batch of images described:

  • An interesting aspect of these profiles with “anime avatars” is their tendency to engage actively on GitHub, not only in communities but also in social interactions. It appears that profiles using these types of images demonstrate a certain level of autonomy and expertise, as their contributions to other repositories often reveal advanced knowledge in areas like Blockchain.
  • It’s important to note that using anime avatars as profile pictures is common across the internet. However, when multiple profiles share similarities in skills, images, profile creation dates, followed accounts, and other characteristics, they deviate from typical patterns and behaviors. These overlapping factors raise questions about the authenticity and intentions behind these accounts.
  • Anime-style Avatars: A high concentration of anime-themed profile pictures suggests a possible pattern. While anime avatars are common among some users, the similar styles across these profiles can indicate they were chosen from a shared source, which is often seen in bot networks.
  • Generic Profile Descriptions: Many accounts list vague titles like “Full Stack Developer” or “Blockchain Developer” without showcasing projects, repositories, or specific achievements. Authentic GitHub profiles usually highlight contributions or link to actual code repositories.
  • Follower-to-Following Ratios: Some profiles have unusually high follower counts despite minimal activity. This could indicate artificial boosting or reciprocal following within a network to create the appearance of credibility.

6. Real Identities / fake human profiles:

The GitHub accounts shown here also exhibit some indicators that may suggest they are not authentic. Here’s an analysis of suspicious characteristics:

  • Professional Headshot-style Avatars: Unlike the typical developer profile images, these accounts use professional headshots or casual photos that appear unrelated to the GitHub platform. While this alone isn’t a red flag, a pattern of using similar real-looking images, especially if sourced from unrelated sources or stock photos, could point to the use of fake or “borrowed” identities.
  • Low Activity and High Follower-to-Following Ratios: Some accounts have follower and following numbers that don’t align with actual contributions or repositories, suggesting they may be part of a network or were created to follow or boost other accounts artificially.
  • Location and Background Inconsistencies: The profiles show a mix of diverse locations and job titles without verifiable links to actual projects or companies. This spread of locations and titles could indicate an attempt to appear internationally diverse or legitimate, while actual activity may be minimal.
  • External Links and Contact Information: Some profiles include contact information or links to freelancing platforms, which could be legitimate, but in some cases, it’s used to create a perception of authenticity. If these links lead to minimal or duplicate portfolios, it could be another indication of a fake network.

7. Suspended accounts related to this network:

These accounts are currently suspended and are among the followers or following lists of accounts linked to activity associated with the Lazarus Group.

  • An important aspect to highlight is that many of these suspended accounts fit into the segmentation we discussed regarding the identifiers they use for themselves.
  • The widespread suspension could indicate suspicious or coordinated behavior, possibly part of Lazarus’s tactics, which include creating multiple accounts to carry out social engineering attacks, spread malicious code, or manipulate repository metrics. This type of activity aligns with known strategies by North Korean threat actors who use compromised or fake developer accounts on platforms like GitHub to conduct cyber operations.

Conclusion

Combining unconventional threat-hunting techniques, such as image analysis and human intelligence (HUMINT), can enhance the ability to track threat actors more effectively.

  • Image analysis, like tracking specific visual elements such as icons or images, allows researchers to identify and link threat actors across campaigns, even when they attempt to evade detection. Similarly, HUMINT focuses on gathering intelligence from social engineering, insider interactions, and open-source human behavior, adding context that purely technical indicators often miss.
  • Together, these methods show the potential of combining technical and behavioral insights to detect and anticipate threats earlier. However, they are often underutilized, as traditional threat hunting tends to focus mainly on network and endpoint indicators. Emphasizing HUMINT and image analysis could improve early threat detection and adversary profiling.
  • Analyzing alternative methods, such as images, photos, videos, and conversations in the early stages of the kill-chain, is an underutilized approach in threat hunting. By considering the attacker’s context, we can gain valuable insights into their tactics across various social networks. Individuals from countries with strict internet control and isolation often exhibit distinctive cultural and online behavior patterns, making these aspects both valuable and intriguing to study.

https://github.com/BlockOSINT


Written by Heiner

Cyber Threat Intelligence | Blockchain Intelligence
