Web3

“The dev branch was a threshold; crossing it woke the hook.” Executive Summary This report analyzes a recruitment-themed malware delivery attempt that abused a developer review workflow. A LinkedIn recruiter persona using the name Bill Johnson, CTS sent the target a LimeWire file-sharing URL for an archive named AI-Powered_RWA_Finance_Platform.zip: hxxps://limewire[.]com/d/Fw4jF#TNRRfGHC7h The lure framed the work as a review of an abandoned AI-powered real-world-asset finance platform. The actor claimed prior developers were poor at Git and pointed the reviewer at a repository snapshot where the master branch was incomplete. The repository README then instructed the reviewer to run: ...

“This was not a new work, but an old hand returning by familiar paths.” Executive Summary A threat actor operating a LinkedIn recruiter persona, assessed with low-to-medium confidence as DPRK-linked and consistent with Contagious Interview / TraderTraitor-style activity, targeted developers through a multi-stage social engineering lure. The initial LinkedIn message delivered a Google Drive-hosted project overview / job description PDF and a Calendly scheduling link. The malicious GitHub repository, Dravion-Core hosted under the organisation Intraverse-Dev-Tech-Hub, was subsequently shared during the follow-on call rather than in the initial message. The repository deploys two independent execution routes that deliver the same payload via separate C2 infrastructure, in a structure near-identical to TP-2026-004 (BetPoker). ...

“The table is set like an altar, and whoso sits there is counted among the damned.” Executive Summary A threat actor operating under the GitHub organisation LimitBreakOrgs used a repository named bet_ver_1, publicly described as “BetPoker”, as a malicious Web3 gaming assessment project. The organisation name appears designed to resemble limitbreakinc, the legitimate GitHub organisation associated with Limit Break Inc., a Web3 gaming company. The preserved repository presents as a Web3 poker and sports betting platform and contains two independent execution routes: one through a VS Code folder-open task, and one through backend startup via npm start. ...