
Void Dokkaebi Supply Chain Poisoning & Fox Tempest MSaaS: OTX Pulse Analysis

Security Arsenal Team
May 21, 2026
6 min read

The latest OTX pulses indicate a convergence of sophisticated supply chain attacks and evasion techniques. The Void Dokkaebi (WageMole) group, a North Korean-aligned APT, has evolved from simple social engineering to active repository poisoning, using fake job interviews to lure developers into cloning malicious Git repositories that weaponize VS Code tasks.

Simultaneously, the Fox Tempest actor has been exposed as operating a Malware-Signing-as-a-Service (MSaaS) operation, abusing Microsoft Artifact Signing to generate fraudulent certificates for ransomware gangs like Rhysida and Akira. On a broader scale, a macOS ClickFix campaign is deploying AppleScript-based stealers via fake CAPTCHA pages, targeting high-value credentials and crypto wallets. Collectively, these pulses represent a shift toward abusing trusted development tools and code-signing infrastructure to bypass traditional security controls.

Threat Actor / Malware Profile

Void Dokkaebi (WageMole)

  • Objective: Initial access to technology and blockchain infrastructure sectors for intellectual property theft and supply chain propagation.
  • Distribution: Fake job interviews leading to cloning of malicious Git repositories.
  • Payload: DEV#POPPER RAT, InvisibleFerret, BeaverTail.
  • Mechanism: Uses malicious VS Code tasks.json configurations to execute commands when the project is opened. The malware propagates worm-like by tampering with Git history so that subsequent cloners are infected as well.

Fox Tempest

  • Objective: Financially motivated "Crime-as-a-Service" enabling ransomware distribution.
  • Distribution: Fraudulent code-signing certificates sold to cybercriminals.
  • Malware Families: Rhysida, Akira, Lumma Stealer, Vidar, BlackByte.
  • Mechanism: Abuses the Microsoft Artifact Signing API to generate valid-looking certificates, allowing malware to evade application control and signature-based defenses.

macOS ClickFix Operators

  • Objective: Credential harvesting and cryptocurrency theft.
  • Distribution: Fake browser CAPTCHA pages ("ClickFix") tricking users into running terminal commands.
  • Payload: AppleScript-based Infostealer.
  • Mechanism: Executes scripts that exfiltrate data from 12 browsers, 200+ extensions, and 16 crypto wallets, bypassing new macOS Terminal protections.

IOC Analysis

The provided IOCs highlight a multi-platform threat:

  • File Hashes: Multiple SHA256 hashes (e.g., 23e37cf4..., 77b1beb0...) correspond to the VS Code payloads (Windows/Linux) and macOS AppleScript droppers. These should be blocked at the endpoint and used for retroactive hunting in EDR telemetry.
  • Domains & URLs:
    • bull-run.fun / spot-wave.fun: C2 and lure infrastructure for the ClickFix campaign.
    • signspace.cloud: Infrastructure associated with Fox Tempest's signing operations.
    • gen.detect.by.nscloudsandbox.tr: A sandbox detection hostname likely used for anti-analysis evasion.
  • Operationalization: SOC teams should immediately ingest these hashes into EDR alerting and block the listed domains at the perimeter (DNS/Firewall). The presence of the .fun TLDs with recent registrations is a high-fidelity marker for the ClickFix campaign.

Detection Engineering

```yaml
---
title: Potential Void Dokkaebi VS Code Task Execution
id: 91c7234b-5c3a-4d9a-9b0e-1f2c3d4e5a6b
description: Detects execution of suspicious commands via VS Code tasks.json, often associated with Void Dokkaebi repository poisoning.
status: experimental
date: 2026/05/21
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/void-dokkaebi
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\Code.exe'
        CommandLine|contains:
            - 'npm install'
            - 'node index.js'
            - 'git config'
            - 'powershell'
    condition: selection
falsepositives:
    - Legitimate developer build tasks
level: high
tags:
    - attack.execution
    - attack.t1059.001
    - void.dokkaebi
---
title: macOS ClickFix AppleScript Credential Access
id: a2b3c4d5-e6f7-8a9b-0c1d-2e3f4a5b6c7d
description: Detects AppleScript execution attempts to access Keychain or browser cookies, characteristic of the ClickFix campaign.
status: experimental
date: 2026/05/21
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/clickfix-macos
logsource:
    category: process_creation
    product: macos
detection:
    selection_img:
        Image|endswith: '/osascript'
    selection_cli:
        CommandLine|contains:
            - 'security find-generic-password'
            - '钥匙串' # Keychain in Chinese/other locales if translated
            - 'Library/Application Support/Google/Chrome'
            - 'Library/Application Support/Firefox'
    condition: all of selection_*
falsepositives:
    - Legitimate administrative scripts
level: high
tags:
    - attack.credential_access
    - attack.t1059.002 # AppleScript
    - attack.t1555.001 # Keychain
    - attack.t1555.003 # Credentials from Web Browsers
    - clickfix
---
title: Fox Tempest Suspicious Code Signing Activity
id: f4e5d6c7-b8a9-0c1d-2e3f-4a5b6c7d8e9f
description: Detects processes with valid digital signatures but issued by suspicious or non-standard issuers often associated with MSaaS abuse.
status: experimental
date: 2026/05/21
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/fox-tempest
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        # Signed/Issuer require a log source that records signature details; map them to your backend's field names
        Signed: true
        Issuer|contains:
            - 'Microsoft Artifact Signing' # Abuse of specific signing API
            - 'SignSpace' # Associated with Fox Tempest infrastructure
    filter_legit:
        Image|contains:
            - '\Windows\'
            - '\Program Files\'
    condition: selection and not filter_legit
falsepositives:
    - Low
level: critical
tags:
    - attack.defense_evasion
    - attack.t1553.002 # Subvert Trust Controls: Code Signing
    - fox.tempest
```
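
Before shipping rules like these it helps to see exactly which events they fire on. The following is an added example, not code from the original post or from any Sigma tooling: a minimal Python matcher that mirrors the three rules above (case-insensitive `endswith`/`contains` modifiers, OR within a value list, AND across fields, and the `selection`, `all of selection_*` and `selection and not filter_legit` conditions) and runs them over constructed process-creation events. The field names follow the rules as written; the events are fabricated samples, not captured telemetry.

```python
"""Mirror of the three Sigma rules above, evaluated against constructed events.

Added example (not the page's own code): a minimal subset of Sigma semantics,
just enough to exercise the rules' field modifiers and conditions offline.
"""
from typing import Any, Callable

# Sigma string matching is case-insensitive by default; the two modifiers
# below are the only ones the three rules use.
def _match_value(actual: Any, modifier: str, pattern: Any) -> bool:
    if actual is None:
        return False
    if modifier == "":
        return actual == pattern          # exact match, e.g. "Signed: true"
    if not isinstance(actual, str):
        return False
    a, p = actual.lower(), str(pattern).lower()
    if modifier == "endswith":
        return a.endswith(p)
    if modifier == "contains":
        return p in a
    raise ValueError(f"unsupported modifier: {modifier}")

def match_selection(event: dict, selection: dict) -> bool:
    """Every field in a selection must match (AND); a list of values is an OR."""
    for spec, patterns in selection.items():
        field, _, modifier = spec.partition("|")
        values = patterns if isinstance(patterns, list) else [patterns]
        if not any(_match_value(event.get(field), modifier, v) for v in values):
            return False
    return True

# Rules transcribed from the YAML above; each condition is a function over the
# per-selection results.
RULES: dict[str, tuple[dict, Callable[[dict], bool]]] = {
    "void_dokkaebi_vscode_task": (
        {"selection": {"ParentImage|endswith": "\\Code.exe",
                       "CommandLine|contains": ["npm install", "node index.js",
                                                "git config", "powershell"]}},
        lambda s: s["selection"],                                  # condition: selection
    ),
    "clickfix_macos_applescript": (
        {"selection_img": {"Image|endswith": "/osascript"},
         "selection_cli": {"CommandLine|contains": ["security find-generic-password",
                                                    "Library/Application Support/Google/Chrome",
                                                    "Library/Application Support/Firefox"]}},
        lambda s: all(v for k, v in s.items() if k.startswith("selection_")),  # all of selection_*
    ),
    "fox_tempest_code_signing": (
        {"selection": {"Signed": True,
                       "Issuer|contains": ["Microsoft Artifact Signing", "SignSpace"]},
         "filter_legit": {"Image|contains": ["\\Windows\\", "\\Program Files\\"]}},
        lambda s: s["selection"] and not s["filter_legit"],        # selection and not filter_legit
    ),
}

def evaluate(event: dict) -> list[str]:
    """Return the names of the rules that fire on one process-creation event."""
    fired = []
    for name, (selections, condition) in RULES.items():
        results = {sel: match_selection(event, body) for sel, body in selections.items()}
        if condition(results):
            fired.append(name)
    return fired

# Constructed sample events (fabricated for this example, not real telemetry).
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Users\\dev\\AppData\\Local\\Programs\\Microsoft VS Code\\Code.exe",
     "CommandLine": 'powershell.exe -NoProfile -Command "npm install; node index.js"'},
    {"Image": "/usr/bin/osascript",
     "ParentImage": "/bin/zsh",
     "CommandLine": "osascript -e 'do shell script \"ls ~/Library/Application Support/Google/Chrome\"'"},
    {"Image": "C:\\Users\\dev\\Downloads\\Invoice_Viewer.exe",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "Invoice_Viewer.exe",
     "Signed": True, "Issuer": "SignSpace Trusted Publisher CA"},
    {"Image": "C:\\Windows\\System32\\notepad.exe",          # benign: Microsoft-signed, under \Windows\
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "notepad.exe",
     "Signed": True, "Issuer": "Microsoft Windows Production PCA 2011"},
    {"Image": "C:\\Program Files\\nodejs\\node.exe",          # benign: ordinary build task from VS Code
     "ParentImage": "C:\\Users\\dev\\AppData\\Local\\Programs\\Microsoft VS Code\\Code.exe",
     "CommandLine": "node.exe ./node_modules/.bin/tsc -p tsconfig.json"},
]

def evaluate_all(events: list[dict] = SAMPLE_EVENTS) -> dict[int, list[str]]:
    return {i: evaluate(e) for i, e in enumerate(events)}

if __name__ == "__main__":
    for i, fired in evaluate_all().items():
        print(i, SAMPLE_EVENTS[i]["Image"], "->", fired or "no match")
```

The two benign events are the ones worth keeping in a test set: the signed `notepad.exe` shows the `filter_legit` exclusion doing its job, and the `tsc` build launched from `Code.exe` shows that the first rule only triggers on the command strings it lists, not on every child process of VS Code.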


```kql
// Hunt for ClickFix C2 connections and Fox Tempest infrastructure
let IoCDomains = dynamic(["bull-run.fun", "spot-wave.fun", "signspace.cloud"]);
DeviceNetworkEvents
| where Timestamp > ago(7d)
// RemoteUrl may hold a bare hostname or a full URL, so match by term rather than equality
| where RemoteUrl has_any (IoCDomains)
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, RemoteUrl, RemoteIP
| extend IoCType = "C2_Domain"
| order by Timestamp desc
```


```powershell
# IOC Hunt Script for Void Dokkaebi & ClickFix Payloads
# Requires Administrator privileges

$TargetHashes = @(
    "23e37cf4e2a7d55ed107b3bc3eb7812a0e3d8f90b23b0c8f549d5c10d089a2c8",
    "834a92277f1bd82d4d473ac0aa2ddb23208a3a8763a576b882e7326c42bc5412",
    "77b1beb083e4e2074402742ef2d677835072acf0e7ddd9ee8206e5a2c76b1ca5",
    "c07a15640065580e3bbff86eb567050e1a9e9847e2034ff00953ce7eeb2eec41",
    "11af4566539ad3224e968194c7a9ad7b596460d8f6e423fc62d1ea5fc0724326",
    "f0668ce925f36ff7f3359b0ea47e3fa243af13cd6ad9661dfccc9ff79fb4f1cc",
    "f0a6b89ec7eee83274cd484cea526b970a3ef28038799b0a5774bb33c5793b55"
)

$SearchPaths = @(
    "$env:USERPROFILE\Downloads",
    "$env:APPDATA",
    "$env:TEMP",
    "C:\ProgramData",
    "$env:LOCALAPPDATA\Microsoft\VSCode"
)

Write-Host "[+] Scanning for Void Dokkaebi and ClickFix Payload Hashes..." -ForegroundColor Cyan

foreach ($Path in $SearchPaths) {
    if (Test-Path $Path) {
        Write-Host "[?] Scanning $Path..." -ForegroundColor DarkGray
        # -File skips directories, which Get-FileHash cannot hash
        Get-ChildItem -Path $Path -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {
            $Hash = Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
            if ($Hash -and ($TargetHashes -contains $Hash.Hash)) {
                Write-Host "[!!!] MALICIOUS FILE DETECTED: $($_.FullName)" -ForegroundColor Red
                Write-Host "    Hash: $($Hash.Hash)" -ForegroundColor Red
            }
        }
    }
}

Write-Host "[+] Scanning for VS Code Task Tampering..." -ForegroundColor Cyan
# "folderOpen" is the runOptions.runOn value that makes VS Code start a task automatically when the folder is opened
$SuspiciousTaskPattern = "git clone|npm install|node index|powershell.*-enc|folderOpen"

# Check the user-level tasks file plus any workspace-level .vscode\tasks.json under the search paths;
# repository poisoning plants the latter inside the cloned project
$TaskFiles = @("$env:APPDATA\Code\User\tasks.json")
$TaskFiles += Get-ChildItem -Path $SearchPaths -Recurse -File -Filter tasks.json -ErrorAction SilentlyContinue |
    Where-Object { $_.Directory.Name -eq ".vscode" } |
    Select-Object -ExpandProperty FullName

foreach ($TaskFile in $TaskFiles) {
    if ($TaskFile -and (Test-Path $TaskFile)) {
        $Content = Get-Content $TaskFile -Raw
        if ($Content -match $SuspiciousTaskPattern) {
            Write-Host "[!!!] SUSPICIOUS TASKS.JSON CONTENT DETECTED AT: $TaskFile" -ForegroundColor Yellow
        }
    }
}
```
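
The worm-like propagation described in the Void Dokkaebi profile and the tasks-file check at the end of the hunt script above both hinge on the workspace `.vscode/tasks.json`, which VS Code can start automatically when a folder is opened (`runOptions.runOn: folderOpen`). Here is an added example, not part of the original post and not affiliated with VS Code or Security Arsenal: a cross-platform Python auditor that walks a checkout tree, parses each `.vscode/tasks.json` (VS Code accepts comments and trailing commas, so plain `json.loads` fails on many real files), and reports tasks that auto-run, keep their terminal hidden, or carry the command strings the Sigma rule above keys on. The sample tasks file and the indicator list are constructed for this example and are not a vetted signature set.

```python
import json
import os
import re
import tempfile

# Substrings that warrant a closer look in a task command. The first four are the
# ones the Sigma rule above keys on; the rest are common download-and-run idioms.
# Constructed starting point for this example, not a vetted signature set.
SUSPICIOUS_COMMANDS = ("npm install", "node index.js", "git config", "powershell",
                       "-enc", "curl ", "wget ", "base64", "bash -c", "sh -c")

# VS Code reads tasks.json as JSON-with-comments: drop // and /* */ comments
# (never inside string literals) and trailing commas before handing to json.loads.
_COMMENT_OR_STRING = re.compile(r'("(?:\\.|[^"\\])*")|//[^\n]*|/\*.*?\*/', re.S)
_TRAILING_COMMA = re.compile(r",\s*([}\]])")

def strip_jsonc(text: str) -> str:
    without_comments = _COMMENT_OR_STRING.sub(lambda m: m.group(1) or "", text)
    return _TRAILING_COMMA.sub(r"\1", without_comments)

def _command_text(task: dict) -> str:
    """Flatten command + args, including windows/linux/osx overrides, into one string."""
    parts: list[str] = []
    for scope in (task, task.get("windows"), task.get("linux"), task.get("osx")):
        if not isinstance(scope, dict):
            continue
        if scope.get("command") is not None:
            parts.append(str(scope["command"]))
        for arg in scope.get("args") or []:
            # args may be plain strings or {"value": ..., "quoting": ...} objects
            parts.append(str(arg.get("value", "")) if isinstance(arg, dict) else str(arg))
    return " ".join(parts)

def audit_tasks(doc: dict) -> list[dict]:
    """Return one finding per task that auto-runs or matches a suspicious command string."""
    findings = []
    for task in doc.get("tasks", []):
        if not isinstance(task, dict):
            continue
        auto_run = (task.get("runOptions") or {}).get("runOn") == "folderOpen"
        hidden = (task.get("presentation") or {}).get("reveal") == "never"
        cmd = _command_text(task)
        indicators = [s for s in SUSPICIOUS_COMMANDS if s in cmd.lower()]
        if auto_run or indicators:
            findings.append({"label": task.get("label"), "auto_run": auto_run,
                             "hidden": hidden, "indicators": indicators, "command": cmd})
    return findings

def audit_tasks_text(text: str) -> list[dict]:
    return audit_tasks(json.loads(strip_jsonc(text)))

def scan_tree(root: str) -> list[tuple[str, list[dict]]]:
    """Audit every .vscode/tasks.json under root; returns (path, findings) for files with findings."""
    results = []
    for dirpath, _dirs, files in os.walk(root):
        if os.path.basename(dirpath) == ".vscode" and "tasks.json" in files:
            path = os.path.join(dirpath, "tasks.json")
            try:
                with open(path, encoding="utf-8-sig") as fh:
                    findings = audit_tasks_text(fh.read())
            except (OSError, ValueError) as exc:  # unreadable or still-unparseable file: surface it, don't skip it
                findings = [{"label": None, "auto_run": False, "hidden": False,
                             "indicators": [f"parse error: {exc}"], "command": ""}]
            if findings:
                results.append((path, findings))
    return results

# Constructed sample: one ordinary build task and one that mimics the poisoning pattern.
SAMPLE_TASKS_JSON = r'''{
  // constructed example, not a file taken from a real repository
  "version": "2.0.0",
  "tasks": [
    { "label": "build", "type": "shell", "command": "npm run build", },
    {
      "label": "Prepare workspace",
      "type": "shell",
      "command": "npm install && node index.js",
      "windows": { "command": "powershell -NoProfile -Command \"npm install; node index.js\"" },
      "runOptions": { "runOn": "folderOpen" },
      "presentation": { "reveal": "never" } /* keeps the terminal panel closed */
    }
  ]
}'''

def demo_scan() -> list[tuple[str, list[dict]]]:
    """Write the sample into a temporary checkout and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        vscode_dir = os.path.join(tmp, "repo", ".vscode")
        os.makedirs(vscode_dir)
        with open(os.path.join(vscode_dir, "tasks.json"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_TASKS_JSON)
        return scan_tree(tmp)

if __name__ == "__main__":
    import sys
    for path, findings in (scan_tree(sys.argv[1]) if len(sys.argv) > 1 else demo_scan()):
        for f in findings:
            print(f"{path}: task {f['label']!r} auto_run={f['auto_run']} "
                  f"hidden={f['hidden']} indicators={f['indicators']}")
```

Run it as `python audit_tasks.py /path/to/checkouts` after a developer clones anything from an interview or recruiter; with no argument it scans the embedded sample. An auto-run task that hides its terminal and installs or executes code is the combination to treat as an incident, while a plain `folderOpen` task with an ordinary build command is usually legitimate and only needs a review.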


Response Priorities

*   **Immediate:** 
    *   Block all domains (`bull-run.fun`, `spot-wave.fun`, `signspace.cloud`) at the DNS and Proxy level.
    *   Initiate a hash hunt across all endpoints for the SHA256 indicators provided.
    *   Isolate any developer machines showing signs of VS Code executing child processes (PowerShell/CMD) triggered by `tasks.json`.

*   **24h:** 
    *   If credential theft is suspected (ClickFix), force a password reset and MFA re-enrollment for accounts accessed from compromised macOS devices.
    *   For Void Dokkaebi targets, rotate GitHub/SSH keys and API tokens stored on potentially compromised developer workstations.
    *   Review code-signing certificate logs for any abuse of the "Microsoft Artifact Signing" API.

*   **1 Week:** 
    *   Implement application control policies to restrict VS Code from spawning unauthorized shells.
    *   Update security awareness training to include "Fake Job Interview" supply chain attacks and "Fake CAPTCHA" browser scams.
    *   Enforce strict review policies for internal code repositories and third-party dependencies.
