🇰🇵 KP4 malware families

nickel_alley

Also known asnickel_alley

NICKEL ALLEY is a North Korean government-linked threat group that operates on behalf of the North Korean government. The group targets professionals in the technology sector, especially software developers and Web3-related personnel, including developers in finance and technology and individuals on freelance platforms such as Upwork and Fiverr. Its activity is publicly tracked as the Contagious Interview campaign. NICKEL ALLEY uses fake job opportunities, fraudulent recruiter outreach, fake LinkedIn company pages, fake company websites, and coordinating GitHub accounts to lure victims into a fake interview or skills assessment process that results in malware execution. Reported delivery methods include ClickFix-style lures that instruct victims to run local commands, malicious or typosquatted npm packages, compromised npm repositories, cloned or downloaded GitHub repositories that victims are told to execute with commands such as npm install and npm start, and malicious Visual Studio Code tasks. The group has used PyLangGhost RAT, a Python-based successor to GoLangGhost RAT, and has also delivered BeaverTail and OtterCookie payloads. Reported PyLangGhost capabilities include arbitrary command execution, file exfiltration, system profiling, browser credential theft, cookie theft, and theft of Chrome cryptocurrency wallet extension data. Sophos assessed that cryptocurrency theft appears to be a primary objective, while also warning that the group may use initial access for supply chain compromise or corporate espionage. Known aliases directly mentioned in the content are CL-STA-0240 (Palo Alto), Tenacious Pungsan (Datadog), and Storm-1877 (Microsoft).

Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial

OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Who they target

Sectors the actor has been observed targeting.

Software & Services

Where they're from

Attributed origin per open-source reporting.

MITRE ATT&CK

Tradecraft

21 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

9 of 15 tactics22 techniques×N= number of intelligence reports citing this technique

MITRE ATT&CK

TA0042

Resource Development

1 technique

T1583

Acquire Infrastructure

T1583.001

Domains

TA0001

Initial Access

4 techniques

T1189

Drive-by Compromise

T1195×2

Supply Chain Compromise

T1195.001×3

Compromise Software Dependencies and Development Tools

T1199

Trusted Relationship

T1566

Phishing

T1566.003×3

Spearphishing via Service

TA0002

Execution

3 techniques

T1059

Command and Scripting Interpreter

T1059.001

PowerShell

T1059.003

Windows Command Shell

T1059.005

Visual Basic

T1059.006

Python

T1059.007

JavaScript

T1203

Exploitation for Client Execution

T1204×3

User Execution

TA0005

Stealth

1 technique

T1036×2

Masquerading

TA0006

Credential Access

1 technique

T1555

Credentials from Password Stores

TA0007

Discovery

1 technique

T1082

System Information Discovery

TA0009

Collection

1 technique

T1560

Archive Collected Data

TA0011

Command and Control

1 technique

T1105×2

Ingress Tool Transfer

TA0010

Exfiltration

1 technique

T1041

Exfiltration Over C2 Channel

ARSENAL

Associated malware families

4 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen

PyLangGhost RATOver the last year, the group has used the popular ClickFix tactic to deliver PyLangGhost RAT malware via fake job skills assessment tasks. This involved the attacker-controlled web interface presenting an error informing the victim that they must run a command locally to fix the issue – a command that instead initiated a series of actions leading to PyLangGhost RAT. It previously used a GoLang-based version known as GoLangGhost RAT.2Apr 29, 2026

BeaverTailThe code in index.js implements the Node.js fetch API to send an HTTP request to that URL and retrieve BeaverTail malware.1Mar 24, 2026

GolangGhost RATPyLangGhost RAT was preceded by a GoLang-based version known as GoLangGhost RAT. Samples of GoLangGhost RAT were first observed in the wild around February 2025.1Mar 24, 2026

OtterCookieThe attacker-owned GitHub repositories often contain simple, obfuscated code for downloading BeaverTail or OtterCookie malware.1Mar 24, 2026

IOCS

Observables

32 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.

32 IOCsView more in app

Domains

11 total

••••••.com•••••••.ru••••••••.com•••••••••.net••••••••••.com•••••••••••.ru••••••••••••.com••••••.ru+3

uri

7 total

•••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••

hash.md5

4 total

••••••••••••••••••••••••••••••••••••••

hash.sha1

4 total

••••••••••••••••••••••••••••••••••••••

hash.sha256

4 total

••••••••••••••••••••••••••••••••••••••

ip.v4

2 total

•••••••••••••••••

IOC values are gated. View more in Mallory for domains, IPs, hashes, and other artifacts, or pipe them straight into your SIEM.

ACTIVITY FEED

Recent activity

4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

4 SOURCESView more in app

itproNews

Apr 29, 2026

North Korean hackers are duping freelance developers with fake interviews to steal cryptocurrency and deliver malware - Sophos warns the 'Nickel Alley' group is using LinkedIn, Upwork, and Fiverr to target victims | IT Pro

Targets software developers through fake job interview and recruitment lures to deliver malware and steal cryptocurrency, while also seeking initial access for supply chain compromise or corporate espionage.

lazarusholic blueskyNews

Mar 24, 2026

Post by @lazarusholic.bsky.social - Bluesky

Referenced as a named threat actor or activity cluster in a Sophos report title; no further operational details are provided in the content itself.

sophos blogNews

Mar 23, 2026

NICKEL ALLEY strategy: Fake it ‘til you make it | SOPHOS

Conducts Contagious Interview campaigns targeting technology professionals with fake job opportunities, fake LinkedIn/company pages, GitHub repositories, ClickFix lures, and malicious npm/typosquatted packages to deliver malware for cryptocurrency theft, supply chain compromise, and possible corporate espionage.

secureworks threat profilesNews

Dec 3, 2025

NICKEL ALLEY

Targets professionals in the technology sector using fake job opportunities and a fraudulent interview process to deliver malware as part of the Contagious Interview campaign.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.

Start free trial

Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping21

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal4

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables32

Domains, IPs, and hashes tied to this actor, refreshed continuously.