Listen to this Post

In the ever-evolving landscape of cybersecurity threats, North Korea continues to push the boundaries of digital espionage. Recent findings from Silent Push Threat Analysts have unveiled a new and dangerously deceptive campaign known as “Contagious Interview.” This operation, attributed to a subdivision of the infamous Lazarus Group, is aimed at exploiting job seekers in the cryptocurrency industry through sophisticated social engineering and malware deployment.
By posing as legitimate tech firms, these state-sponsored hackers are not just stealing data—they’re hijacking trust, exploiting ambition, and manipulating the very fabric of remote hiring practices. The campaign showcases North Korea’s chilling fusion of psychological manipulation and technical prowess, signaling a new frontier in cyber warfare.
The Mechanics of the “Contagious Interview” Campaign
- State-Backed Actors: An offshoot of the Lazarus Group is behind this latest threat, targeting job-seeking developers and professionals in the cryptocurrency and blockchain ecosystem.
2. Fake Companies Identified:
– BlockNovas LLC
– Angeloper Agency
– SoftGlide LLC
These firms are entirely fraudulent, created to lure and compromise job applicants.
- Platform Infiltration: Attackers operate through popular platforms like Upwork, Freelancer.com, and CryptoJobsList, where they pose as recruiters offering high-paying roles.
4. Synthetic Profiles:
– Use of AI-generated images
– Fake LinkedIn profiles
- Fictitious resumes created with tools like Remaker AI
– Cloned websites and plagiarized portfolios
5. The Infection Process:
- Victims are guided through detailed fake interview processes.
- Tasks include uploading credentials, video intros, or performing coding tests.
- These tests involve downloading malware-laced code from GitHub or fake domains like
apply-blocknovas[.]site.
6. Advanced Malware Tools Identified:
– BeaverTail: JavaScript-based loader and info-stealer.
- InvisibleFerret: A cross-platform malware with persistence and credential theft capabilities.
- OtterCookie: Possibly used for deeper infiltration and system surveillance.
7. Targets & Payloads:
– Extracts credentials from browsers, crypto wallets, keyrings.
- Can install reverse shells, keyloggers, and communicate with C2 servers via encrypted channels.
- Modular Design: Malware can evolve post-installation, receiving new modules from command servers to adjust attack strategies.
-
Infrastructure Overlap: All three companies share the same backend—identical dashboards, IP ranges, and hosting providers linked to North Korean APT operations.
10. Operational Security Failures:
– Sloppy domain records.
– Overlapping user interfaces across fake firms.
– Traceable digital footprints despite VPN obfuscation.
11. Real-World Consequences:
– Victims report theft of cryptocurrency.
– Systems enlisted into botnets.
– Widespread compromise of professional devices.
12. Call to Action:
– Verify job offers and company credentials thoroughly.
– Avoid executing code from unverified sources.
- Use behavioral analytics and updated threat intelligence feeds to detect malicious activity.
What Undercode Say:
The revelation of this campaign underscores a broader, more unsettling shift in cyber warfare: psychological exploitation is now weaponized alongside technical tools. North Korea’s Lazarus Group isn’t merely coding malware—they’re scripting a narrative that appeals to the hopes and dreams of aspiring developers. That narrative is a digital trap.
The use of professional platforms like Upwork and Freelancer.com as vectors is particularly alarming. These platforms are built on trust, making them ripe for abuse. With convincing AI-generated visuals, resumes, and cloned websites, the attackers blur the line between legitimate opportunity and digital threat.
BeaverTail and InvisibleFerret aren’t just programs—they represent a strategic evolution. Malware isn’t just stealing passwords anymore; it’s living inside systems, silently watching, adapting, and evolving with every new deployment. Their cross-platform design ensures maximum reach, and their encryption techniques make detection difficult even for seasoned cybersecurity teams.
The malicious payloads are structured modularly, which is a hallmark of advanced persistent threats. Attackers can dynamically shift focus—exfiltrating wallets one day, deploying spyware the next—without needing a fresh breach.
North Korea’s use of residential proxies and VPNs like Astrill shows a solid grasp of evasion tactics. They understand the blue team’s playbook, and they’re actively rewriting it. The attackers are no longer hiding in shadows; they’re disguised as opportunity, professionalism, and ambition.
What’s even more insidious is how these operations exploit the economic pressures of tech workers. In a gig economy, a well-paying crypto job is highly enticing. By exploiting this desperation, Lazarus turns economic vulnerability into a security weakness.
Furthermore, the campaign’s infrastructure points to ongoing failure in international cybersecurity coordination. Despite the fake firms sharing backend tools and servers traceable to known North Korean IP blocks, they’ve managed to stay online long enough to compromise systems globally.
Undercode’s stance is clear: the tech and crypto industries must re-evaluate their trust models. Job offers should be scrutinized as potential phishing attacks. Employers must verify recruiter identities. Platforms must implement stronger vetting for job postings.
From a defense standpoint, network monitoring and heuristic analysis are no longer optional. Developers and IT teams must educate themselves on behavioral anomalies in code and network traffic. And perhaps most crucially, we must normalize skepticism when engaging online—especially when money, software, and trust intersect.
This is not just a cybercrime issue—it’s a national security concern with global implications.
Fact Checker Results:
- Verified links to Lazarus Group activity via infrastructure and malware samples.
- Confirmed fake companies with cloned digital assets and AI-generated recruiter profiles.
- Documented financial loss and crypto wallet compromise from victims engaging in fake job interviews.
References:
Reported By: cyberpress.org
Extra Source Hub:
https://www.pinterest.com
Wikipedia
Undercode AI
Image Source:
Unsplash
Undercode AI DI v2




