An Overview of North Korea’s “Contagious Interview” Malware Campaign

In recent months, cybersecurity researchers have uncovered a sophisticated campaign, dubbed “Contagious Interview,” orchestrated by North Korea–linked threat actors. Under the guise of legitimate cryptocurrency consulting firms, these adversaries have built an elaborate network of front companies, fake social media profiles, and AI-generated personas to lure skilled IT professionals into a faux hiring process. Once engaged, victims are tricked into downloading malware that establishes long-term access to their systems, harvesting sensitive data, and compromising cryptocurrency wallets.

This article delves into the various facets of the Contagious Interview operation: how the front companies operate, the malware families in use, the infrastructure underpinning the scheme, and the broader strategic motivations driving North Korean cybercriminals.

Front Companies as Malware Distribution Platforms

North Korean operators have registered at least three shell firms in the cryptocurrency consulting sector:

BlockNovas LLC

• Domain: blocknovas[.]com
• Claimed history: “12+ years” in operation (despite only one year of official registration)
• Personnel: 14 listed employees, most of whom are fictitious personas generated or enhanced by AI tools like Remaker.

Angeloper Agency

• Domain: angeloper[.]com
• Purpose: Presents itself as a boutique blockchain advisory service, using a polished website and LinkedIn page to appear legitimate.

SoftGlide LLC

• Domain: softglide[.]co
• Tactics: Employs fake job postings on major platforms (LinkedIn, Facebook, GitHub) to advertise coding assignments, video-based assessments, and “browser camera test” tasks.

These front companies serve as the initial touchpoint: unsuspecting developers apply for positions, submit résumés, and are invited to complete technical assessments. It is during these assessments—often disguised as Zoom-style video interviews—that malicious payloads are delivered.

Malware Families and Infection Chains

Silent Push, a cybersecurity firm that published an in-depth analysis of Contagious Interview, identified three primary malware families deployed in this campaign:

BeaverTail (JavaScript Stealer/Loader)

• Delivery: JavaScript payload included in “interview tools” or “coding assignment” packages.
• Function: Contacts a command-and-control (C2) server at lianxinxiao[.]com to fetch additional modules.
• Capabilities: System reconnaissance, reverse shell, module download for browser data theft, and remote installation of AnyDesk.

InvisibleFerret (Python Backdoor)

• Persistence: Cross-platform support for Windows, Linux, and macOS.
• Features: Surreptitious execution, data exfiltration, remote command execution.

OtterCookie

• Role: Secondary payload occasionally dropped by the BeaverTail loader.
• Use case: Cookie theft, credential harvesting, and session hijacking.

Some infection chains also deliver additional tools such as FROSTYFERRET and GolangGhost, through video assessment lures tied to the ClickFake Interview tactic documented by Sekoia.

Malicious Infrastructure and Anonymization Techniques

The sophistication of Contagious Interview extends beyond malware code. The threat actors maintain a multi-layered infrastructure designed for resilience and concealment:

Domain Dashboard and Monitoring

• A “Status Dashboard” hosted on a BlockNovas subdomain provides real-time monitoring of four malicious domains (including angeloperonline[.]online and softglide[.]co).

Password-Cracking Management

• The subdomain mail. blocknovas[.]com runs Hashtopolis, an open-source distributed password-cracking system, indicating preparation for large-scale credential attacks.

AI-Generated Personas

• Profile images and team member bios are created with AI tools (e.g., Remaker), enabling realistic but fake LinkedIn, GitHub, and Medium accounts.

VPNs, Proxies, and RDP Chains

• Use of commercial VPNs (Astrill), residential proxies, and dozens of VPS servers accessed via RDP to mask operational origins.
• The analysis uncovered five Russian IP ranges assigned to providers in Khasan and Khabarovsk, routed through multiple anonymization layers.

Geographic and Strategic Context

Though the malware campaign is global in scope, telemetry suggests most operator activity originates from:

• China
• Russia (particularly the Far East regions near the North Korea border)
• Pakistan

The clustering of anonymization infrastructure in Russian border areas raises the possibility of tacit cooperation or infrastructure sharing between DPRK and Russian entities, though confidence remains low to medium.

Strategically, these operations serve two complementary objectives:

1. Intelligence collection: Stealing proprietary code, internal documents, and user credentials from high-value tech targets.
2. Financial gain: Harvesting cryptocurrency via wallet compromise, then funneling proceeds back to DPRK coffers—often by coercing recruited “employees” to remit a portion of their (illicit) salaries.

Real-World Impact and Law Enforcement Response

Victimization of Developers

At least one blockchain developer reported a compromised MetaMask wallet in September 2024 after engaging with a BlockNovas interview process.

FBI Seizure of BlockNovas Domain

On April 23, 2025, U.S. authorities seized blocknovas[.]com as part of a broader disruption of North Korean cyber operations. The FBI’s complaint highlighted the use of fake job postings to distribute cross-platform malware.

Parallel DPRK “Wagemole” Scheme

Contagious Interview represents one side of North Korea’s recruitment-for-malware paradigm. On the other side lies “Wagemole”:

• Definition: AI-assisted creation of bogus IT professional personas who secure legitimate remote roles at major companies.
• Mechanism: Facilitators use generative AI for interview scheduling, transcription, translation, and persona management—assigning multiple DPRK nationals to roles while skimming salaries.

Okta researchers warn that GenAI tools optimize every step—from résumé crafting to real-time translation, enabling a small facilitator cell to manage dozens of candidate personas simultaneously.

Mitigation and Defensive Recommendations

Organizations and job seekers can adopt several best practices to guard against Contagious Interview–style scams:

For Hiring Managers

• Validate vendor domains: Cross-check company registration dates and use WHOIS history tools (e.g., Wayback Machine) to flag anomalous “long-standing” claims.
• Verify candidate identities: Insist on institutional email addresses rather than public-domain or newly created accounts.
• Sandbox assessments: Run any code-assignment tools within isolated virtual machines lacking access to sensitive credentials or network shares.

For Job Seekers

• Scrutinize URLs: Be wary of slight misspellings (e.g., “blocknovas[.]co” vs “blocknovas[.]com”) and unexpected domain registrations.
• Use dedicated devices: Conduct technical interviews on a separate system without access to personal wallets or corporate VPNs.
• Question AI-generated profiles: Look for inconsistencies in team pages, such as generic stock photos or overly polished LinkedIn histories.

Conclusion

The Contagious Interview campaign illustrates the evolving sophistication of DPRK cyber operations. By blending social engineering, AI-generated personas, and multi-stage malware delivery, North Korean threat actors have crafted a highly effective method to infiltrate target networks and exfiltrate valuable data. As law enforcement agencies move to dismantle the infrastructure exemplified by the recent FBI seizure of BlockNovas, security teams and job seekers alike must stay vigilant against deceptively polished job interview lures.

Through a combination of rigorous domain vetting, isolated testing environments, and heightened awareness of AI-driven deception, organizations can disrupt these malicious recruitment schemes and protect both their personnel and intellectual property.