{ "id": "b1949c4c-656b-4111-ac8c-c2bae1194567", "created_at": "2026-04-06T00:18:06.160569Z", "updated_at": "2026-04-10T13:11:52.500771Z", "deleted_at": null, "sha1_hash": "18bf79b069c2e1f1de59d9ac9822780c608334f9", "title": "Subgroup: Operation Contagious Interview - Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 90188, "plain_text": "Subgroup: Operation Contagious Interview - Threat Group Cards:\r\nA Threat Actor Encyclopedia\r\nArchived: 2026-04-05 22:08:49 UTC\r\nHome \u003e List all groups \u003e Subgroup: Operation Contagious Interview\r\n APT group: Subgroup: Operation Contagious Interview\r\nNames\r\nOperation Contagious Interview (Palo Alto)\r\nWagemole (Palo Alto)\r\nTenacious Pungsan (Datadog Security Research)\r\nNickel Tapestry (SecureWorks)\r\nUNC5267 (Mandiant)\r\nWaterPlum (NTT)\r\nPurpleBravo (Recorded Future)\r\nStorm-0287 (Microsoft)\r\nJasper Sleet (Microsoft)\r\nCountry North Korea\r\nMotivation Information theft and espionage\r\nFirst seen 2020\r\nDescription\r\nA subgroup of Lazarus Group, Hidden Cobra, Labyrinth Chollima.\r\n(Palo Alto) Unit 42 researchers recently discovered two separate campaigns targeting\r\njob-seeking activities linked to state-sponsored threat actors associated with the\r\nDemocratic People’s Republic of Korea (DPRK), commonly known as North Korea.\r\nWe call the first campaign “Contagious Interview,” where threat actors pose as\r\nemployers (often anonymously or with vague identities) to lure software developers\r\ninto installing malware through the interview process. This malware creates the\r\npotential for various types of theft. We attribute with moderate confidence that\r\nContagious Interview is run by a North Korea state-sponsored threat actor.\r\nWe call the second campaign “Wagemole,” where threat actors seek unauthorized\r\nemployment with organizations based in the US and other parts of the world, with\r\npotential for both financial gain and espionage. We attribute with high confidence that\r\nWagemole is a North Korea state-sponsored threat. Activity from both campaigns\r\nremains an ongoing active threat.\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=6a507717-ba17-44cb-af22-ebc5aea59b67\r\nPage 1 of 5\n\nObserved\nTools used BeaverTail, InvisibleFerret, OtterCookie, PylangGhost.\nOperations performed\nJul 2024\nHow a North Korean Fake IT Worker Tried to Infiltrate Us\nSep 2024\nTenacious Pungsan: A DPRK threat actor linked to Contagious\nInterview\nOct 2024\nContagious Interview: DPRK Threat Actors Lure Tech Industry Job\nSeekers to Install New Variants of BeaverTail and InvisibleFerret\nMalware\nOct 2024\nDPRK IT Workers Expanding in Scope and Scale\nNov 2024\nFake North Korean IT Worker Linked to BeaverTail Video Conference\nApp Phishing Attack\nNov 2024\nNew 'OtterCookie' malware used to backdoor devs in fake job offers\nNov 2024\nBeaverTail and Tropidoor Malware Distributed via Recruitment Emails\nDec 2024\nmacOS FlexibleFerret | Further Variants of DPRK Malware Family\nUnearthed\nJan 2025\nNorth Korean APT Lazarus Targets Developers with Malicious npm\nPackage\nFeb 2025 Lazarus Group Targets Organizations with Sophisticated LinkedIn\nRecruiting Scam\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=6a507717-ba17-44cb-af22-ebc5aea59b67\nPage 2 of 5\n\nFeb 2025\nAdditional Features of OtterCookie Malware Used by WaterPlum\nMar 2025\nLazarus Strikes npm Again with New Wave of Malicious Packages\nMar 2025\nFrom Contagious to ClickFake Interview: Lazarus leveraging the\nClickFix tactic\nApr 2025\nLazarus Expands Malicious npm Campaign: 11 New Packages Add\nMalware Loaders and Bitbucket Payloads\nApr 2025\nContagious Interview (DPRK) Launches a New Campaign Creating\nThree Front Companies to Deliver a Trio of Malware: BeaverTail,\nInvisibleFerret, and OtterCookie\nMay 2025\nFamous Chollima deploying Python version of GolangGhost RAT\nJun 2025\nAnother Wave: North Korean Contagious Interview Campaign Drops\n35 New Malicious npm Packages\nJul 2025\nContagious Interview Campaign Escalates With 67 Malicious npm\nPackages and New Malware Loader\nCounter operations\nMay 2024\nUS woman allegedly aided North Korean IT workers infiltrate 300\nfirms\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=6a507717-ba17-44cb-af22-ebc5aea59b67\nPage 3 of 5\n\nAug 2024\nDepartment Disrupts North Korean Remote IT Worker Fraud Schemes\nThrough Charges and Arrest of Nashville Facilitator\nDec 2024\nUS offers $5 million for info on North Korean IT worker farms\nDec 2024\nSouth Korea sanctions 15 North Koreans for IT worker scams,\nfinancial hacking schemes\nJan 2025\nTwo North Korean Nationals and Three Facilitators Indicted for Multi-Year Fraudulent Remote Information Technology Worker Scheme that\nGenerated Revenue for the Democratic People’s Republic of Korea\nJun 2025\nDOJ moves to claim $7.74 million tied to North Korean IT worker\nscheme\nJun 2025\nDOJ raids 29 ‘laptop farms’ in operation against North Korean IT\nworker scheme\nJul 2025\nSanctions Imposed on DPRK IT Workers Generating Revenue for the\nKim Regime\nJul 2025\nUS hits senior North Korean officials with sanctions, $3 million\nbounties\nInformation\n\ne48385e382d2e5d17821a5e1d8e4c86b.ssl.cf1.rackcdn.com/external/2024-10-01-\nsecurity-advisory.pdf\u003e\nLast change to this card: 16 August 2025\nDownload this actor card in PDF or JSON format\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=6a507717-ba17-44cb-af22-ebc5aea59b67\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=6a507717-ba17-44cb-af22-ebc5aea59b67\nPage 5 of 5", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "origins": [ "web" ], "references": [ "https://apt.etda.or.th/cgi-bin/showcard.cgi?u=6a507717-ba17-44cb-af22-ebc5aea59b67" ], "report_names": [ "showcard.cgi?u=6a507717-ba17-44cb-af22-ebc5aea59b67" ], "threat_actors": [ { "id": "32e2c6f9-a1f5-42bc-ac1d-5d9dc301cf0e", "created_at": "2025-08-07T02:03:25.078429Z", "updated_at": "2026-04-10T02:00:03.811418Z", "deleted_at": null, "main_name": "NICKEL ALLEY", "aliases": [ "CL-STA-0240 ", "Purplebravo Recorded Future", "Storm-1877 ", "Tenacious Pungsan " ], "source_name": "Secureworks:NICKEL ALLEY", "tools": [], "source_id": "Secureworks", "reports": null }, { "id": "34eea331-d052-4096-ae03-a22f1d090bd4", "created_at": "2025-08-07T02:03:25.073494Z", "updated_at": "2026-04-10T02:00:03.709243Z", "deleted_at": null, "main_name": "NICKEL ACADEMY", "aliases": [ "ATK3 ", "Black Artemis ", "COVELLITE ", "CTG-2460 ", "Citrine Sleet ", "Diamond Sleet ", "Guardians of Peace", "HIDDEN COBRA ", "High Anonymous", "Labyrinth Chollima ", "Lazarus Group ", "NNPT Group", "New Romanic Cyber Army Team", "Temp.Hermit ", "UNC577 ", "Who Am I?", "Whois Team", "ZINC " ], "source_name": "Secureworks:NICKEL ACADEMY", "tools": [ "Destover", "KorHigh", "Volgmer" ], "source_id": "Secureworks", "reports": null }, { "id": "7187a642-699d-44b2-9c69-498c80bce81f", "created_at": "2025-08-07T02:03:25.105688Z", "updated_at": "2026-04-10T02:00:03.78394Z", "deleted_at": null, "main_name": "NICKEL TAPESTRY", "aliases": [ "CL-STA-0237 ", "CL-STA-0241 ", "DPRK IT Workers", "Famous Chollima ", "Jasper Sleet Microsoft", "Purpledelta Recorded Future", "Storm-0287 ", "UNC5267 ", "Wagemole " ], "source_name": "Secureworks:NICKEL TAPESTRY", "tools": [], "source_id": "Secureworks", "reports": null }, { "id": "4fc99d9b-9b66-4516-b0db-520fbef049ed", "created_at": "2025-10-29T02:00:51.949631Z", "updated_at": "2026-04-10T02:00:05.346203Z", "deleted_at": null, "main_name": "Contagious Interview", "aliases": [ "Contagious Interview", "DeceptiveDevelopment", "Gwisin Gang", "Tenacious Pungsan", "DEV#POPPER", "PurpleBravo", "TAG-121" ], "source_name": "MITRE:Contagious Interview", "tools": [ "InvisibleFerret", "BeaverTail", "XORIndex Loader", "HexEval Loader" ], "source_id": "MITRE", "reports": null }, { "id": "732597b1-40a8-474c-88cc-eb8a421c29f1", "created_at": "2025-08-07T02:03:25.087732Z", "updated_at": "2026-04-10T02:00:03.776007Z", "deleted_at": null, "main_name": "NICKEL GLADSTONE", "aliases": [ "APT38 ", "ATK 117 ", "Alluring Pisces ", "Black Alicanto ", "Bluenoroff ", "CTG-6459 ", "Citrine Sleet ", "HIDDEN COBRA ", "Lazarus Group", "Sapphire Sleet ", "Selective Pisces ", "Stardust Chollima ", "T-APT-15 ", "TA444 ", "TAG-71 " ], "source_name": "Secureworks:NICKEL GLADSTONE", "tools": [ "AlphaNC", "Bankshot", "CCGC_Proxy", "Ratankba", "RustBucket", "SUGARLOADER", "SwiftLoader", "Wcry" ], "source_id": "Secureworks", "reports": null }, { "id": "a2b92056-9378-4749-926b-7e10c4500dac", "created_at": "2023-01-06T13:46:38.430595Z", "updated_at": "2026-04-10T02:00:02.971571Z", "deleted_at": null, "main_name": "Lazarus Group", "aliases": [ "Operation DarkSeoul", "Bureau 121", "Group 77", "APT38", "NICKEL GLADSTONE", "G0082", "COPERNICIUM", "Moonstone Sleet", "Operation GhostSecret", "APT 38", "Appleworm", "Unit 121", "ATK3", "G0032", "ATK117", "NewRomanic Cyber Army Team", "Nickel Academy", "Sapphire Sleet", "Lazarus group", "Hastati Group", "Subgroup: Bluenoroff", "Operation Troy", "Black Artemis", "Dark Seoul", "Andariel", "Labyrinth Chollima", "Operation AppleJeus", "COVELLITE", "Citrine Sleet", "DEV-0139", "DEV-1222", "Hidden Cobra", "Bluenoroff", "Stardust Chollima", "Whois Hacking Team", "Diamond Sleet", "TA404", "BeagleBoyz", "APT-C-26" ], "source_name": "MISPGALAXY:Lazarus Group", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "7d5531e2-0ad1-4237-beed-af009035576f", "created_at": "2024-05-01T02:03:07.977868Z", "updated_at": "2026-04-10T02:00:03.817883Z", "deleted_at": null, "main_name": "BRONZE PALACE", "aliases": [ "APT15 ", "BRONZE DAVENPORT ", "BRONZE IDLEWOOD ", "CTG-6119 ", "CTG-6119 ", "CTG-9246 ", "Ke3chang ", "NICKEL ", "Nylon Typhoon ", "Playful Dragon", "Vixen Panda " ], "source_name": "Secureworks:BRONZE PALACE", "tools": [ "BMW", "BS2005", "Enfal", "Mirage", "RoyalCLI", "RoyalDNS" ], "source_id": "Secureworks", "reports": null }, { "id": "d05e8567-9517-4bd8-a952-5e8d66f68923", "created_at": "2024-11-13T13:15:31.114471Z", "updated_at": "2026-04-10T02:00:03.761535Z", "deleted_at": null, "main_name": "WageMole", "aliases": [ "Void Dokkaebi", "WaterPlum", "PurpleBravo", "Famous Chollima", "UNC5267", "Wagemole", "Nickel Tapestry", "Storm-1877" ], "source_name": "MISPGALAXY:WageMole", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "32a223a8-3c79-4146-87c5-8557d38662ae", "created_at": "2022-10-25T15:50:23.703698Z", "updated_at": "2026-04-10T02:00:05.261989Z", "deleted_at": null, "main_name": "Lazarus Group", "aliases": [ "Lazarus Group", "Labyrinth Chollima", "HIDDEN COBRA", "Guardians of Peace", "NICKEL ACADEMY", "Diamond Sleet" ], "source_name": "MITRE:Lazarus Group", "tools": [ "RawDisk", "Proxysvc", "BADCALL", "FALLCHILL", "WannaCry", "MagicRAT", "HOPLIGHT", "TYPEFRAME", "Dtrack", "HotCroissant", "HARDRAIN", "Dacls", "KEYMARBLE", "TAINTEDSCRIBE", "AuditCred", "netsh", "ECCENTRICBANDWAGON", "AppleJeus", "BLINDINGCAN", "ThreatNeedle", "Volgmer", "Cryptoistic", "RATANKBA", "Bankshot" ], "source_id": "MITRE", "reports": null }, { "id": "ef59a0d9-c556-4448-8553-ed28f315d352", "created_at": "2025-06-29T02:01:57.047978Z", "updated_at": "2026-04-10T02:00:04.744218Z", "deleted_at": null, "main_name": "Operation Contagious Interview", "aliases": [ "Jasper Sleet", "Nickel Tapestry", "Operation Contagious Interview", "PurpleBravo", "Storm-0287", "Tenacious Pungsan", "UNC5267", "Wagemole", "WaterPlum" ], "source_name": "ETDA:Operation Contagious Interview", "tools": [ "BeaverTail", "InvisibleFerret", "OtterCookie", "PylangGhost" ], "source_id": "ETDA", "reports": null }, { "id": "f32df445-9fb4-4234-99e0-3561f6498e4e", "created_at": "2022-10-25T16:07:23.756373Z", "updated_at": "2026-04-10T02:00:04.739611Z", "deleted_at": null, "main_name": "Lazarus Group", "aliases": [ "APT-C-26", "ATK 3", "Appleworm", "Citrine Sleet", "DEV-0139", "Diamond Sleet", "G0032", "Gleaming Pisces", "Gods Apostles", "Gods Disciples", "Group 77", "Guardians of Peace", "Hastati Group", "Hidden Cobra", "ITG03", "Jade Sleet", "Labyrinth Chollima", "Lazarus Group", "NewRomanic Cyber Army Team", "Operation 99", "Operation AppleJeus", "Operation AppleJeus sequel", "Operation Blockbuster: Breach of Sony Pictures Entertainment", "Operation CryptoCore", "Operation Dream Job", "Operation Dream Magic", "Operation Flame", "Operation GhostSecret", "Operation In(ter)caption", "Operation LolZarus", "Operation Marstech Mayhem", "Operation No Pineapple!", "Operation North Star", "Operation Phantom Circuit", "Operation Sharpshooter", "Operation SyncHole", "Operation Ten Days of Rain / DarkSeoul", "Operation Troy", "SectorA01", "Slow Pisces", "TA404", "TraderTraitor", "UNC2970", "UNC4034", "UNC4736", "UNC4899", "UNC577", "Whois Hacking Team" ], "source_name": "ETDA:Lazarus Group", "tools": [ "3CX Backdoor", "3Rat Client", "3proxy", "AIRDRY", "ARTFULPIE", "ATMDtrack", "AlphaNC", "Alreay", "Andaratm", "AngryRebel", "AppleJeus", "Aryan", "AuditCred", "BADCALL", "BISTROMATH", "BLINDINGCAN", "BTC Changer", "BUFFETLINE", "BanSwift", "Bankshot", "Bitrep", "Bitsran", "BlindToad", "Bookcode", "BootWreck", "BottomLoader", "Brambul", "BravoNC", "Breut", "COLDCAT", "COPPERHEDGE", "CROWDEDFLOUNDER", "Castov", "CheeseTray", "CleanToad", "ClientTraficForwarder", "CollectionRAT", "Concealment Troy", "Contopee", "CookieTime", "Cyruslish", "DAVESHELL", "DBLL Dropper", "DLRAT", "DRATzarus", "DRATzarus RAT", "Dacls", "Dacls RAT", "DarkComet", "DarkKomet", "DeltaCharlie", "DeltaNC", "Dembr", "Destover", "DoublePulsar", "Dozer", "Dtrack", "Duuzer", "DyePack", "ECCENTRICBANDWAGON", "ELECTRICFISH", "Escad", "EternalBlue", "FALLCHILL", "FYNLOS", "FallChill RAT", "Farfli", "Fimlis", "FoggyBrass", "FudModule", "Fynloski", "Gh0st RAT", "Ghost RAT", "Gopuram", "HARDRAIN", "HIDDEN COBRA RAT/Worm", "HLOADER", "HOOKSHOT", "HOPLIGHT", "HOTCROISSANT", "HOTWAX", "HTTP Troy", "Hawup", "Hawup RAT", "Hermes", "HotCroissant", "HotelAlfa", "Hotwax", "HtDnDownLoader", "Http Dr0pper", "ICONICSTEALER", "Joanap", "Jokra", "KANDYKORN", "KEYMARBLE", "Kaos", "KillDisk", "KillMBR", "Koredos", "Krademok", "LIGHTSHIFT", "LIGHTSHOW", "LOLBAS", "LOLBins", "Lazarus", "LightlessCan", "Living off the Land", "MATA", "MBRkiller", "MagicRAT", "Manuscrypt", "Mimail", "Mimikatz", "Moudour", "Mydoom", "Mydoor", "Mytob", "NACHOCHEESE", "NachoCheese", "NestEgg", "NickelLoader", "NineRAT", "Novarg", "NukeSped", "OpBlockBuster", "PCRat", "PEBBLEDASH", "PLANKWALK", "POOLRAT", "PSLogger", "PhanDoor", "Plink", "PondRAT", "PowerBrace", "PowerRatankba", "PowerShell RAT", "PowerSpritz", "PowerTask", "Preft", "ProcDump", "Proxysvc", "PuTTY Link", "QUICKRIDE", "QUICKRIDE.POWER", "Quickcafe", "QuiteRAT", "R-C1", "ROptimizer", "Ratabanka", "RatabankaPOS", "Ratankba", "RatankbaPOS", "RawDisk", "RedShawl", "Rifdoor", "Rising Sun", "Romeo-CoreOne", "RomeoAlfa", "RomeoBravo", "RomeoCharlie", "RomeoCore", "RomeoDelta", "RomeoEcho", "RomeoFoxtrot", "RomeoGolf", "RomeoHotel", "RomeoMike", "RomeoNovember", "RomeoWhiskey", "Romeos", "RustBucket", "SHADYCAT", "SHARPKNOT", "SIGFLIP", "SIMPLESEA", "SLICKSHOES", "SORRYBRUTE", "SUDDENICON", "SUGARLOADER", "SheepRAT", "SierraAlfa", "SierraBravo", "SierraCharlie", "SierraJuliett-MikeOne", "SierraJuliett-MikeTwo", "SimpleTea", "SimplexTea", "SmallTiger", "Stunnel", "TAINTEDSCRIBE", "TAXHAUL", "TFlower", "TOUCHKEY", "TOUCHMOVE", "TOUCHSHIFT", "TOUCHSHOT", "TWOPENCE", "TYPEFRAME", "Tdrop", "Tdrop2", "ThreatNeedle", "Tiger RAT", "TigerRAT", "Trojan Manuscript", "Troy", "TroyRAT", "VEILEDSIGNAL", "VHD", "VHD Ransomware", "VIVACIOUSGIFT", "VSingle", "ValeforBeta", "Volgmer", "Vyveva", "W1_RAT", "Wana Decrypt0r", "WanaCry", "WanaCrypt", "WanaCrypt0r", "WannaCry", "WannaCrypt", "WannaCryptor", "WbBot", "Wcry", "Win32/KillDisk.NBB", "Win32/KillDisk.NBC", "Win32/KillDisk.NBD", "Win32/KillDisk.NBH", "Win32/KillDisk.NBI", "WinorDLL64", "Winsec", "WolfRAT", "Wormhole", "YamaBot", "Yort", "ZetaNile", "concealment_troy", "http_troy", "httpdr0pper", "httpdropper", "klovbot", "sRDI" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434686, "ts_updated_at": 1775826712, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/18bf79b069c2e1f1de59d9ac9822780c608334f9.pdf", "text": "https://archive.orkl.eu/18bf79b069c2e1f1de59d9ac9822780c608334f9.txt", "img": "https://archive.orkl.eu/18bf79b069c2e1f1de59d9ac9822780c608334f9.jpg" } }