{
	"id": "58339217-406c-42b7-85ad-03f740da2837",
	"created_at": "2026-04-06T00:09:22.999166Z",
	"updated_at": "2026-04-10T03:38:06.363963Z",
	"deleted_at": null,
	"sha1_hash": "a0c1b9429df1b054c353a372bdc8e597acc288fd",
	"title": "Contagious Interview | North Korean Threat Actors Reveal Plans and Ops by Abusing Cyber Intel Platforms",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2683622,
	"plain_text": "Contagious Interview | North Korean Threat Actors Reveal Plans\r\nand Ops by Abusing Cyber Intel Platforms\r\nBy Aleksandar Milenkoski, Sreekar Madabushi (Validin) \u0026 Kenneth Kinion (Validin)\r\nPublished: 2025-09-04 · Archived: 2026-04-05 14:07:41 UTC\r\nExecutive Summary\r\nNorth Korea-aligned threat actors actively monitor cyber threat intelligence to detect infrastructure\r\nexposure and scout for new assets. This analysis focuses on the abuse of cyber intelligence platforms by\r\nthe actors behind the Contagious Interview campaign cluster employing the ClickFix social engineering\r\ntechnique.\r\nThey operate in coordinated teams with real-time collaboration, likely using Slack and multiple\r\nintelligence sources such as Validin, VirusTotal, and Maltrail.\r\nAlthough aware their infrastructure is detectable, they make only limited changes to reduce detection and\r\ndisruption risk, while rapidly deploying new infrastructure in response to service provider takedowns.\r\nThis indicates a strategic focus on continuously replacing disrupted infrastructure with new assets to\r\nsustain operations and high victim engagement.\r\nFactors such as decentralized command and competitive internal incentives may limit the threat actors’\r\nability to consistently protect existing infrastructure at scale.\r\nSentinelLABS’ analysis suggests that the threat actors are effective at engaging targets; there were over 230\r\nvictims between January and March 2025, with the actual number likely being significantly higher.\r\nIn partnership with SentinelLABS and Validin, Reuters provides further coverage of the human dimension\r\nof this threat, exploring victim engagement methods and their personal impact.\r\nOverview\r\nIn collaboration with the internet intelligence platform Validin, SentinelLABS has been tracking activity on the\r\nplatform which we attribute with high confidence to North Korean threat actors involved in the Contagious\r\nInterview campaign 
cluster. This activity, which took place between March and June 2025, involved the threat\r\nactors examining cyber threat intelligence (CTI) information related to their infrastructure. Our unique visibility\r\nhas provided valuable insights into their operational practices, internal coordination, infrastructure management\r\nand deployment, and victimology.\r\nSentinelLABS continuously tracks North Korean-aligned threat actors, including their persistent interest in cyber\r\nthreat intelligence. As part of SentinelLABS’ broader efforts to identify and disrupt North Korean operations in\r\ncollaboration with partner organizations, SentinelLABS and Validin conducted a joint investigation, combining\r\nour threat intelligence expertise with Validin’s visibility into the threat actors’ activities on their platform, to better\r\nunderstand these activities and provide actionable intelligence supporting defensive actions.\r\nhttps://www.sentinelone.com/labs/contagious-interview-threat-actors-scout-cyber-intel-platforms-reveal-plans-and-ops/\r\nPage 1 of 18\n\nSentinelLABS and Validin observed an intensive and coordinated effort by Contagious Interview threat actors to\r\nregister and use Validin community access accounts within approximately 24 hours after Validin published a blog\r\npost on 11 March 2025. The post discusses the infrastructure of Lazarus, a suspected North Korean APT umbrella\r\ncluster associated with Contagious Interview activities. Validin’s community access portal provides free access to\r\ninfrastructure intelligence information.\r\nThe threat actors used Google Gmail addresses that we had already been tracking as Contagious Interview\r\nartifacts at the time of registration. Although Validin blocked the accounts shortly after registration, we observed\r\nthe threat actors persisting in their efforts to use Validin by creating accounts at later dates. 
At that point, we\r\nintentionally kept one account active over the long term to monitor and gather intelligence on their activities.\r\nWe observed that the Contagious Interview threat actors engaged in coordinated activity and likely operated in\r\nteams to investigate threat intelligence related to their infrastructure and to monitor for signs of detection.\r\nIndicators suggest they used multiple indicators of compromise (IOC) repositories and CTI platforms, including\r\nValidin, VirusTotal, and Maltrail. We also identified indicators of real-time teamwork, including possible use of\r\nthe Slack platform to coordinate their investigations.\r\nDespite thoroughly examining threat intelligence and identifying artifacts that can be used to discover their\r\ninfrastructure, the threat actors did not implement systematic, large-scale changes to make it harder to detect,\r\nthereby reducing its exposure to discovery and disruption. Instead, we observed only sporadic, limited-scale\r\nchanges targeting specific artifacts used to identify Contagious Interview infrastructure, while the threat actors\r\nrapidly deployed new infrastructure in response to service provider takedowns.\r\nThis may reflect a focus on investing resources to maintain operational readiness and sustain the campaign’s high\r\nvolume of victim engagement by deploying new infrastructure rather than undertaking broad modifications to\r\nprotect existing infrastructure. Based on log files unintentionally exposed on several Contagious Interview servers,\r\nwe identified over 230 individuals affected during the period from January to March 2025, though the actual\r\nnumber is likely much higher.\r\nGiven the continuous success of their campaigns in engaging targets, it may be more pragmatic and efficient for\r\nthe threat actors to deploy new infrastructure rather than maintain existing assets. 
Potential internal factors, such\r\nas decentralized command structures or operational resource constraints, may restrict their capacity to rapidly\r\nimplement coordinated changes. Moreover, competitive pressures stemming from North Korea’s annual revenue\r\nquotas for cyber teams likely incentivize operatives to make isolated adjustments to the infrastructure under their\r\ncontrol in order to protect their own assets and outperform colleagues, rather than participate in centrally\r\ncoordinated, large-scale updates.\r\nThe threat actors also used Validin to scout and evaluate new infrastructure before acquisition, likely aiming to\r\navoid assets previously flagged as malicious, which would increase detection risk and reduce operational\r\neffectiveness once deployed. Following acquisition, they continued to monitor their assets for signs of detection\r\nthroughout their lifecycle. We were closely monitoring Contagious Interview infrastructure during its acquisition\r\nand deployment, which revealed repeated OPSEC failures, suggesting a lack of consistent operational security\r\ncontrols during the infrastructure setup phase.\r\nBackground | Contagious Interview and ClickFix\r\nFirst used in 2023 to label a campaign targeting job seekers, the term Contagious Interview has since been used\r\ninterchangeably in other contexts, including to refer to an APT group assessed to be a subset of the North Korean\r\numbrella group Lazarus.\r\nIn this post, we use Contagious Interview to refer to a cluster of campaigns, variants of the 2023 campaign, that\r\ntarget job applicants using diverse social engineering tactics to trick targets into executing malware.\r\nContagious Interview activities predominantly target individuals active in the cryptocurrency industry, aiming to\r\ngain access to their systems for various purposes, including 
intelligence collection and the theft of cryptocurrency\r\nassets. This supports North Korea’s efforts in evading sanctions and generating illicit revenue for financing its\r\nprojects, including missile programmes.\r\nContagious Interview campaigns have typically been associated with the umbrella threat cluster Lazarus. DTEX\r\nSystems has attributed these campaigns to a group referred to as Gwisin Gang, which likely emerged from an IT\r\norganization whose subordination within the North Korean state apparatus is still subject to assessment.\r\nRecent Contagious Interview campaigns, also referred to as ClickFake Interview, involve a social engineering\r\ntechnique known as ClickFix. We assess that the threat actors whose activities are discussed in this post are\r\ninvolved in these campaigns.\r\nClickFix typically proceeds as follows. A targeted job seeker receives an invitation to participate in a job\r\napplication process, directing them to a lure website where they are prompted to complete a skill assessment.\r\nDuring the assessment, the applicant encounters a fabricated error message, such as a camera access issue. They\r\nare then instructed to copy and paste command lines, often involving utilities like curl, to download and\r\nexecute a supposed update from a separate malware distribution server, unknowingly deploying malware in the\r\nprocess. This technique is discussed in more detail in previous research.\r\nAccount Registrations | Initial Activities\r\nThe threat actors started creating Validin community accounts on 12 March 2025 at 22:44:11 UTC, an activity\r\nwhich spanned a relatively short interval of approximately 15 minutes, suggesting a concentrated and coordinated\r\napproach. We present below the email addresses used for account registrations as well as the IP addresses from\r\nwhich the registrations were conducted. 
We attribute this activity to Contagious Interview threat actors based on\r\nmultiple indicators.\r\nEmail Address | IP Address\r\njimmr6587[@]gmail.com | 38.170.181[.]10\r\nexcellentreporter321[@]gmail.com | 194.33.45[.]162\r\nrockstar96054[@]gmail.com | 96.62.127[.]126\r\nrichardkdavis45[@]gmail.com | 45.86.208[.]162\r\nfairdev610[@]gmail.com | 70.39.70[.]194\r\nmarvel714jm[@]gmail.com | 77.247.126[.]189\r\nmontessantiago9712[@]gmail.com | 38.170.181[.]10\r\nhundredup2023[@]gmail.com | 70.32.3[.]15\r\nhuzqur023[@]gmail.com | 89.19.58[.]51\r\nA significant portion of the IP addresses used for registration, such as 194.33.45[.]162, 70.39.70[.]194,\r\n70.32.3[.]15, 38.170.181[.]10, and 45.86.208[.]162, have been associated with Astrill VPN, a VPN\r\nservice popular among North Korean threat clusters.\r\nAdditionally, even before the account registrations, SentinelLABS and Validin were already tracking the email\r\naddresses fairdev610[@]gmail.com, richardkdavis45[@]gmail.com, rockstar96054[@]gmail.com,\r\nexcellentreporter321[@]gmail.com, and hundredup2023[@]gmail.com as Contagious Interview artifacts. We\r\nfound these addresses in unintentionally exposed JavaScript scripts (Node.js applications) on Contagious\r\nInterview ClickFix malware distribution servers.\r\nWe have been tracking these Node.js applications under the ContagiousDrop moniker since their initial exposure.\r\nTypically implemented as app.js files, the applications distribute malware to targeted individuals and notify the\r\nthreat actors via email about victim engagement. This engagement includes information submission to Contagious\r\nInterview lure websites and the execution of commands, such as curl, as directed by the threat actors as part of\r\nthe ClickFix social engineering tactic. 
A ContagiousDrop sample is highlighted in previous research on\r\nContagious Interview activity published in April 2025. These applications will be discussed in greater detail later\r\nin this blog post.\r\nMoreover, some email addresses have been used for registering Contagious Interview domains pointing to lure\r\nwebsites. For example, marvel714jm[@]gmail.com and jimmr6587[@]gmail.com have been used to register the\r\npaxos-video-interview[.]com and skill-share[.]org domains, respectively.\r\nFinally, some email addresses were used to register Validin accounts from IP addresses that were also used to\r\nregister or log in to accounts with other email addresses we attribute with high confidence to Contagious\r\nInterview. For example, the account montessantiago9712[@]gmail.com was registered from the IP address\r\n38.170.181[.]10, the same as jimmr6587[@]gmail.com.\r\nApproximately 15 minutes after the first observed account registration, Validin blocked the Contagious Interview\r\naccounts and subsequently prevented further community registrations originating from known Astrill VPN IP\r\naddresses or using Gmail accounts.\r\nAccount Registrations | Further Activities\r\nAfter likely realizing that their access to Validin had been blocked, Contagious Interview threat actors attempted\r\nto register community accounts again on 25 March 2025 (13 days after the initial registration activity) and 26\r\nApril 2025. This time, they also used non-Gmail email addresses, most likely in response to Validin blocking\r\nGmail-based registrations: info[@]versusx[.]us and invite[@]quiz-nest[.]com. 
We present below the email\r\naddresses used for Validin account registrations, along with the date, time, and originating IP addresses of these\r\nregistrations.\r\nEmail Address | Date (UTC) | Time (UTC) | IP Address\r\ninfo[@]versusx[.]us | 2025-03-25 | 13:33:01 | 181.59.180[.]84\r\nmvsolution9[@]gmail.com | 2025-04-26 | 16:48:54 | 181.215.9[.]29\r\ninvite[@]quiz-nest[.]com | 2025-04-26 | 16:51:29 | 181.215.9[.]29\r\nThe domain registration records for versusx[.]us include the email address brooksliam534[@]gmail.com,\r\nwhich has also been used to register several Contagious Interview domains discussed in previous research, such as\r\nwillotalent[.]us and nvidia-release[.]us. Additionally, indicators suggest that the\r\nbrooksliam534[@]gmail.com account has been involved in publishing malicious npm (Node Package Manager)\r\npackages (cors-app and cors-parser) as part of a software supply chain campaign attributed to Contagious\r\nInterview threat actors.\r\nThe liambrooksman persona (brooksliam534[@]gmail.com) tracked as maintainer of cors-app and\r\ncors-parser\r\nWe observed the registration of invite[@]quiz-nest[.]com approximately two minutes after the threat actors\r\nattempted to register mvsolution9[@]gmail.com. The registration of mvsolution9[@]gmail.com failed due to\r\nmeasures Validin implemented following the March 2025 account registration activities. Both actions originated\r\nfrom the same IP address, 181.215.9[.]29, suggesting the involvement of a single operator.\r\nmvsolution9[@]gmail.com has been used to register two Contagious Interview domains: evalassesso[.]com,\r\nwhich Sekoia has also attributed to Contagious Interview, and speakure[.]com. 
The quiz-nest[.]com website,\r\nat least up to 24 May 2025, was implemented in a manner typical of Contagious Interview lure websites.\r\nWe also observed login attempts on 9 May 2025 using the excellentreporter321[@]gmail.com and\r\nmarvel714jm[@]gmail.com accounts, which had been blocked by Validin in March 2025.\r\nThe threat actors’ shift to using non-Gmail addresses, along with their continuous attempts to bypass Validin’s\r\naccess controls, highlights their adaptability and persistent interest in Validin data. Recognizing their persistence\r\nin obtaining community access, we intentionally kept only the info[@]versusx[.]us account active to monitor\r\nsubsequent activity, determine their objectives, and gather further intelligence. Since then, the Contagious\r\nInterview threat actors have continued attempting to register new Validin accounts through the time of writing this\r\npost.\r\nAccount Registrations | Personas\r\nIn accordance with Validin’s policy for community accounts, the Contagious Interview actors completed\r\nregistration forms requesting information such as full name, affiliation, and reason for registration.\r\nAccount | Full Name | Affiliation | Reason\r\nexcellentreporter321[@]gmail.com | Andress Victor Pabon Carrascal | DAG | Find My Platform.\r\nfairdev610[@]gmail.com | Fair Dev | Talents Vision | Reference\r\nhundredup2023[@]gmail.com | Thomas Mitchell | Baymax | to find domain\r\nhuzqur023[@]gmail.com | Hamza | Starlink | I will use this for phishing check\r\ninfo[@]versusx[.]us | Noraida | Versusx | Research\r\ninvite[@]quiz-nest[.]com | Anika Larkin | Quiz Nest | Google\r\njimmr6587[@]gmail.com | jimmr | Individual | Github\r\nmarvel714jm[@]gmail.com | Mar Vel | Paxos | Valisin\r\nmontessantiago9712[@]gmail.com | Santiago Montes | Personal | Virus Checker\r\nmvsolution9[@]gmail.com | Anika Larkin | Test | Ggle\r\nrichardkdavis45[@]gmail.com | Richard Davis | CreatDao | /\r\nrockstar96054[@]gmail.com | Rock Lee | FWW | Googling\r\nThe threat actors used a diverse range of names, from generic handles like jimmr to pop-culture references such\r\nas Rock Lee (a character from the Japanese anime series Naruto), Mar Vel (likely referring to Mar-Vell, a\r\nCaptain Marvel character from Marvel Comics), and Santiago Montes (the main protagonist of the animated\r\ntelevision series Santiago of the Seas), as well as more elaborate, seemingly legitimate full names like Andress\r\nVictor Pabon Carrascal. The reuse of the name Anika Larkin for two different accounts, invite[@]quiz-nest[.]com\r\nand mvsolution9[@]gmail.com, combined with both accounts being registered from the same IP\r\naddress (181.215.9[.]29) within approximately two minutes, suggests the involvement of a single individual.\r\nSome affiliations correspond to fake hiring platforms operated by Contagious Interview. For example, Quiz\r\nNest aligns with the domain quiz-nest[.]com, while Paxos corresponds to domains such as paxos-video-interview[.]com\r\nand paxosassessments[.]com. The account marvel714jm[@]gmail.com, which used the\r\nPaxos affiliation, was also used to register the domain paxos-video-interview[.]com. This suggests the actors\r\nleveraged their own infrastructure and fabricated brands to create a more convincing facade of legitimacy.\r\nIn addition to these fake platforms, the threat actors also used names of legitimate, well-known companies such as\r\nStarlink, as well as vague descriptors like Individual or Personal.\r\nSome of the stated reasons for registration provide direct insight into the threat actors’ primary objective:\r\ninvestigating threat intelligence information related to their infrastructure. 
For example, pretexts such as\r\nResearch, To find domain, and Find My Platform indicate their interest in exploring Validin’s data.\r\nValidin Use | Activity Across Multiple Platforms\r\nThe majority of accounts began using the Validin platform immediately after registration. In total, we observed 57\r\nunique search terms across all categories supported by the platform, including domain names, hashes, URLs, web\r\nmetadata, keywords, and IP addresses.\r\nThe threat actors did not search for any IOCs reported in Validin’s blog post, which we suspect triggered their\r\ninitial interest in the platform. Therefore, we assess the post only brought Validin to their attention, after which\r\nthey integrated Validin into a broader workflow for investigating threat intelligence related to their operations by\r\nleveraging multiple sources.\r\nWe observed indicators suggesting that the threat actors used additional IOC repositories and platforms alongside\r\nValidin to conduct comprehensive investigations. These included VirusTotal and the apt_lazarus.txt file,\r\nwhich is part of the Maltrail project and publicly available on GitHub. This file is regularly updated with domain\r\nnames, IP addresses, and URLs attributed to the Lazarus umbrella APT cluster, as well as sources providing\r\nattribution information or context, such as social media, blog posts, and other threat intelligence platforms\r\n(including VirusTotal and Validin). VirusTotal is a malware analysis service and threat intelligence platform that\r\naggregates detection results, reputation assessments, and contextual information for files, URLs, domains, and IP\r\naddresses from a wide range of detection engines, third-party tools, and its user community.\r\nThe very first search term used by the threat actors was the keyword TalentCheck, entered on 12 March 2025 at\r\n22:44:40 UTC. 
TalentCheck is the title of multiple Contagious Interview websites, including\r\nskillcheck[.]pro, talentcheck[.]pro, and vidassesspro[.]com. The keyword was first published as an\r\nartifact identifying Contagious Interview websites approximately one day earlier by Maltrail in\r\napt_lazarus.txt, on 11 March 2025 at 11:18:22 UTC. This suggests that the threat actors likely used Validin to\r\ninvestigate what additional information the platform could provide based on the TalentCheck keyword they first\r\nobserved in apt_lazarus.txt.\r\nTalentCheck in apt_lazarus.txt\r\nMost of the search terms the threat actors used in Validin had been published exclusively in apt_lazarus.txt at\r\nthe time of the search and were queried shortly after their appearance in the file, sometimes within less than an\r\nhour. This supports our assessment that the Contagious Interview actors closely monitored apt_lazarus.txt and\r\nused Validin to gather further details and contextual information.\r\nIn addition to Maltrail, we suspect that the Contagious Interview threat actors also use VirusTotal, or monitor what\r\ninformation about their infrastructure and malware is available on the platform, in conjunction with Validin. For\r\nexample, the account richardkdavis45[@]gmail.com queried Validin for the URL\r\nhttps[://]robinhood[.]evalvidz[.]com/invite/fZ6j8A2k on 12 March 2025 at 22:59:20 UTC, just a few\r\nminutes after the exact same URL was first submitted to VirusTotal at 22:54:24 UTC.\r\nBased on log files, we were able to reconstruct the exact navigation paths of the Contagious Interview threat\r\nactors within Validin. We observed a strong interest in external references that provide attribution information for\r\nspecific search terms, which Validin displays in the Reputation Factors panel on the search results page. 
For\r\nmost of the domains they searched, the threat actors visited every available external reference, demonstrating a\r\ndetermined effort to conduct thorough CTI investigations by gathering information from multiple sources.\r\nReconstructed navigation path of the jimmr6587[@]gmail.com account\r\nValidin Use | Team Collaboration\r\nWe observed multiple accounts searching for the same terms within a very short time frame, indicating a\r\ncoordinated and collaborative effort involving multiple individuals. In addition, we identified strong indicators\r\nthat the threat actors were using Slack, a messaging platform commonly used for team communication and\r\ncollaboration, to coordinate their activities.\r\nWhen investigating patterns of account activity and search behavior using Validin log data, we observed that the\r\njimmr6587[@]gmail.com account was the first to search for the domain webcamfixer[.]online on 12 March\r\n2025 at 22:54:19 UTC, followed by excellentreporter321[@]gmail.com (22:55:17 UTC),\r\nrockstar96054[@]gmail.com (22:55:25 UTC), richardkdavis45[@]gmail.com (22:55:43 UTC), and\r\nfairdev610[@]gmail.com (22:55:55 UTC).\r\nOur cross-examination of web server log data revealed that the search by jimmr6587[@]gmail.com was followed\r\nby requests to Validin from Slack Robots for the same URL generated by the search\r\n(/detail?type=dom\u0026find=webcamfixer[.]online). Slack Robots retrieve web content when a user posts a URL in a channel\r\nor direct message, displaying summary information such as the page title, meta description, and a preview image.\r\nThese Slack Bot requests were followed by requests to the same URL from the IP addresses from which the\r\naccounts excellentreporter321[@]gmail.com, rockstar96054[@]gmail.com, richardkdavis45[@]gmail.com,\r\nand fairdev610[@]gmail.com had logged in. 
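The cross-examination of web server logs described here (a user's request for a URL, the Slack unfurl fetch of the same URL, then a burst of requests for it from other client IPs within minutes) can be scripted. The following Python is an added example written for this edit, not SentinelLABS or Validin tooling. It parses standard combined-format access log lines, assumes that Slack's link-unfurling crawler identifies itself with the User-Agent prefix Slackbot-LinkExpanding, and runs over a constructed sample (RFC 5737 documentation addresses, timings modelled on the webcamfixer[.]online sequence above, query string defanged as in the post) rather than real Validin log data:

```python
import re
from datetime import datetime, timedelta

# Standard Apache/nginx "combined" access log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Assumption: Slack's link-unfurling crawler sends a User-Agent beginning
# "Slackbot-LinkExpanding 1.0 (+https://api.slack.com/robots)".
SLACK_UA_MARKER = "Slackbot-LinkExpanding"


def parse_log(text):
    """Parse combined-format lines into dicts sorted by time; unparseable lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], TS_FMT)
        e["is_slackbot"] = SLACK_UA_MARKER in e["ua"]
        entries.append(e)
    return sorted(entries, key=lambda e: e["ts"])


def find_slack_shares(entries, window=timedelta(minutes=10), min_followers=2):
    """One record per URL that a user requested, Slackbot then fetched, and at least
    min_followers other IPs requested within `window` of the Slackbot fetch."""
    by_path = {}
    for e in entries:
        by_path.setdefault(e["path"], []).append(e)
    shares = []
    for path, reqs in by_path.items():
        last_bot_ts = None
        for i, bot in enumerate(reqs):
            if not bot["is_slackbot"]:
                continue
            # Slack may fetch a URL several times; fetches within one window count as one share.
            if last_bot_ts is not None and bot["ts"] - last_bot_ts <= window:
                continue
            last_bot_ts = bot["ts"]
            # The sharer is the last human request for the URL before the unfurl fetch.
            sharer = None
            for prev in reversed(reqs[:i]):
                if not prev["is_slackbot"] and bot["ts"] - prev["ts"] <= window:
                    sharer = prev["ip"]
                    break
            # Followers: distinct non-bot IPs (other than the sharer) hitting the URL after the fetch.
            followers, seen = [], set()
            for nxt in reqs[i + 1:]:
                if nxt["ts"] - bot["ts"] > window:
                    break
                if nxt["is_slackbot"] or nxt["ip"] == sharer or nxt["ip"] in seen:
                    continue
                seen.add(nxt["ip"])
                followers.append((nxt["ip"], int((nxt["ts"] - bot["ts"]).total_seconds())))
            if len(followers) >= min_followers:
                shares.append({"path": path, "slackbot_fetch": bot["ts"],
                               "sharer_ip": sharer, "followers": followers})
    return shares


# Constructed sample (not real Validin log data): documentation IP ranges, timings
# modelled on the sequence described in the post. The last line is a late, unrelated hit.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Mar/2025:22:54:19 +0000] "GET /detail?type=dom&find=webcamfixer[.]online HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/128.0"
198.51.100.1 - - [12/Mar/2025:22:54:33 +0000] "GET /detail?type=dom&find=webcamfixer[.]online HTTP/1.1" 200 5120 "-" "Slackbot-LinkExpanding 1.0 (+https://api.slack.com/robots)"
203.0.113.21 - - [12/Mar/2025:22:55:17 +0000] "GET /detail?type=dom&find=webcamfixer[.]online HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/134.0"
203.0.113.32 - - [12/Mar/2025:22:55:25 +0000] "GET /detail?type=dom&find=webcamfixer[.]online HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Macintosh) Safari/605.1"
203.0.113.43 - - [12/Mar/2025:22:55:43 +0000] "GET /detail?type=dom&find=webcamfixer[.]online HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) Chrome/134.0"
203.0.113.54 - - [12/Mar/2025:22:55:55 +0000] "GET /detail?type=dom&find=webcamfixer[.]online HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/134.0"
203.0.113.10 - - [12/Mar/2025:22:59:01 +0000] "GET /detail?type=dom&find=example.com HTTP/1.1" 200 4096 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/128.0"
203.0.113.99 - - [12/Mar/2025:23:30:00 +0000] "GET /detail?type=dom&find=webcamfixer[.]online HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/134.0"
"""

if __name__ == "__main__":
    for share in find_slack_shares(parse_log(SAMPLE_LOG)):
        print(f"{share['path']} unfurled by Slack at {share['slackbot_fetch']:%H:%M:%S}, "
              f"shared by {share['sharer_ip']}")
        for ip, lag in share["followers"]:
            print(f"  follow-on request from {ip} +{lag}s")
```

The window and follower threshold are tunable. One caveat: Slack unfurls a link whenever it is posted, so a Slackbot fetch on its own only shows that a URL was pasted into some Slack workspace; it is the burst of distinct client IPs that follows, each tied to a separate platform account in the application logs, that points to a coordinated team rather than one person with several browsers.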
The timing of these requests aligns with each account’s respective\r\nsearch for webcamfixer[.]online as recorded in Validin logs.\r\nWeb server log data\r\nThis suggests that the individual operating the jimmr6587[@]gmail.com account searched for\r\nwebcamfixer[.]online in Validin, pasted the resulting URL into Slack, and that the individuals behind the other\r\naccounts subsequently clicked on the shared link in quick succession.\r\nValidin Use | Limited Infrastructure Changes\r\nDespite thoroughly investigating CTI information and identifying artifacts that could be used to discover their\r\ninfrastructure, we did not observe any systematic or widespread actions by the Contagious Interview threat actors\r\nto make their infrastructure more difficult to discover and to protect it against detection and disruption. We\r\nobserved only sporadic changes of limited scale that did not significantly reduce the infrastructure’s visibility to\r\ndefenders and threat researchers.\r\nFor example, after searching in Validin for the keyword SkillMaster, which is the title of multiple Contagious\r\nInterview websites, the threat actors changed the title of only one site, skillmasteryhub[.]us, from\r\nSkillMaster to SkillUp a few hours after the search. This change was not applied to other websites with the\r\nsame title, such as VidHireHub[.]com.\r\nWebsite title change on 13 March 2025, as seen in Validin\r\nMany of the Contagious Interview domains that the threat actors searched for in Validin were taken down by their\r\nrespective registrars shortly after the search activity. Some may have been voluntarily deactivated by the threat\r\nactors themselves, likely to avoid seizure or further investigation, particularly if the domains were linked to their\r\noperational security. 
For example, the A DNS record for the domain careerquestion[.]com was removed just a\r\nfew hours after the threat actors searched for it in Validin and confirmed its association with their operation.\r\nThe lack of systematic changes to their infrastructure, despite the threat actors’ thorough examination of CTI\r\ninformation, suggests several possible explanations.\r\nGiven the continuous success of the campaign in engaging job applicants, the threat actors may be prioritizing\r\nmaintaining operational readiness and meeting their objectives by rapidly deploying new assets to replace\r\ndisrupted infrastructure, rather than undertaking large-scale targeted changes. We observed a high rate of new\r\ninfrastructure deployment by the Contagious Interview threat actors alongside losses of existing infrastructure due\r\nto actions by service providers, which supports this assessment.\r\nThere may be internal limitations, such as a lack of a central authoritative command structure or resource\r\nconstraints affecting their ability to modify infrastructure rapidly and at scale. Additionally, the North Korean\r\nregime sets annual earnings quotas for cyber teams, requiring them to self-fund while meeting revenue targets.\r\nThese quotas likely incentivize operatives to continually seek new income sources, fostering intense competition\r\nwithin teams. 
As a result, individuals managing only portions of the Contagious Interview infrastructure may\r\nmake limited changes aimed at evading detection of the infrastructure they oversee, thereby gaining advantages\r\nover colleagues, rather than engaging in coordinated, large-scale modifications.\r\nValidin Use | New Infrastructure And OPSEC Failures\r\nThe activity patterns of the info[@]versusx[.]us account on Validin, which we intentionally kept active over the\r\nlong term, suggest that the threat actors used the platform not only to monitor for signs of detection related to their\r\nexisting infrastructure, but also:\r\n- To scout and evaluate new infrastructure prior to purchase, highly likely to determine whether it had been\r\npreviously reported as malicious. This helps the threat actors avoid acquiring assets already labeled as\r\nmalicious, which would increase the risk of detection and reduce the effectiveness of their operations once\r\ndeployed.\r\n- To monitor newly acquired infrastructure throughout its lifecycle for any indicators of detection.\r\nFor instance, on March 25, 2025, we observed the info[@]versusx[.]us account searching for the domain names\r\nhiringassessment[.]net, hiringassessment[.]com, hireassessment[.]com, easyjobinterview[.]org, and\r\nscreenquestion[.]org. All of these domains were available for purchase at the time. These names align with the\r\nrecruitment-related themes typically used in Contagious Interview activities.\r\nThe info[@]versusx[.]us account also searched for multiple domains shortly after they were purchased and\r\ncontinued monitoring them for signs of detection after deploying web content. One example is\r\nskillquestions[.]com, which was first queried on March 25, 2025, at 17:33:34 UTC, just minutes before it was\r\nregistered at 17:41:14 UTC. 
Additional searches occurred shortly before content was deployed on April 23, 2025,\r\nand continued periodically until May 6, 2025. According to Validin data, the skillquestions[.]com website\r\nremained operational until at least May 13, 2025, at 20:44:27 UTC.\r\nOur continuous monitoring of the planning, acquisition, and deployment of new Contagious Interview\r\ninfrastructure allowed us to identify OPSEC mistakes made by the threat actors throughout the process. We\r\nobserved multiple instances of such errors, including the unintended exposure of files and directory contents,\r\nwhich indicate poor OPSEC practices during infrastructure deployment and provide further insight into their\r\noperations.\r\nFor example, api.release-drivers[.]online was exposing its web root directory, the files it contained, and\r\ntheir associated modification timestamps. This included error logs from a Node.js application stored in\r\n/home/relefmwz/api.release-drivers[.]online/, indicating that the threat actors used the username\r\nrelefmwz. The exposed timestamps provide insight into when the Contagious Interview operators deployed\r\ncontent to the server, allowing us to reconstruct their activity timeline.\r\nExposed web root directory of api.release-drivers[.]online\r\nFurther, several newly deployed ClickFix malware distribution servers, such as api.camdriverhelp[.]club and\r\napi.drive-release[.]cloud, were exposing ContagiousDrop applications along with the log files they had\r\ngenerated. These files contain information on affected individuals, allowing us to gain valuable insights into the\r\nvictimology of the campaigns.\r\nContagiousDrop Applications\r\nThe ContagiousDrop applications, typically implemented in app.js files, are deployed on ClickFix malware\r\ndistribution servers such as api.drive-release[.]cloud. 
These applications run servers that listen on configured\r\nports to handle incoming HTTP GET and POST requests, executing different functions based on the specific\r\nrequest path.\r\nThe ContagiousDrop applications deliver malware disguised as software updates or essential utilities. They\r\ndistribute a tailored payload based on the victim’s operating system (Windows, macOS, or Linux), system\r\narchitecture, and method of interaction with the server, such as the use of the curl command.\r\nOperating system-specific malware delivery\r\nIn addition to delivering malware, the ContagiousDrop applications feature an integrated email notification\r\nsystem. These notifications, sent from a configured email address such as designedcuratedamy58[@]gmail.com,\r\nprovide the Contagious Interview threat actors with insights into victim engagement and interaction patterns and\r\nare delivered to their configured recipient addresses. For example, an email is triggered when an affected\r\nindividual starts a fake skill assessment or executes a curl command to download a file from the ClickFix\r\nmalware distribution server.\r\nEmail notification recipients\r\nFurthermore, these applications record victim information across multiple files and interaction points, effectively\r\nbuilding a victimology database and logging victim activities. For example, initial and later engagements are\r\ncaptured in client_ips_start_test.json and client_ips_submit.json, including details such as full name,\r\nemail address, IP address, phone number, and the date of interaction. 
Malware download initiations are logged in\r\nfiles such as client_ips_start.json and client_ips_mac_start.json, which capture operating system–\r\nspecific payload delivery.\r\nLogging to client_ips_start_test.json\r\nContagiousDrop | Victimology\r\nBased on ContagiousDrop log files we retrieved, we identified over 230 individuals who engaged with Contagious\r\nInterview lures between mid-January and the end of March 2025. This figure is based on log files from only a few\r\nContagious Interview servers; therefore, the actual number of affected individuals is likely significantly higher.\r\nTheir engagement spanned multiple stages of the attack, including completing fake assessment tests and\r\nprogressing to the infection phase via the ClickFix technique.\r\nMost of the affected individuals work in roles related to cryptocurrency and blockchain technologies, primarily\r\nwithin the marketing and finance sectors, and are geographically distributed worldwide. They engaged with lures\r\ninvolving various job positions, such as Portfolio Manager, Investment Manager, and Senior Product Manager,\r\nacross a range of impersonated companies including Archblock, Robinhood, and eToro.\r\nContagious Interview victimology\r\nIn addition to entries related to victim activity, the ContagiousDrop logs also contain records likely generated\r\nduring testing of lure deployment and campaign infrastructure by the Contagious Interview threat actors\r\nthemselves. They used email addresses and persona names we have associated with them, such as\r\nawesomium430[@]gmail.com (found in ContagiousDrop code) and Richard Davis. 
Other names, such as test,\r\ntest user, and Lazaro, indicate internal testing activity, with Lazaro likely being derived from the name of\r\nthe North Korean umbrella threat cluster associated with Contagious Interview activities: Lazarus.\r\nLog entries\r\nConclusions\r\nNorth Korean threat groups actively examine CTI information to identify threats to their operations and improve\r\nthe resilience and effectiveness of their campaigns, depending on their operational priorities. In addition to the\r\nactors behind the Contagious Interview campaign cluster, SentinelLABS has also observed other North Korean\r\ngroups demonstrating interest in threat intelligence prior to the activities discussed in this post. In 2024, we\r\nretrieved malware associated with ScarCruft, likely designed to target consumers of threat intelligence reporting,\r\nsuch as threat researchers and other cybersecurity professionals. We suspect the actors aimed to gain insights into\r\nnon-public CTI and defensive strategies.\r\nIn this post, we disclose indicators and TTPs that enable the sustained tracking of the Contagious Interview threat\r\nactors. While we expect them to alter their methods as a result, the expanding scale and broad targeting of these\r\noperations suggest greater benefit in empowering the wider public to effectively defend than there is in hoarding\r\nactionable intelligence indefinitely. SentinelLABS maintains other methods of tracking these evolving campaigns.\r\nBased on our observations, the Contagious Interview threat actors do not implement systematic changes to their\r\ninfrastructure based on the CTI information they consume from multiple sources, which could make their\r\noperations harder to detect or disrupt. 
Despite this, they continue to achieve a relatively high success rate in\r\nattracting job seekers through fraudulent employment offers and skill assessment tests. Their operational strategy\r\nappears to prioritize promptly replacing infrastructure lost due to takedown efforts by service providers, using\r\nnewly provisioned infrastructure to sustain their activity.\r\nTherefore, a critical element in mitigating this threat is the human factor. It is important that job seekers,\r\nparticularly those within the cryptocurrency sector, exercise heightened vigilance when engaging with\r\nemployment offers and associated assessments.\r\nIn addition, infrastructure service providers play an important role in disrupting Contagious Interview operations.\r\nContinuous and effective actions against the threat actors’ infrastructure can significantly reduce their capacity to\r\ncarry out attacks. Close collaboration and coordination between service providers and the threat intelligence\r\ncommunity are crucial to mitigating the impact of these activities. 
SentinelLABS and Validin remain committed to\r\nsharing timely and actionable threat intelligence to support these collaborative efforts.\r\nIndicators of Compromise\r\nEmail Addresses (Contagious Interview Operators)\r\n \r\nIP Addresses\r\nValue Note\r\n181.215.9[.]29 Used for account registration and logging into Validin\r\n181.53.13[.]189 Used for logging into Validin\r\n181.59.180[.]84 Used for account registration and logging into Validin\r\n194.33.45[.]162 Used for account registration and logging into Validin\r\n216.24.215[.]231 Used for logging into Validin\r\n38.170.181[.]10 Used for account registration and logging into Validin\r\n45.86.208[.]162 Used for account registration and logging into Validin\r\n70.32.3[.]15 Used for account registration and logging into 
Validin\r\n70.39.70[.]194 Used for account registration and logging into Validin\r\n77.247.126[.]189 Used for Validin account registration\r\n89.19.58[.]51 Used for account registration and logging into Validin\r\n96.62.127[.]126 Used for account registration and logging into Validin\r\nContagious Interview Domains\r\n \r\nClickFix Malware Distribution Servers\r\napi.camdriverhelp[.]club\r\napi.drive-release[.]cloud\r\napi.release-drivers[.]online\r\nglitchmedic[.]com\r\n \r\nDomains Scouted by Contagious Interview Operators\r\neasyjobinterview[.]org\r\nhireassessment[.]com\r\nhiringassessment[.]com\r\nhiringassessment[.]net\r\nscreenquestion[.]org\r\nSHA-1 Hashes\r\nValue Note\r\n24042a8eea9b9c20af1f7bae00296b44968a068f ContagiousDrop application (app.js)\r\n44ddabf5b5d601077936a130a2863a96d2af1c8e ContagiousDrop application (app.js)\r\n4a8bfa28d46ae14e45a50e105e2d34f850ffa96c ContagiousDrop application (app.js)\r\nSource: https://www.sentinelone.com/labs/contagious-interview-threat-actors-scout-cyber-intel-platforms-reveal-plans-and-ops/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MITRE"
	],
	"references": [
		"https://www.sentinelone.com/labs/contagious-interview-threat-actors-scout-cyber-intel-platforms-reveal-plans-and-ops/"
	],
	"report_names": [
		"contagious-interview-threat-actors-scout-cyber-intel-platforms-reveal-plans-and-ops"
	],
	"threat_actors": [
		{
			"id": "6f30fd35-b1c9-43c4-9137-2f61cd5f031e",
			"created_at": "2025-08-07T02:03:25.082908Z",
			"updated_at": "2026-04-10T02:00:03.744649Z",
			"deleted_at": null,
			"main_name": "NICKEL FOXCROFT",
			"aliases": [
				"APT37 ",
				"ATK4 ",
				"Group 123 ",
				"InkySquid ",
				"Moldy Pisces ",
				"Operation Daybreak ",
				"Operaton Erebus ",
				"RICOCHET CHOLLIMA ",
				"Reaper ",
				"ScarCruft ",
				"TA-RedAnt ",
				"Venus 121 "
			],
			"source_name": "Secureworks:NICKEL FOXCROFT",
			"tools": [
				"Bluelight",
				"Chinotto",
				"GOLDBACKDOOR",
				"KevDroid",
				"KoSpy",
				"PoorWeb",
				"ROKRAT",
				"final1stpy"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bbe36874-34b7-4bfb-b38b-84a00b07042e",
			"created_at": "2022-10-25T15:50:23.375277Z",
			"updated_at": "2026-04-10T02:00:05.327922Z",
			"deleted_at": null,
			"main_name": "APT37",
			"aliases": [
				"APT37",
				"InkySquid",
				"ScarCruft",
				"Group123",
				"TEMP.Reaper",
				"Ricochet Chollima"
			],
			"source_name": "MITRE:APT37",
			"tools": [
				"BLUELIGHT",
				"CORALDECK",
				"KARAE",
				"SLOWDRIFT",
				"ROKRAT",
				"SHUTTERSPEED",
				"POORAIM",
				"HAPPYWORK",
				"Final1stspy",
				"Cobalt Strike",
				"NavRAT",
				"DOGCALL",
				"WINERACK"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "552ff939-52c3-421b-b6c9-749cbc21a794",
			"created_at": "2023-01-06T13:46:38.742547Z",
			"updated_at": "2026-04-10T02:00:03.08515Z",
			"deleted_at": null,
			"main_name": "APT37",
			"aliases": [
				"Operation Daybreak",
				"Red Eyes",
				"ScarCruft",
				"G0067",
				"Group123",
				"Reaper Group",
				"Ricochet Chollima",
				"ATK4",
				"APT 37",
				"Operation Erebus",
				"Moldy Pisces",
				"APT-C-28",
				"Group 123",
				"InkySquid",
				"Venus 121"
			],
			"source_name": "MISPGALAXY:APT37",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4fc99d9b-9b66-4516-b0db-520fbef049ed",
			"created_at": "2025-10-29T02:00:51.949631Z",
			"updated_at": "2026-04-10T02:00:05.346203Z",
			"deleted_at": null,
			"main_name": "Contagious Interview",
			"aliases": [
				"Contagious Interview",
				"DeceptiveDevelopment",
				"Gwisin Gang",
				"Tenacious Pungsan",
				"DEV#POPPER",
				"PurpleBravo",
				"TAG-121"
			],
			"source_name": "MITRE:Contagious Interview",
			"tools": [
				"InvisibleFerret",
				"BeaverTail",
				"XORIndex Loader",
				"HexEval Loader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "9b02c527-5077-489e-9a80-5d88947fddab",
			"created_at": "2022-10-25T16:07:24.103499Z",
			"updated_at": "2026-04-10T02:00:04.867181Z",
			"deleted_at": null,
			"main_name": "Reaper",
			"aliases": [
				"APT 37",
				"ATK 4",
				"Cerium",
				"Crooked Pisces",
				"G0067",
				"Geumseong121",
				"Group 123",
				"ITG10",
				"InkySquid",
				"Moldy Pisces",
				"Opal Sleet",
				"Operation Are You Happy?",
				"Operation Battle Cruiser",
				"Operation Black Banner",
				"Operation Daybreak",
				"Operation Dragon messenger",
				"Operation Erebus",
				"Operation Evil New Year",
				"Operation Evil New Year 2018",
				"Operation Fractured Block",
				"Operation Fractured Statue",
				"Operation FreeMilk",
				"Operation Golden Bird",
				"Operation Golden Time",
				"Operation High Expert",
				"Operation Holiday Wiper",
				"Operation Korean Sword",
				"Operation North Korean Human Right",
				"Operation Onezero",
				"Operation Rocket Man",
				"Operation SHROUDED#SLEEP",
				"Operation STARK#MULE",
				"Operation STIFF#BIZON",
				"Operation Spy Cloud",
				"Operation Star Cruiser",
				"Operation ToyBox Story",
				"Osmium",
				"Red Eyes",
				"Ricochet Chollima",
				"Ruby Sleet",
				"ScarCruft",
				"TA-RedAnt",
				"TEMP.Reaper",
				"Venus 121"
			],
			"source_name": "ETDA:Reaper",
			"tools": [
				"Agentemis",
				"BLUELIGHT",
				"Backdoor.APT.POORAIM",
				"CARROTBALL",
				"CARROTBAT",
				"CORALDECK",
				"Cobalt Strike",
				"CobaltStrike",
				"DOGCALL",
				"Erebus",
				"Exploit.APT.RICECURRY",
				"Final1stSpy",
				"Freenki Loader",
				"GELCAPSULE",
				"GOLDBACKDOOR",
				"GreezeBackdoor",
				"HAPPYWORK",
				"JinhoSpy",
				"KARAE",
				"KevDroid",
				"Konni",
				"MILKDROP",
				"N1stAgent",
				"NavRAT",
				"Nokki",
				"Oceansalt",
				"POORAIM",
				"PoohMilk",
				"PoohMilk Loader",
				"RICECURRY",
				"RUHAPPY",
				"RokRAT",
				"SHUTTERSPEED",
				"SLOWDRIFT",
				"SOUNDWAVE",
				"SYSCON",
				"Sanny",
				"ScarCruft",
				"StarCruft",
				"Syscon",
				"VeilShell",
				"WINERACK",
				"ZUMKONG",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434162,
	"ts_updated_at": 1775792286,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a0c1b9429df1b054c353a372bdc8e597acc288fd.pdf",
		"text": "https://archive.orkl.eu/a0c1b9429df1b054c353a372bdc8e597acc288fd.txt",
		"img": "https://archive.orkl.eu/a0c1b9429df1b054c353a372bdc8e597acc288fd.jpg"
	}
}