{
	"id": "82625259-cea2-40ed-b22e-dd8c765d3b2b",
	"created_at": "2026-04-06T01:30:24.306638Z",
	"updated_at": "2026-04-10T13:11:33.900164Z",
	"deleted_at": null,
	"sha1_hash": "a2f93627151b2f4861d95ccc169e793a69bf5114",
	"title": "Lazarus APT: Techniques for Hunting Contagious Interview | Validin",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2064772,
	"plain_text": "Lazarus APT: Techniques for Hunting Contagious Interview |\r\nValidin\r\nPublished: 2025-01-16 · Archived: 2026-04-06 01:13:50 UTC\r\nLazarus APT uses ClickFix social engineering to trick job seekers into executing\r\nmalicious code, and Validin helps find related infrastructure and mitigate the\r\nthreat.\r\nLazarus APT, a North Korean group, is using the ClickFix social engineering technique to trick job seekers into\r\ncopying and pasting malicious code onto their devices during fake video job interviews (\"Contagious Interview\").\r\nThis blog post shows how to expand and pivot from threat intelligence using Validin to detect likely-related\r\ninfrastructure and mitigate this threat.\r\nBackground\r\nOn December 28, 2024, a tweet by researcher @tayvano_ alerted the infosec community to a campaign using a\r\ntalent recruitment theme to spread malware via ClickFix social engineering. The campaign was attributed to\r\nLazarus APT due to similarities with Contagious Interview and domain registration patterns. This post describes\r\nhow the initial alert led to a hunt for Lazarus APT ClickFix techniques using Validin to pivot from the initial\r\nindicators to identify more domains registered for the campaign.\r\nLazarus APT and their Latest Campaign\r\nThe Lazarus Group is a North Korean umbrella of multiple threat actor groups (i.e. Bluenoroff, Andariel,\r\nKimsuky). Lazarus has been active since at least 2009 and is associated with the North Korean government’s\r\nReconnaissance General Bureau. They support the North Korean government through a combination of espionage,\r\nfinancial gain, and geopolitical disruption. Their financially motivated attacks usually target financial institutions,\r\ncryptocurrency firms, gambling platforms, and FinTech companies. 
Stolen funds from the APT’s operations are used to fund North Korea’s nuclear weapons and long-range missile programs.\r\nThe Contagious Interview Campaign\r\nOne of the latest tracked Lazarus campaigns is Contagious Interview, which started as early as December 2022 as described by PAN Unit 42, in which North Korean actors contact software developers through job search platforms. They pose as a prospective employer and invite the developers to participate in an online interview, during which the actors attempt to convince the victims to download and install backdoor malware (BeaverTail, InvisibleFerret, CivetQ, etc.).\r\nhttps://www.validin.com/blog/inoculating_contagious_interview_with_validin/\r\nPage 1 of 25\n\nFigure 1. Simplified Chain of Events for a Variation of the Contagious Interview Campaign\r\nOne of the most hyped social engineering techniques in the last quarter of 2024, abused first by Lumma Stealer operators, was ClickFix. The ClickFix technique uses dialogue boxes containing fake error or reCAPTCHA messages to trick people into copying, pasting, and running malicious content on their own computer.\r\nFigure 2. ClickFix style “verification steps” to execute PowerShell.\r\nLazarus APT’s Latest Campaign Encompassing ClickFix as part of Contagious Interview\r\nThe Lazarus group appears to have updated its social engineering tactics by incorporating ClickFix into its Contagious Interview campaign. This campaign targets job seekers with attractive pay ranges, often on platforms like LinkedIn, Telegram, and Discord. As reported first by the researcher @tayvano_, the initial contact often comes from a fake recruiter representing well-known companies, such as Kraken, MEXC, Gemini, and Meta, promoting attractive pay ranges on LinkedIn, Telegram, Discord, and other job posting sites. 
This approach entices victims to run malware on their devices.\r\nFigure 3. Sample Interaction with the Fake Recruiter\r\nAfter exchanging some information, the threat actor eventually drops a link to a fake Willo website (Willo is video interview screening software) to continue the hiring process by answering some questions as part of the candidate’s evaluation. Next, a long form of questions relevant to the role is presented to the candidate.\r\nFigure 4. Sample Job Description\r\nFigure 5. Sample Long Form Question\r\nThe last step is to record a video answer to the last question. Clicking the Request Camera Access button displays a pop-up that guides the victim on how to enable access (the ClickFix technique) by providing malicious code to be copied that installs malware on their device (payloads vary for Mac, Windows, and Linux devices).\r\nFigure 6. Requesting Access to Camera\r\nFigure 7. ClickFix Pop-up Displaying Malicious Code\r\nInfrastructure Hunting\r\nThe objective in this report is to identify further Lazarus infrastructure that is used to deliver its payloads to potential victims. Let’s create a project on Validin to collect our findings through the hunting process:\r\nFigure 8. Project Creation Menu\r\nFigure 9. Project Details Menu\r\nWe’ll populate it with our known indicators to be used as starting pivot points:\r\nFigure 10. Adding Indicators to Project Menu\r\nFigure 11. Adding First Indicators\r\nFigure 12. Confirmation of Indicators Insertion\r\nFigure 13. Final View of the Project with its Indicators\r\nNow let’s inspect the willointerview[.]com domain by clicking on it to see what we can extract from it to help us identify more domains serving ClickFix with this theme.\r\nFigure 14. Overview Information of the willointerview[.]com Domain\r\nFrom this screen (Reputation Tab), several pieces of information can be observed about this domain: for example, the Reputation Score and Factors (which flag this as associated with APT Lazarus), DNS records, FQDN, ETLD, Registration, etc. Each tab contains more detailed information. An important thing to notice is that each key/value field is a potential pivot point.\r\nOSINT: The OSINT sources/lists where the indicator was referenced.\r\nFigure 15. OSINT Tab\r\nResolutions: Domain resolutions associated with the domain indicator, i.e. NS (Name Server) and A (IPv4) resolutions. Here we can observe the IPv4 resolution, which is 23.254.244[.]74. Notice the information on the side panel, which also includes the estimated pivot count (a really useful feature to determine if this attribute is commonly observed).\r\nFigure 16. Resolutions Tab\r\nSubdomains: The subdomains for the domain indicator.\r\nFigure 17. Subdomain Tab\r\nDNS Records: The DNS records for the associated domain indicator. Shows information such as whether the domain has MX (Mail eXchange) or other records like SPF, as can be seen in the next figure (also a potential pivot point).\r\nFigure 18. DNS Records Tab\r\nHost Connections: Information regarding relationships between the investigated indicators, e.g. the following is the connection between Domain and IPv4.\r\nFigure 19. 
Host Connections Tab\r\nHost Responses: Information regarding HTTP Response Data.\r\nFigure 20. Host Responses Tab\r\nCT Stream: Certificate Transparency information such as certificate fingerprints, common names and timestamps.\r\nFigure 21. CT Stream Tab\r\nContinuing with the hunt, by selecting the Resolutions tab and clicking on the IPv4 23.254.244[.]74, we pivot to the IP hosting the domain.\r\nFigure 22. 23.254.244[.]73 Indicator Information\r\nAs we can see, this IP belongs to AS 54290 Hostwinds. Use of Hostwinds ASN dedicated servers is a common tactic in Lazarus campaigns. Let’s select Host Connections to see if there are any interesting and unique fingerprints.\r\nFigure 23. Host Connections Tab of the 23.254.244[.]73 Indicator\r\n1st Method of Identifying Further Infrastructure: HTML Feature Pivoting\r\nBy scrolling a bit down, we can see a really unique type of host-meta header, present in the legitimate website for Willo.\r\nFigure 24. Willo HOST-META Header as an Interesting Pivot\r\nBy clicking on it to pivot and selecting the Host Connections tab, we observe additional domains with similar naming conventions and IPv4 addresses that share this exact host-meta header (136 total). This great pivot was first identified and reported by @500mk500.\r\nFigure 25. Host Connections Tab of the HOST-META Header\r\nFrom there we can further filter the returned values to see only the domains.\r\nFigure 26. Type Filtering only for META-HOST\r\nFigure 27. 
META-HOST Results\r\nAs we can see, there are similar domain registration patterns (already flagged as Lazarus related) also containing other keywords, such as crypto, assess, willo, blockchain, interview, talent, hiring, etc. There are also domains hosted on the CloudFront CDN.\r\nIt is really important to notice here, as a general principle, that some pivots may contain false positives (e.g. in these results there are also legitimate domains of Willo that need to be filtered out from your project). Those are potentially related indicators, and further verification is needed before they can be considered an Indicator of Compromise. For example, this post from the researcher @banthisguy9349 suggests querying for this path on a suspected domain to confirm abuse: /video-questions/create/531fbaedf67046d6904478f15d3e7142\r\nFor example, for the following domain, www.vid.willoassess[.]com, the following page was displayed by combining it with the aforementioned URI, which confirmed it was part of the campaign:\r\nFigure 28. Screenshot of the URI hxxps[://]www.vid.willoassess[.]com/video-questions/create/531fbaedf67046d6904478f15d3e7142\r\nNext, we can manually select the domains of interest (excluding false positives as mentioned), and add them to our project.\r\nFigure 29. Adding the Domain Indicators to the Project Menu\r\nAnother really useful feature is the Timeline View, where we can observe the First \u0026 Last Seen timestamps of the domains containing this meta-host value. The following figure depicts the difference between Willo’s legitimate domain and the malicious domains. It can also be observed that the malicious domains generated activity beginning no later than mid-December 2024.\r\nFigure 30. 
Timeline View of the HOST-META Relationship with the Domains\r\nNext, we can return to the Table View and filter again for META-IP, to observe other hosting patterns.\r\nFigure 31. Type Filtering only for META-IP\r\nFigure 32. META-IP Results\r\nAdditional Autonomous Systems are represented, such as AS 30860, AS 27956, AS 16509, AS 47583, and AS 54290. Those can provide insights into hosting preferences for Lazarus, or possibly different threat actor clusters. We can view these statistics by clicking on Show Summary:\r\nFigure 33. Summary of ASNs\r\n2nd Method of Identifying Further Infrastructure: Bulk Search\r\nNow that we have seen other IPv4 addresses hosting such malicious domains, we would like to search those IPv4 addresses to see if they host other domains with similar naming conventions that bypassed the security community’s radar. We will manually select the IPv4 addresses of interest (excluding the Amazon ASN and ASNs with high estimated pivot counts, for resource efficiency), and add them to Bulk Search.\r\nFigure 34. Selection of IPv4 Addresses and Insertion to Bulk Search\r\nFigure 35. Adding indicators to Bulk Search\r\nFigure 36. Submitting the Indicators to Bulk Search for initial enrichment\r\nNow we will configure the Bulk Search. We want to see only A record associations (IPv4 to DNS), and since we know the timeline of the activity fairly well, we will only consider timestamps from December.\r\nFigure 37. Setting Options for Bulk Searching\r\nFigure 38. 
Bulk Search Results\r\nIn the results view we can see other domains associated with Lazarus (based on reputation) and some that also have the same naming convention, which could indicate potential association. Of course, verification is necessary. We conclude by adding the new findings from this search to our project.\r\n3rd Method of Identifying Further Infrastructure: Lookalike Domain Search\r\nAnother useful feature is the Lookalike Domain Search. From there we can use search terms, domain names or regex patterns to identify further domains of interest. From the batches of indicators collected with the previous two methods, we know some of the most common keywords Lazarus uses to register their domains for this campaign. Thus, we can combine them in multiple ways to identify further domains. Let’s take for example the following regex:\r\n/(assess|willo|wilo|talent|hiring|interview|blockchain|crypto|recruit|candidate|video)\\-?(assess|willo|wilo|talent|hiring|interview|blockchain|crypto|recruit|candidate|video)\\.(com|us|org|pro)/\r\nExplanation of the regex: some of the most relevant keywords regarding Willo, hiring and blockchain topics, joined with or without a dash to the same set of keywords, ending in a .com, .us, .org or .pro TLD (as commonly observed) - a good starting point.\r\nAlso, we refine the lookback to search only 40 days back, since we know the campaign started in December 2024, and select the FQDNs option to search at any depth.\r\nWe can observe that we have results related to Lazarus! We can also dig deeper and investigate other candidates. Consider the following regexes:\r\n/(willo|wilo|hiring|blockchain|crypto)\\-?(assess|talent|hiring|interview)\\.(com|us|org|pro)/ (better combined keywords)\r\n/app\\.(willo|wilo|hiring|blockchain|crypto)\\-?(assess|talent|hiring|interview)\\.[a-z]+/ (app subdomain + combined keywords + TLD agnostic)\r\n/(willo|wilo|hiring|blockchain|crypto)\\-?(video|candidate|talent|interview)\\.[a-z]+/ (willo \u0026 blockchain hiring themes + TLD agnostic)\r\n/(video|candidate|talent|interview)\\-?(willo|wilo|hiring|blockchain|crypto)\\.[a-z]+/ (reversed order willo \u0026 blockchain hiring themes + TLD agnostic)\r\nWe conclude by adding our newly identified indicators to our project.\r\nConclusion\r\nLazarus is a sophisticated group of threat actors, constantly refining their TTPs to achieve their objectives and support their country’s agenda. It is up to us, security researchers, to identify their behaviours and patterns and detect their infrastructure before it gets weaponized. In this blog we analyzed the new Lazarus campaign as part of Contagious Interview, utilizing the ClickFix social engineering technique. Through Validin’s Search, Bulk Search and Lookalike Domain Search, we identified Lazarus’ domain registration and hosting patterns. We shared further Indicators of Compromise along with the methodology on how to hunt malicious infrastructure.\r\nReady to level up your threat hunting, threat attribution, and incident response efforts? 
Validin’s premium individual and enterprise solutions offer powerful tools, affordable pricing, and unparalleled insights to help your team work smarter and faster.\r\nContact us today to explore enterprise options and see how Validin can empower your threat intelligence team.\r\nConnect with the author: Follow Efstratios on X.\r\nIndicators\r\nSource: https://www.validin.com/blog/inoculating_contagious_interview_with_validin/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.validin.com/blog/inoculating_contagious_interview_with_validin/"
	],
	"report_names": [
		"inoculating_contagious_interview_with_validin"
	],
	"threat_actors": [
		{
			"id": "838f6ced-12a4-4893-991a-36d231d96efd",
			"created_at": "2022-10-25T15:50:23.347455Z",
			"updated_at": "2026-04-10T02:00:05.295717Z",
			"deleted_at": null,
			"main_name": "Andariel",
			"aliases": [
				"Andariel",
				"Silent Chollima",
				"PLUTONIUM",
				"Onyx Sleet"
			],
			"source_name": "MITRE:Andariel",
			"tools": [
				"Rifdoor",
				"gh0st RAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "110e7160-a8cc-4a66-8550-f19f7d418117",
			"created_at": "2023-01-06T13:46:38.427592Z",
			"updated_at": "2026-04-10T02:00:02.969896Z",
			"deleted_at": null,
			"main_name": "Silent Chollima",
			"aliases": [
				"Onyx Sleet",
				"PLUTONIUM",
				"OperationTroy",
				"Guardian of Peace",
				"GOP",
				"WHOis Team",
				"Andariel",
				"Subgroup: Andariel"
			],
			"source_name": "MISPGALAXY:Silent Chollima",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "191d7f9a-8c3c-442a-9f13-debe259d4cc2",
			"created_at": "2022-10-25T15:50:23.280374Z",
			"updated_at": "2026-04-10T02:00:05.305572Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"Kimsuky",
				"Black Banshee",
				"Velvet Chollima",
				"Emerald Sleet",
				"THALLIUM",
				"APT43",
				"TA427",
				"Springtail"
			],
			"source_name": "MITRE:Kimsuky",
			"tools": [
				"Troll Stealer",
				"schtasks",
				"Amadey",
				"GoBear",
				"Brave Prince",
				"CSPY Downloader",
				"gh0st RAT",
				"AppleSeed",
				"Gomir",
				"NOKKI",
				"QuasarRAT",
				"Gold Dragon",
				"PsExec",
				"KGH_SPY",
				"Mimikatz",
				"BabyShark",
				"TRANSLATEXT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "4fc99d9b-9b66-4516-b0db-520fbef049ed",
			"created_at": "2025-10-29T02:00:51.949631Z",
			"updated_at": "2026-04-10T02:00:05.346203Z",
			"deleted_at": null,
			"main_name": "Contagious Interview",
			"aliases": [
				"Contagious Interview",
				"DeceptiveDevelopment",
				"Gwisin Gang",
				"Tenacious Pungsan",
				"DEV#POPPER",
				"PurpleBravo",
				"TAG-121"
			],
			"source_name": "MITRE:Contagious Interview",
			"tools": [
				"InvisibleFerret",
				"BeaverTail",
				"XORIndex Loader",
				"HexEval Loader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "bc6e3644-3249-44f3-a277-354b7966dd1b",
			"created_at": "2022-10-25T16:07:23.760559Z",
			"updated_at": "2026-04-10T02:00:04.741239Z",
			"deleted_at": null,
			"main_name": "Andariel",
			"aliases": [
				"APT 45",
				"Andariel",
				"G0138",
				"Jumpy Pisces",
				"Onyx Sleet",
				"Operation BLACKMINE",
				"Operation BLACKSHEEP/Phase 3.",
				"Operation Blacksmith",
				"Operation DESERTWOLF/Phase 3",
				"Operation GHOSTRAT",
				"Operation GoldenAxe",
				"Operation INITROY/Phase 1",
				"Operation INITROY/Phase 2",
				"Operation Mayday",
				"Operation VANXATM",
				"Operation XEDA",
				"Plutonium",
				"Silent Chollima",
				"Stonefly"
			],
			"source_name": "ETDA:Andariel",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "760f2827-1718-4eed-8234-4027c1346145",
			"created_at": "2023-01-06T13:46:38.670947Z",
			"updated_at": "2026-04-10T02:00:03.062424Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"G0086",
				"Emerald Sleet",
				"THALLIUM",
				"Springtail",
				"Sparkling Pisces",
				"Thallium",
				"Operation Stolen Pencil",
				"APT43",
				"Velvet Chollima",
				"Black Banshee"
			],
			"source_name": "MISPGALAXY:Kimsuky",
			"tools": [
				"xrat",
				"QUASARRAT",
				"RDP Wrapper",
				"TightVNC",
				"BabyShark",
				"RevClient"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c8bf82a7-6887-4d46-ad70-4498b67d4c1d",
			"created_at": "2025-08-07T02:03:25.101147Z",
			"updated_at": "2026-04-10T02:00:03.846812Z",
			"deleted_at": null,
			"main_name": "NICKEL KIMBALL",
			"aliases": [
				"APT43 ",
				"ARCHIPELAGO ",
				"Black Banshee ",
				"Crooked Pisces ",
				"Emerald Sleet ",
				"ITG16 ",
				"Kimsuky ",
				"Larva-24005 ",
				"Opal Sleet ",
				"Ruby Sleet ",
				"SharpTongue ",
				"Sparking Pisces ",
				"Springtail ",
				"TA406 ",
				"TA427 ",
				"THALLIUM ",
				"UAT-5394 ",
				"Velvet Chollima "
			],
			"source_name": "Secureworks:NICKEL KIMBALL",
			"tools": [
				"BabyShark",
				"FastFire",
				"FastSpy",
				"FireViewer",
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "771d9263-076e-4b6e-bd58-92b6555eb739",
			"created_at": "2025-08-07T02:03:25.092436Z",
			"updated_at": "2026-04-10T02:00:03.758541Z",
			"deleted_at": null,
			"main_name": "NICKEL HYATT",
			"aliases": [
				"APT45 ",
				"Andariel",
				"Dark Seoul",
				"Jumpy Pisces ",
				"Onyx Sleet ",
				"RIFLE Campaign",
				"Silent Chollima ",
				"Stonefly ",
				"UN614 "
			],
			"source_name": "Secureworks:NICKEL HYATT",
			"tools": [
				"ActiveX 0-day",
				"DTrack",
				"HazyLoad",
				"HotCriossant",
				"Rifle",
				"UnitBot",
				"Valefor"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f426f0a0-faef-4c0e-bcf8-88974116c9d0",
			"created_at": "2022-10-25T15:50:23.240383Z",
			"updated_at": "2026-04-10T02:00:05.299433Z",
			"deleted_at": null,
			"main_name": "APT38",
			"aliases": [
				"APT38",
				"NICKEL GLADSTONE",
				"BeagleBoyz",
				"Bluenoroff",
				"Stardust Chollima",
				"Sapphire Sleet",
				"COPERNICIUM"
			],
			"source_name": "MITRE:APT38",
			"tools": [
				"ECCENTRICBANDWAGON",
				"HOPLIGHT",
				"Mimikatz",
				"KillDisk",
				"DarkComet"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "1bdb91cf-f1a6-4bed-8cfa-c7ea1b635ebd",
			"created_at": "2022-10-25T16:07:23.766784Z",
			"updated_at": "2026-04-10T02:00:04.7432Z",
			"deleted_at": null,
			"main_name": "Bluenoroff",
			"aliases": [
				"APT 38",
				"ATK 117",
				"Alluring Pisces",
				"Black Alicanto",
				"Bluenoroff",
				"CTG-6459",
				"Copernicium",
				"G0082",
				"Nickel Gladstone",
				"Sapphire Sleet",
				"Selective Pisces",
				"Stardust Chollima",
				"T-APT-15",
				"TA444",
				"TAG-71",
				"TEMP.Hermit"
			],
			"source_name": "ETDA:Bluenoroff",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "71a1e16c-3ba6-4193-be62-be53527817bc",
			"created_at": "2022-10-25T16:07:23.753455Z",
			"updated_at": "2026-04-10T02:00:04.73769Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"APT 43",
				"Black Banshee",
				"Emerald Sleet",
				"G0086",
				"G0094",
				"ITG16",
				"KTA082",
				"Kimsuky",
				"Larva-24005",
				"Larva-25004",
				"Operation Baby Coin",
				"Operation Covert Stalker",
				"Operation DEEP#DRIVE",
				"Operation DEEP#GOSU",
				"Operation Kabar Cobra",
				"Operation Mystery Baby",
				"Operation Red Salt",
				"Operation Smoke Screen",
				"Operation Stealth Power",
				"Operation Stolen Pencil",
				"SharpTongue",
				"Sparkling Pisces",
				"Springtail",
				"TA406",
				"TA427",
				"Thallium",
				"UAT-5394",
				"Velvet Chollima"
			],
			"source_name": "ETDA:Kimsuky",
			"tools": [
				"AngryRebel",
				"AppleSeed",
				"BITTERSWEET",
				"BabyShark",
				"BoBoStealer",
				"CSPY Downloader",
				"Farfli",
				"FlowerPower",
				"Gh0st RAT",
				"Ghost RAT",
				"Gold Dragon",
				"GoldDragon",
				"GoldStamp",
				"JamBog",
				"KGH Spyware Suite",
				"KGH_SPY",
				"KPortScan",
				"KimJongRAT",
				"Kimsuky",
				"LATEOP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Lovexxx",
				"MailPassView",
				"Mechanical",
				"Mimikatz",
				"MoonPeak",
				"Moudour",
				"MyDogs",
				"Mydoor",
				"Network Password Recovery",
				"PCRat",
				"ProcDump",
				"PsExec",
				"ReconShark",
				"Remote Desktop PassView",
				"SHARPEXT",
				"SWEETDROP",
				"SmallTiger",
				"SniffPass",
				"TODDLERSHARK",
				"TRANSLATEXT",
				"Troll Stealer",
				"TrollAgent",
				"VENOMBITE",
				"WebBrowserPassView",
				"xRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775439024,
	"ts_updated_at": 1775826693,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a2f93627151b2f4861d95ccc169e793a69bf5114.pdf",
		"text": "https://archive.orkl.eu/a2f93627151b2f4861d95ccc169e793a69bf5114.txt",
		"img": "https://archive.orkl.eu/a2f93627151b2f4861d95ccc169e793a69bf5114.jpg"
	}
}