{
	"id": "e59d81eb-2291-445c-9bd9-5b9530a77d15",
	"created_at": "2026-04-06T00:16:28.001969Z",
	"updated_at": "2026-04-10T13:12:34.437563Z",
	"deleted_at": null,
	"sha1_hash": "b27b62b421a14d85d700bd9109e54ac7e79f6910",
	"title": "Hacking Employers and Seeking Employment: Two Job-Related Campaigns Bear Hallmarks of North Korean Threat Actors",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 9245272,
	"plain_text": "Hacking Employers and Seeking Employment: Two Job-Related\r\nCampaigns Bear Hallmarks of North Korean Threat Actors\r\nBy Unit 42\r\nPublished: 2023-11-21 · Archived: 2026-04-02 10:57:37 UTC\r\nExecutive Summary\r\nUnit 42 researchers recently discovered two separate campaigns targeting job-seeking activities linked to state-sponsored\r\nthreat actors associated with the Democratic People’s Republic of Korea (DPRK), commonly known as North Korea. We\r\ncall the first campaign “Contagious Interview,” where threat actors pose as employers (often anonymously or with vague\r\nidentities) to lure software developers into installing malware through the interview process. This malware creates the\r\npotential for various types of theft. We attribute with moderate confidence that Contagious Interview is run by a North Korea\r\nstate-sponsored threat actor.\r\nWe call the second campaign “Wagemole,” where threat actors seek unauthorized employment with organizations based in\r\nthe US and other parts of the world, with potential for both financial gain and espionage. We attribute with high confidence\r\nthat Wagemole is a North Korea state-sponsored threat. Activity from both campaigns remains an ongoing active threat.\r\nhttps://unit42.paloaltonetworks.com/two-campaigns-by-north-korea-bad-actors-target-job-hunters/\r\nPage 1 of 20\n\nWe nicknamed the first campaign Contagious Interview because the threat actor attempts to infect software developers with\r\nmalware through a fictitious job interview. We originally discovered Contagious Interview through customer telemetry, and\r\nour research indicates it started as early as December 2022. Some of the infrastructure supporting this campaign remains\r\nactive, and this activity remains a consistent threat. The first campaign's objective is likely cryptocurrency theft and using\r\ncompromised targets as a staging environment for additional attacks. 
We track Contagious Interview as CL-STA-0240.\r\nWhile pivoting on indicators from Contagious Interview, we discovered exposed files on a different threat actor-controlled\r\ninfrastructure. These files indicate fraudulent job-seeking activity targeting a wide variety of United States (US) companies.\r\nThis trove of information includes resumes with different technical skill sets and multiple identities impersonating\r\nindividuals from various nations. It also includes common job interview questions and answers, scripts for interviews and\r\ndownloaded job postings from US companies. We call this separate campaign \"Wagemole\" and track it as CL-STA-0241.\r\nWhile we cannot determine the objective of this campaign, the US Department of Justice and Federal Bureau of\r\nInvestigation (FBI) have reported that North Korea uses remote workers to funnel wages to its weapons programs.\r\nDuring our investigation of Contagious Interview, we discovered two new families of malware we named BeaverTail and\r\nInvisibleFerret. BeaverTail is JavaScript-based malware hidden inside Node Package Manager (NPM) packages.\r\nInvisibleFerret is a simple but powerful Python-based backdoor. Both are cross-platform malware that can run on Windows,\r\nLinux and macOS.\r\nThis article provides an overview of these two campaigns, and we examine the two new malware families, BeaverTail and\r\nInvisibleFerret.\r\nThis article also provides insight on how these threat actors are both seeking jobs and targeting job seekers to accomplish\r\ntheir goals. 
We provide recommendations for both job applicants and employers to consider when interviewing or applying\r\nfor remote jobs.\r\nFor example:\r\nDon’t use company-issued computers for personal activities.\r\nBe wary of GitHub accounts with few repositories or updates.\r\nConfirm the legitimacy of companies you’re applying for.\r\nThoroughly vet the identity of job applicants.\r\nPalo Alto Networks customers receive protection from the malware discussed in this article through our Next-Generation\r\nFirewall with Cloud-Delivered Security Services, including Advanced WildFire, DNS Security and Advanced URL\r\nFiltering.\r\nCL-STA-0240: Contagious Interview\r\nWhile investigating our telemetry, we discovered suspicious activity as early as March 2023 related to previously\r\nunidentified malware samples. Our investigation revealed two new malware families, and tactics used in this campaign align\r\nwith previously reported activity by North Korean threat actors, as noted in our Attribution section. We track this campaign\r\nas Contagious Interview or CL-STA-0240, and infrastructure for this campaign was established as early as December 2022.\r\nThrough advertisements on job search platforms, the threat actor behind CL-STA-0240 targets software developers by\r\nposing as a prospective employer. The advertisements we can tie to this campaign are often anonymous or purposefully\r\nvague, with no real indicator of the employer they represent. Based on some of the file names of malware associated with\r\nthis campaign, we believe this threat actor might also impersonate legitimate AI, cryptocurrency and NFT-related companies\r\nor recruitment agencies. Like other threat actors, this threat actor could also reach potential victims through email, social\r\nmedia platforms, or chat channels on community forums used by software developers.\r\nAfter establishing contact, the threat actor invites the victim to participate in an online interview. 
The threat actor likely uses\r\nvideo conferencing or other online collaboration tools for the interview.\r\nDuring the interview, the threat actor convinces the victim to download and install an NPM-based package hosted on\r\nGitHub. The threat actor likely presents the package to the victim as software to review or analyze, but it actually contains\r\nmalicious JavaScript designed to infect the victim’s host with backdoor malware.\r\nBelow, Figure 1 summarizes the chain of events for CL-STA-0240.\r\nFigure 1. Simplified chain of events for a CL-STA-0240 attack.\r\nTo better understand this chain of events, we should first understand how the threat actor abused GitHub for this campaign.\r\nGitHub Abuse for Contagious Interview\r\nDesigned as a collaborative space for software developers, GitHub is attractive to many developers because its basic service\r\noption is free. This also makes GitHub attractive to criminals. The threat actor behind Contagious Interview is one of many\r\ncriminals who have used GitHub’s free service plan to host innocent-looking repositories and use them as powerful tools for\r\ncompromise.\r\nThe threat actor behind Contagious Interview created different identities to host a number of GitHub repositories,\r\nestablishing an infrastructure to inspire trust by its intended victims. However, a closer examination reveals that these\r\nGitHub repositories are not as trustworthy as they might initially appear.\r\nThe free GitHub accounts used for Contagious Interview have only one repository that is not updated, while many legitimate\r\nsoftware developers host multiple repositories with several updates.\r\nFurther examination of suspicious repositories found during our investigation confirmed our initial assessment. 
A GitHub\r\nrepository’s Issues section often provides clues.\r\nBelow, Figure 2 shows comments in the Issues section of a repository used in Contagious Interview. The repository named\r\nreact-ecommerce was established under a GitHub user account named brainjobs35. This repository and account are no\r\nlonger active.\r\nFigure 2. User comments in the Issues section of a suspicious GitHub repository.\r\nGitHub’s Insights feature also provides clues. Below, Figure 3 shows GitHub users commenting through the Insights feature\r\nabout a malicious file named ServiceWorker.js related to the Contagious Interview campaign.\r\nFigure 3. Comments on GitHub Insights related to Contagious Interview.\r\nNPM, Open Source and Supply Chain Attacks\r\nSoftware developers increasingly rely on third-party packages and libraries to streamline their projects. These provide an\r\navenue for supply chain attacks. Among these packages, NPM is a central hub for countless projects using JavaScript, with\r\n17 million developers worldwide according to the NPM website.\r\nThe open-source nature of NPM helps malicious actors find ways to inject harmful code in legitimate NPM packages and\r\ndistribute these packages through GitHub. Once installed, these compromised NPM packages act as subtle backdoors,\r\ngranting threat actors unauthorized access into targeted networks. 
GitHub and Phylum have recently reported similar attacks.\r\nMalicious NPM packages help the threat actor elude most traditional detection techniques, because:\r\nMost static and dynamic analysis detection engines cannot execute an NPM package in a Node.js runtime\r\nenvironment because this is not a supported file type.\r\nCloning a repository and running Node.js code is a normal, allowed operation in most software development teams\r\nthat will not be considered suspicious.\r\nAs a result, malicious JavaScript files in these NPM packages have a low or zero detection rate when submitting to a service\r\nlike VirusTotal.\r\nFurthermore, NPM can be easily installed on multiple operating systems, allowing threat actors to maximize their attack\r\nsurface when distributing a malicious NPM package.\r\nThe Act of Compromise\r\nDuring the interview process, victims prepare their development environment. In the attacks we investigated, most\r\ndevelopers used Visual Studio Code with a set of plugins like Code Helper, along with Git and Node.js extensions. This\r\nincludes NPM.\r\nAfter these basic system requirements are met, the threat actor asks the victim to install the malicious NPM package posing\r\nas legitimate software on GitHub. This malicious NPM package contains JavaScript for newly discovered malware we have\r\nnamed BeaverTail.\r\nBeaverTail steals information, and it retrieves additional malware as its second-stage payload. This payload is a cross-platform backdoor we have named InvisibleFerret.\r\nThe next section provides analysis and insight into the loader, BeaverTail.\r\nBeaverTail Analysis\r\nDistributed as JavaScript inside NPM packages, BeaverTail serves two purposes.\r\nInformation stealer\r\nLoader\r\nAs an information stealer, BeaverTail targets cryptocurrency wallets and credit card information stored in the victim’s web\r\nbrowsers. 
As a loader, BeaverTail retrieves and runs the next stage of malware, InvisibleFerret.\r\nThe BeaverTail JavaScript file inside an NPM package is heavily obfuscated to evade detection. The threat actor might\r\nupload an entire malicious NPM package to GitHub or they might also inject BeaverTail code into other developers’\r\nlegitimate NPM projects. Figure 4 shows an example of this injected script.\r\nFigure 4. BeaverTail’s obfuscated JavaScript, injected into the NPM file of a legitimate developer’s project.\r\nIn addition to the heavily obfuscated code illustrated in Figure 4, BeaverTail also requires human interaction to execute\r\ndue to its dependency on the Node.js environment. These characteristics help the malware to evade detection.\r\nOnce the malicious NPM package is successfully installed on a Windows, Linux or macOS host, BeaverTail collects basic\r\nsystem information. This threat also searches the victim’s web browser for extensions associated with cryptocurrency\r\nwallets, like Binance and Coinbase. Table 1 shows the full list below.\r\nBrowser Extension ID | Browser Extension Name | Target Browser\r\nfhbohimaelbohpjbbldcngcnapndodjp | Binance Wallet | Chrome\r\naeachknmefphepccionboohckonoeemg | Coin98 Wallet | Chrome\r\nhnfanknocfeofbddgcijnmhnfnkdnaad | Coinbase Wallet | Chrome\r\nhifafgmccdpekplomjjkcfgodnhcellj | Crypto.com Wallet | Chrome\r\nnkbihfbeogaeaoehlefnkodbefgpgknn | Metamask Wallet | Chrome\r\nejbalbakoplchlghecdalmeeeajnimhm | MetaMask Wallet | Microsoft Edge\r\nbfnaelmomeimhlpmgjnjophhpkkoljpa | Phantom Wallet | Chrome\r\nfnjhmkhhmkbjkkabndcnnogagogbneec | Ronin Wallet | Chrome\r\nibnejdfjmmkpcnlpebklmnkoeoihofec | TRON Wallet | Chrome\r\nTable 1. 
Browser extensions for cryptocurrency wallets BeaverTail searches for.\r\nBeaverTail also checks for a Solana cryptocurrency wallet, searching for ~/.config/solana/id.json.\r\nWhile performing data exfiltration and loading InvisibleFerret, BeaverTail generates the following web traffic as described\r\nbelow in Table 2.\r\nURL Pattern | Description | Save Location\r\nhxxp://\u003cc2_server\u003e:1224/keys | HTTP POST request sends data collected by BeaverTail | Not applicable\r\nhxxp://\u003cc2_server\u003e:1224/uploads | HTTP POST request sends other collected information like Solana cryptocurrency wallet data | Not applicable\r\nhxxp://\u003cc2_server\u003e:1224/node/\u003cnode_js_runtime_environment_version\u003e | HTTP GET request for helper DLL files when decrypting credentials stored in Chrome, if needed | %USERPROFILE%\\store.node\r\nhxxp://\u003cc2_server\u003e:1224/pdown | HTTP GET request for Python executable and associated libraries | %TEMP%\\p.zi or %HOMEPATH%\\.pyp\\\r\nhxxp://\u003cc2_server\u003e:1224/client/\u003ccampaign_id\u003e | HTTP GET request for InvisibleFerret | %HOMEPATH%\\.npl or ~/.npl\r\nTable 2. Infection traffic generated by BeaverTail malware.\r\nAt this stage, the threat actor has been able to successfully drop a silent, simple and cross-platform backdoor on the victim\r\nmachine.\r\nInvisibleFerret: A Cross-Platform Python Backdoor\r\nInvisibleFerret is newly discovered malware retrieved and executed by BeaverTail NPM packages. 
Cross-platform malware\r\nwritten in Python, InvisibleFerret consists of various components with the following functions:\r\nFingerprinting\r\nRemote control\r\nKeylogging\r\nData exfiltration\r\nBrowser stealing capabilities\r\nDownloading the AnyDesk client if required for additional control\r\nFigure 5 presents a diagram that reveals the modular nature of InvisibleFerret, showing an initial script and two additional\r\ncomponents that perform different functions.\r\nFigure 5. Diagram revealing the initial script and two components of InvisibleFerret.\r\nInitial Script\r\nBeaverTail downloads the InvisibleFerret script using the URL structure from the final row in Table 2. An example of a URL\r\nto download InvisibleFerret follows:\r\nhxxp://\u003cc2_server\u003e:1224/client/\u003ccampaign_id\u003e\r\nThe initial script for InvisibleFerret is saved under the user’s home directory, named .npl and executed using Python. An\r\nexample of the command line to run this file on a Windows host is:\r\nC:\\Users\\$USER$\\.pyp\\python.exe C:\\Users\\$USER$\\.npl\r\nThe initial script for InvisibleFerret uses obfuscated data. An example is shown below in Figure 6.\r\nFigure 6. 
Example of Python script for InvisibleFerret.\r\nThe bottom section of Figure 6 shows a decoding routine that is consistent across all script files used for InvisibleFerret and\r\nits components:\r\nThe first eight characters of the temp string represent a key for decoding.\r\nThe remainder of the temp string is converted from Base64.\r\nThe result is processed through an XOR loop using the eight-character key.\r\nThis initial script installs the required Python modules using pip, and it also defines variables, establishing values to identify\r\nthe command and control (C2) server and port.\r\nThe main objective of the initial script is to retrieve and run two different components of InvisibleFerret. These components\r\nare downloaded and saved as shown in Table 3.\r\nRequest for Component | Save Location\r\nhxxp://\u003cc2_server\u003e:1224/payload/\u003ccampaign_id\u003e | Local file path .n2/pay\r\nhttp://\u003cc2_server\u003e:1224/bow/\u003ccampaign_id\u003e | Local file path .n2/bow\r\nTable 3. Infection traffic generated by BeaverTail malware.\r\nOf note, the second component is only downloaded when the operating system is not macOS.\r\nInvisibleFerret Components\r\nThe first component for InvisibleFerret collects system data to create a fingerprint, then sends this data to a C2 server. The\r\nfirst component collects:\r\nInternal IP address\r\nIP geolocation information\r\nSystem information including OS version, release, host and user information\r\nIt sends this information to the server in JSON format.\r\nThe second component for InvisibleFerret deploys remote control and information stealing capabilities. 
Once executed, it\r\nprepares the environment by installing the following Python packages, if they are not already present on the system:\r\npyWinhook: Python wrapper for out-of-context input hooks in Windows that provides callbacks for global mouse and\r\nkeyboard events.\r\npyperclip: Cross-platform Python module for copy and paste clipboard functions.\r\npsutil: Cross-platform Python library for process and system monitoring.\r\npywin32: Python for 32-bit Windows extensions.\r\nC2 Communications\r\nInvisibleFerret establishes a connection with the C2 server over TCP traffic and periodically checks in and waits for further\r\ninstructions. This traffic consists of JSON messages.\r\nThe infected host checks in using heartbeat messages with JSON content using code and args keys with a code value of 0 as\r\nillustrated below in Figure 7. This heartbeat message also contains a campaign identifier (sType) and the victim’s hostname\r\n(sHost).\r\nFigure 7. Diagram for a heartbeat C2 message.\r\nThe C2 server returns JSON data instructing the backdoor with the next actions to take. The JSON response contains the\r\nsame two main keys:\r\ncode: A value specifying an action or command\r\nargs: A string or JSON dictionaries with multiple key value pairs containing the required arguments for the specified\r\ncommand\r\nInvisibleFerret implements a total of eight commands described below in Table 4.\r\nCommand Description\r\nssh_cmd\r\nChecks if the args value is equal to delete and if so, closes the session. To notify the C2 server, it sends\r\nthe message string [close].\r\nssh_obj\r\nCommand execution. Extracts the command value from args['cmd'] and runs it. JSON results sent to the\r\nC2 server with code value 1 and args indicating the results.\r\nssh_clip\r\nSend contents of keylogger buffer and clipboard data. 
Reports to C2 server with JSON code value 3 and\r\nargs containing the collected data.\r\nssh_run\r\nDownloads and runs the browser stealer component. Reports to C2 server with JSON code value 4 and\r\nargs containing the file path for this component.\r\nssh_upload\r\nUpload data to a C2 server. Subcommands include:\r\nUpload all contents of a specific directory.\r\nUpload specific files.\r\nUpload files matching a given pattern looking recursively in a given folder.\r\nContents are uploaded to an actor-controlled FTP server, provided in the JSON response using the\r\nfollowing args:\r\nhn: FTP host.\r\nun: Username.\r\npw: Password.\r\nThe logic contains exclusion lists for specific files and folders as well as a list of paths that are\r\nspecifically uploaded when found. These paths show focus not only in documents (.xls, .doc, etc.) but\r\nalso in cryptocurrency-specific file paths (metamask, wallet, etc.).\r\nWhile uploading contents, the backdoor keeps sending requests with JSON data with code value 5 and\r\nargs value indicating the state of the upload.\r\nssh_kill\r\nKill Chrome and Brave browser processes. When done, send JSON with code value 6 and args value\r\nindicating these processes are terminated.\r\nssh_any\r\nDownload and run a malicious binary for AnyDesk. Before downloading AnyDesk, send JSON\r\ncontaining code value 7 and args value to indicate the victim’s OS.\r\nssh_env\r\nCollect content from specific folders (“Documents” and “Downloads” for Windows, /home and /Volumes for\r\nothers) and upload these files to the FTP server.\r\nTable 4. Commands for InvisibleFerret.\r\nWhen InvisibleFerret finishes its tasks, it reports the results to the C2 server. 
This report uses the same JSON code and args\r\nparameters with specific values outlined above in Table 4.\r\nKeylogger Functionality\r\nInvisibleFerret also starts a keylogger to continually collect keyboard, mouse and clipboard data in a buffer that can be\r\nrequested at any time from the C2 server using the command ssh_clip described above.\r\nBrowser Stealer Functionality\r\nBased on Python, InvisibleFerret targets popular web browsers on Windows, Linux and macOS to steal login credentials and\r\nother sensitive data. This functionality includes retrieving a browser’s login data, decrypting the information and stealing the\r\nvictim’s login credentials. InvisibleFerret can also retrieve credit card information used by the victim through a web\r\nbrowser.\r\nAfter collecting this information, InvisibleFerret sends the data to a C2 server using the JSON format with various keys\r\nrepresenting the content, as shown below in Figure 8.\r\nFigure 8. JSON format used for sending stolen browser data.\r\nFollow-Up Malware: AnyDesk\r\nWhen the ssh_any command is received, InvisibleFerret downloads an additional script using the following URL pattern:\r\nhttp://\u003cc2_server\u003e:1224/adc/\u003ccampaign_id\u003e\r\nThis script is stored on the C2 server with the following filename:\r\nany_\u003ccampaign_id\u003e.py\r\nInvisibleFerret stores the file on disk for execution under the following directory:\r\n.n2/adc\r\nThis file uses the same obfuscation seen in other scripts used for InvisibleFerret.\r\nThis script retrieves an AnyDesk binary from the C2 server if it is not already present on the victim’s host. This process\r\nupdates AnyDesk’s configuration and restarts the program if it was already running.\r\nWhile pivoting on infrastructure associated with this Contagious Interview campaign, we discovered files used for a separate\r\nactivity. 
We have nicknamed this separate campaign “Wagemole” and track it as CL-STA-0241.\r\nCL-STA-0241: Wagemole\r\nWhile pivoting on GitHub infrastructure associated with Contagious Interview (CL-STA-0240), we discovered files\r\naccidentally exposed on a GitHub repository on a different GitHub account. These files include:\r\nResumes with fake identities, impersonating individuals of various nationalities\r\nFrequently asked job interview questions and answers\r\nSelf-introduction scripts including personal information of the impersonated identity\r\nCopies of IT job opening posts from US companies\r\nA scanned copy of a stolen US Permanent Resident Card\r\nA list of unidentified account seller contacts\r\nTimestamps on the files indicate this campaign started as early as August 2022, and the timestamps run through early\r\nDecember 2022. While we have not noticed further updates for this batch of files, this activity remains an ongoing threat.\r\nThese files indicate another campaign applying for remote IT jobs using fake identities, which we are calling Wagemole.\r\nInformation from some of the documents indicates this threat actor is associated with North Korea. Resumes from these files\r\nindicate targets include a wide range of US companies and freelance job marketplaces. This activity is likely related to a\r\nrecent report that North Korea uses remote workers to funnel wages to its weapons programs.\r\nBelow, Figure 9 shows one of the resumes.\r\nFigure 9. Example of a resume from this infrastructure.\r\nEach fake resume has a different US phone number for personal contact, specifically using Voice over Internet Protocol\r\n(VoIP) numbers. Some resumes include links to a LinkedIn profile and links to GitHub content. 
Figure 10 shows a GitHub\r\nrepository one of the job seekers has maintained.\r\nFigure 10. GitHub repository maintained by one of the fraudulent job seekers.\r\nThese GitHub accounts appear well maintained and have a lengthy activity history. These accounts indicate frequent code\r\nupdates and socialization with other developers. As a result, these GitHub accounts are nearly indistinguishable from\r\nlegitimate accounts.\r\nA portion from one of the phone interview preparation scripts is shown below in Figure 11. This document indicates the\r\ntarget is a job that requires at least some on-site presence. As indicated in Figure 11, the job seeker claims to be based in the\r\nUS and tells the interviewer they are currently out of the country visiting family overseas due to COVID but can start\r\nworking remotely.\r\nFigure 11. Part of the interview preparation script.\r\nThese documents are not limited to remote IT jobs at US-based companies. Some of the documents indicate this threat actor\r\nalso seeks freelance jobs in multiple marketplaces, targeting a broader scale of global markets that include Africa.\r\nThese fraudulent job seekers have maintained multiple accounts for email, freelance websites, source code repositories and\r\njob agency platforms. As a tactic to win job bids and hide their true identity, these job seekers have also sought to purchase\r\nor borrow accounts with a high reputation in account seller marketplaces.\r\nFigure 12 shows a message on a freelance job platform from one of the job seekers used in this campaign. Figure 13 shows\r\nmessage activity with an underground marketplace seeking to purchase or rent high reputation accounts on freelance job\r\nplatforms.\r\nFigure 12. 
Actor seeking work on a freelance job platform.\r\nFigure 13. Messages from an underground market for freelance platform accounts.\r\nAmong the copies of US job postings hosted on this infrastructure, the largest portion is for IT and recruiting. Jobs for IT\r\nservices and solutions might provide the threat actor behind Wagemole additional opportunities for downstream supply\r\nchain attacks. Recruiting jobs could provide more personal identity materials such as job applicant IDs, resumes and other\r\npersonal data that attackers could further use in the Wagemole campaign.\r\nAttribution\r\nThe tactics, techniques and procedures (TTPs) observed in both Contagious Interview (CL-STA-0240) and Wagemole (CL-STA-0241) align with previous activity attributed to North Korea state-sponsored APTs. However, the confidence level of\r\nour attribution is different for the two campaigns.\r\nFor Wagemole activity, several of the documents we discovered contain information that more definitively points to North\r\nKorea. Many of the passwords associated with these documents were made through Korean language typed on a US\r\nkeyboard, and some passwords include words only used in North Korea. Furthermore, Korean keyboard language settings\r\nwere found on computers used by threat actors behind these campaigns.\r\nThese documents indicate similar activity as reported by numerous media outlets based on US government and FBI\r\nannouncements.\r\nFor these reasons, we assess with high confidence that Wagemole can be attributed to a North Korea-sponsored APT, which\r\nwe track as CL-STA-0241.\r\nContagious Interview also bears the hallmarks of a North Korean threat actor. For example, a North Korean group\r\npreviously posed as job recruiters for Meta using similar tactics to infect job seekers with malware. 
Operation Dream Job,\r\nrun by the North Korean APT Lazarus Group, reportedly used social media to trick victims into installing a trojanized VNC\r\napp as part of a fake job interview. North Korea-sponsored APT groups have often posed as job recruiters to infect potential\r\nvictims with backdoor malware.\r\nIn the course of our research into Contagious Interview, we also observed indicators that the developer of BeaverTail and\r\nInvisibleFerret corresponded or collaborated with other GitHub accounts, where we found direct association with\r\nWagemole. We track the threat actor behind Contagious Interview as CL-STA-0240, and attribute with moderate confidence\r\nthat this is also a North Korea state-sponsored threat actor.\r\nIn light of this analysis, we attribute with a moderate level of confidence that both campaigns trace to North Korea state-sponsored threat actors.\r\nConclusion\r\nUnit 42 researchers investigated suspicious activity from our telemetry and discovered these two campaigns, Contagious\r\nInterview and Wagemole, which we track as CL-STA-0240 and CL-STA-0241 respectively. In the process, we discovered\r\ntwo new malware families we have named BeaverTail and InvisibleFerret used in the Contagious Interview campaign.\r\nSoftware developers are often the weakest link for supply chain attacks, and fraudulent job offers are an ongoing concern, so\r\nwe expect continued activity from Contagious Interview. Furthermore, Wagemole represents an opportunity to embed\r\ninsiders in targeted companies. We will continue to monitor our telemetry for further activity from these and other\r\ncampaigns.\r\nRecommendations and Protections\r\nWhat is an effective strategy against these threats? 
For Contagious Interview and many other threats, software developers\r\nshould not use a company-issued computer for personal or non-work related activities like job interviews. Personal activity\r\non a company-issued computer can provide opportunities for threat actors to access a company's network through malware.\r\nDevelopers should also be suspicious of GitHub accounts containing a single repository with little or no updates. Threat\r\nactors frequently abuse free services like GitHub to distribute malware. Also, no one should install unknown files from\r\nunverified sources on their work or home computers.\r\nJob applicants should exercise due diligence to confirm the existence and legitimacy of companies offering job interviews,\r\nand also confirm that prospective interviewers actually work for the companies they claim to represent. It is also wise to be\r\ncautious of downloading and installing unusual types of communications software or of downloading software packages as a\r\nprerequisite for obtaining an interview.\r\nFor Wagemole, employers should thoroughly vet all job applicants. Fake identities are an increasing concern on job-related\r\nsocial media platforms, and threat actors can easily generate an alias for remote work. If in-person interviews are not an\r\noption, use teleconferencing to interview job applicants. Be aware of anyone who applies for an on-site job, states they are\r\ncurrently out of the area and then offers immediate availability for remote work. 
For remote-only roles, employers should be\r\nsuspicious of anything unusual about a job applicant during the hiring process.\r\nPalo Alto Networks customers receive protection from malware discussed in this article through products like Cortex XDR\r\nand our Next-Generation Firewall with Cloud-Delivered Security Services that include Advanced WildFire, Advanced\r\nThreat Prevention and Advanced URL Filtering.\r\nNext-Generation Firewall with the Advanced Threat Prevention security subscription, when configured according to best practices, can help block the malware's C2 traffic\r\nvia the following Threat Prevention signatures: 86817, 86818, 86819.\r\nIf you think you might have been compromised or have an urgent matter, contact the Unit 42 Incident Response team or call:\r\nNorth America Toll-Free: 866.486.4842 (866.4.UNIT42)\r\nEMEA: +31.20.299.3130\r\nAPAC: +65.6983.8730\r\nJapan: +81.50.1790.0200\r\nPalo Alto Networks has shared our findings with our fellow Cyber Threat Alliance (CTA) members. CTA members use this\r\nintelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors. 
Learn more\r\nabout the Cyber Threat Alliance.\r\nIndicators of Compromise\r\nSHA256 hashes for files associated with BeaverTail:\r\n09a508e99b905330a3ebb7682c0dd5712e8eaa01a154b45a861ca12b6af29f86\r\n0ce264819c7af1c485878ce795fd4727952157af7ffdea5f78bfd5b9d7806db1\r\n104926c2c937b4597ea3493bccb7683ae812ef3c62c93a8fb008cfd64e05df59\r\n1123fea9d3a52989ec34041f791045c216d19db69d71e62aa6b24a22d3278ef9\r\n121ca625f582add0527f888bb84b31920183e78c7476228091ff2199ec5d796b\r\n12c0f44a931b9d0d74a2892565363bedfa13bec8e48ff5cd2352dec968f407ee\r\n1b21556fc8ecb9f8169ba0482de857b1f8a5cb120b2f1ac7729febe76f1eea83\r\n1c905fa3a108f4c9bc0578882ce7af9682760b80af5232f130aa4f6463156b25\r\n1f9169492d18bffacebe951a22495d5dec81f35b0929da7783b5f094efef7b48\r\n2618a067e976f35f65aee95fecc9a8f52abea2fffd01e001f9865850435694cf\r\n40645f9052e03fed3a33a7e0f58bc2c263eeae02cbc855b9308511f5dc134797\r\n41a912d72ba9d5db95094be333f79b60cae943a2bd113e20cc171f86ebcb86cf\r\n4c465e6c8f43f7d13a1b887ff26d9a30f77cf65dd3b6f2e9f7fe36c8b6e83003\r\n4c605c6ef280b4ed5657fe97ba5b6106b10c4de02a40ae8c8907683129156efd\r\n592769457001374fac7a44379282ddf28c2219020c88150e32853f7517896c34\r\n61dff5cbad45b4fe0852ac95b96b62918742b9c90dd47c672cbe0d1dafccb6c5\r\n6465f7ddc9cf8ab6714cbbd49e1fd472e19818a0babbaf3764e96552e179c9af\r\n6b3fce8f2dad7e803418edd8dfc807b0252705c11ec77114498b01766102e849\r\n700a582408cbda7ee79723b3969b8d10d67871ea31bb17c8ca3c0d94b481aa8c\r\n709820850127201a17caab273e01bb36ce185b4c4f68cd1099110bb193c84c42\r\n72ebfe69c69d2dd173bb92013ab44d895a3367f91f09e3f8d18acab44e37b26d\r\n75f9f99295f86de85a8a2e4d73ed569bdb14a56a33d8240c72084f11752b207e\r\n785f65f1853a08b0e86db5638fbd76e8cad5fe1359655716166a76035261c0be\r\n7b718a46ae4de09ed4f2513df6e989afe1fbb1a0f59511a4689fac5e1745547d\r\n7f8bb754f84a06b3e3617dd1138f07a918d11717cc63acaef8eb5c6d10101377\r\n845d7978682fa19161281a35b62f4c447c477082a765d6fedb219877d0c90f31\r\n9867f99a66e64f6bce0cfca18b124194a683b8e4cb0ced44f7cb09386e1b528d\r\n9ae24a1912e4b0bab76ae97484b62ea22bdc27b7ea3e6472f18bf04ca66c87de\r\na2f8de3c5f5f6ecbf29c15afd43a7c13a5bf60023ecb371d39bcca6ceef1d2b7\r\nb5f151f0a4288e148fd10e19c78399f5b7bdff2ad66940fadd20d6eae4b7518b\r\nb833f40b2f3439f317cf95980b29bddd2245d2acc2d5c11e9690dd2fa4289585\r\nc8c11f9b308ea5983eebd8a414684021cc4cc1f67e7398ff967a18ae202fb457\r\nceb59dbaf58a8de02f9d5e9b497321db0a19b7db4affd5b8d1a7e40d62775f96\r\nd8f065d264b1112d6ee3cf34979289e89d9dcb30d2a3bd78cc797a81d3d56f56\r\ndb6e75987cabdbfc21d0fdcb1cdae9887c492cab2b2ff1e529601a34a2abfd99\r\nde42155e14a3c9c4d919316d6ba830229533de5063fcd110f53e2395ef3aa77a\r\ne2a940c7d19409e960427749519dc02293abe58a1bef78404a8390f818e40d08\r\nfc9bb03998a89524ce5a0f859feb45806983aa4feb5f4d436107198ca869ff6f\r\nff620bd560485c13a58a0de941bd3e52943036e6a05306e928f7c626998822fb\r\nSHA256 hashes for DLL files downloaded by BeaverTail:\r\nda6d9c837c7c2531f0dbb7ce92bfceba4a9979953b6d49ed0862551d4b465adc\r\n2d8a5b637a95de3b709780898b7c3957f93d72806e87302f50c40fe850471a44\r\nc5a73896dc628c23a0b6210f50019445e2b8bfc9770f4c81e1fed097f02dfade\r\nSHA256 hashes for files associated with InvisibleFerret:\r\n35434e903bc3be183fa07b9e99d49c0b0b3d8cf6cbd383518e9a9d753d25b672\r\n305de20b24e2662d47f06f16a5998ef933a5f8e92f9ecadf82129b484769bbac\r\n39e7f94684129efce4d070d89e27508709f95fa55d9721f7b5d52f8b66b95ceb\r\nab198c5a79cd9dedb271bd8a56ab568fbd91984f269f075d8b65173e749a8fde\r\n444f56157dfcf9fc2347911a00fe9f3e3cb7971dccf67e1359d2f99a35aed88e\r\n4f50051ae3cb57f10506c6d69d7c9739c90ef21bfb82b14da6f4b407b6febac0\r\n276863ee7b250419411b39c8539c31857752e54b53b072dffd0d3669f2914216\r\n617c62da1c228ec6d264f89e375e9a594a72a714a9701ed3268aa4742925112b\r\nc547b80e1026d562ac851be007792ae98ddc1f3f8776741a72035aca3f18d277\r\n03185038cad7126663550d2290a14a166494fdd7ab0978b98667d64bda6e27cc\r\n2d300410a3edb77b5f1f0ff2aa2d378425d984f15028c35dfad20fc750a6671a\r\n92aeea4c32013b935cd8550a082aff1014d0cd2c2b7d861b43a344de83b68129\r\nDomain and IPs associated with the Contagious Interview campaign:\r\nblocktestingto[.]com\r\n144.172.74[.]48\r\n144.172.79[.]23\r\n167.88.168[.]152\r\n167.88.168[.]24\r\n172.86.123[.]35\r\n45.61.129[.]255\r\n45.61.130[.]0\r\n45.61.160[.]14\r\n45.61.169[.]187\r\nUpdated Dec. 1, 2023, at 2:40 p.m. PT to expand product protections.\r\nUpdated Aug. 23, 2024, at 12:20 p.m. PT to correct numbering in Attribution section.\r\nUpdated Aug. 28, 2024, at 7:43 a.m. PT to correct number in Table 3.\r\nSource: https://unit42.paloaltonetworks.com/two-campaigns-by-north-korea-bad-actors-target-job-hunters/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia",
		"ETDA",
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/two-campaigns-by-north-korea-bad-actors-target-job-hunters/"
	],
	"report_names": [
		"two-campaigns-by-north-korea-bad-actors-target-job-hunters"
	],
	"threat_actors": [
		{
			"id": "32e2c6f9-a1f5-42bc-ac1d-5d9dc301cf0e",
			"created_at": "2025-08-07T02:03:25.078429Z",
			"updated_at": "2026-04-10T02:00:03.811418Z",
			"deleted_at": null,
			"main_name": "NICKEL ALLEY",
			"aliases": [
				"CL-STA-0240 ",
				"Purplebravo Recorded Future",
				"Storm-1877 ",
				"Tenacious Pungsan "
			],
			"source_name": "Secureworks:NICKEL ALLEY",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "7187a642-699d-44b2-9c69-498c80bce81f",
			"created_at": "2025-08-07T02:03:25.105688Z",
			"updated_at": "2026-04-10T02:00:03.78394Z",
			"deleted_at": null,
			"main_name": "NICKEL TAPESTRY",
			"aliases": [
				"CL-STA-0237 ",
				"CL-STA-0241 ",
				"DPRK IT Workers",
				"Famous Chollima ",
				"Jasper Sleet Microsoft",
				"Purpledelta Recorded Future",
				"Storm-0287 ",
				"UNC5267 ",
				"Wagemole "
			],
			"source_name": "Secureworks:NICKEL TAPESTRY",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "4fc99d9b-9b66-4516-b0db-520fbef049ed",
			"created_at": "2025-10-29T02:00:51.949631Z",
			"updated_at": "2026-04-10T02:00:05.346203Z",
			"deleted_at": null,
			"main_name": "Contagious Interview",
			"aliases": [
				"Contagious Interview",
				"DeceptiveDevelopment",
				"Gwisin Gang",
				"Tenacious Pungsan",
				"DEV#POPPER",
				"PurpleBravo",
				"TAG-121"
			],
			"source_name": "MITRE:Contagious Interview",
			"tools": [
				"InvisibleFerret",
				"BeaverTail",
				"XORIndex Loader",
				"HexEval Loader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d05e8567-9517-4bd8-a952-5e8d66f68923",
			"created_at": "2024-11-13T13:15:31.114471Z",
			"updated_at": "2026-04-10T02:00:03.761535Z",
			"deleted_at": null,
			"main_name": "WageMole",
			"aliases": [
				"Void Dokkaebi",
				"WaterPlum",
				"PurpleBravo",
				"Famous Chollima",
				"UNC5267",
				"Wagemole",
				"Nickel Tapestry",
				"Storm-1877"
			],
			"source_name": "MISPGALAXY:WageMole",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "ef59a0d9-c556-4448-8553-ed28f315d352",
			"created_at": "2025-06-29T02:01:57.047978Z",
			"updated_at": "2026-04-10T02:00:04.744218Z",
			"deleted_at": null,
			"main_name": "Operation Contagious Interview",
			"aliases": [
				"Jasper Sleet",
				"Nickel Tapestry",
				"Operation Contagious Interview",
				"PurpleBravo",
				"Storm-0287",
				"Tenacious Pungsan",
				"UNC5267",
				"Wagemole",
				"WaterPlum"
			],
			"source_name": "ETDA:Operation Contagious Interview",
			"tools": [
				"BeaverTail",
				"InvisibleFerret",
				"OtterCookie",
				"PylangGhost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434588,
	"ts_updated_at": 1775826754,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b27b62b421a14d85d700bd9109e54ac7e79f6910.pdf",
		"text": "https://archive.orkl.eu/b27b62b421a14d85d700bd9109e54ac7e79f6910.txt",
		"img": "https://archive.orkl.eu/b27b62b421a14d85d700bd9109e54ac7e79f6910.jpg"
	}
}
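The "Indicators of Compromise" block in the report text above (SHA256 hashes, one domain and a set of IPs, defanged with `[.]`) only becomes a protection once it is matched against hosts and logs. The script below is an added example written for this record; it is not code from Unit 42 or from the report. The hash subset and the network indicators are copied verbatim from the report, while the swept directory and the three log lines are constructed for illustration.

```python
"""IOC sweep for the Contagious Interview indicators in the Unit 42 report.

Added example, not code from Unit 42 or the report. SHA256 values and network
indicators are copied from the report; the swept directory and the log lines
are constructed (assumptions for illustration).
"""
import hashlib
import ipaddress
import os
import re
from pathlib import Path

# Subset of the SHA256 hashes listed in the report.
SHA256_IOCS = {
    "09a508e99b905330a3ebb7682c0dd5712e8eaa01a154b45a861ca12b6af29f86",  # BeaverTail
    "0ce264819c7af1c485878ce795fd4727952157af7ffdea5f78bfd5b9d7806db1",  # BeaverTail
    "da6d9c837c7c2531f0dbb7ce92bfceba4a9979953b6d49ed0862551d4b465adc",  # DLL fetched by BeaverTail
    "35434e903bc3be183fa07b9e99d49c0b0b3d8cf6cbd383518e9a9d753d25b672",  # InvisibleFerret
}

# Network indicators exactly as the report defangs them.
DEFANGED_NETWORK_IOCS = [
    "blocktestingto[.]com",
    "144.172.74[.]48", "144.172.79[.]23",
    "167.88.168[.]152", "167.88.168[.]24",
    "172.86.123[.]35",
    "45.61.129[.]255", "45.61.130[.]0", "45.61.160[.]14", "45.61.169[.]187",
]

# Constructed proxy/DNS log lines (not from the report) to run the scan against.
SAMPLE_LOG_LINES = [
    "2023-11-20T10:00:01Z proxy allow src=10.0.0.5 dst=45.61.129.255:1224 GET /client/",
    "2023-11-20T10:00:02Z dns query=api.blocktestingto.com client=10.0.0.5",
    "2023-11-20T10:00:03Z proxy allow src=10.0.0.6 dst=registry.npmjs.org:443 GET /",
]


def refang(indicator: str) -> str:
    """Undo the report's defanging ("[.]" for ".", "hxxp" for "http") and normalise case."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").strip().lower()


def split_network_iocs(defanged):
    """Refang a list of indicators and split it into (domains, ips) sets."""
    domains, ips = set(), set()
    for raw in defanged:
        value = refang(raw)
        try:
            ips.add(str(ipaddress.ip_address(value)))
        except ValueError:
            domains.add(value)
    return domains, ips


def sha256_of(path: Path) -> str:
    """Stream a file through SHA256 so large files need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def sweep_files(root, hashes=SHA256_IOCS):
    """Hash every regular file under root; return the paths whose digest is an IOC."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            if path.is_symlink() or not path.is_file():
                continue  # do not follow symlinks: they could point the scan elsewhere
            if sha256_of(path) in hashes:
                hits.append(str(path))
    return sorted(hits)


_TOKEN = re.compile(r"[a-z0-9.-]+")  # hostnames and IPv4 literals; input is lowercased first


def scan_log_lines(lines, defanged=DEFANGED_NETWORK_IOCS):
    """Return (line_number, token) pairs where a log line names an IOC host or IP.

    A domain IOC also matches its subdomains (api.blocktestingto.com), the usual
    hunting interpretation of a domain indicator.
    """
    domains, ips = split_network_iocs(defanged)
    hits = []
    for number, line in enumerate(lines, 1):
        for token in _TOKEN.findall(line.lower()):
            token = token.strip(".-")
            if token in ips or token in domains or any(token.endswith("." + d) for d in domains):
                hits.append((number, token))
    return hits


if __name__ == "__main__":
    for hit in scan_log_lines(SAMPLE_LOG_LINES):
        print("network IOC hit:", hit)
    for path in sweep_files(Path.cwd()):
        print("file IOC hit:", path)
```

Hash matching only finds the exact samples the report lists; a rebuilt BeaverTail package has a different digest, so the network indicators and the firewall signatures named in the report (86817, 86818, 86819) are the more durable detection, and the log scan treats a subdomain of `blocktestingto[.]com` as a hit for that reason.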