{
	"id": "20f1062f-569d-427c-a115-d6a1aa41043d",
	"created_at": "2026-04-06T00:11:54.275782Z",
	"updated_at": "2026-04-10T03:35:14.250901Z",
	"deleted_at": null,
	"sha1_hash": "d766b52e3d43a1267c5f0d446fff71bfabdf157b",
	"title": "The Job Offer That Wasn’t: How We Stopped an Espionage Plot - SecurityScorecard",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 207215,
	"plain_text": "The Job Offer That Wasn’t: How We Stopped an Espionage Plot -\r\nSecurityScorecard\r\nArchived: 2026-04-05 22:22:24 UTC\r\nDiscover how SecurityScorecard thwarted a sophisticated cyber-espionage plot disguised as a job offer. Learn\r\nabout the 'Contagious Interview' campaign, the tactics used by the Famous Chollima group, and essential\r\nstrategies to protect your organization from targeted attacks. Don't let your next career move become a trap—stay\r\ninformed and secure!\r\nIn cybersecurity, transparency matters—because none of us are immune. Increasingly, we’re seeing threat actors\r\nhome in on specific organizations. When we detected the recent “Contagious Interview” campaign targeting one\r\nof our own, our team acted fast to stop it in its tracks. We’re sharing this story so others can see how easily these\r\nattacks unfold—and how quickly they need to be stopped to protect the community.\r\nWhat if your next career move could be a trap? Imagine a job offer that seems perfect—right fit, right timing, and\r\nfrom a company you admire. But hidden behind that offer is a nation-state actor, ready to pull you into a cyber-espionage nightmare. That’s exactly what nearly happened to a SecurityScorecard developer in the “Contagious\r\nInterview” campaign. \r\nSecurityScorecard is exposing a sophisticated phishing operation led by one of the world’s most dangerous threat\r\ngroups: Famous Chollima. While they appeared to target intellectual property, their real aim may have been even\r\nbigger—stealing cryptocurrency. And they came alarmingly close to succeeding. \r\nThese attackers slip in unnoticed. They breach your systems. Before you even realize it, your data is gone and\r\nyour assets are drained. It’s not just money at stake—your business grinds to a halt, data is lost, and trust is\r\nshattered. 
It’s the panic of knowing your systems are compromised, and everything is on the line.\r\nLet’s walk through the intricate details of this incident, dissect the threat, and, more importantly, learn how to\r\nprotect what matters most—your data, your people, and your business.\r\nLooking for a detailed technical breakdown? Read the full analysis here\r\nThe “Contagious Interview” Campaign: What You Need to Know\r\nThe “Contagious Interview” campaign was a precision strike aimed at developers, engineers, and IT professionals,\r\nespecially those working at tech startups. These attackers don’t cast a wide net; they pick their targets carefully.\r\nhttps://securityscorecard.com/blog/the-job-offer-that-wasnt-how-we-stopped-an-espionage-plot/\r\nPage 1 of 5\n\nBefore making a move, they do their homework. They scour your social media, gathering every detail about you\r\n—your skills, connections, career goals—all to craft the perfect lure.\r\nIn this case, it all began with a LinkedIn message. On the surface, everything looked legitimate. A recruiter,\r\noffering what seemed like a dream opportunity: a role in a blockchain project. For a developer interested in crypto,\r\nit was the kind of offer that’s hard to pass up. What the developer didn’t know was that the recruiter’s profile had\r\nbeen compromised by attackers.\r\nThe developer was specifically targeted based on public LinkedIn data and their involvement in a crypto-related\r\nTelegram group. The attackers knew exactly who they were dealing with—what the developer did, what they were\r\ninterested in, and how to bait the hook just right. \r\nHow the Attack Unfolded: An Engineer’s Worst Nightmare\r\nInitial Contact via LinkedIn:\r\nA message popped up. A well-known tech company was scouting blockchain experts. The offer was enticing—too\r\ngood to pass up. 
To move forward, the recruiter provided a link to a coding assessment, describing it as part of the technical interview\r\nprocess.\r\nThe developer, eager to advance their career in the crypto space, saw this as an opportunity too good to miss. So,\r\nthey clicked.\r\nThe Trap:\r\nThe coding test looked innocent enough—just a code review hosted on Bitbucket. But the Bitbucket account was\r\ncontrolled by the attackers. Hidden in the code was BeaverTail, a Remote Access Trojan (RAT) linked to Famous\r\nChollima. So when the developer cloned the code to their GitHub account from their corporate device—a serious\r\nbreach of company policy—the malware silently deployed.\r\nBeaverTail went to work immediately, attempting to download a second-stage payload, InvisibleFerret. This second-stage malware would have given the attackers deep access to the developer’s corporate device. But the company’s\r\ndefenses stepped in. The security team acted fast, stopping the malware before it could deliver the full blow.\r\nThreat Actor Attribution: Famous Chollima\r\nFamous Chollima is a cyber-espionage group tied to North Korea, and its operations help fund the regime. North Korea’s hackers target\r\ncryptocurrency to evade international sanctions, funneling billions into the country’s nuclear weapons program.\r\nBy infiltrating tech companies and financial platforms through spear-phishing and custom malware, they\r\ntransform stolen digital assets into untraceable funds, strengthening one of the world’s most isolated and\r\ndangerous regimes. Each attack is a direct investment in global instability, with every stolen coin fueling a\r\ngrowing threat.\r\nIn this campaign, Famous Chollima once again proved their skill at exploiting public data sources like LinkedIn\r\nand Telegram. 
By gathering detailed information about their target, they crafted communications so personalized\r\nand convincing that even a seasoned professional fell for the bait.\r\nSTRIKE Team: Swift, Decisive, and Effective\r\nAs the attack unfolded, SecurityScorecard’s STRIKE Team noticed unusual activity on the developer’s device.\r\nThe STRIKE Team didn’t hesitate—they moved fast, isolating the threat before it could dig deeper into the\r\nnetwork. \r\nThe STRIKE Team approached the attack with training and expertise. Every move was calculated,\r\ndrawing on years of experience and a deep understanding of how these threats unfold. The attackers, making their\r\nown moves, tried to spread malware, disrupt the network, and capture valuable data. \r\nBut the team anticipated their every step.\r\nThey secured systems, cut off infiltration points, and blocked the paths the attackers could take. Each action was\r\ndeliberate, countering the enemy’s strategy with precision and skill. \r\nThe attackers sought chaos, but the STRIKE Team responded with control.\r\nIn the final move, the team isolated the malware before it could spread, shutting down the attackers’ game entirely.\r\nWhat could have been a disaster was neutralized almost as soon as it began—the attackers never stood a chance.\r\nWhile not every detail of the incident response playbook can be disclosed, the core principles remain: isolate,\r\ncontain, and neutralize. In this case, the success of the response lay in the speed, coordination, and preparation of\r\nthe team.\r\nIn this case—and as part of our ongoing commitment to transparency in the Infosec community—the SSC\r\nSTRIKE Team shares critical intelligence with the FBI to disrupt threat actors’ operations. 
This approach reflects\r\nour broader strategy to partner regularly with law enforcement, strengthening defense efforts across the board.\r\nTo prevent a breach like this from happening, security teams must reinforce every link in the chain—from\r\nemployee training to system safeguards. Flexibility in defense strategies and anticipating the attackers’ next move\r\nare critical when dealing with threat actors as skilled as Famous Chollima. \r\nWhether you’re building your team’s capabilities through internal training or calling in expert help, your defenses\r\nneed to be ready for anything.\r\nUnderstanding the Malware: BeaverTail and InvisibleFerret\r\nBeaverTail Malware:\r\nBeaverTail is a lightweight Remote Access Trojan (RAT) designed to give attackers full control over a\r\ncompromised machine. Once it’s running, it can log keystrokes, capture screenshots, and steal stored credentials.\r\nIn this case, BeaverTail was delivered through trojanized NodeJS code, cleverly hidden within what seemed to be\r\na legitimate coding challenge. Its role was to silently execute and lay the groundwork for further infiltration.\r\nInvisibleFerret Malware:\r\nInvisibleFerret is a more advanced second-stage payload that Famous Chollima often uses in attacks like these. If\r\nsuccessfully installed, it provides long-term persistence, making it much harder to detect and remove. It’s also\r\nequipped for lateral movement, allowing the attackers to spread through the network and escalate the breach. In\r\nthis incident, InvisibleFerret was blocked before it could fully deploy, but had it succeeded, the damage could\r\nhave been far worse.\r\nOur defenses stopped this threat, and we’re sharing our lessons to help you stay safe. Cyber threats are relentless,\r\nbut you don’t have to face them alone. 
When the stakes are high, SecurityScorecard’s STRIKE Team is ready to\r\nprotect your business—because every second counts.\r\nLessons Learned and Best Practices: How to Protect Against These Attacks\r\n1. Limit Public Information Sharing:\r\nDevelopers and other high-value employees need to be careful about what they share online. Attackers\r\noften piece together profiles from LinkedIn and similar platforms to customize their phishing attacks.\r\nLimiting publicly available information can reduce your exposure to targeted campaigns.\r\n2. Security Awareness Training:\r\nCompanies should continually refresh their security awareness programs to include phishing and job-based\r\nsocial engineering scenarios. Employees need to be taught how to spot and verify unsolicited job offers or\r\ninterview requests, especially when these involve unfamiliar downloads or links.\r\n3. Customized Endpoint Security:\r\nEDR tools are effective, but they must be tuned to detect real threats in your specific environment. Alerts\r\nshould not be dismissed as routine without proper investigation. Visibility into endpoint traffic and forensic\r\ncapabilities are critical for understanding the attacker’s tactics and stopping them before they can escalate.\r\n4. Corporate Device Policies:\r\nStrict policies regarding corporate device usage are essential. Personal activities should never be conducted\r\non company devices, especially when interacting with unknown or untrusted contacts online. Using non-approved software on corporate systems opens the door to potential security risks.\r\n5. Credential Management:\r\nEnforce the use of multi-factor authentication (MFA) and apply strict credential management policies.\r\nCredentials should be rotated regularly, particularly for employees working on sensitive projects or\r\naccessing cloud services. 
This adds a layer of defense against potential breaches.\r\nFinal Thoughts\r\nThe “Contagious Interview” campaign is a reminder that even the smallest click can open the door to a major\r\nbreach. It’s like being handed a red pill from The Matrix—once you’re in, there’s no turning back. This attack\r\nwasn’t just a one-off event; it shows how attackers exploit trust and ambition to slip into the most secure\r\nenvironments.\r\nFor businesses, it’s time to adopt a zero-trust mindset. Verify everything—every device, every user—before it’s\r\ntoo late. The real takeaway? Stay a step ahead. Train your people, lock down your systems, and don’t rely on hope\r\nto defend your network.\r\nWant to ensure your organization stays safe and ahead of threats? Don’t leave security to chance. Contact the\r\nexperts at SecurityScorecard today and together we’ll keep your company secure.\r\nGood luck and stay vigilant!\r\nSteve Cobb\r\nSource: https://securityscorecard.com/blog/the-job-offer-that-wasnt-how-we-stopped-an-espionage-plot/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://securityscorecard.com/blog/the-job-offer-that-wasnt-how-we-stopped-an-espionage-plot/"
	],
	"report_names": [
		"the-job-offer-that-wasnt-how-we-stopped-an-espionage-plot"
	],
	"threat_actors": [
		{
			"id": "7187a642-699d-44b2-9c69-498c80bce81f",
			"created_at": "2025-08-07T02:03:25.105688Z",
			"updated_at": "2026-04-10T02:00:03.78394Z",
			"deleted_at": null,
			"main_name": "NICKEL TAPESTRY",
			"aliases": [
				"CL-STA-0237 ",
				"CL-STA-0241 ",
				"DPRK IT Workers",
				"Famous Chollima ",
				"Jasper Sleet Microsoft",
				"Purpledelta Recorded Future",
				"Storm-0287 ",
				"UNC5267 ",
				"Wagemole "
			],
			"source_name": "Secureworks:NICKEL TAPESTRY",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "4fc99d9b-9b66-4516-b0db-520fbef049ed",
			"created_at": "2025-10-29T02:00:51.949631Z",
			"updated_at": "2026-04-10T02:00:05.346203Z",
			"deleted_at": null,
			"main_name": "Contagious Interview",
			"aliases": [
				"Contagious Interview",
				"DeceptiveDevelopment",
				"Gwisin Gang",
				"Tenacious Pungsan",
				"DEV#POPPER",
				"PurpleBravo",
				"TAG-121"
			],
			"source_name": "MITRE:Contagious Interview",
			"tools": [
				"InvisibleFerret",
				"BeaverTail",
				"XORIndex Loader",
				"HexEval Loader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d05e8567-9517-4bd8-a952-5e8d66f68923",
			"created_at": "2024-11-13T13:15:31.114471Z",
			"updated_at": "2026-04-10T02:00:03.761535Z",
			"deleted_at": null,
			"main_name": "WageMole",
			"aliases": [
				"Void Dokkaebi",
				"WaterPlum",
				"PurpleBravo",
				"Famous Chollima",
				"UNC5267",
				"Wagemole",
				"Nickel Tapestry",
				"Storm-1877"
			],
			"source_name": "MISPGALAXY:WageMole",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434314,
	"ts_updated_at": 1775792114,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d766b52e3d43a1267c5f0d446fff71bfabdf157b.pdf",
		"text": "https://archive.orkl.eu/d766b52e3d43a1267c5f0d446fff71bfabdf157b.txt",
		"img": "https://archive.orkl.eu/d766b52e3d43a1267c5f0d446fff71bfabdf157b.jpg"
	}
}