{
	"id": "54ca6b6a-da7d-49f6-a6c6-cfdf571b3000",
	"created_at": "2026-04-06T00:15:57.951419Z",
	"updated_at": "2026-04-10T03:36:17.207765Z",
	"deleted_at": null,
	"sha1_hash": "fc53b5fac43299d7e26d75e68e099e033998c8ce",
	"title": "North Korean remote workers landing jobs in the West | ThreatLabz",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 920504,
	"plain_text": "North Korean remote workers landing jobs in the West |\r\nThreatLabz\r\nBy Seongsu Park\r\nPublished: 2024-11-04 · Archived: 2026-04-02 11:03:33 UTC\r\nTechnical Analysis\r\nContagious Interview campaign as initial attack vector\r\nThe initial infection method for the Contagious Interview campaign has been well-documented by the security\r\nindustry and remains largely unchanged, so it will not be covered in detail here. ThreatLabz has since observed\r\nnew Contagious Interview campaign attacks, where a threat actor posted a job opening for a full-stack developer\r\non part-time hiring platforms, like Freelancer. As part of the interview process, applicants were asked to solve a\r\ncoding problem on GitHub and submit their results. However, the GitHub repository, which is controlled by the\r\nattacker, contained malicious JavaScript code named “BeaverTail”. The figure below shows a fake job opportunity\r\nposted as part of the Contagious Interview attack.\r\nhttps://www.zscaler.com/blogs/security-research/pyongyang-your-payroll-rise-north-korean-remote-workers-west\r\nPage 1 of 10\n\nFigure 2: Fake job opening that delivers a malicious NPM package, thus initiating a Contagious Interview\r\ncampaign infection.\r\nThe threat actors aggressively contact potential victims through social media platforms, focusing on web,\r\ncryptocurrency, and AI developers. Additionally, the threat actors heavily rely on source code publishing platforms\r\nsuch as GitHub, GitLab, and BitBucket to host malicious files.\r\nBeaverTail and InvisibleFerret infection chain\r\nThe JavaScript executed by the initially delivered package, BeaverTail, has undergone minimal changes since its\r\ninitial discovery. 
For a long time, the threat actor used a malicious NPM package as an initial infection vector.\r\nHowever, while closely monitoring this campaign, we discovered they have adopted different file types to deliver\r\nthe payload, like macOS applications and Windows Installers disguised as chat applications, as shown in the figure\r\nbelow.\r\nFigure 3: BeaverTail and InvisibleFerret infection chain\r\nBeaverTail has adopted a new obfuscation technique to evade detection, utilizing a JavaScript obfuscator to mask\r\nits strings and functions. In some cases, additional malicious code is retrieved from attacker-controlled servers and\r\ndynamically executed by extracting the cookie property from the fetched JSON data and running it via the eval\r\nfunction. This highlights the effort the threat actor has put into further evading detection.\r\nThe Python script retrieved by BeaverTail can download additional Python scripts from the /payload and /bow\r\nURIs, including the main backdoor script and a script for stealing browser data. The main backdoor script,\r\nInvisibleFerret, has two components: sending basic system information and executing backdoor functionalities.\r\nThe threat actor uses InvisibleFerret to exfiltrate data from victims, as shown in the figure below.\r\nFigure 4: Contagious Interview campaign, which utilizes InvisibleFerret to exfiltrate data from a victim.\r\nUpon execution, the InvisibleFerret script starts keylogging in a separate thread. 
The keylogging thread checks for\r\nchanges in the active window, logs key presses, and captures clipboard content during copy and paste operations.\r\nAfter that, the threat actor usually delivers the ssh_clip (sends stored keylogging data to the C2 server)\r\nor ssh_env (sends predefined sensitive data to the FTP server) commands to collect basic information from the\r\nvictim and verify that the compromised host is valuable.\r\nThe threat actor may collect basic information about the victim using the aforementioned functionalities and begin\r\nto exfiltrate additional files if the victim is deemed a valuable target. For additional data collection, specific files\r\nare uploaded based on commands from the operators. The table below shows the commands supported by\r\nInvisibleFerret.\r\nCommands Description\r\nsdira Upload all files from a specified directory and its subdirectories.\r\nsdir Upload all files from a specified directory.\r\nsfile Upload a single file.\r\nsfinda Find and upload files matching a pattern in a directory and its subdirectories.\r\nsfindr Find and upload files matching a pattern in a directory (non-recursive).\r\nsfind Find and upload files matching a pattern in the current directory and its subdirectories.\r\nTable 1: InvisibleFerret backdoor commands used to exfiltrate files from a victim.\r\nUsing these file upload capabilities, the threat actor typically exfiltrates PDF documents, image files, and source\r\ncode. Source code is often a target because developers sometimes store credentials such as login IDs and\r\npasswords in plain text. 
Furthermore, by exfiltrating source code from victims, mainly those associated with\r\ncryptocurrency or web development, the threat actor can reuse the exfiltrated data for other campaigns, or\r\npotentially access and steal cryptocurrency.\r\nIn August 2024, the InvisibleFerret malware author added new backdoor commands, additional exfiltration\r\ntargets, and communication channels. One new command, internally called ssh_zcp, copies browser data like\r\nextensions and cryptocurrency wallet data. InvisibleFerret also copies application data directories for\r\ncryptocurrency wallets and password manager applications, targeting specific paths based on the operating\r\nsystem.\r\nFor Windows (.7z format): Uses the py7zr.SevenZipFile library to compress and encrypt files with\r\nthe provided password.\r\nFor non-Windows systems (.zip format): Uses the pyzipper.AESZipFile library to create a ZIP archive\r\nwith AES encryption, defaulting to the password 123.\r\nAfter creating the ZIP archive, InvisibleFerret sends the file to a Telegram chat using the provided token and chat\r\nID. InvisibleFerret also uploads the ZIP archive to the specified FTP server with a zdat_ prefix. The threat actor\r\nused FTP for exfiltration for an extended period. However, they have now removed the functionality for\r\nexfiltrating stolen data to an FTP server. Instead, InvisibleFerret now exclusively uses the HTTP protocol for file\r\nexfiltration via the /uploads URI. All of these changes suggest that InvisibleFerret is still under active\r\ndevelopment.\r\nWe recently discovered that the InvisibleFerret Python script has been modified. 
Now, its backdoor functionalities\r\nhave been updated and are heavily focused on executing an AnyDesk client (such as updating its password salt).\r\nAdditionally, InvisibleFerret added a capability to create Startup scripts for different operating systems.\r\nCommands Description\r\nAA Collects cryptocurrency-related browser extensions and sends them to the C2 server through the /uploads URI.\r\nAO Collects browser stored data and sends it to the C2 server through the /uploads URI.\r\nAB Collects configuration data from service.conf and system.conf, and sends it to the C2 server.\r\nAb Checks if the C:/Program Files (x86)/AnyDesk/AnyDesk.exe file exists.\r\nAC Updates the pwd_hash, pwd_salt, and token_salt configuration values for the AnyDesk client.\r\nAP Gathers system information and AnyDesk configuration files, then sends this data to the C2 server via the /info URI.\r\nAQ Gathers installed programs and running processes, and sends them to the C2 server via the /data URI.\r\nAR Extracts data from Microsoft Sticky Notes and sends that data to the C2 server via the /data URI.\r\nAD Downloads additional payloads from the /bow URI.\r\nn Sets up a Startup script for different operating systems, such as Linux, Windows, and macOS.\r\nLinux: Sets up a .desktop entry to run the script at Startup in GNOME-based Linux environments.\r\nWindows: Creates a batch file (queue.bat) in the Startup folder to run a Python script.\r\nmacOS: Creates a com.avatar.update.wake.plist file to run the script on Startup via LaunchAgents.\r\nTable 2: Commands supported by a newly discovered InvisibleFerret backdoor.\r\nDistribution of operating systems 
infected by Contagious Interview\r\nThreatLabz has identified over 140 victims compromised by the Contagious Interview campaign within a two-month period. Interestingly, over half of these victims used Windows machines, while the other half used non-Windows systems, including Linux and macOS. This indicates that the campaign successfully compromised\r\nmultiple platforms by leveraging OS-independent scripts such as JavaScript and Python. The figure below shows\r\nthe distribution of victims’ systems.\r\nFigure 5: Distribution of operating systems infected by the Contagious Interview campaign.\r\nThe threat group exfiltrated cryptocurrency-related files from most of the victims. By targeting developers in the\r\ncryptocurrency industry, the threat group occasionally obtained files containing login credentials for critical\r\nsystems. Furthermore, victims were not restricted to specific countries. Many of the victim developers were from\r\nIndia, Pakistan, Kenya, Nigeria, Spain, and Russia.\r\nNorth Korean IT workers use WageMole to secure remote jobs in other countries\r\nWhile monitoring the Contagious Interview campaign closely, we analyzed an associated campaign named\r\nWageMole being perpetrated by the same threat group. The WageMole campaign leverages a combination of\r\nsocial engineering and technology to secure legitimate remote job opportunities and earn money through the\r\nthreat actors' development skills. After a thorough investigation, we organized their operational process into several stages, all\r\nof which are shown in the figure below and discussed in detail.\r\nFigure 6: Operational process of the WageMole campaign, organized into stages.\r\nPreparation\r\nWageMole threat actors’ first step in applying for a job involves creating fake personas. 
WageMole threat actors\r\nobtain fake passports or other forms of identification, either through the Contagious Interview campaign or by\r\npurchasing them from real individuals. Occasionally, they hire foreign nationals residing in the U.S. In addition,\r\nWageMole threat actors create fake driver's licenses to verify their identity. In these cases, they appear to use\r\nstolen driver's licenses, altering only the photo on the ID while leaving the rest of the information unchanged.\r\nWageMole threat actors prepare study guides for the job interview process that include self-introductions, work\r\nhistory, and answers to technical questions, as shown below.\r\nSelf introduction: As a full-stack engineer, talk about Spring Boot, React/Next developer, Larvel,\r\nSymfony, Node.js, TypeScript, WordPress, ASP.NET, etc.\r\nWorking experience: Describe teamwork experience, best and worst experience, a challenging project,\r\ndevelopment process, Agile/Scrum environment experience, difference between frontend and backend,\r\nJava Spring Boot developing experience, how to solve an issue, how to learn new technology, the reason to\r\nhire you, etc.\r\nTechnical questions: Explain React.js, Flutter, Backend API development, and AI.\r\nGeneral questions: Additional questions to ask employers for the hiring process and roles.\r\nWhen WageMole threat actors created this study guide, we believe they used generative AI to derive the solutions\r\nto each question because:\r\nThe answers are well-written and well-structured, and some of the answers start with “Certainly!”.\r\nMost of the paragraphs are numbered and exhibit a formal style.\r\nWhen creating fake identity cards and passports, WageMole threat actors used an AI face editor to modify\r\nthe person's photo. 
This included adding a smile, making the person look more professional, removing the\r\nbackground, and making the threat actor appear more Western.\r\nWageMole threat actors create multiple versions of their resume for different roles, like full-stack or PHP\r\ndeveloper, each listing different residency locations (e.g., U.S., U.K., Estonia). WageMole threat actors also\r\ncollected publicly available certificate or diploma images from the internet to use in the interview process, often\r\nfrom private education sites related to skills like ASP development, Android development, and machine learning.\r\nWageMole threat actors use fake career histories and degrees, and alter details like company names and university affiliations,\r\nwhile keeping the same name and contact information once they have created an identity.\r\nTarget hunting\r\nThese threat actors prefer LinkedIn for finding job opportunities. They create fake LinkedIn profiles, often\r\nportraying themselves as full-stack developers or AI engineers from several countries like Italy, Germany,\r\nNetherlands, Estonia, Switzerland, and Lithuania. We discovered several LinkedIn profiles used in this campaign,\r\nsuch as the following:\r\nhxxps://www.linkedin[.]com/in/frank-schoneberg-a089832a4/\r\nhxxps://www.linkedin[.]com/in/logan-collins-374404306\r\nhxxps://www.linkedin[.]com/in/adam-song05/\r\nThe figure below shows two of those fraudulent LinkedIn profiles.\r\nFigure 7: Fake LinkedIn WageMole profiles.\r\nIn addition to LinkedIn, the threat actors set up websites and GitHub repositories to showcase their skills and\r\nattract potential employers.\r\nDuring the job search, WageMole threat actors aggressively use job-seeking platforms such as Indeed, Glassdoor,\r\nUpwork, and cryptocurrency-specialized sites such as degencryptojobs.com and web3.career. 
During the job\r\nhunting process, they search for remote roles like front/backend web developer, UX/UI designer, full-stack\r\nengineer, and blockchain developer. WageMole threat actors target various industries like information technology,\r\nhealthcare, retail, financial services, construction, and real estate. Several Fortune 500 companies, and even\r\naerospace and defense companies, are included in WageMole’s job search list. We can’t confirm if WageMole\r\nthreat actors wanted to be hired by the defense industry intentionally or if they were just searching for remote jobs\r\nand stumbled upon these positions. WageMole threat actors also prepared emails and message templates to send to\r\npotential employers. In several of their messages to potential employers, the threat actor communicates in broken\r\nEnglish, as shown below.\r\n# Sample 1\r\nHello,\r\nI'm a senior Vue and Laravel developer with 8 years of experience in JS frameworks like MEAN/MEVN/MERN. I\r\nspecialize in Vue, API integration, plugin customization, and bug fixing.\r\nI'm ready to start your project, ensuring perfection in a short period. I take your project seriously, always striving\r\nfor the best outcome and providing creative ideas when needed.\r\nSo let's talk and discuss.\r\nThanks!\r\n# Sample 2\r\nAs an accomplished web developer with a sharp eye for detail, your project fits right into my skillset. \r\nThe ability to work with and adjust existing text while maintaining consistency and tone is something I've\r\nconsistently done throughout my career. \r\nMy expertise in HTML and CSS, combined with meticulous graphic design skills, will ensure that your website\r\nmaintains a polished and professional appearance even after the adjustments are made.\r\n# Sample 3\r\nHi, Dear client. 
How are you?\r\nI read your job post carefully and am excited about it.\r\nAs I am a senior full stack developer, I have over 7 years of experience in software development.\r\nEspecially, React, Node.js, React Native is my powerful skills.\r\nI am sure that this job is appropriate to me greatly.\r\nWe can discuss the more detail via conversation.\r\nI will wait to hear from you.\r\nHave a nice day. Best regards.\r\nMost of the templates are written in English, but we observed that WageMole threat actors also created Japanese\r\nversions, indicating potential interest in job opportunities in Japan.\r\nWhen required, WageMole threat actors use automation scripts to create accounts on job search platforms, like\r\nUpwork.\r\nIn another instance, WageMole threat actors offered someone living in the U.S. $1,000 USD for access to their\r\nUpwork account and their computer.\r\nInterview/working\r\nWageMole threat actors use Skype to converse with potential employers, including during the interview process. Skype\r\noffers local phone numbers, including U.S. numbers and call forwarding, allowing remote workers to deceive\r\nemployers about their location. Since larger companies often have more stringent background checks, WageMole\r\nthreat actors typically target small to mid-sized businesses.\r\nWhen a WageMole threat actor lacks the skills to answer interview questions, they often rely on a colleague with\r\nthe necessary expertise to assist. During employment, WageMole actors collaborate with others within their threat\r\nactor group by sharing code and solutions. WageMole threat actors also use GitHub to prepare for the hiring\r\nprocess and complete tasks. From their code paths (shown below), we can infer the services they provide. 
\r\nD:\\Work\\Crypto\\Crypo-backend\\app\r\nD:\\Work\\Crypto\\Crypo-frontend\r\n/home/Crypo-Telegram-Notification-Bot\r\n/home/frontend/components/page-parts/WalletsPage/HistoryPage\r\nTransfer money\r\nThe goal of WageMole is to generate funds using the threat group’s professional skills. To bypass economic\r\nsanctions, WageMole needs secure methods to transfer money. In one case, a full-time employee earned an annual\r\nsalary of 48,000 EUR, with monthly payments sent through a European bank. In another case, a remote worker\r\nearned 12 EUR per hour for 48 hours a week, totaling 550 EUR weekly. WageMole also frequently requests\r\npayments via online platforms like PayPal or Payoneer to evade monitoring and conceal their identity.\r\nSource: https://www.zscaler.com/blogs/security-research/pyongyang-your-payroll-rise-north-korean-remote-workers-west",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia",
		"MITRE"
	],
	"references": [
		"https://www.zscaler.com/blogs/security-research/pyongyang-your-payroll-rise-north-korean-remote-workers-west"
	],
	"report_names": [
		"pyongyang-your-payroll-rise-north-korean-remote-workers-west"
	],
	"threat_actors": [
		{
			"id": "7187a642-699d-44b2-9c69-498c80bce81f",
			"created_at": "2025-08-07T02:03:25.105688Z",
			"updated_at": "2026-04-10T02:00:03.78394Z",
			"deleted_at": null,
			"main_name": "NICKEL TAPESTRY",
			"aliases": [
				"CL-STA-0237 ",
				"CL-STA-0241 ",
				"DPRK IT Workers",
				"Famous Chollima ",
				"Jasper Sleet Microsoft",
				"Purpledelta Recorded Future",
				"Storm-0287 ",
				"UNC5267 ",
				"Wagemole "
			],
			"source_name": "Secureworks:NICKEL TAPESTRY",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "4fc99d9b-9b66-4516-b0db-520fbef049ed",
			"created_at": "2025-10-29T02:00:51.949631Z",
			"updated_at": "2026-04-10T02:00:05.346203Z",
			"deleted_at": null,
			"main_name": "Contagious Interview",
			"aliases": [
				"Contagious Interview",
				"DeceptiveDevelopment",
				"Gwisin Gang",
				"Tenacious Pungsan",
				"DEV#POPPER",
				"PurpleBravo",
				"TAG-121"
			],
			"source_name": "MITRE:Contagious Interview",
			"tools": [
				"InvisibleFerret",
				"BeaverTail",
				"XORIndex Loader",
				"HexEval Loader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d05e8567-9517-4bd8-a952-5e8d66f68923",
			"created_at": "2024-11-13T13:15:31.114471Z",
			"updated_at": "2026-04-10T02:00:03.761535Z",
			"deleted_at": null,
			"main_name": "WageMole",
			"aliases": [
				"Void Dokkaebi",
				"WaterPlum",
				"PurpleBravo",
				"Famous Chollima",
				"UNC5267",
				"Wagemole",
				"Nickel Tapestry",
				"Storm-1877"
			],
			"source_name": "MISPGALAXY:WageMole",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ef59a0d9-c556-4448-8553-ed28f315d352",
			"created_at": "2025-06-29T02:01:57.047978Z",
			"updated_at": "2026-04-10T02:00:04.744218Z",
			"deleted_at": null,
			"main_name": "Operation Contagious Interview",
			"aliases": [
				"Jasper Sleet",
				"Nickel Tapestry",
				"Operation Contagious Interview",
				"PurpleBravo",
				"Storm-0287",
				"Tenacious Pungsan",
				"UNC5267",
				"Wagemole",
				"WaterPlum"
			],
			"source_name": "ETDA:Operation Contagious Interview",
			"tools": [
				"BeaverTail",
				"InvisibleFerret",
				"OtterCookie",
				"PylangGhost"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434557,
	"ts_updated_at": 1775792177,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fc53b5fac43299d7e26d75e68e099e033998c8ce.pdf",
		"text": "https://archive.orkl.eu/fc53b5fac43299d7e26d75e68e099e033998c8ce.txt",
		"img": "https://archive.orkl.eu/fc53b5fac43299d7e26d75e68e099e033998c8ce.jpg"
	}
}