In a new wave of cyber attacks, North Korean-linked threat actors have been using fake job interviews to distribute malware under a campaign known as Contagious Interview. This sophisticated attack lures developers and IT professionals with fraudulent job postings, leading them to download malware under the guise of a legitimate hiring process. The campaign utilizes several front companies in the cryptocurrency consulting industry to spread malicious software, including BeaverTail, InvisibleFerret, and OtterCookie.
The Contagious Interview campaign is a series of social engineering attacks designed to deceive targets into downloading cross-platform malware. These attacks are typically carried out through seemingly legitimate job interview processes, including video assessments and coding challenges. Once victims download the malware, it can compromise their systems and steal sensitive data.
The attackers have been leveraging three front companies in the cryptocurrency consulting industry:
- BlockNovas LLC
- Angeloper Agency
- SoftGlide LLC
These companies distribute malware via lures, including fake coding assignments or browser troubleshooting prompts during video interviews.
Malware Families Involved
The Contagious Interview campaign deploys three different types of malware:
- BeaverTail: A JavaScript-based stealer and loader that contacts an external command-and-control server to load additional malicious payloads.
- InvisibleFerret: A Python backdoor that provides persistence on infected systems across Windows, Linux, and macOS.
- OtterCookie: Another malware family used in select infection chains, delivered via BeaverTail to further compromise the system.
The use of fake front companies such as BlockNovas marks a significant shift in tactics. The companies advertise job opportunities that entice targets into applying, only to infect them with malware. The BlockNovas website, for example, contains several employee profiles that appear fabricated, with the company falsely claiming 12+ years of operation despite being a recent creation.
In addition to the fake websites, the attackers use fraudulent profiles on platforms like LinkedIn, Facebook, and GitHub to further legitimize their operation and attract targets.
Once compromised, victims’ systems are often used to facilitate illicit activities, such as cryptocurrency mining. In one observed instance, attackers created over 200 containers in a compromised cloud environment to mine cryptocurrency. The attackers also utilized malware to exploit cloud-based services like Kubernetes clusters, leveraging misconfigured management interfaces to carry out malicious actions.
Recent FBI Action
In April 2025, BlockNovas was seized by the U.S. Federal Bureau of Investigation (FBI) as part of law enforcement efforts against North Korean cyber actors. The company was found to be distributing malware via fake job postings and orchestrating a variety of attacks under the Contagious Interview campaign.
Notably, the attackers have been using AI-powered tools to enhance their operations. These tools are used to create fake profile pictures, schedule job interviews, and even facilitate real-time translation during interviews. This highlights the growing role of AI in cyber attacks, as it enables the creation of more convincing and sophisticated social engineering lures.
Tactics to Protect Against Contagious Interview
Organizations and individuals can take several steps to protect themselves from such attacks:
- Beware of Unsolicited Job Offers: Be cautious when receiving job offers from unknown companies, especially those related to high-risk sectors like cryptocurrency.
- Verify Employers: Always verify the legitimacy of the company and check their history before applying or engaging in interviews.
- Secure Systems: Regularly update software, use anti-malware tools, and implement strong security protocols to prevent unauthorized access to sensitive data.
- Educate Employees: Train employees about common phishing and social engineering tactics, and encourage caution during online interviews.
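The mismatch described above, a claimed 12+ years of operation for a recently created company, is one part of verifying an employer that can be checked mechanically. The following is an added example, not code from the original article: it assumes the domain's WHOIS creation date is a usable proxy for how long a company has existed online, and the function names, the 2-year tolerance and the sample records are illustrative.

```python
import re
from datetime import date, datetime

# WHOIS field labels vary by registry; these cover three common layouts.
_CREATED = re.compile(
    r"^\s*(?:Creation Date|created|Registered on)\s*:\s*(\S+)",
    re.IGNORECASE | re.MULTILINE)
_FORMATS = ("%Y-%m-%d", "%d-%b-%Y", "%Y.%m.%d")

def registration_date(whois_text):
    """Return the earliest creation date in raw WHOIS text, or None."""
    found = []
    for raw in _CREATED.findall(whois_text):
        raw = re.sub(r"T\d.*$", "", raw)  # drop time part of ISO timestamps
        for fmt in _FORMATS:
            try:
                found.append(datetime.strptime(raw, fmt).date())
                break
            except ValueError:
                continue
    return min(found) if found else None

def check_claimed_history(claimed_years, whois_text, today, tolerance=2):
    """Compare claimed years in business with the domain's age in years."""
    created = registration_date(whois_text)
    if created is None:
        return ("unknown", None)  # redacted or unparsed record: check by hand
    age_years = (today - created).days / 365.25
    # A domain can be younger than the business behind it, so only a gap
    # larger than the tolerance (an assumed threshold) is flagged.
    gap = claimed_years - age_years
    verdict = "mismatch" if gap > tolerance else "consistent"
    return (verdict, round(age_years, 1))

# Constructed WHOIS excerpts on the reserved .example TLD (not real records).
SAMPLE_NEW = """Domain Name: NEW-CONSULTING.EXAMPLE
Creation Date: 2024-07-19T08:12:44Z
Registrar: Example Registrar, Inc."""
SAMPLE_OLD = """domain: long-standing.example
created: 12-Mar-2009"""
SAMPLE_TODAY = date(2025, 4, 30)  # fixed date so results are reproducible

if __name__ == "__main__":
    for record in (SAMPLE_NEW, SAMPLE_OLD, "No match for domain"):
        print(check_claimed_history(12, record, SAMPLE_TODAY))
```

A "mismatch" result is a prompt for closer manual review of the company, not proof of fraud, since legitimate businesses also rebrand and move domains.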
The Contagious Interview campaign highlights the increasingly sophisticated tactics used by North Korean threat actors to target IT workers and developers. By setting up fake companies and using AI-driven techniques to enhance their social engineering methods, the attackers have found a new way to distribute malware and steal sensitive information. As cyber threats continue to evolve, it is crucial for individuals and organizations to stay vigilant and protect their systems from these deceptive attacks.