A sophisticated new phishing campaign, linked to North Korea, is impersonating legitimate job platforms to target U.S.-based artificial intelligence developers, software engineers, and cryptocurrency professionals. The operation, dubbed “Contagious Interview” by security researchers at Validin, uses an elaborate fake job portal, posing as a cutting-edge AI-powered hiring tool, to trick highly skilled individuals into downloading malware.
Researchers discovered the advanced scam operating under the domain lenvny[.]com. This platform is meticulously designed to mimic the appearance and functionality of legitimate technology companies and recruitment software. Its polished interface, gradient design, and synthetic branding suggest a deliberate effort to match the look the AI and tech industry is projected to have in the near future, marking a significant evolution from previous, less sophisticated North Korean recruitment lures.
North Korean Fake Job Platform Employs Advanced Social Engineering
The “Contagious Interview” operation leverages a fully functional React and Next.js-based job platform that presents itself as an “Integrated AI-Powered Interview Tool.” The website features a comprehensive application workflow, dynamically generated job listings, and numerous interactive routes, all designed to appear authentic to unsuspecting candidates. This level of polish and comprehensive functionality sets it apart from simpler phishing pages typically seen in such campaigns.
The infection mechanism, termed “ClickFix” by Validin analysts, begins with an initial contact, often via a LinkedIn message, leading to a purported interview process. Candidates are then directed to record video responses, during which they are prompted to download a “helper tool” to “fix their webcam.” This seemingly innocent troubleshooting step is the actual delivery vector that places malware on the victim’s system.
Security analysts noted that the intricate design and workflow of the fake platform are intended to build trust and deceive candidates into executing malicious code. The application process mirrors modern hiring practices in the tech industry, including video interviews and take-home coding assessments, which are common in remote-friendly environments. This familiar process makes the scam particularly convincing.
Targeting AI and Cryptocurrency Professionals for Strategic Gain
North Korea’s focus on AI developers and cryptocurrency professionals is strategic, according to security assessments. Individuals in these fields possess access to valuable assets and expertise crucial for state-sponsored cyber operations. AI developers, for instance, may have access to proprietary research, advanced model weights, and inference infrastructure. Meanwhile, cryptocurrency professionals often manage high-value digital assets, making them attractive targets for financial exploitation.
Furthermore, professionals in these sectors typically maintain workstations with elevated system privileges, sophisticated development environments, and custom tooling. These elements increase the likelihood of successful initial payload execution once malware is installed on their machines. The polish of the fake job platform is designed to overcome the natural skepticism of these highly skilled individuals.
Job seekers are advised to exercise extreme caution when engaging with unsolicited job offers, especially those that appear too good to be true or come from unfamiliar sources. It is paramount to verify that company career pages are hosted on official, legitimate domains and to avoid uploading sensitive personal documents to unverified platforms or during initial interview stages.
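The domain check advised above can be scripted. The following is an added example, not code from Validin or from this article: it classifies a recruiter-supplied link by the host a browser would actually connect to, which catches lookalike subdomains and `user@host` tricks. `example.com` stands in for a domain the candidate has confirmed independently (an assumption); `lenvny.com` is the domain reported on this page.

```python
from urllib.parse import urlsplit

# Assumption: domains the candidate has independently confirmed as the employer's.
OFFICIAL_DOMAINS = {"example.com"}
# Domain reported in this article, treated as known-bad.
KNOWN_BAD_DOMAINS = {"lenvny.com"}


def hostname_of(url):
    """Return the lower-cased host a browser would connect to ('' if unparsable)."""
    # Undo common defanging so reported indicators can be parsed.
    url = url.strip().replace("[.]", ".").replace("hxxp", "http", 1)
    if "://" not in url:
        url = "https://" + url
    try:
        host = urlsplit(url).hostname or ""
    except ValueError:  # malformed netloc, e.g. stray brackets
        return ""
    return host.rstrip(".").lower()


def _matches(host, domains):
    # Exact match or true subdomain; "notexample.com" must not match "example.com".
    return any(host == d or host.endswith("." + d) for d in domains)


def classify(url):
    """Return 'official', 'known-bad', 'unverified' or 'invalid' for a link."""
    host = hostname_of(url)
    if not host:
        return "invalid"
    if _matches(host, KNOWN_BAD_DOMAINS):
        return "known-bad"
    if not host.isascii() or host.startswith("xn--") or ".xn--" in host:
        return "unverified"  # internationalized name: review by hand
    if _matches(host, OFFICIAL_DOMAINS):
        return "official"
    return "unverified"


if __name__ == "__main__":
    # Constructed sample links, not taken from the campaign.
    for link in ("https://careers.example.com/jobs/123",
                 "https://example.com@lenvny[.]com/apply",
                 "https://careers.example.com.lenvny[.]com/interview",
                 "https://notexample.com/apply"):
        print(f"{classify(link):<11} {link}")
```

Anything other than `official` means the link should be confirmed through a channel the candidate found independently before any documents are uploaded or tools downloaded.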
When candidates are requested to execute code or scripts as part of a technical assessment, they should meticulously review the provided code before execution. It is strongly recommended to run any unfamiliar code within isolated virtual machines or sandboxed environments rather than directly on their primary workstations. This practice can significantly mitigate the risk of malware infection even if the code is malicious. The ongoing evolution of such campaigns highlights the persistent threat posed by state-sponsored cyber actors seeking to exploit talent pipelines.

