North Korean threat actors are employing sophisticated, two-pronged cyber operations, including the “Contagious Interview” campaign, to infiltrate Western tech companies and generate revenue. These malicious actors impersonate IT recruiters, tricking software developers into running malware during fake technical interviews to steal credentials and gain remote access. Since at least 2022, this operation has ensnared thousands of developers, highlighting a significant and growing threat to the cybersecurity landscape.
In parallel to the fake interview tactics, separate North Korean operatives have successfully embedded themselves as fraudulent employees within Western technology firms. These embedded actors reportedly earn salaries that contribute to funding the North Korean regime. The combined effort, utilizing both direct social engineering attacks and infiltration, demonstrates a multifaceted and persistent strategy by North Korean state-backed groups to exploit the global tech industry.
North Korean Cyber Threat Actors Employing Fake IT Worker Campaigns
The “Contagious Interview” campaign, as identified by security researchers, involves threat actors creating convincing recruiter profiles on professional networking platforms. These fake recruiters then engage software developers, steering them towards running malicious code disguised as technical interview tasks. Once a victim executes the provided project, the malware operates stealthily in the background, compromising their system.
GitLab analysts recently reported identifying and banning 131 accounts on GitLab.com in 2025 that were connected to these North Korean malware distribution campaigns. The reported activity peaked in September, with an average of 11 account bans per month. Notably, in over 80% of these cases, the malware was not hosted directly on GitLab. Instead, actors utilized hidden loaders that fetched the malicious payloads from third-party services such as Vercel, a tactic that significantly complicates detection efforts for security defenders.
The financial implications of these operations are substantial. One private repository analyzed by researchers belonged to a cell manager identified as Kil-Nam Kang. This individual was reportedly overseeing seven North Korean operatives based in Beijing. Financial records indicate that this specific cell generated over US$1.64 million between the first quarter of 2022 and the third quarter of 2025. This revenue was reportedly earned through freelance software development activities conducted under stolen or fabricated identities, underscoring the profit-driven nature of these cybercrimes.
Malware Execution and Concealment Tactics in Contagious Interview
A common execution pattern observed in 2025 involved distributing malicious code across multiple project files, making it challenging to detect even during thorough code reviews. Threat actors would encode a staging URL within a `.env` file, camouflaging it as a routine configuration variable. Upon execution of the project by a developer, a trigger function would fetch remote content and then pass it to a custom error handler.
This error handler used JavaScript’s `Function.constructor` (which resolves to the `Function` constructor and behaves like `eval`) to execute the downloaded payload as live code. To further evade analysis, the staging URLs returned decoy content unless specific request headers were present, so an analyst fetching the URL directly would see nothing malicious. Together, these measures let the payload execute without raising immediate suspicion in either code review or network inspection.
In December 2025, security researchers observed a new variation of this attack where malware was being executed through VS Code task configurations. This method involved decoding hidden payloads concealed within fake font files. Such evolving tactics highlight the adaptive nature of these North Korean threat actors and the constant need for updated security measures.
Organizations are advised to treat job applicants with incomplete or broken links to professional profiles or code portfolios with caution. Developers should exercise due diligence and avoid running unfamiliar code provided by unknown contacts during technical screenings. Cybersecurity teams are encouraged to monitor for encoded values in `.env` files and to scrutinize unexpected outbound network requests that are triggered at application startup, as these can be indicators of malicious activity.
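The two indicators the report recommends monitoring (encoded values in `.env` files and startup code that fetches remote content and hands it to a dynamic-code sink such as `Function.constructor`) can be triaged with a short Node.js script. The following is an added example and not code from the report or from GitLab; the `.env` text and JavaScript source it scans are constructed for the demonstration, and the hex decoder generalizes beyond the base64-style encoding the report describes.

```javascript
// Added example, not from the report: triage checks for the two indicators it
// recommends monitoring. Sample .env and source text below are constructed.
const URL_RE = /^https?:\/\//i;
// Decoders tried on every .env value; the report describes an encoded staging
// URL, so base64 is the main case and hex is added as a common alternative.
const DECODERS = [
  { name: 'base64', test: /^[A-Za-z0-9+/]{16,}={0,2}$/, decode: (v) => Buffer.from(v, 'base64') },
  { name: 'hex', test: /^(?:[0-9a-fA-F]{2}){12,}$/, decode: (v) => Buffer.from(v, 'hex') },
];

// Return .env entries whose value decodes to an http(s) URL.
function findEncodedUrls(envText) {
  const hits = [];
  for (const line of envText.split(/\r?\n/)) {
    const m = line.match(/^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*["']?([^"'\s#]+)/);
    if (!m) continue;
    for (const d of DECODERS) {
      if (!d.test.test(m[2])) continue;
      const decoded = d.decode(m[2]).toString('utf8');
      if (URL_RE.test(decoded)) hits.push({ key: m[1], encoding: d.name, decoded });
    }
  }
  return hits;
}

// Flag source that both fetches remote content and reaches a dynamic-code sink.
function findDynamicEval(jsSource) {
  const fetches = /\b(?:fetch|axios\.get|https?\.get)\s*\(/.test(jsSource);
  const sinks = [/Function\.constructor/, /new\s+Function\s*\(/, /\beval\s*\(/]
    .filter((re) => re.test(jsSource)).map((re) => re.source);
  return { fetches, sinks, suspicious: fetches && sinks.length > 0 };
}

// Combine both checks; `review` is true when a human should look at the project.
function triage(envText, jsSource) {
  const encodedUrls = findEncodedUrls(envText);
  const dynamicEval = findDynamicEval(jsSource);
  return { encodedUrls, dynamicEval, review: encodedUrls.length > 0 || dynamicEval.suspicious };
}

// Constructed samples: a benign host, a random-looking key that is not a URL,
// one base64-encoded URL, and a handler that hands fetched text to Function.
const SAMPLE_ENV = [
  'DB_HOST=localhost',
  'API_KEY=sktest1234567890abcdef',
  'SESSION_SECRET=' + Buffer.from('https://staging.example.invalid/init').toString('base64'),
].join('\n');
const SAMPLE_SOURCE = 'const r = await fetch(process.env.TARGET);\n' +
  'function onError(b) { return Function.constructor(b)(); }';
console.log(JSON.stringify(triage(SAMPLE_ENV, SAMPLE_SOURCE), null, 2));
```

Either indicator alone is only a lead: a base64 secret that does not decode to a URL is ignored, and a fetch without a dynamic-code sink (or vice versa) is not marked suspicious, which keeps the output reviewable for a real project.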
The ongoing evolution of these North Korean cyber operations, particularly the “Contagious Interview” campaign and the dual approach of technical infiltration and embedded fraudulent workers, indicates a persistent and adaptable threat. Organizations and individuals in the tech sector must remain vigilant and implement robust security controls to counter these tactics. Future activity is likely to focus on further refining these evasion techniques and on identifying new avenues for financial gain.