North Korean hackers are employing a sophisticated social engineering tactic known as the “Contagious Interview” campaign, targeting software developers with deceptive recruitment offers that hide malicious code. This cyber threat leverages fake job postings and technical assessment projects to trick unsuspecting victims into downloading compromised code repositories, ultimately aiming to steal sensitive data and cryptocurrency.
The campaign, identified by cybersecurity researchers at SEAL Intel, uses meticulously crafted lures, often through LinkedIn messages from fabricated recruiters representing well-known tech companies. These messages direct developers to GitHub repositories that appear to be legitimate coding challenges or technical assessments. However, these repositories contain hidden malware designed for a multi-stage infection process, posing a significant risk to individuals and potentially their organizations.
North Korean Hackers Use Code Abuse Tactics for ‘Contagious Interview’ Campaign
The “Contagious Interview” campaign represents a significant escalation in the methods employed by North Korean state-sponsored threat actors. By exploiting the trust and routine workflows of software developers, these adversaries have devised a novel approach to compromising target systems. The campaign’s effectiveness stems from the fact that the malicious code arrives inside project files a developer expects to open, build and run, so it slips past security measures built around unexpected attachments and downloads.
According to SEAL Intel’s analysis, victims are typically approached via LinkedIn with offers for roles at organizations like Meta2140. The conversation then guides them to download a repository presented as a technical evaluation. The repository carries a two-stage malware chain whose goal is the exfiltration of credentials and cryptocurrency wallets and the establishment of persistent remote access to the victim’s system.
Sophisticated Infection Vectors
What sets the “Contagious Interview” campaign apart is how the malware is launched. One of the most dangerous infection vectors abuses Visual Studio Code’s task configuration: a task defined in the project’s .vscode/tasks.json can be marked to run as soon as the folder is opened (VS Code’s runOptions.runOn: "folderOpen" setting), so the payload executes when the developer opens the project to look at it, or when the IDE parses the project for AI-assisted code inspection, without the developer ever deliberately running anything. This stealthy execution bypasses common developer caution.
The project’s server code also carries application-logic hooks: legitimate-looking functions, triggered in the normal course of running or testing the application, download and execute the payload. If both of these fail, the repository falls back on malicious npm dependencies, so that simply installing the project’s packages (npm is the package manager used in Node.js development) runs attacker code. This layered approach gives a high probability of infection even against vigilant developers.
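A pre-open triage scanner for a repository received as a “coding assessment”, written for this article as an added example (it is not SEAL Intel’s tooling and not code from the campaign). It checks the two hooks above that need no deliberate action from the developer: a .vscode/tasks.json task marked runOptions.runOn: "folderOpen" (a real VS Code feature) and npm lifecycle scripts or out-of-registry dependencies in package.json. The sample repository is constructed; the example.invalid URL and script names are placeholders. Hooks buried in the application logic itself still require reading the source.

```python
"""Pre-open triage for a cloned "coding assessment" repository.

Flags the auto-execution hooks that fire without the developer running
anything on purpose:
  * .vscode/tasks.json tasks with runOptions.runOn == "folderOpen"
  * package.json lifecycle scripts that run during `npm install`
  * dependencies resolved from git/URL/file sources instead of the registry
"""
import json
import os
from typing import Dict, List

LIFECYCLE_SCRIPTS = {"preinstall", "install", "postinstall", "prepare", "prepublish"}
NON_REGISTRY_PREFIXES = ("http://", "https://", "git+", "git://", "github:", "file:")


def _strip_line_comments(text: str) -> str:
    # tasks.json is JSON-with-comments; drop whole-line // comments (simplification).
    return "\n".join(l for l in text.splitlines() if not l.strip().startswith("//"))


def scan_tasks_json(text: str) -> List[str]:
    findings: List[str] = []
    try:
        data = json.loads(_strip_line_comments(text))
    except json.JSONDecodeError:
        return ["tasks.json: not parseable as JSON (inspect manually)"]
    for task in data.get("tasks", []):
        run_on = (task.get("runOptions") or {}).get("runOn")
        if run_on == "folderOpen":
            label = task.get("label", "<unlabelled>")
            findings.append(f"tasks.json: task '{label}' auto-runs on folder open: {task.get('command', '')}")
    return findings


def scan_package_json(text: str) -> List[str]:
    findings: List[str] = []
    try:
        pkg = json.loads(text)
    except json.JSONDecodeError:
        return ["package.json: not parseable as JSON (inspect manually)"]
    for name, cmd in (pkg.get("scripts") or {}).items():
        if name in LIFECYCLE_SCRIPTS:
            findings.append(f"package.json: lifecycle script '{name}' runs on install: {cmd}")
    for field in ("dependencies", "devDependencies", "optionalDependencies"):
        for dep, spec in (pkg.get(field) or {}).items():
            if str(spec).startswith(NON_REGISTRY_PREFIXES):
                findings.append(f"package.json: {field} '{dep}' resolved outside the registry: {spec}")
    return findings


def scan_repo(files: Dict[str, str]) -> List[str]:
    """files maps repo-relative POSIX paths to file contents."""
    findings: List[str] = []
    for path, text in files.items():
        if path == ".vscode/tasks.json":
            findings += scan_tasks_json(text)
        elif path.endswith("package.json") and "node_modules/" not in path:
            findings += scan_package_json(text)
    return findings


def load_repo(root: str) -> Dict[str, str]:
    """Read the relevant files from a checkout on disk into the dict scan_repo expects."""
    files: Dict[str, str] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in ("node_modules", ".git")]
        for fn in filenames:
            if fn in ("tasks.json", "package.json"):
                full = os.path.join(dirpath, fn)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                with open(full, encoding="utf-8", errors="replace") as fh:
                    files[rel] = fh.read()
    return files


# Constructed sample repository (not the campaign's real files).
SAMPLE_REPO = {
    ".vscode/tasks.json": '''{
  // constructed example of a task that runs when the folder is opened
  "version": "2.0.0",
  "tasks": [
    {
      "label": "Prepare environment",
      "type": "shell",
      "command": "node ./scripts/setup.js",
      "runOptions": { "runOn": "folderOpen" },
      "presentation": { "reveal": "never" }
    }
  ]
}''',
    "package.json": '''{
  "name": "assessment",
  "scripts": { "postinstall": "node ./scripts/setup.js", "test": "jest" },
  "dependencies": {
    "express": "^4.18.2",
    "helper-lib": "git+https://example.invalid/helper-lib.git"
  }
}''',
}

if __name__ == "__main__":
    for line in scan_repo(SAMPLE_REPO):
        print(line)
```

Run it against a checkout with scan_repo(load_repo("/path/to/clone")) before opening the folder in an editor or running npm install; a hit on any of the three checks is reason to read the referenced script rather than run it.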
SEAL Intel’s investigation began after three separate victims, each suffering significant financial losses, sought assistance within a single month. The consistent attack pattern and the nature of the reported losses pointed towards a coordinated effort. By examining commit histories and metadata within the malicious repositories, researchers were able to attribute the malware to known North Korean IT workers who have previously been linked to fraudulent projects, such as one identified as Ultra-X. The consistent use of the Korean Standard Time zone in commit timestamps further solidified this attribution.
Infection Mechanism and Payload Delivery
The infection mechanism of the “Contagious Interview” campaign is designed to be comprehensive and persistent. Once triggered, the first stage downloads a Node.js controller that runs entirely in memory, leaving little on disk for file-based scanning to find. The controller then deploys five modules dedicated to stealing data. A keylogger and screenshot module records user activity and sends the captures to an attacker-controlled command server at the IP address 172.86.116.178.
A file grabber scans the user’s home directory for configuration files, secrets and SSH keys, all high-value targets. A clipboard monitor watches for cryptocurrency addresses being copied, facilitating theft. The browser stealer targets the databases of Chrome, Brave and Opera for stored login credentials and cryptocurrency wallet data. Finally, a remote access tool connects to the attacker’s command server over socket.io, giving the operator arbitrary shell command execution and full control of the system.
After the Node.js stage, the malware deploys Python payloads to establish more robust persistence. On Windows this means Startup-folder entries and scheduled tasks that masquerade as legitimate Windows processes such as RuntimeBroker.exe. A miner module downloads and runs the XMRig cryptocurrency miner, turning the victim’s machine into a mining resource for the attackers. Throughout, the malware creates hidden directories inside .npm and system folders to stage stolen data and to keep a foothold across reboots.
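An added example of a host-side hunt for the indicators above; it is not SEAL Intel’s code. It parses schtasks /query /fo csv /v output and plain directory and netstat listings for: tasks named after or pointing at RuntimeBroker.exe anywhere other than %SystemRoot%\System32 (the genuine binary’s only location), script interpreters launched from user-writable paths (a heuristic of mine, not something the report states), the hidden .n2/.n3 staging directories, and connections to the reported command server. Every sample row is constructed.

```python
"""Host triage for the persistence and staging indicators described above.

Works on text a responder has already collected from the machine:
  * `schtasks /query /fo csv /v` output
  * a listing of the Startup folder and of the user's home directory
  * `netstat -ano` style lines
Every sample below is constructed for this example; none is real evidence.
"""
import csv
import io
import re
from typing import Iterable, List

C2_IP = "172.86.116.178"                 # command server address given in the report
STAGING_DIRS = {".n2", ".n3"}            # hidden staging directories named in the report
SCRIPT_EXT = (".vbs", ".js", ".bat", ".cmd", ".ps1", ".py")
# The genuine RuntimeBroker.exe lives only in %SystemRoot%\System32.
LEGIT_RUNTIMEBROKER = re.compile(r"^[a-z]:\\windows\\system32\\runtimebroker\.exe$", re.I)
# Assumption for the example: interpreters launched from user-writable paths are suspect.
USER_WRITABLE = re.compile(r"\\(users\\[^\\]+\\appdata|temp|tmp|programdata)\\", re.I)
INTERPRETER = re.compile(r"(node|python\w*)\.exe$", re.I)


def _first_path(cmd: str) -> str:
    """Executable path at the start of a 'Task To Run' value (quoted or not)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split(" ", 1)[0]


def hunt_scheduled_tasks(schtasks_csv: str) -> List[str]:
    findings: List[str] = []
    for row in csv.DictReader(io.StringIO(schtasks_csv)):
        name, cmd = row.get("TaskName", ""), row.get("Task To Run", "")
        exe = _first_path(cmd)
        if "runtimebroker" in (name + exe).lower() and not LEGIT_RUNTIMEBROKER.match(exe):
            findings.append(f"task {name}: RuntimeBroker lookalike outside System32: {cmd}")
        elif USER_WRITABLE.search(exe) and INTERPRETER.search(exe):
            findings.append(f"task {name}: interpreter run from user-writable path: {cmd}")
    return findings


def hunt_startup_folder(entries: Iterable[str]) -> List[str]:
    return [f"startup: {e}" for e in entries
            if e.lower().endswith(SCRIPT_EXT) or "runtimebroker" in e.lower()]


def hunt_home_dir(entries: Iterable[str]) -> List[str]:
    return [f"home: hidden staging directory present: {e}" for e in entries if e in STAGING_DIRS]


def hunt_connections(netstat_lines: Iterable[str]) -> List[str]:
    return [f"net: connection to reported C2 {C2_IP}: {l.strip()}" for l in netstat_lines if C2_IP in l]


def triage(schtasks_csv: str, startup: Iterable[str], home: Iterable[str],
           netstat: Iterable[str]) -> List[str]:
    return (hunt_scheduled_tasks(schtasks_csv) + hunt_startup_folder(startup)
            + hunt_home_dir(home) + hunt_connections(netstat))


# Constructed sample data (column layout of schtasks /fo csv /v, trimmed to the columns used).
SAMPLE_SCHTASKS = r'''"HostName","TaskName","Status","Author","Task To Run","Start In"
"DEV-PC","\Microsoft\Windows\RuntimeBroker","Ready","DEV-PC\dev","C:\Users\dev\AppData\Roaming\.n2\RuntimeBroker.exe --quiet","N/A"
"DEV-PC","\Nightly backup","Ready","DEV-PC\dev","C:\Windows\System32\robocopy.exe D:\src E:\bak","N/A"
"DEV-PC","\Updater","Ready","DEV-PC\dev","C:\Users\dev\AppData\Local\Temp\python.exe C:\Users\dev\AppData\Local\Temp\u.py","N/A"
'''
SAMPLE_STARTUP = ["desktop.ini", "RuntimeBroker.lnk", "Slack.lnk"]
SAMPLE_HOME = [".npm", ".ssh", ".n2", "Documents", "repos"]
SAMPLE_NETSTAT = [
    "  TCP    192.168.1.20:51234     172.86.116.178:443     ESTABLISHED     4120",
    "  TCP    192.168.1.20:51240     203.0.113.7:443        ESTABLISHED     6612",
]

if __name__ == "__main__":
    for line in triage(SAMPLE_SCHTASKS, SAMPLE_STARTUP, SAMPLE_HOME, SAMPLE_NETSTAT):
        print(line)
```

The task check deliberately keys on both the task name and the executable path, since the report describes tasks that masquerade as RuntimeBroker.exe; a task that merely mentions the name but launches the real System32 binary is left alone.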
Mitigation and Future Outlook
To protect against the “Contagious Interview” campaign and similar threats, developers should disable automatic task execution in Visual Studio Code (the task.allowAutomaticTasks setting) and keep Workspace Trust enabled (security.workspace.trust.enabled), so that a folder from an unknown source opens in Restricted Mode, where its tasks cannot run. On systems showing signs of infection, such as hidden .n2 or .n3 directories or unexpected hidden entries inside .npm (the .npm directory itself is npm’s normal cache, so its mere presence is not an indicator), rotate all credentials and move cryptocurrency to new wallets from a clean device.
Where infection on Windows is confirmed, a full operating system reinstallation is recommended because of the malware’s registry-level persistence. The ongoing evolution of North Korean cyber capabilities shown by this attack underscores the need for continuous vigilance and adaptation; the international community and security firms will keep monitoring these actors, and further attempts to exploit software development workflows and supply chains for illicit gain should be expected.

