Full Report
North Korean threat actors linked to the Contagious Interview campaign have been observed employing steganography in SVG image files to conceal malicious payloads as part of a campaign using fake job postings and coding challenges. "Any user who ran the project ended up with a four-stage payload aligned with OTTERCOOKIE: a browser credential and crypto wallet stealer, a file stealer, a
Analysis Summary
# Threat Actor: REF9403
## Attribution & Identity
- **Actor Identification:** North Korea-linked threat actors (DPRK).
- **Aliases:** REF9403.
- **Known Associations:** Linked to the "Contagious Interview" campaign. The article suggests overlaps between this activity and previous campaigns involving malicious npm packages (Rollup polyfill tooling).
## Activity Summary
- **Campaign Name:** Contagious Interview (ongoing since at least December 2022).
- **Recent Operations:** In May 2026, the actor targeted members of the Elastic Slack workspace using a persona named "Maxwell." They posted fake job listings for Next.js/NestJS developers. Interested candidates were directed to complete a "coding assessment" by downloading and running a trojanized repository. The campaign notably utilizes steganography in SVG images to deliver the OTTERCOOKIE malware.
## Tactics, Techniques & Procedures
- **Social Engineering:** Using Slack (#jobs channels) and direct messages to lure developers with fake job offers.
- **Steganography:** Hiding malicious Base64-encoded payload fragments inside HTML comments within SVG image files (e.g., country flags like `AE.svg`, `AF.svg`).
- **Dependency/Supply Chain Poisoning:** Distributing trojanized software repositories and malicious npm packages.
- **Persistence:** Engineering the attack chain to execute the malware on every server boot.
- **Anti-Analysis:** Incorporating VM detection capabilities to evade sandbox environments.
- **Communication:** Using Socket.IO for Command and Control (C2) communications.
## Targeting
- **Sectors:** Software Development, Cryptocurrency, Artificial Intelligence.
- **Geography:** Global (targeted via community Slack workspaces).
- **Victims:** Software developers/engineers, specifically those working with Next.js, NestJS, and AI coding tools. Members of the Elastic Slack community were specifically mentioned.
## Tools & Infrastructure
- **Malware Families:**
- **OTTERCOOKIE:** A modular, cross-platform stealer and RAT.
- **Socket.IO-based RAT:** Used for persistent remote access and shell commands.
- **Targeted Data/Files:**
- Browser credentials and crypto wallets.
- AI coding extensions: `.claude`, `.cursor`, `.gemini`, `.windsurf`, `.pearai`, and `.llama`.
- Specific file extensions for data exfiltration.
- **Infrastructure:**
- **C2:** Socket.IO-based infrastructure.
- **Distribution:** GitHub-like repositories and Slack.
## Implications
This campaign demonstrates the increasing sophistication of DPRK-linked actors in bypassing signature-based detection through steganography. By specifically targeting AI developers and harvesting AI-tooling configurations, the actor is likely attempting to steal proprietary intellectual property or credentials related to emerging technology sectors. The shift toward Slack for initial access marks an expansion of their social engineering vector beyond LinkedIn and traditional email.
## Mitigations
- **Organizational Policy:** Implement strict policies regarding the execution of unverified "coding tests" or repositories on corporate hardware.
- **Verification:** Use out-of-band communication to verify the identity of recruiters and the legitimacy of job offers found on Slack or Discord.
- **Technical Controls:**
- Deploy endpoint detection and response (EDR) tools capable of monitoring JavaScript execution and suspicious network connections from development environments.
- Sanitize or inspect SVG files for hidden HTML comments or non-standard metadata.
- **Developer Education:** Train developers to recognize the specific "coding challenge" lures used in the Contagious Interview campaigns.