Full Report
The North Korean threat actors associated with the long-running Contagious Interview campaign have been observed using malicious Microsoft Visual Studio Code (VS Code) projects as lures to deliver a backdoor on compromised endpoints. The latest finding demonstrates continued evolution of the new tactic that was first discovered in December 2025, Jamf Threat Labs said. "This activity involved
Analysis Summary
# Threat Actor: North Korea-linked Threat Actors (Associated with Contagious Interview)
## Attribution & Identity
* **Attribution:** Linked to North Korea (Democratic People's Republic of Korea - DPRK).
* **Known Aliases/Groups:** Associated with the long-running **Contagious Interview** campaign.
## Activity Summary
The VS Code project lure, first observed in December 2025, continues to evolve. Victims are told to clone a repository from GitHub, GitLab, or Bitbucket and open it in VS Code, ostensibly as part of a job assessment. The goal is to install a backdoor that gives the operators remote code execution on the developer's machine.
## Tactics, Techniques & Procedures
* **Luring:** Utilizing malicious VS Code projects hosted on popular code repositories.
* **Execution via Configuration:** Abusing the VS Code task configuration file (`.vscode/tasks.json`), specifically the `"runOn": "folderOpen"` run option, to execute arbitrary shell commands automatically when the project folder is opened. VS Code only runs such tasks in a trusted workspace (Restricted Mode disables them), so the job-assessment pretext is what gets the victim past the Workspace Trust prompt.
* **Payload Delivery:** Staging payloads on Vercel domains.
* **OS-Specific Execution (macOS Example):** Running `nohup bash -c` with `curl -s` to fetch a JavaScript payload and pipe it straight into the Node.js runtime. `nohup` detaches the process, so the payload keeps running after the task terminal is closed or VS Code exits; this is process survival, not boot persistence.
* **Fallback/Evasion:** Concealing multi-stage droppers within files disguised as harmless spell-check dictionaries.
* **Command & Control:** The delivered JavaScript backdoor runs in a continuous loop, harvests host information, and beacons to its C2 every five seconds.
* **Obfuscation:** Using heavily obfuscated JavaScript for payloads and command execution.
* **Potential AI Usage:** Code structure suggests the script payload may have been generated using an Artificial Intelligence (AI) tool.
## Targeting
* **Sectors:** Software engineers, particularly those working in the **cryptocurrency, blockchain, and fintech sectors**.
* **Geography:** Not explicitly detailed, but consistent with state-sponsored espionage targeting sensitive technology sectors globally.
* **Victims:** Software developers/engineers targeted via fake job assessments.
## Tools & Infrastructure
* **Malware Families Used:**
  * BeaverTail (backdoor implant)
  * InvisibleFerret (backdoor implant)
  * Heavily obfuscated JavaScript backdoor delivered by the `tasks.json` chain, providing remote code execution (RCE)
* **Infrastructure (Defanged):**
  * C2/Payload Host: `ip-regions-check[.]vercel[.]app`. Vercel is a legitimate hosting platform, so block or alert on the specific hostname rather than on `vercel.app` as a whole.
## Implications
The threat actors are showing advanced social engineering skill tailored specifically toward the software development community. The abuse of a legitimate IDE feature (VS Code automatic tasks) combined with hosting on a reputable cloud provider (Vercel) makes the activity hard for traditional application control and reputation-based filtering to catch: `bash`, `curl`, and `node` are all expected processes on a developer workstation. The use of a JavaScript backdoor designed for RCE indicates an objective focused on a long-term foothold and data exfiltration from target systems.
## Mitigations
* **IDE Security Posture:** Keep VS Code's Workspace Trust enabled and open unfamiliar repositories in Restricted Mode, which blocks task execution. Set `task.allowAutomaticTasks` to `"off"` in user settings so `folderOpen` tasks never start without an explicit run, even in trusted folders.
* **Workspace Trust Policy:** Train developers not to grant trust to a repository just because a recruiter or assessment asks them to. Before trusting a folder, read its `.vscode` directory, especially `tasks.json`, for commands configured to run automatically.
* **Endpoint Detection:** Alert on shells spawned from VS Code's process tree that launch `curl` or `wget` piped into `node`, `bash`, or `python`, or that use `nohup`/`setsid` to detach, particularly within seconds of a folder being opened.
* **Network Monitoring:** Watch for fixed-interval beaconing (the backdoor described here polls every five seconds) from developer workstations to newly seen cloud hosting subdomains such as `*.vercel.app`, and baseline which such domains your build tooling legitimately uses.