# Full Report
The North Korean threat actors behind the Contagious Interview campaign, also tracked as WaterPlum, have been attributed to a malware family tracked as StoatWaffle that's distributed via malicious Microsoft Visual Studio Code (VS Code) projects. The use of VS Code "tasks.json" to distribute malware is a relatively new tactic adopted by the threat actor since December 2025, with the attacks
# Analysis Summary
# Threat Actor: Contagious Interview (WaterPlum)
## Attribution & Identity
* **Origin:** North Korea (DPRK).
* **Aliases:** WaterPlum.
* **Associated Groups:** Linked to activities often attributed to Lazarus Group sub-groups (specifically those targeting developers and the crypto industry).
* **Associated Campaigns:** Contagious Interview, PolinRider.
## Activity Summary
The actor is currently executing a sophisticated campaign targeting developers by leveraging malicious Microsoft Visual Studio Code (VS Code) projects. Since December 2025, the group has evolved its tactics to use "tasks.json" files within VS Code to achieve automatic code execution. This activity is often preceded by social engineering under the guise of fake technical job interviews, where victims are directed to download and run code from repositories on GitHub, GitLab, or Bitbucket.
## Tactics, Techniques & Procedures
* **Social Engineering:** Uses "convincingly staged recruitment processes" on platforms like LinkedIn to target senior-level technical staff.
* **Auto-Run via VS Code:** Utilizes the `runOn: folderOpen` option in `tasks.json` to trigger malware execution automatically when a project folder is opened.
* **Dependency Manipulation (T1574):** Checks for Node.js presence; if missing, it downloads and installs the official version to ensure its JavaScript-based malware can run.
* **Platform-Agnostic Execution:** Abuses Vercel-hosted web applications to deliver cross-platform payloads (Windows, macOS, Linux).
* **Supply Chain Attacks:** Compromising legitimate GitHub accounts (e.g., Neutralinojs) to force-push malicious code.
* **Blockchain Exploitation:** Using encrypted payloads hidden within Tron, Aptos, and Binance Smart Chain (BSC) transactions.
* **MITRE ATT&CK IDs:**
  * T1566 (Phishing/Social Engineering)
  * T1204.002 (User Execution: Malicious File)
  * T1584 (Compromise Infrastructure)
  * T1071 (Application Layer Protocol)
## Targeting
* **Sectors:** Cryptocurrency, Web3, Open-source software development.
* **Geography:** Global (referenced by Japanese security vendor NTT Security).
* **Victims:** Senior engineers, CTOs, Founders, and contributors to open-source projects (e.g., Neutralinojs contributors).
## Tools & Infrastructure
* **StoatWaffle:** A modular Node.js-based malware containing Stealer and RAT modules.
* **BeaverTail:** A known stealer and downloader used to facilitate secondary infections.
* **PylangGhost:** Malware distributed via malicious npm packages.
* **Infrastructure:**
  * Hosting: Vercel (for initial data/payload download).
  * Repositories: GitHub, GitLab, Bitbucket.
  * C2: external servers that the Node.js malware polls for further code to execute (specific IPs/domains defanged: `vercel[.]app`, `npmjs[.]com`).
## Implications
This actor demonstrates a high level of operational maturity by targeting the "top of the pyramid"—senior decision-makers and developers with high-level access. By moving away from junior-level targets to CTOs and founders, the strategic objective likely involves large-scale cryptocurrency theft and long-term supply chain compromise. The focus on VS Code automation suggests a shift toward more "silent" execution methods that bypass traditional "run-as-admin" warnings.
## Mitigations
* **VS Code Security:** Disable or strictly audit "Automatic Tasks" in VS Code settings. Set `task.allowAutomaticTasks` to `off` or `prompt`.
* **Developer Training:** Implement high-fidelity social engineering simulations specifically targeting senior technical staff regarding "technical assessments" from unverified recruiters.
* **Package Integrity:** Use tools to audit `package.json` and hidden `.vscode` folders in cloned repositories before opening them in an IDE.
* **Network Filtering:** Block or monitor traffic to unusual Vercel subdomains and monitor for unauthorized Node.js installations or unexpected outbound Node.js network activity.
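The "Package Integrity" mitigation above can be scripted. The following is an added example (not code from the report or from any vendor tool) that audits a cloned repository before it is opened in an IDE: it parses `.vscode/tasks.json` as JSONC, flags any task with `runOptions.runOn` set to `folderOpen`, and lists npm install-time scripts in `package.json`. The sample `tasks.json` embedded below is constructed for the demonstration, and the comment-stripping is a simplification (a `//` not preceded by `:` is treated as a comment).

```python
import json
import re
from pathlib import Path

# Constructed sample of a .vscode/tasks.json with an auto-running task.
# VS Code reads tasks.json as JSONC, so comments and trailing commas occur.
SAMPLE_TASKS_JSON = """{
  // build helper
  "version": "2.0.0",
  "tasks": [
    { "label": "prepare", "type": "shell", "command": "node",
      "args": ["./scripts/setup.js"], "runOptions": { "runOn": "folderOpen" }, },
    { "label": "lint", "type": "shell", "command": "npm run lint" }
  ]
}"""

def strip_jsonc(text: str) -> str:
    """Strip /* */ and // comments plus trailing commas so json.loads accepts JSONC.
    Simplified: a '//' not preceded by ':' is a comment, which leaves URLs intact."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    text = re.sub(r"(^|[^:\\])//[^\n]*", r"\1", text, flags=re.M)
    return re.sub(r",(\s*[}\]])", r"\1", text)

def find_auto_tasks(tasks_json_text: str) -> list:
    """Return tasks that VS Code would start on folder open (runOptions.runOn)."""
    data = json.loads(strip_jsonc(tasks_json_text))
    hits = []
    for task in data.get("tasks", []):
        if task.get("runOptions", {}).get("runOn") == "folderOpen":
            cmd = [str(task.get("command", ""))] + [str(a) for a in task.get("args", [])]
            hits.append({"label": task.get("label"), "command": " ".join(cmd).strip()})
    return hits

def audit_repo(repo: Path) -> list:
    """Scan a cloned repo for folderOpen tasks and npm install-time scripts."""
    findings = []
    tasks_file = repo / ".vscode" / "tasks.json"
    if tasks_file.is_file():
        for hit in find_auto_tasks(tasks_file.read_text(encoding="utf-8")):
            findings.append({"source": str(tasks_file), **hit})
    pkg = repo / "package.json"
    if pkg.is_file():
        scripts = json.loads(pkg.read_text(encoding="utf-8")).get("scripts", {})
        for hook in ("preinstall", "install", "postinstall", "prepare"):
            if hook in scripts:
                findings.append({"source": str(pkg), "label": hook, "command": scripts[hook]})
    return findings
```

Run `audit_repo(Path("path/to/clone"))` on a freshly cloned repository and review every finding before opening the folder; with `task.allowAutomaticTasks` set to `off`, the folderOpen task would not fire, but the script still shows what it would have run.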