Full Report
The North Korean threat actors behind the ongoing Contagious Interview campaign are spreading their tentacles on the npm ecosystem by publishing more malicious packages that deliver the BeaverTail malware, as well as a new remote access trojan (RAT) loader. "These latest samples employ hexadecimal string encoding to evade automated detection systems and manual code audits, signaling a variation
Analysis Summary
# Threat Actor: North Korean Threat Actors (Associated with Lazarus Group)
## Attribution & Identity
North Korean threat actors, strongly associated with the **Lazarus Group**. The ongoing campaign is referred to as **Contagious Interview**.
## Activity Summary
The actors aggressively target developers by posing as recruiters conducting job interviews. The campaign extends to the **npm ecosystem**, where they publish numerous malicious packages designed to steal data and financial assets and to maintain long-term access. They recently published 11 malicious npm packages incorporating the **BeaverTail** malware and a new Remote Access Trojan (RAT) loader, and they have diversified hosting infrastructure by using both GitHub and **Bitbucket** repositories. Separately, AhnLab detailed a phishing campaign in which recruitment-themed lure emails link to Bitbucket projects that deploy BeaverTail, which in turn drops a Windows backdoor named **Tropidoor**.
## Tactics, Techniques & Procedures
- Publishing malicious packages to the npm registry (Supply Chain compromise).
- Using hexadecimal string encoding to evade detection systems and manual audits.
- Masquerading packages as legitimate utilities/debuggers (e.g., `dev-debugger-vite`, `events-utils`).
- Hosting payloads in Bitbucket repositories, specifically using directories themed around hiring (e.g., `eiwork_hire`).
- Reuse of core malware (BeaverTail, InvisibleFerret).
- Employing a DLL downloader malware (`car.dll`) launched by the stealer.
- The Tropidoor backdoor operates in memory and directly implements Windows commands (`schtasks`, `ping`, `reg`), a trait shared with the Lazarus malware LightlessCan and BLINDINGCAN.
- Publishing minor code variations across multiple packages to increase campaign success.
- Leveraging recruitment/job interview themes as a social engineering vector.
## Targeting
- Sectors: Software Development/Tech Industry (targeting developers).
- Geography: Developers in **South Korea** are explicitly named as targets of the phishing campaign reported by AhnLab.
- Victims: Developer systems; intent is to steal sensitive data and siphon financial assets.
## Tools & Infrastructure
- **Malware families used:**
  - BeaverTail (JavaScript stealer capable of downloading next-stage payloads).
  - InvisibleFerret (Python-based backdoor).
  - New RAT/Loader variant (embedded within several new npm packages).
  - Tropidoor (undocumented Windows backdoor deployed via BeaverTail/DLL downloader).
- **Infrastructure:**
  - npm registry.
  - GitHub.
  - Bitbucket repositories.
  - C2 address previously flagged in Lazarus Group's **Phantom Circuit** campaign (December 2024).
## Implications
This actor exhibits high persistence, operational maturity, and adaptability by rapidly evolving obfuscation techniques (hex encoding), diversifying hosting platforms (Bitbucket alongside GitHub), and continually refreshing their malware arsenal (Tropidoor). The focus on the software supply chain (npm) represents a high-impact vector against development environments.
## Mitigations
- Exercise extreme caution with executable files or projects cloned from unknown sources, even when they are hosted on legitimate platforms such as npm or Bitbucket.
- Implement rigorous code auditing and signature checking for dependencies installed via package managers.
- Monitor for network activity originating from developer machines communicating with known infrastructure linked to Lazarus campaigns (e.g., Phantom Circuit C2s).
- Harden developer workstations against in-memory execution techniques (Tropidoor).
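The hexadecimal string encoding listed under TTPs is the kind of thing the code-auditing mitigation above is meant to catch. The following is an added example written for this summary, not code from the report, from AhnLab, or from any npm project: a small audit helper that finds hex-encoded string literals and `\xNN` escape runs in JavaScript package sources, decodes them, and assigns a verdict so a reviewer can read what the encoding hides before a dependency is installed. The token list, the length and printable-ratio thresholds, and the two sample package files are all constructed for the demonstration.

```javascript
// Added example, not code from the report or any cited vendor: a small
// audit helper that surfaces hexadecimal-encoded string literals in
// JavaScript package sources (the evasion technique listed under TTPs) and
// decodes them so a reviewer can read what they hide. Token list, thresholds
// and the sample package files are all constructed for this demo.

// Decoded text containing any of these is worth a closer look in a
// dependency that has no business touching processes, the network or env.
const SUSPICIOUS_TOKENS = [
  'child_process', 'eval', 'require', 'http', 'fetch',
  'fs.', 'process.env', 'spawn', 'exec',
];

// Quoted string made only of hex digits, 16+ chars (short hashes are noise).
const HEX_LITERAL = /(['"`])([0-9a-fA-F]{16,})\1/g;
// Run of at least eight \xNN escapes, e.g. "\x70\x72\x6f...".
const HEX_ESCAPES = /(?:\\x[0-9a-fA-F]{2}){8,}/g;

function decodeHexLiteral(hex) {
  if (hex.length % 2 !== 0) return null;             // odd length: not byte-aligned
  return Buffer.from(hex, 'hex').toString('latin1'); // one char per byte
}

function decodeHexEscapes(run) {
  return run.replace(/\\x([0-9a-fA-F]{2})/g,
    (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// Share of bytes that are printable ASCII; hashes and keys score low.
function printableRatio(s) {
  if (s.length === 0) return 0;
  let printable = 0;
  for (const ch of s) {
    const c = ch.charCodeAt(0);
    if (c >= 0x20 && c < 0x7f) printable++;
  }
  return printable / s.length;
}

function classify(decoded) {
  const hits = SUSPICIOUS_TOKENS.filter((t) => decoded.includes(t));
  if (hits.length > 0) return { verdict: 'suspicious', hits };
  if (printableRatio(decoded) >= 0.9) return { verdict: 'review', hits: [] };
  return { verdict: 'likely-binary', hits: [] }; // e.g. an integrity hash
}

// One finding per encoded string: where it is, what it decodes to, and a
// verdict the reviewer can sort on.
function findHexEncodedStrings(source) {
  const findings = [];
  for (const m of source.matchAll(HEX_LITERAL)) {
    const decoded = decodeHexLiteral(m[2]);
    if (decoded === null) continue;
    findings.push({ kind: 'hex-literal', offset: m.index, decoded, ...classify(decoded) });
  }
  for (const m of source.matchAll(HEX_ESCAPES)) {
    const decoded = decodeHexEscapes(m[0]);
    findings.push({ kind: 'hex-escapes', offset: m.index, decoded, ...classify(decoded) });
  }
  return findings;
}

// files: { relativePath: sourceText }. In practice read these from the
// unpacked tarball (npm pack) before the package is installed.
function scanPackage(files) {
  const report = {};
  for (const [name, content] of Object.entries(files)) {
    report[name] = findHexEncodedStrings(content);
  }
  return report;
}

// Constructed sample package: one file with a harmless hash constant, one
// with hex-encoded "child_process" and "process.env" (String.raw keeps the
// backslashes so the scanner sees the escapes as they appear on disk).
const SAMPLE_FILES = {
  'index.js': String.raw`const INTEGRITY = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855";`,
  'loader.js': String.raw`const mod = Buffer.from("6368696c645f70726f63657373", "hex").toString();
const env = "\x70\x72\x6f\x63\x65\x73\x73\x2e\x65\x6e\x76";`,
};

function demo() {
  return scanPackage(SAMPLE_FILES);
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const [file, findings] of Object.entries(demo())) {
    for (const f of findings) {
      console.log(`${file}@${f.offset} ${f.kind} ${f.verdict} ${JSON.stringify(f.decoded)} ${f.hits.join(',')}`);
    }
  }
}
```

Run it against the contents of `npm pack` output rather than an installed `node_modules`, so that install scripts never execute before the review. The `likely-binary` verdict keeps ordinary hash and key constants out of the way; anything decoding to readable text, and especially to a process, network or environment token, is what a manual audit should open first. This complements, and does not replace, lockfile integrity checks and registry signature verification (`npm audit signatures`).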