Full Report
North Korea-linked threat actors behind the Contagious Interview have set up front companies as a way to distribute malware during the fake hiring process. "In this new campaign, the threat actor group is using three front companies in the cryptocurrency consulting industry—BlockNovas LLC (blocknovas[.]com), Angeloper Agency (angeloper[.]com), and SoftGlide LLC (softglide[.]co)—to spread
Analysis Summary
# Threat Actor: Evolving DPRK-linked Job Scammers (Associated with "Contagious Interview" and "Wagemole")
## Attribution & Identity
**Attribution:** North Korea-linked threat actors (Democratic People's Republic of Korea - DPRK).
**Known Aliases/Tracking IDs:** CL-STA-0240, DeceptiveDevelopment, DEV#POPPER, Famous Chollima, UNC5342, Void Dokkaebi, and ClickFake Interview (Trend Micro).
**Associated Groups/Tactics:** Related to the Wagemole remote worker fraud tactic.
**Infrastructure/Operational Notes:** Utilizes front companies (BlockNovas LLC, Angeloper Agency, SoftGlide LLC) in the cryptocurrency consulting industry to distribute malware during fake hiring processes. Observed operating from China, Russia, and Pakistan using Russian IP ranges obscured by VPNs/proxies for connecting to VPS servers.
## Activity Summary
The actors are orchestrating social engineering campaigns, notably the **"Contagious Interview"** operation, using fake job postings and interviews to lure targets into downloading cross-platform malware. This is often framed around coding assignments or browser checks during video assessments. The use of front companies engaging in fake hiring processes coupled with GenAI tools for persona creation marks a new escalation. A linked tactic, **"Wagemole,"** involves placing DPRK nationals in long-term remote IT jobs by crafting fake personas, aiming for financial theft and intelligence gathering. BlockNovas was allegedly offering positions targeting Ukrainian IT professionals. The operation resulted in at least one developer's MetaMask wallet being compromised in September 2024, and the BlockNovas domain was later seized by the FBI.
## Tactics, Techniques & Procedures
- **Social Engineering (T1566.001/T1566.002):** Luring victims via fake job interviews ("Contagious Interview," "ClickFake Interview") and job board postings on platforms like Facebook, LinkedIn, Pinterest, X, Medium, GitHub, and GitLab.
- **Creation of False Personas (T1583, T1591):** Establishing front companies and creating fake employee/candidate profiles, often using AI tools (like Remaker) to generate profile pictures.
- **Initial Execution:** Serving malware via JavaScript stealers/loaders dropped during compromised interview processes (coding assignments/browser checks).
- **Persistence:** Employing a Python backdoor (InvisibleFerret) capable of establishing persistence on Windows, Linux, and macOS hosts.
- **System Information Gathering (T1082):** BeaverTail harvests system information.
- **Remote Access (T1219):** Installation of AnyDesk remote access software.
- **Credential/Data Theft (T1003, T1056):** Stealing browser data and files.
- **Anonymization (T1090):** Heavy obfuscation using commercial VPNs (Astrill VPN), residential proxies, and RDP layers over Russian infrastructure.
- **Use of Infrastructure for C2/Management:** Hosting a "Status Dashboard" and an open-source password cracking management system (Hashtopolis).
- **Supply Chain/Software Misuse:** Distributing tools like Kryptoneer to connect to various cryptocurrency wallets.
## Targeting
- **Sectors:** Cryptocurrency consulting (front companies), general IT professionals, and potentially the Sui blockchain ecosystem (via Kryptoneer tool).
- **Geography:** Operations originate from China, Russia, and Pakistan; specific outreach was observed toward **Ukrainian IT professionals**.
- **Victims:** Job seekers, developers, and cryptocurrency wallet holders (leading to documented MetaMask compromise).
## Tools & Infrastructure
- **Malware Families:**
- BeaverTail (JavaScript stealer and loader)
- InvisibleFerret (Python backdoor)
- OtterCookie
- FROSTYFERRET
- GolangGhost
- **Infrastructure:**
- Front Companies: BlockNovas\[.\]com, angeloper\[.\]com, softglide\[.\]co (domains seized or associated with operations).
- C2/External Servers: lianxinxiao\[.\]com (C2 for BeaverTail payload delivery).
- Operational Infrastructure: angeloperonline\[.\]online, softglide\[.\]co.
- Cryptocurrency Tool Hosting: attisscmo\[.\]com hosting Kryptoneer.
- Anonymization Services: Astrill VPN, commercial proxy servers, and VPS servers accessed via RDP from Russian IP ranges.
## Implications
This represents a sophisticated, financially motivated threat actor that is rapidly adopting cutting-edge techniques (GenAI for persona fraud) to facilitate both immediate criminal gains (crypto theft, salary funneling) and potential long-term intelligence gathering through espionage inside remote client organizations. The blending of social engineering, supply chain compromise (via fake jobs), and cryptocurrency targeting shows a mature, multi-faceted operation. The use of Russian infrastructure suggests potential cooperation or, at minimum, a reliance on infrastructure geographically close to North Korea for deep-layer anonymization.
## Mitigations
- **Supply Chain Vigilance:** Exercise extreme caution with unsolicited job offers, especially those requiring code execution or browser access checks during interviews.
- **Verify Front Companies:** Scrutinize the history and legitimacy of consulting or tech companies offering remote work, especially when the tenure they claim far exceeds their actual registration or online history (e.g., BlockNovas claiming 12+ years of operation).
- **Strong Endpoint Security:** Implement proactive endpoint detection and response (EDR) capable of detecting persistence mechanisms like Python backdoors (InvisibleFerret) and unauthorized software installation (AnyDesk).
- **Limit Trust Zones:** Isolate and strictly monitor development/testing environments where job assignment code is executed.
- **Wallet Security:** Maintain cold storage for high-value assets and only interact with wallet connectors after verifying the legitimacy of their source, which limits exposure to compromises delivered through tools like Kryptoneer.
- **Infrastructure Monitoring:** Organizations operating infrastructure in or connected with areas mentioned (Russia, China, Pakistan) should increase monitoring for anomalous RDP or VPS activity associated with known threat patterns.
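As an added example (not part of the report), the defanged domains listed under Tools & Infrastructure can be refanged and matched against resolver telemetry to support the Infrastructure Monitoring mitigation above; the DNS log lines, the log line format and the client IPs are constructed for illustration.

```python
import re
from typing import Optional

# Defanged domains as listed in the report (front companies, C2 and tool hosting).
REPORT_INDICATORS = [
    "blocknovas[.]com", "angeloper[.]com", "softglide[.]co",
    "lianxinxiao[.]com", "angeloperonline[.]online", "attisscmo[.]com",
]

def refang(indicator: str) -> str:
    """Turn a defanged domain such as 'BlockNovas\\[.\\]com' into 'blocknovas.com'."""
    cleaned = indicator.replace("\\", "").strip().lower()
    return re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", cleaned)

def matches_indicator(host: str, indicators) -> Optional[str]:
    """Return the indicator that host equals or is a subdomain of, else None.
    A trailing dot (FQDN form) is ignored; 'notsoftglide.co' must NOT match 'softglide.co'."""
    host = host.lower().rstrip(".")
    for ioc in indicators:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None

# Assumed (constructed) log format: "<timestamp> <client-ip> query <qname>".
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) query (?P<qname>\S+)$")

def scan_dns_log(lines, indicators=REPORT_INDICATORS):
    """Return (timestamp, client, qname, matched_indicator) tuples for every hit."""
    iocs = [refang(i) for i in indicators]
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than failing the whole scan
        ioc = matches_indicator(m["qname"], iocs)
        if ioc:
            hits.append((m["ts"], m["client"], m["qname"], ioc))
    return hits

# Constructed sample resolver log (not real telemetry).
SAMPLE_LOG = """\
2025-04-24T09:12:01Z 10.0.5.23 query www.blocknovas.com
2025-04-24T09:12:05Z 10.0.5.23 query github.com
2025-04-24T09:13:40Z 10.0.7.9 query api.lianxinxiao.com
2025-04-24T09:14:02Z 10.0.5.23 query softglide.co.
2025-04-24T09:15:11Z 10.0.9.1 query notsoftglide.co
""".splitlines()

if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_LOG):
        print("HIT", *hit)
```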