Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to threat actors
🇰🇵 KP

PurpleDelta

Also known aspurpledelta

PurpleDelta is Recorded Future Insikt Group’s designation for North Korean IT workers conducting a remote IT employment fraud scheme (also referred to as Wagemole) in which operators seek unauthorized employment—often at US firms—using fraudulent, stolen, or “loaned” identities, including synthetic personas built across platforms such as LinkedIn, GitHub, and job boards. The activity is assessed to be conducted for both financial gain and espionage, and reporting cited the use of deepfake injection techniques to pass remote hiring processes. Content states this scheme has infiltrated at least 64 US companies and can generate significant revenue per operator. Insikt Group reports multiple points of operational and infrastructure overlap between PurpleDelta and the North Korea-linked ‘Contagious Interview’ activity cluster it tracks as PurpleBravo, including shared Astrill VPN-linked infrastructure/nodes, administration traffic overlaps, and instances suggesting the same devices/operators were involved in both IT-worker job-fraud activity (e.g., automating job applications) and malware C2 operations. This overlap is highlighted as a supply-chain and insider-risk concern when fraudulent hires gain access to corporate environments.

Share:
Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial
OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Where they're from

Attributed origin per open-source reporting.

  • KP
MITRE ATT&CK

Tradecraft

9 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

9 of 15 tactics14 techniques×N= number of intelligence reports citing this technique
MITRE ATT&CK
TA0042
Resource Development
1 technique
T1585
Establish Accounts
TA0001
Initial Access
2 techniques
T1078×3
Valid Accounts
T1133
External Remote Services
TA0003
Persistence
2 techniques
T1078×3
Valid Accounts
T1133
External Remote Services
TA0004
Privilege Escalation
1 technique
T1078×3
Valid Accounts
TA0005
Stealth
2 techniques
T1036×3
Masquerading
T1078×3
Valid Accounts
TA0009
Collection
1 technique
T1005
Data from Local System
TA0011
Command and Control
1 technique
T1090
Proxy
T1090.002
External Proxy
T1090.003
Multi-hop Proxy
TA0010
Exfiltration
1 technique
T1537
Transfer Data to Cloud Account
TA0040
Impact
1 technique
T1486×2
Data Encrypted for Impact
IOCS

Observables

3 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.

3 IOCsView more in app

IOC values are gated. View more in Mallory for domains, IPs, hashes, and other artifacts, or pipe them straight into your SIEM.

ACTIVITY FEED

Recent activity

7 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

7 SOURCESView more in app
cyberthroneNews
Feb 1, 2026
North Korean PurpleBravo Targets Developers in Contagious Interview Campaign - TheCyberThrone

Referenced as a related North Korea–linked operational cluster whose infrastructure/operations are tied to the Astrill VPN-linked C2 used in the described campaign.

Read more
security online infoNews
Jan 27, 2026
"Contagious Interview": How North Korean Hackers Use Fake Jobs to Breach IT Firms

North Korea-linked fraudulent IT worker operation used for revenue generation and access, assessed in the content as operationally overlapping with PurpleBravo via shared infrastructure and devices, including automation of job applications while managing malware C2.

Read more
ctoatncsc substackNews
Jan 25, 2026
CTO at NCSC Summary: week ending January 25th

Referenced as a related North Korea-linked activity cluster (North Korean IT worker operations) with observed overlap with PurpleBravo.

Read more
risky biz rssNews
Jan 22, 2026
Improperly patched bug exploited again in Fortinet firewalls

Referenced as connected to North Korea’s remote IT worker scheme; mentioned in relation to Contagious Interview/PurpleBravo activity.

Read more
+3 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Start free trial
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping9

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables3

Domains, IPs, and hashes tied to this actor, refreshed continuously.