Skip to main content
Mallory
Back to threat actors
North Korea🇰🇵 🇷🇺 🇨🇳 🇵🇰 KP38 malware familiesExploits CVEs in the wild

Contagious Interview

Also known asBeaverTailcontagious interviewfamous chollimagwisin ganginvisibleferretottercookietenacious pungsanunc5342void dokkaebi

Contagious Interview is a North Korea-aligned threat activity cluster associated in the provided reporting with Famous Chollima, Void Dokkaebi, UNC5342, DeceptiveDevelopment, Dev#Popper, and related aliases including BeaverTail, InvisibleFerret, OtterCookie, Gwisin Gang, and Tenacious Pungsan. The cluster is described as DPRK-linked and in multiple sources as operating under or alongside the Lazarus umbrella. The activity primarily targets software developers, especially in cryptocurrency, blockchain, Web3, DeFi, and broader technology sectors, though reporting also notes targeting of finance, education, business services, and financial services organizations. A recurring tradecraft pattern is social engineering through fake recruiter personas, fraudulent job offers, coding challenges, code review requests, and fake interview or skill-testing workflows. Operators commonly use LinkedIn, job boards, email, GitHub, GitLab, Bitbucket, Google Docs, and lure websites impersonating real companies or fabricated firms. Some variants use ClickFix-style prompts or fake video-driver/camera troubleshooting flows to induce execution. Malware and tooling directly associated in the content include BeaverTail, InvisibleFerret, JADESNOW, OtterCookie, ContagiousDrop, and in some reporting supply-chain-delivered JavaScript loaders and npm/package ecosystem abuse. Reported objectives include theft of cryptocurrency wallets, browser credentials, password-manager data, cookies, SSH keys, cloud configuration data, and other sensitive information, with some reporting also noting persistent access, remote control, and possible cyberespionage or foothold establishment inside technology companies. The content also describes operational behaviors beyond victim compromise. Contagious Interview operators were observed abusing cyber threat intelligence platforms such as Validin, monitoring Maltrail and VirusTotal for exposure of their infrastructure, rapidly replacing disrupted infrastructure, and exhibiting repeated OPSEC failures through exposed directories, logs, and Node.js applications. Additional reporting links the cluster to abuse of Google Docs for fake job lures and facilitator recruitment, software supply-chain activity involving malicious npm packages and a compromised Packagist development branch, and infrastructure patterns including blockchain-based dead-drop or EtherHiding delivery mechanisms. Related or overlapping activity in the content includes the North Korean fake IT worker scheme tracked as WageMole/Wagemole and reporting that Famous Chollima is active in both developer-targeting malware campaigns and fraudulent employment operations. Proofpoint reporting cited in the content notes strong overlaps between UNK_DeadDrop and Contagious Interview in targeting, social engineering, and theft goals, while tracking UNK_DeadDrop separately due to distinct telemetry and infrastructure.

Share:
Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial
OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Who they target

Sectors the actor has been observed targeting.

  • Software & Services

Where they target

Geographies tied to known operations.

  • 🇺🇦 Ukraine
  • 🇺🇸 United States
  • 🇩🇪 Germany

Where they're from

Attributed origin per open-source reporting.

  • KP
  • RU
  • CN
  • PK
MITRE ATT&CK

Tradecraft

68 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

14 of 15 tactics85 techniques×N= number of intelligence reports citing this technique
MITRE ATT&CK
TA0043
Reconnaissance
3 techniques
T1589
Gather Victim Identity Information
T1592
Gather Victim Host Information
T1598×2
Phishing for Information
TA0042
Resource Development
2 techniques
T1583
Acquire Infrastructure
T1583.001
Domains
T1586
Compromise Accounts
TA0001
Initial Access
6 techniques
T1078
Valid Accounts
T1133
External Remote Services
T1189×2
Drive-by Compromise
T1195×2
Supply Chain Compromise
T1195.002
Compromise Software Supply Chain
T1199
Trusted Relationship
T1566
Phishing
T1566.002×2
Spearphishing Link
T1566.003×5
Spearphishing via Service
TA0002
Execution
2 techniques
T1059×2
Command and Scripting Interpreter
T1059.001
PowerShell
T1059.003
Windows Command Shell
T1059.005
Visual Basic
T1059.006×2
Python
T1059.007×4
JavaScript
T1204
User Execution
T1204.001
Malicious Link
T1204.002×5
Malicious File
TA0003
Persistence
4 techniques
T1078
Valid Accounts
T1133
External Remote Services
T1136
Create Account
T1547
Boot or Logon Autostart Execution
T1547.001
Registry Run Keys / Startup Folder
TA0004
Privilege Escalation
2 techniques
T1078
Valid Accounts
T1547
Boot or Logon Autostart Execution
T1547.001
Registry Run Keys / Startup Folder
TA0005
Stealth
5 techniques
T1027×3
Obfuscated Files or Information
T1027.013
Encrypted/Encoded File
T1036
Masquerading
T1078
Valid Accounts
T1140×2
Deobfuscate/Decode Files or Information
T1564
Hide Artifacts
T1564.001
Hidden Files and Directories
T1564.003
Hidden Window
TA0006
Credential Access
5 techniques
T1056
Input Capture
T1056.001
Keylogging
T1539
Steal Web Session Cookie
T1552
Unsecured Credentials
T1552.001
Credentials In Files
T1555
Credentials from Password Stores
T1555.001
Keychain
T1555.003
Credentials from Web Browsers
T1649
Steal or Forge Authentication Certificates
TA0007
Discovery
7 techniques
T1010
Application Window Discovery
T1016
System Network Configuration Discovery
T1082×3
System Information Discovery
T1083×3
File and Directory Discovery
T1124
System Time Discovery
T1217
Browser Information Discovery
T1614
System Location Discovery
TA0008
Lateral Movement
1 technique
T1021
Remote Services
T1021.001×2
Remote Desktop Protocol
TA0009
Collection
7 techniques
T1005
Data from Local System
T1025
Data from Removable Media
T1056
Input Capture
T1056.001
Keylogging
T1074
Data Staged
T1074.001
Local Data Staging
T1115
Clipboard Data
T1119
Automated Collection
T1560
Archive Collected Data
T1560.002
Archive via Library
TA0011
Command and Control
7 techniques
T1071×2
Application Layer Protocol
T1071.001×2
Web Protocols
T1071.002
File Transfer Protocols
T1090
Proxy
T1090.002
External Proxy
T1095
Non-Application Layer Protocol
T1102
Web Service
T1102.001
Dead Drop Resolver
T1105×4
Ingress Tool Transfer
T1219
Remote Access Tools
T1571
Non-Standard Port
TA0010
Exfiltration
4 techniques
T1030
Data Transfer Size Limits
T1041×2
Exfiltration Over C2 Channel
T1537
Transfer Data to Cloud Account
T1567
Exfiltration Over Web Service
T1567.004
Exfiltration Over Webhook
TA0040
Impact
1 technique
T1657×2
Financial Theft
ARSENAL

Associated malware families

38 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen
BeaverTailInstructional videos have also been found with what it looks like non-native English text, detailing how to set up a Beavertail malware command-and-control server and how to crack cryptocurrency wallet passwords.19Jun 14, 2026
InvisibleFerretThe campaign used the JavaScript infostealer BeaverTail, the cross-platform Python backdoor InvisibleFerret, and most recently OtterCookie, a new backdoor identified in December 2024.18Jun 14, 2026
OtterCookieThe campaign used the JavaScript infostealer BeaverTail, the cross-platform Python backdoor InvisibleFerret, and most recently OtterCookie, a new backdoor identified in December 2024.12Jun 14, 2026
DEV#POPPERThe malware, including a variant of the DEV#POPPER remote access trojan, retrieves encrypted payloads from blockchain transactions, decrypts them, and executes them on infected systems.3May 26, 2026
JADESNOWJADESNOW is a JavaScript-based downloader malware family associated with the threat cluster UNC5342. JADESNOW utilizes EtherHiding to fetch, decrypt, and execute malicious payloads from smart contracts on the BNB Smart Chain and Ethereum.3Jun 14, 2026

33 additional families tracked in Mallory.

WEAPONIZED

Associated vulnerabilities

2 CVEs this actor has used in observed campaigns. 2 of them exploited in the wild.

CVE-2025-55182React2ShellIn the wildEvidence2

"A critical remote code execution (RCE) vulnerability, identified as CVE-2025-55182 and dubbed React2Shell, exists within the React Server Components (RSC) architecture, allowing unauthenticated attackers to execute arbitrary code..."

CVE-2025-9491Microsoft Windows LNK File UI Misrepresentation Remote Code Execution VulnerabilityIn the wildEvidence2

This detection identifies instances where Windows Explorer.exe spawns PowerShell or cmd.exe processes, particularly focusing on executions initiated by LNK files. This behavior is associated with the ZDI-CAN-25373 Windows shortcut zero-day vulnerability, where specially crafted LNK files are used to trigger malicious code execution through cmd.exe or powershell.exe. This technique has been actively exploited by multiple APT groups in targeted attacks through both HTTP and SMB delivery methods.

IOCS

Observables

534 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.

534 IOCsView more in app

IOC values are gated. View more in Mallory for domains, IPs, hashes, and other artifacts, or pipe them straight into your SIEM.

ACTIVITY FEED

Recent activity

20 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

20 SOURCESView more in app
techcrunch com securityNews
Jun 10, 2026
North Koreans behind nearly half of US tech industry hacks, says CrowdStrike | TechCrunch

North Korean state-backed intrusion activity focused on the tech sector, including posing as remote IT workers and recruiters to infiltrate companies, steal intellectual property and sensitive information, extort victims, and target blockchain developers to steal cryptocurrency.

Read more
kmsecNews
Jun 10, 2026
Hunting North Korea's job adverts on Google Docs | kmsec.uk

Runs two related campaigns: the IT Worker scheme to obtain salaries via fraudulent insider employment, and Contagious Interview targeting developers with fake job lures and coding tests that lead to infostealing malware and cryptocurrency theft. The group also uses Google Docs to host and update malicious job adverts, coding assessments, and proxy interviewee recruitment materials.

Read more
cyber security newsNews
Jun 9, 2026
North Korea-Aligned Hackers Abuse GitHub Repositories to Infect Developers

A previously known threat actor cluster that overlaps strongly with UNK_DeadDrop and is associated in the content with North Korea-aligned developer-targeting social engineering activity.

Read more
scworldNews
Jun 9, 2026
Suspected North Korean actors use fake ‘coding assignments’ to steal crypto | news | SC Media

North Korean campaign targeting developers, associated with social engineering around job opportunities and theft of cryptocurrency wallets and credentials.

Read more
+193 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Start free trial
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping68

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal38

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs2

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables534

Domains, IPs, and hashes tied to this actor, refreshed continuously.