HexagonalRodent

HexagonalRodent is a financially motivated, state-sponsored North Korean threat group tracked by Expel as Expel-TA-0001. Expel assesses it as a subgroup or operational offshoot overlapping with CrowdStrike’s Famous Chollima; other vendors track overlapping activity as Contagious Interview. The reporting also describes the group as widely believed to sit within the broader Lazarus ecosystem. The group primarily targets Web3 and DeFi developers, as well as software developers more broadly, with the objective of stealing cryptocurrency and NFTs. Its operations rely heavily on employment-themed social engineering: fake recruiter outreach on LinkedIn and other career platforms, fraudulent job postings, fake company websites, and fabricated employee or leadership personas. Expel reported that the group used generative AI tools including ChatGPT, Cursor, and Anima to support malware development, infrastructure tasks, social engineering, and creation of fake companies and LinkedIn presences; in one reported case, a front company was formally incorporated in Mexico. HexagonalRodent commonly delivers malware through malicious coding assessments sent to job applicants. The infection chain abuses VSCode tasks.json with runOn:"folderOpen" to trigger execution when a project folder is opened, and also embeds backdoored code that executes when the project is run, providing a secondary path for victims not using VSCode or with automated tasks disabled. Malware associated with the group includes BeaverTail, OtterCookie, and InvisibleFerret. BeaverTail is used for credential theft, including from browser password managers, macOS Keychain, Linux Keyring, and 1Password; OtterCookie and InvisibleFerret provide reverse-shell or ongoing access. The malware is described as written in NodeJS and Python and uses obfuscated JavaScript to blend into developer environments and complicate detection. Expel reported that between January and March 2026 the campaign compromised 2,726 developer systems and exfiltrated 26,584 cryptocurrency wallets, with wallets holding up to approximately $12 million in crypto assets. Reporting also linked at least 13 victim wallets to a known DPRK-operated Ethereum address. Expel’s investigation uncovered internal command-and-control and workflow systems indicating a structured operation with 31 operators across six teams. In early 2026, the group was also linked to a supply-chain compromise of the fast-draft VSCode extension used to distribute OtterCookie.