REF9403 is a DPRK-linked threat activity cluster associated with the broader Contagious Interview campaign, a long-running social-engineering operation that targets software developers with fraudulent job opportunities and coding assessments. The operation is consistent with North Korean objectives of credential theft, cryptocurrency theft, and access acquisition that could enable follow-on intrusion or software supply-chain compromise. REF9403 uses fake recruiter personas and developer-focused lures to move targets from public job discussions into private conversations, where victims are encouraged to download and execute trojanized repositories presented as legitimate technical exercises. The malicious projects are typically functional enough to appear credible, while hidden code triggers malware execution during normal development workflows such as application startup. In this cluster, operators concealed payload fragments inside SVG image files using steganographic techniques and used JavaScript to reconstruct and execute the malware, demonstrating an emphasis on evasion and low initial detection. The observed infection chain aligns with OtterCookie-related tooling and delivers a modular, multi-stage payload. Capabilities include theft of browser credentials and autofill data, harvesting of cryptocurrency wallet data, collection of sensitive files from developer systems, clipboard theft, and remote access via a Socket.IO-based RAT. The malware has also been observed executing arbitrary shell commands, loading additional modules, checking for virtualized environments, and on Windows attempting to deploy additional executable payloads. Targeted data includes browser-stored secrets, wallet extensions, shell histories, cloud and SSH-related configuration material, and files commonly associated with development environments. REF9403 is best understood as a tracked campaign or intrusion set within the DPRK-linked Contagious Interview ecosystem rather than a wholly distinct named actor. Its tradecraft overlaps with previously reported Contagious Interview operations through code similarity, behavioral patterns, and infrastructure relationships tied to OtterCookie activity. The cluster reflects North Korean threat actor interest in developers as high-value targets for direct financial theft and for access paths into organizations through trusted software development environments. Known associated names and relationships include Contagious Interview and OtterCookie. REF9403 itself is the tracking designation for this specific campaign activity.
Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Sectors the actor has been observed targeting.
Attributed origin per open-source reporting.
9 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.
1 malware family attributed to this actor across reporting.
2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
North Korean state-sponsored activity targeting software developers with fake job postings and coding challenges, using trojanized repositories and steganography in SVG files to deliver multi-stage malware for credential theft, crypto wallet theft, file theft, clipboard theft, and persistent remote access.
A DPRK-aligned developer-targeting campaign using fake job postings and trojanized coding challenges to infect victims with credential theft, wallet theft, file theft, RAT, and clipboard-stealing capabilities, potentially enabling downstream supply-chain compromise.
Match sector + geo + tech-stack targeting against your real footprint.
Every observed MITRE ATT&CK technique, grouped by tactic.
Families this actor is known to deploy, with IOCs and behavior.
CVEs this actor has used in known campaigns.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Domains, IPs, and hashes tied to this actor, refreshed continuously.