The North Korean hackers who were about to steal thousands of cryptocurrencies thanks to a trojan

Recent investigations have uncovered a sophisticated cyberattack campaign attributed to threat actors linked to North Korea, called Contagious Interview. This campaign targets software developers working on Windows, Linux, and macOS operating systems, particularly those involved in cryptocurrency and Web3 projects. The cybersecurity firm ESET has identified this group, known as DeceptiveDevelopment, which employs a range of tools and tactics to infiltrate companies and steal sensitive information.

An Intangible Threat

Among the tools used is a Trojan called AkdoorTea, which is distributed via Windows batch scripts and resembles another implant known as NukeSped. The campaign lures victims with attractive job offers on platforms such as LinkedIn and Upwork. Victims are instructed to complete programming exercises that, unbeknownst to them, install malware on their systems.

The criminals have adopted a clever approach: they impersonate recruiters and present well-paid jobs, and once a target expresses interest, they direct them to fake sites that simulate a video assessment but actually serve to install malware. In this process, several malware variants have been identified, such as BeaverTail and InvisibleFerret, designed to steal information and manage cryptocurrencies.

Additionally, there are indications that the Contagious Interview campaign is related to other fraudulent initiatives by North Korean IT workers, which have been ongoing since 2017. Reports suggest that these actors often combine identity theft with digital tools, classifying them as a hybrid threat that merges traditional criminal operations and cybercrime.

Software developers are advised to be alert to suspicious job offers and to verify the legitimacy of any communication received regarding potential job opportunities.