North Korean Hackers Spread Malware via Fake Job Interviews

By Eli Junco, May 06, 2025

North Korean state-backed hackers are once again turning job seekers into unwitting victims. In a new campaign tracked as Contagious Interview, attackers pose as recruiters from fake crypto consulting firms to lure candidates into malware traps. Unlike previous efforts focused on phishing or exploiting crypto tools directly, this one weaponizes the hiring process itself.

Fake Interviews, Real Malware


Researchers at Silent Push have identified a set of front companies—BlockNovas LLC, Angeloper Agency, and SoftGlide LLC—being used by threat actors to distribute malware through fake job interviews. These aren’t just spoofed profiles or short-lived websites. The companies have full online personas, complete with fabricated employee profiles, websites claiming years of experience, and active presences on LinkedIn, GitHub, and even Medium.

Candidates are tricked during the hiring process, often being asked to complete coding tasks or “fix browser issues” related to their video assessments. In reality, these tasks are a cover for delivering cross-platform malware. Three distinct malware families—BeaverTail, InvisibleFerret, and OtterCookie—have been identified as part of the campaign. These can exfiltrate credentials, take screenshots, and provide long-term backdoor access.

Why Is North Korea Doing This?


This operation is more than a cybercrime scheme—it’s a state-funded campaign designed to serve two strategic goals: raise money for the regime and steal intellectual property.

The Democratic People's Republic of Korea (DPRK) is under heavy international sanctions and relies heavily on illicit cyber operations to fund its government. Cybersecurity experts have consistently tracked activity that blends financial theft with espionage, and campaigns like Contagious Interview fit squarely within that pattern.

In addition to deploying malware, North Korea has used these fake hiring efforts to gather intelligence on companies and their technologies, particularly in the blockchain and fintech sectors. In some cases, they’ve even gotten job applicants to run malware that compromised cryptocurrency wallets like MetaMask.

Ties to a Broader Social Engineering Network


Contagious Interview is one part of a wider ecosystem of North Korean social engineering operations. Another campaign known as Wagemole involves crafting AI-generated personas to gain legitimate employment in Western tech firms. These fake workers often pass interviews using highly coordinated playbooks and tools, then quietly work remote jobs while sending portions of their salaries back to Pyongyang.

GenAI-powered services are now being used to streamline every part of this process. From scheduling interviews to transcribing calls and translating real-time conversations, the operation is becoming more automated and scalable. Researchers note that a small group of facilitators often control multiple fake identities, juggling several job applications at once.


Infrastructure and Obfuscation


Much of the technical infrastructure for this campaign is intentionally anonymized. The attackers use VPN services like Astrill, residential proxies, and even password-cracking tools like Hashtopolis hosted on their fake domains. One subdomain tied to BlockNovas was found running a status dashboard monitoring their broader infrastructure, including sites like lianxinxiao.com and angeloperonline.online.

These connections were traced to IP ranges in Russia, particularly in the Khasan and Khabarovsk regions—areas known for proximity and ties to North Korea. While it’s not confirmed whether the Russian infrastructure providers are cooperating directly, it suggests some level of facilitation or indirect support.

Mitigating the Threat


There is no single fix for this threat, but awareness is a strong starting point. Hiring managers, HR teams, and technical leads must be trained to spot red flags in the recruitment process. Be cautious when asked to download unfamiliar tools during interviews or when interacting with companies that have little verifiable history.

Organizations should also implement stronger endpoint protections. Staff—especially developers—should not have unrestricted ability to install software, particularly during onboarding or interviews. Activity monitoring, restricted permissions, and application allowlisting are effective safeguards.

Finally, verify the legitimacy of vendors and applicants alike. Use open-source intelligence tools to check domain histories, employee photos, and company claims. If a firm says it’s been around for 12 years but was registered 6 months ago, that’s a serious red flag.
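
The domain-age check described above, as an added example (not from the original article or from Silent Push): it reads the registration event from an RDAP response and compares it with the company's claimed years in business. The RDAP record, the domain vendor.example, the function names and the one-year tolerance are assumptions constructed for illustration.

```python
import json
from datetime import datetime, timezone

# Constructed RDAP domain response (RFC 9083 shape); the domain and dates are
# placeholders, not data about any company named in the article.
SAMPLE_RDAP = json.dumps({
    "objectClassName": "domain",
    "ldhName": "vendor.example",
    "events": [
        {"eventAction": "registration", "eventDate": "2024-11-02T09:14:00Z"},
        {"eventAction": "last changed", "eventDate": "2025-01-15T00:00:00Z"},
    ],
})


def registration_date(rdap_json: str) -> datetime:
    """Return the domain's registration timestamp from an RDAP response."""
    for event in json.loads(rdap_json).get("events", []):
        if event.get("eventAction") == "registration":
            # fromisoformat() on older Pythons rejects a trailing "Z".
            stamp = event["eventDate"].replace("Z", "+00:00")
            return datetime.fromisoformat(stamp).astimezone(timezone.utc)
    raise ValueError("RDAP response has no registration event")


def age_mismatch(rdap_json: str, claimed_years: float, as_of: datetime,
                 tolerance_years: float = 1.0) -> dict:
    """Compare claimed years in business with the domain's real age."""
    registered = registration_date(rdap_json)
    domain_years = (as_of - registered).days / 365.25
    return {
        "registered": registered.date().isoformat(),
        "domain_age_years": round(domain_years, 2),
        "claimed_years": claimed_years,
        # Flag when the claim exceeds domain age by more than the tolerance.
        "red_flag": claimed_years - domain_years > tolerance_years,
    }


if __name__ == "__main__":
    as_of = datetime(2025, 5, 6, tzinfo=timezone.utc)
    print(age_mismatch(SAMPLE_RDAP, claimed_years=12, as_of=as_of))
```

Legitimate firms also rebrand or move domains, so treat a flagged result as a prompt to corroborate with company registry records and archived copies of the site.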

The Bottom Line


The fake interview lure represents a chilling evolution in North Korean cyber tactics. By turning the hiring process into an attack vector, these threat actors are able to bypass traditional security tools and get closer to valuable targets.

It’s a reminder that in today’s cyber threat landscape, even a job interview can be a front for state-sponsored malware. Vigilance, verification, and education are your first lines of defense.