North Korean hackers are carrying out a sophisticated and persistent phishing campaign, targeting software developers through fake job interviews to spread cross-platform malware. The operation, dubbed “Contagious Interview” by Palo Alto Networks’ Unit 42, was first disclosed in November 2023 and has since continued to pose a significant threat. These hackers, linked to the activity cluster CL-STA-0240, impersonate recruiters on job search platforms, contacting developers with enticing employment offers. Once trust is established, victims are invited to participate in fake online interviews where they are tricked into downloading malware disguised as coding assignments or tools needed for the interview process. This malware, designed to operate on both Windows and macOS systems, has been highly effective, showcasing the potency of social engineering tactics in professional contexts.
The malware families involved, known as BeaverTail and InvisibleFerret, form a multi-stage attack chain. BeaverTail acts as an initial downloader and information stealer: it collects data from infected systems and delivers the second-stage malware, InvisibleFerret. InvisibleFerret is a Python-based backdoor that gives attackers extensive control over the victim’s machine, enabling them to conduct remote operations, log keystrokes, steal sensitive data, and install additional software, such as the AnyDesk remote-access tool, for further exploitation. This combination of tools allows the hackers to exfiltrate browser passwords, cryptocurrency wallet information, and other private credentials, leaving victims’ data highly exposed.
One of the most concerning aspects of this campaign is the cross-platform functionality of the malware. The latest iteration of BeaverTail has been developed using the Qt framework, which supports both Windows and macOS, enabling the hackers to target a wider range of developers without drastically changing their approach. By building on this cross-platform framework, the attackers can maximize their reach and efficiency. Adding to the complexity, the hackers have also used fake video conferencing applications, such as those impersonating MiroTalk and FreeConference.com, to further lure developers into downloading malicious software. This tactic helps avoid suspicion by mimicking legitimate, widely used tools that are common in virtual job interviews.
Despite the public exposure of the “Contagious Interview” campaign, the hackers have continued their attacks with little alteration to their methods. This suggests that their strategy remains highly effective, especially as many job seekers may be unaware of such sophisticated schemes or overlook basic security protocols in their pursuit of employment. Social engineering—especially in professional environments where trust is key—continues to be a successful attack vector for these threat actors. Moreover, researchers from Palo Alto Networks’ Unit 42 and other cybersecurity firms like Group-IB have noted that the campaign may be financially motivated.