A joint investigation by SentinelLABS and the internet intelligence platform Validin reveals that North Korea-aligned hackers are taking a pragmatic approach to maintaining their cyber operations.
When infrastructure is detected and taken down, they replace it with new assets rather than investing in comprehensive, long-term protection.
The group, linked to the “Contagious Interview” campaign cluster under the Lazarus umbrella, continues to lure cryptocurrency professionals with the ClickFix social engineering technique, where fake hiring assessments trick applicants into downloading malware disguised as fixes for fabricated technical errors.
Monitoring CTI Platforms for Exposure
Researchers observed that the threat actors actively monitor cyber threat intelligence (CTI) platforms to check for traces of their infrastructure.
Within just 24 hours of a Validin blog publishing indicators tied to Lazarus, the hackers registered multiple community accounts using Gmail addresses and later custom domains, such as versusx[.]us and quiz-nest[.]com.
The investigation revealed that hackers utilized Validin, VirusTotal, and Maltrail IOC repositories to determine which of their servers, domains, and lure websites had been flagged.
Their activity patterns suggested real-time coordination across multiple personas, likely using Slack channels, with Slack Bot traffic confirming shared CTI links across team members.
Even after finding artifacts that could easily compromise their operations, the actors made only minor tactical adjustments, such as renaming a lure site from SkillMaster to SkillUp.
Rather than overhauling exposed infrastructure, they rapidly deployed new domains and hosting servers, favoring scalability and uninterrupted victim targeting.
New Assets, OPSEC Failures, and Victimology
The Validin logs revealed how the hackers scouted new domains before purchase, including hiringassessment[.]net and screenquestion[.]org, to avoid blacklisted web properties. Once acquired, these assets were deployed swiftly as fake job platforms or malware delivery servers.
Their ContagiousDrop applications, typically implemented in Node.js, provided OS-specific payloads (Windows, macOS, Linux) and logged every victim interaction.
Email notifications sent via accounts like designedcuratedamy58[@]gmail.com alerted operators whenever targets began assessments or ran malicious curl commands.
Poor operational security (OPSEC) repeatedly undermined the hackers. Misconfigured servers leaked directory listings, logs, and internal usernames, providing investigators with an unprecedented glimpse into attacker workflows.
Over 230 victims were confirmed between January and March 2025, with targets concentrated in the global cryptocurrency and blockchain industry, especially in investment-related roles.
Strategic Trade-Offs
SentinelLABS assesses that the attackers’ reliance on quick asset replacement is partly driven by Pyongyang’s earnings quotas, which pressure cyber units to prioritize revenue over stealth.
Instead of implementing a unified, long-term defense for their infrastructure, operatives race to maintain victim engagement with newly stood-up assets after takedowns.
According to experts, defense hinges on aggressive takedowns by service providers and heightened vigilance among job seekers in the crypto sector.
This combination, cutting off infrastructure while educating potential targets, offers the best chance of disrupting North Korea’s continuous phishing and malware pipeline.