Job Hunters Beware: North Korean Hackers Use Fake Businesses to Deliver Malware

North Korea’s state-sponsored cyber threat landscape continues to evolve, as recent research from Silent Push Threat Analysts has revealed advanced persistent threat (APT) activity targeting job-seekers in the cryptocurrency sector.

Operating under the codename “Contagious Interview”, an offshoot of the notorious Lazarus Group, the North Korean actors have established elaborate fronts masquerading as legitimate crypto consulting firms.

Detailed technical analysis links three companies, BlockNovas LLC, Angeloper Agency, and SoftGlide LLC, to the active distribution of sophisticated malware through fake job application processes aimed at developers and crypto professionals worldwide.

State-Backed Lazarus Offshoot Targets Crypto Job Seekers with Sophisticated Social Engineering

Analysis shows that these campaigns use a multi-stage infection chain, combining social engineering with AI-assisted deception across widely used freelancing and job listing platforms such as Upwork, Freelancer.com, and CryptoJobsList.

The fraudulent companies use AI-generated profile pictures and fictitious resumes, often crafted with tools such as Remaker AI, to fabricate the appearance of established businesses with a full complement of technical staff and recruiters.

This digital facade is reinforced with cloned websites, plagiarized portfolios, and business registrations that trace back to unverifiable or abandoned physical addresses.

Infection is primarily propagated through “interview lures”: job seekers are led through increasingly convincing application flows hosted on cloned company portals or cloud-based infrastructure (e.g., apply-blocknovas[.]site).

(Screenshot: mail[.]blocknovas[.]com:4200)

Victims are asked to provide credentials, upload video introductions, or perform technical “assessment tasks.”

These tasks typically require downloading code from attacker-controlled GitHub repositories or proprietary subdomains, where the malware payload is surreptitiously embedded, usually in obfuscated scripts or in compressed installer bundles packed together with legitimate software components for camouflage.

BeaverTail, InvisibleFerret, and OtterCookie Malware Campaigns Identified in Technical Detail

Technical analysis reveals the deployment of at least three custom malware strains: BeaverTail, InvisibleFerret, and OtterCookie.

BeaverTail, distributed primarily as JavaScript inside NPM packages, acts as an information stealer and as a loader for later stages, including Python-based backdoors.
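The check a practitioner would run on an “assessment task” repository before installing or executing it, as an added example (this is not code from the report, from Silent Push, or from the malware itself): it lists the npm lifecycle scripts that run automatically on `npm install` and flags source files that carry common staging and obfuscation indicators such as `eval`, long base64 literals, `child_process` and hex-escape runs. The sample project it writes to a temporary directory, including the base64 filler string, is constructed for the demo; the indicator regexes are heuristic assumptions, not signatures taken from the report.

```python
import json
import os
import re
import tempfile

# npm runs these scripts automatically during `npm install`; a take-home task
# that needs one deserves a close read before it is ever run.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Heuristic indicators of staged or obfuscated code (assumptions, not report
# signatures). None is malicious on its own; together they mean "read this
# file before running it".
INDICATORS = {
    "eval_or_function_ctor": re.compile(r"\b(?:eval|new\s+Function)\s*\("),
    "long_base64_literal": re.compile(r"[\"'][A-Za-z0-9+/]{80,}={0,2}[\"']"),
    "charcode_chain": re.compile(r"String\.fromCharCode\s*\((?:\s*\d+\s*,){8,}"),
    "hex_escape_run": re.compile(r"(?:\\x[0-9a-fA-F]{2}){8,}"),
    "child_process": re.compile(r"require\(\s*[\"']child_process[\"']\s*\)"),
    "outbound_http": re.compile(
        r"\b(?:https?\.(?:get|request)|axios\.(?:get|post)|fetch)\s*\("),
}
SOURCE_EXT = (".js", ".mjs", ".cjs", ".ts")


def scan_install_hooks(package_json_path):
    """Return the lifecycle scripts in package.json that run on install."""
    with open(package_json_path, encoding="utf-8") as fh:
        scripts = json.load(fh).get("scripts", {})
    return {hook: scripts[hook] for hook in INSTALL_HOOKS if hook in scripts}


def scan_source(path):
    """Return the sorted names of every indicator that matches a source file."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        src = fh.read()
    return sorted(name for name, rx in INDICATORS.items() if rx.search(src))


def triage_repo(root):
    """Walk a checked-out repo; report install hooks and flagged source files."""
    report = {"install_hooks": {}, "flagged_files": {}}
    for dirpath, dirnames, filenames in os.walk(root):
        # Vendored and VCS directories are noise for this pass.
        dirnames[:] = [d for d in dirnames if d not in ("node_modules", ".git")]
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if name == "package.json":
                hooks = scan_install_hooks(full)
                if hooks:
                    report["install_hooks"][rel] = hooks
            elif name.endswith(SOURCE_EXT):
                hits = scan_source(full)
                if hits:
                    report["flagged_files"][rel] = hits
    return report


def build_sample_repo():
    """Write a constructed (not real) 'assessment' project to a temp dir."""
    root = tempfile.mkdtemp(prefix="triage_demo_")
    pkg = {
        "name": "assessment-task",
        "scripts": {"test": "node test.js", "postinstall": "node lib/setup.js"},
    }
    with open(os.path.join(root, "package.json"), "w", encoding="utf-8") as fh:
        json.dump(pkg, fh)
    os.makedirs(os.path.join(root, "lib"))
    blob = "QUJD" * 30  # constructed filler that merely looks like a payload
    with open(os.path.join(root, "lib", "setup.js"), "w", encoding="utf-8") as fh:
        fh.write("const cp = require('child_process');\n")
        fh.write("const stage = '" + blob + "';\n")
        fh.write("eval(Buffer.from(stage, 'base64').toString());\n")
    with open(os.path.join(root, "test.js"), "w", encoding="utf-8") as fh:
        fh.write("console.log('plain unit test');\n")
    return root


if __name__ == "__main__":
    print(json.dumps(triage_repo(build_sample_repo()), indent=2))
```

The point of the `postinstall` check is that the payload never has to be in the file the candidate was asked to edit: `npm install` alone runs it. Anything the triage flags should be read in full, and the task run only in a throwaway VM or container without wallets or credentials on it.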

InvisibleFerret persists across platforms, installing itself on Linux, macOS, and Windows by modifying registry keys (Windows), autostart files (Linux), or LaunchAgents (macOS), depending on the OS.

(Screenshot: obfuscated InvisibleFerret script, lianxinxiao[.]com)

The malware communicates with remote command-and-control (C2) infrastructure, chiefly domains such as lianxinxiao[.]com, often using hardcoded IP addresses and layered base64 encoding and XOR obfuscation to disguise its traffic and payload delivery. Note that neither base64 nor fixed-key XOR is encryption in any meaningful sense; both are reversible once the scheme and key are known.
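How an analyst unwinds that base64-plus-XOR layering when the key is not handed over, as an added example that is not code from the report, from Silent Push, or from the malware. It decodes the base64 layer and then recovers a repeating XOR key by known-plaintext (“crib”) attack: C2 configuration blobs almost always contain a predictable substring such as `http://`, and sliding that crib over the ciphertext yields candidate key bytes that either agree with one another or do not. The sample blob is constructed here by obfuscating the report's two C2 hostnames under a made-up four-byte key; the key value, the crib choice and the printable-ratio threshold are assumptions.

```python
import base64
import string

PRINTABLE = frozenset(string.printable.encode("ascii"))


def xor_bytes(data, key):
    """XOR data with a repeating key; the same call obfuscates and recovers."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def printable_ratio(buf):
    """Fraction of bytes that are printable ASCII (1.0 for clean text)."""
    return sum(b in PRINTABLE for b in buf) / max(len(buf), 1)


def obfuscate(plaintext, key):
    """The scheme as a sample generator: repeating-key XOR, then base64."""
    return base64.b64encode(xor_bytes(plaintext, key)).decode("ascii")


def recover_key(data, crib, max_key_len=16, min_printable=0.95):
    """Known-plaintext recovery of a repeating XOR key.

    Sliding the crib over the ciphertext, crib[j] ^ data[offset + j] is the
    key byte at position (offset + j) % key_len. A (key_len, offset) pair is
    a hit when every key position derived that way agrees with itself and
    the fully decoded buffer is printable and contains the crib.
    """
    for key_len in range(1, max_key_len + 1):
        if len(crib) < key_len:
            break  # crib too short to pin down every byte of a longer key
        for offset in range(len(data) - len(crib) + 1):
            key = [None] * key_len
            consistent = True
            for j, c in enumerate(crib):
                pos = (offset + j) % key_len
                kb = data[offset + j] ^ c
                if key[pos] is None:
                    key[pos] = kb
                elif key[pos] != kb:
                    consistent = False
                    break
            if not consistent:
                continue
            key_bytes = bytes(key)
            plain = xor_bytes(data, key_bytes)
            if crib in plain and printable_ratio(plain) >= min_printable:
                return key_bytes, plain
    return None, None


def deobfuscate_blob(blob_b64, crib, max_key_len=16):
    """Strip the base64 layer, then recover the XOR key from the crib."""
    return recover_key(base64.b64decode(blob_b64), crib, max_key_len)


# Constructed sample: the report's C2 hosts as a fake config, under a made-up
# key whose 0xA7 byte defeats naive "try every single-byte key" guessing.
SAMPLE_PLAINTEXT = b"http://lianxinxiao.com/\nhttp://mail.blocknovas.com:4200/\n"
SAMPLE_KEY = bytes([0x5A, 0x13, 0xA7, 0x3C])

if __name__ == "__main__":
    blob = obfuscate(SAMPLE_PLAINTEXT, SAMPLE_KEY)
    key, plain = deobfuscate_blob(blob, b"http://")
    print("recovered key:", key.hex())
    print(plain.decode())
```

Against a real sample the crib is whatever the analyst already expects in the decoded config (`http`, a TLD, a JSON brace); if no crib fits, falling back to ranking every short key by letter frequency works on the same `xor_bytes` primitive.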

Data exfiltration targets browser-stored credentials, cryptocurrency wallet seeds, keychain and keyring data, and data from major crypto wallet browser extensions (MetaMask, Phantom, Coinbase Wallet, etc.), alongside clipboard monitoring.

Stolen data is transmitted back to attacker-controlled servers, with some payloads able to upload logs or files to third-party services such as Dropbox or to FTP servers, and some incorporating reverse shell and keylogger modules.

Analysts found that the malware’s structure facilitates modular loading, meaning new functionality can be deployed dynamically at the behest of the attackers.

Infrastructure mapping links the three fake companies and their technical teams, whose online personas cross-reference each other on LinkedIn and other platforms but collapse under scrutiny: names and images are patently fictitious, with several instances of identity theft or synthetic profile generation.

The campaign's domains all resolve to hosting providers and IP ranges consistent with activity previously attributed to North Korean APTs, and further operational security failures exposed shared dashboards and management utilities across the supposedly independent firms.

The campaign’s sophistication is underscored by its operational resilience: actors leverage residential proxies, VPNs (notably Astrill VPN), and obfuscated domain records to evade detection.

Community research has corroborated victim reports of cryptocurrency theft and device compromise following engagement with these job lures.

In several cases, contractors were solicited under the guise of minor programming tests, only to have their Web3 wallets drained or their systems recruited into broader botnet activity.

Researchers urge organizations and individual professionals in the cryptocurrency and tech sectors to exercise heightened vigilance.

Defensive strategies include careful verification of remote job offers, refusing to execute unsolicited code or binaries outside an isolated environment, monitoring for the known C2 domains and IPs, and using behavioral analytics to detect unusual network or credential-exfiltration patterns.
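What “monitoring for known C2 domains and IPs” looks like in practice, as an added example that is not code from the report or from Silent Push: it refangs the indicators exactly as the report prints them, matches DNS and proxy log fields against them (catching sub-domains, trailing dots and `:port` suffixes, so `mail.blocknovas.com:4200` still hits), and checks destination IPs against CIDR ranges. The report names no IP addresses, so the `203.0.113.0/24` range (RFC 5737 TEST-NET-3) is a constructed placeholder that only exercises the IP path; the key=value log lines and the derived `blocknovas[.]com` parent zone are likewise assumptions made for the demo.

```python
import ipaddress
import re

# Domain indicators exactly as the report prints them (defanged).
REPORT_DOMAINS = ["apply-blocknovas[.]site", "mail[.]blocknovas[.]com",
                  "lianxinxiao[.]com"]
# Parent zone of mail[.]blocknovas[.]com, added so sibling hosts are caught.
DERIVED_ZONES = ["blocknovas[.]com"]
# The report names no IPs; TEST-NET-3 is a constructed placeholder range.
CONSTRUCTED_NETS = ["203.0.113.0/24"]

# Constructed DNS/proxy log lines in a key=value layout (not real telemetry).
SAMPLE_LOG = [
    "t=1 src=10.1.2.3 qname=mail.blocknovas.com qtype=A",
    "t=2 src=10.1.2.3 host=mail.blocknovas.com:4200 method=GET",
    "t=3 src=10.1.2.7 qname=cdn.example.net qtype=A",
    "t=4 src=10.1.2.3 host=apply-blocknovas.site method=POST",
    "t=5 src=10.1.2.9 dst_ip=203.0.113.9 dport=443",
    "t=6 src=10.1.2.3 qname=LIANXINXIAO.COM. qtype=A",
]

FIELD_RX = re.compile(r"\b(?:qname|host|dst|dest_host)=([^\s,;]+)")
IP_RX = re.compile(r"\b(?:dst_ip|dst|ip)=(\d{1,3}(?:\.\d{1,3}){3})\b")


def refang(indicator):
    """Turn a defanged indicator back into a matchable hostname."""
    return (indicator.strip().lower()
            .replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http"))


def normalize_host(value):
    """Lower-case, drop a trailing dot and a numeric :port suffix."""
    host, sep, port = value.rpartition(":")
    if sep and port.isdigit():
        value = host
    return value.lower().rstrip(".")


def host_in_zone(host, zone):
    """True for the zone apex or any name under it."""
    return host == zone or host.endswith("." + zone)


def scan_lines(lines, domain_iocs, net_iocs):
    """Return (line_no, observed_value, matched_indicator) for every hit."""
    zones = [refang(d) for d in domain_iocs]
    nets = [ipaddress.ip_network(n) for n in net_iocs]
    hits = []
    for lineno, line in enumerate(lines, 1):
        for raw in FIELD_RX.findall(line):
            host = normalize_host(raw)
            zone = next((z for z in zones if host_in_zone(host, z)), None)
            if zone:
                hits.append((lineno, host, zone))
        for ip_text in IP_RX.findall(line):
            try:
                ip = ipaddress.ip_address(ip_text)
            except ValueError:
                continue  # malformed dotted quad, not a matchable address
            net = next((n for n in nets if ip in n), None)
            if net:
                hits.append((lineno, ip_text, str(net)))
    return hits


if __name__ == "__main__":
    for hit in scan_lines(SAMPLE_LOG, REPORT_DOMAINS + DERIVED_ZONES,
                          CONSTRUCTED_NETS):
        print("line %d: %s matches %s" % hit)
```

Matching on the parent zone rather than only the literal hostnames is the part worth keeping: the report already shows two hosts under blocknovas, and operators rotate sub-domains far more often than registered domains.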

As North Korea continues to blend social engineering with technical innovation, the threat to the global digital workforce, particularly those in the rapidly expanding crypto economy, remains acute and ever-evolving.

Mandvi
Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.
