LinkedIn personas highly likely linked to PurpleBravo threat activity (Source: LinkedIn)
The perfect job offer landed in your inbox. The recruiter was polite, the company looked legitimate, and the coding test seemed like standard procedure. But according to a new report by Insikt Group, that “career opportunity” might actually be a state-sponsored cyberattack designed to breach your company’s defenses.
Researchers have pulled the curtain back on PurpleBravo, a North Korean threat group that has aggressively evolved its tactics to target the IT software supply chain. In a campaign that blurs the line between legitimate recruitment and espionage, these hackers are “masquerading as legitimate recruiters, delivering weaponized coding tests to candidates’ corporate laptops”.
The campaign, dubbed “Contagious Interview,” relies on a disturbingly effective social engineering hook. PurpleBravo operators create elaborate fictitious personas on professional networking sites like LinkedIn, posing as recruiters from places like Odessa, Ukraine.
They don’t just send a malicious link; they build a relationship. They conduct interviews, discuss salary expectations, and finally, send a “coding challenge” or a project file hosted on GitHub.
“PurpleBravo employs a combination of fictitious personas, organizations, and websites to distribute malware to unsuspecting job seekers in the software development industry,” the report states.
The danger arises when eager candidates, looking to impress, download these repositories on their work machines. “In several cases, it is likely that job-seeking candidates executed malicious code on corporate devices, creating organizational exposure beyond the individual target”.
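Before a take-home "coding challenge" is run on a corporate device, a few minutes of static triage can surface the traits the article describes: install hooks that execute on `npm install`, dynamic evaluation of decoded blobs, process spawning, and references to browser credential stores. The following Python script is an added example, not code from the Insikt Group report or from this article; the indicator patterns, thresholds and the constructed sample repository it builds are this example's own assumptions, and a clean result means only that nothing obvious was found, so unknown code still belongs in an isolated sandbox rather than on a work laptop.

```python
"""Pre-execution triage of a cloned "coding test" repository (added example)."""
import base64
import json
import os
import re
import tempfile
from dataclasses import dataclass

# npm lifecycle hooks that run automatically during `npm install`.
NPM_LIFECYCLE_HOOKS = {"preinstall", "install", "postinstall", "prepare"}

# Source-level patterns that are unusual in a small take-home exercise.
# Heuristic choices for this example, not indicators from the report.
SOURCE_PATTERNS = {
    "dynamic_eval": re.compile(r"\b(eval|new\s+Function)\s*\(|\bexec\s*\("),
    "child_process": re.compile(r"child_process|subprocess|os\.system"),
    "raw_ip_url": re.compile(r"\bhttps?://\d{1,3}(?:\.\d{1,3}){3}\b"),
    "long_base64": re.compile(r"[A-Za-z0-9+/]{200,}={0,2}"),
    "browser_profile": re.compile(r"Login Data|Local State|\.config/google-chrome|Cookies", re.I),
}

SCAN_EXTENSIONS = {".js", ".mjs", ".cjs", ".ts", ".py", ".json", ".sh"}


@dataclass(frozen=True)
class Finding:
    path: str
    kind: str
    detail: str


def scan_package_json(path: str, text: str) -> list[Finding]:
    """Flag lifecycle scripts that execute without the candidate running anything."""
    try:
        data = json.loads(text)
    except json.JSONDecodeError:
        return [Finding(path, "unparseable_json", "package.json is not valid JSON")]
    return [
        Finding(path, "install_hook", f"{hook}: {cmd}")
        for hook, cmd in (data.get("scripts") or {}).items()
        if hook in NPM_LIFECYCLE_HOOKS
    ]


def scan_source(path: str, text: str) -> list[Finding]:
    """Report the first match of each suspicious pattern in a source file."""
    findings = []
    for kind, pattern in SOURCE_PATTERNS.items():
        match = pattern.search(text)
        if match:
            findings.append(Finding(path, kind, match.group(0)[:60]))
    return findings


def scan_repo(root: str) -> list[Finding]:
    """Walk a checkout (skipping .git and node_modules) and collect findings."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in {".git", "node_modules"}]
        for name in filenames:
            if os.path.splitext(name)[1].lower() not in SCAN_EXTENSIONS:
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            try:
                with open(full, encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue
            if name == "package.json":
                findings.extend(scan_package_json(rel, text))
            else:
                findings.extend(scan_source(rel, text))
    return findings


def build_constructed_sample(root: str) -> None:
    """Write a constructed stand-in repo: one benign file, a package.json with a
    postinstall hook, and a helper that decodes and evaluates a base64 blob.
    The blob is harmless placeholder text, not a real sample."""
    blob = base64.b64encode(b"console.log('constructed placeholder')" * 8).decode()
    files = {
        "package.json": json.dumps(
            {"name": "take-home-test",
             "scripts": {"test": "node index.js", "postinstall": "node setup.js"}},
            indent=2),
        "index.js": "module.exports = (a, b) => a + b;\n",
        "setup.js": ("const cp = require('child_process');\n"
                     f"const payload = '{blob}';\n"
                     "eval(Buffer.from(payload, 'base64').toString());\n"),
    }
    for name, text in files.items():
        with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
            fh.write(text)


def run_demo() -> list[tuple[str, str]]:
    """Build the constructed repo in a temp dir and return (path, kind) pairs."""
    root = tempfile.mkdtemp(prefix="takehome-")
    build_constructed_sample(root)
    return sorted({(f.path, f.kind) for f in scan_repo(root)})


if __name__ == "__main__":
    for path, kind in run_demo():
        print(f"{path}: {kind}")
```

In the constructed sample, the benign `index.js` produces no findings, while `package.json` is flagged for its `postinstall` hook and `setup.js` for the `child_process` import, the `eval(` call and the long base64 literal. The practical point is the install hook: the candidate never has to "run the test" for that script to execute, so `npm install` on a corporate laptop is already the compromise step.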
Once the victim runs the “test,” the trap snaps shut. PurpleBravo deploys a sophisticated arsenal of custom malware, including BeaverTail (a JavaScript infostealer) and two newly identified Remote Access Trojans (RATs) named PylangGhost and GolangGhost.
These tools are not generic vandalism; they are precision instruments for theft.
- BeaverTail acts as the initial foothold, silently gathering sensitive system information.
- PylangGhost (Python-based) and GolangGhost (Go-based) are designed to bypass modern security defenses. PylangGhost, in particular, is engineered to defeat the latest “app-bound credential protection” in Google Chrome, allowing hackers to steal stored passwords and authentication cookies.
The report notes the strategic duality of these tools: “GolangGhost’s design suggests optimization for broader victim coverage across multiple platforms… while PylangGhost represents a specialized Windows-focused variant engineered specifically to defeat Google’s latest credential protection mechanisms”.
Perhaps the most intriguing finding is the connection between these hackers and the army of fraudulent North Korean IT workers known as PurpleDelta. While often treated as separate issues—one is espionage, the other is revenue generation—Insikt Group found they are two sides of the same coin.
“The overlap between PurpleBravo and PurpleDelta reveals a broader North Korean apparatus that combines fraudulent IT work with targeted malicious campaigns”.
Investigators observed operators sharing infrastructure, such as Astrill VPN nodes, and using the same devices to conduct both IT freelance scams and targeted malware attacks. In one instance, a PurpleBravo operator was caught “displaying activity consistent with North Korean IT worker behavior,” such as automating job applications on Upwork while simultaneously managing malware command-and-control servers.
The scale of this operation is massive. Insikt Group identified over 3,000 IP addresses linked to potential targets and at least twenty victim organizations across the AI, cryptocurrency, and financial services sectors.
The risk is not just to the individual developer but to the entire software ecosystem. “PurpleBravo presents an overlooked threat to the IT software supply chain,” the report warns. “Because many targets are in the IT services and staff-augmentation industries with large public customer bases, compromises can propagate downstream to their customers”.