A notorious North Korean cyber-espionage campaign known for targeting job seekers has expanded its arsenal with a sophisticated new tool aimed specifically at macOS users. A new analysis by security researcher LunchM0n3y has uncovered “DriverFixer0428,” a stealthy credential stealer masquerading as a harmless system utility to slip past defenses and rob victims of their digital identities.
The malware is the latest weapon in the “Contagious Interview” campaign, a long-running operation attributed to North Korean state-sponsored actors who pose as recruiters to trick software developers and IT professionals into installing malware under the guise of technical interviews or coding tests.
Unlike crude malware that smashes through the front door, DriverFixer0428 relies on the art of deception. It disguises itself as a legitimate tool, waiting for the user to lower their guard.
Once executed, the malware doesn’t just run malicious code; it talks to the victim. According to the report, the malware “harvests user credentials through sophisticated social engineering dialogs that impersonate macOS system prompts and Google Chrome permission requests”.
By mimicking trusted system alerts, the attackers trick users into handing over their passwords voluntarily. Once captured, these credentials are silently bundled up and shipped out.
To avoid setting off network alarms, the attackers hide their traffic in plain sight. Instead of connecting to a suspicious server, the malware communicates with Dropbox, a trusted cloud storage provider used by millions of businesses.
“The malware demonstrates operational security consistent with nation-state threat actors, utilizing legitimate cloud services for command-and-control to evade network-based detection,” the analysis notes.
This technique allows the stolen data to bypass firewalls and security filters that would normally block traffic to known malicious domains.
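One way a defender can hunt for the pattern described above, namely a process other than the real Dropbox client talking to Dropbox API endpoints. This is an added example, not code from the report or the researcher; the log format, sample lines and the API hostnames are constructed or assumed for illustration, and the signer check is a simplification (a production rule would key on the code-signing team identifier rather than a name substring).

```python
import re
from dataclasses import dataclass

# Dropbox API hostnames used as the watch list. The article only says the
# malware talks to Dropbox; these hostnames are this example's assumption.
DROPBOX_API_HOSTS = {"api.dropboxapi.com", "content.dropboxapi.com", "notify.dropboxapi.com"}

# Constructed log line format (not from the report or any real macOS tool):
#   <timestamp> process=<name> signer=<code-signing identity> dst=<hostname>
LOG_RE = re.compile(r"^(?P<ts>\S+) process=(?P<process>\S+) signer=(?P<signer>\S+) dst=(?P<dst>\S+)$")

@dataclass
class Alert:
    ts: str
    process: str
    signer: str
    dst: str

def parse_line(line):
    """Parse one constructed log line; return None for lines that don't match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def find_suspicious(lines):
    """Flag connections to Dropbox API hosts from processes not signed by Dropbox;
    anything but the real client using those hosts fits the cloud C2 pattern."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["dst"] not in DROPBOX_API_HOSTS:
            continue
        if "dropbox" not in rec["signer"].lower():
            alerts.append(Alert(rec["ts"], rec["process"], rec["signer"], rec["dst"]))
    return alerts

# Constructed sample log: a legitimate Dropbox client, a browser visit, an
# ad-hoc signed utility reusing the Dropbox API, and unrelated traffic.
SAMPLE_LOG = """\
2025-05-01T09:12:03Z process=Dropbox signer=DeveloperID:Dropbox dst=api.dropboxapi.com
2025-05-01T09:12:10Z process=Safari signer=Apple dst=www.dropbox.com
2025-05-01T09:13:44Z process=DriverFixer signer=adhoc dst=api.dropboxapi.com
2025-05-01T09:13:45Z process=DriverFixer signer=adhoc dst=content.dropboxapi.com
2025-05-01T09:14:00Z process=curl signer=Apple dst=example.com
"""

if __name__ == "__main__":
    for a in find_suspicious(SAMPLE_LOG.splitlines()):
        print(f"{a.ts} {a.process} ({a.signer}) -> {a.dst}")
```

The browser visit to www.dropbox.com is deliberately not flagged: the rule targets API endpoints that only the Dropbox client should use, not ordinary web traffic to the service.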
The malware is equipped with “multi-layer sandbox evasion capabilities,” allowing it to detect if it is running inside a virtual machine or a security researcher’s analysis environment.
When the malware detects it is in a sandbox (like a Triage environment or an Apple VM), it pulls a “silent fade.” It doesn’t crash or panic; it simply enters an “idle event loop without executing its payload,” effectively playing dead to fool analysts into thinking the file is benign.
The malware’s internal code provided clues to its origins. Strings extracted from the binary revealed the internal name “DriverFixer0428,” with the numeric suffix likely indicating a build date of April 28th.
The combination of social engineering, sophisticated evasion, and the specific targeting of macOS developers points directly to a familiar adversary. The report concludes that the sample is “attributed with high confidence to North Korea’s Contagious Interview campaign”.