Infection diagram
A notorious North Korean cyber espionage campaign targeting the tech sector has evolved with a dangerous new capability. According to a new report from security researcher Seongsu Park, the “Contagious Interview” campaign is no longer just stealing files—it is now surgically tampering with browser extensions to drain cryptocurrency wallets directly.
The campaign, which poses as fake job interviews to trick developers, has been active for some time. However, recent analysis shows a significant escalation in its tooling.
The primary targets remain IT professionals within the cryptocurrency, Web3, and artificial intelligence sectors. The attackers use social engineering to deploy malware families known as BeaverTail and Invisible Ferret.
“Contagious Interview is an ongoing cyber threat campaign targeting IT professionals working in cryptocurrency, Web3, and artificial intelligence sectors. The campaign, orchestrated by North Korean threat actors, aims to steal financial information and sensitive data from developers and engineers,” the researcher explains.
The most alarming finding in the new report is the specific targeting of MetaMask, the world’s most popular non-custodial crypto wallet. Once a victim’s machine is compromised via the initial JavaScript payload, the malware executes a “surgical” operation to replace the legitimate MetaMask extension with a trojanized version.
This fake extension is functionally identical to the real one, ensuring the victim remains unaware. However, it contains malicious code designed to capture the “master password” and encrypted vault data the moment the user unlocks their wallet.
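One defender-side way to notice the in-place replacement described above, added here as an illustration and not code from the report or from MetaMask: record a SHA-256 digest of every file in the installed extension directory, then re-hash and compare, so an altered file at an unchanged manifest version stands out from a normal update. The extension layout, file names and paths below are constructed for the demonstration.

```python
"""Baseline and re-check a browser extension directory for tampering.
Added example; the sample extension and paths are constructed, not real."""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def hash_tree(root: str) -> dict:
    """Map each file's path (relative to root) to its SHA-256 digest."""
    digests = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            rel = path.relative_to(root).as_posix()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def manifest_version(root: str) -> str:
    """Version declared in manifest.json, or '' if absent or unreadable."""
    try:
        with open(Path(root) / "manifest.json", encoding="utf-8") as f:
            return str(json.load(f).get("version", ""))
    except (OSError, ValueError):
        return ""


def compare(baseline: dict, current: dict) -> dict:
    """Classify differences between two snapshots. A modified file with no
    version bump is the pattern of an in-place swap rather than an update."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline
                           if p in current and baseline[p] != current[p]),
    }


def make_fake_extension(root: str) -> None:
    """Constructed sample: a minimal extension layout, not real wallet code."""
    Path(root).mkdir(parents=True, exist_ok=True)
    (Path(root) / "manifest.json").write_text(
        json.dumps({"name": "wallet", "version": "1.0.0"}))
    (Path(root) / "ui.js").write_text("console.log('unlock');\n")


def check_example() -> dict:
    """Snapshot the sample, simulate a silent edit, and report the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        ext = os.path.join(tmp, "ext")
        make_fake_extension(ext)
        baseline = hash_tree(ext)
        # simulated tampering: version unchanged, one file altered, one added
        (Path(ext) / "ui.js").write_text("console.log('unlock'); // changed\n")
        (Path(ext) / "extra.js").write_text("// added file\n")
        result = compare(baseline, hash_tree(ext))
        result["version_changed"] = manifest_version(ext) != "1.0.0"
        return result
```

Run against a real profile by pointing hash_tree at the extension's install directory, storing the baseline, and diffing after each browser session; a legitimate update changes the manifest version as well as file contents.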
“Recent analysis indicates that the threat actors have significantly expanded their data theft capabilities by incorporating manipulation of the MetaMask wallet extension, making the campaign more aggressive and effective in compromising victim systems,” the report states.
The infection chain is described as a multi-stage process designed to strip the victim of all valuable data. It begins with a simplified JavaScript loader that beacons to the attacker’s server. This is followed by the deployment of intermediate scripts, a lightweight backdoor (n.js), a dedicated file exfiltration script (p.js), and finally the Invisible Ferret Python malware.
This layered approach allows the attackers to aggressively steal browser data, keyword-matched sensitive files, and eventually, cryptocurrency funds.
“The Beaver Tail variant used in the Contagious Interview campaign remains one of the most actively deployed malware tools by DPRK-affiliated threat actors targeting financial gain,” the report concludes.
The evolution of Contagious Interview highlights the persistent threat posed by DPRK-affiliated actors in the crypto space. Developers are urged to be hyper-vigilant during job application processes, especially when asked to download code or run scripts from unverified sources.