It started with a routine direct message on LinkedIn: a recruiter named “Nazar” pitching a role at an ambitious AI startup. But for Christian Papathanasiou, Co-founder and CEO of AllSecure, what looked like a career opportunity quickly unraveled into a high-stakes encounter with North Korean state-sponsored malware.
The attack, part of a campaign known as “Contagious Interview,” targets high-level engineers and founders in the crypto and Web3 space.
The threat actor's social engineering was polished. Using the guise of a company called “OG Labs,” the attacker invited Papathanasiou to clone a GitHub repository for a technical assessment.
The trap was set to spring the moment the folder was opened in a development environment. “It was North Korean state-sponsored malware with 3 independent infection vectors that execute the moment you open the folder,” Papathanasiou noted after investigating the repo in an isolated virtual machine.
The malware's architecture is designed for extreme stealth, hiding its core logic inside hundreds of kilobytes of legitimate-looking code.
- Stage 1: The Hidden Core. The primary malware core was a mere 930 bytes, effectively “hidden inside 280KB of legitimate bundled npm libraries”.
- Stage 2: The Reassembly. This stage used a sophisticated string-shuffling technique to remain undetected by static scanners. It contained hundreds of code fragments that, when rotated and reassembled, produced the Stage 3 persistent agent.
- Stage 3: The Persistent Agent. This stage established a permanent foothold on the machine, waiting to deliver the final, devastating payload.
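The defensive lesson in the folder-open trigger and the payload hidden inside bundled libraries is that an untrusted "assessment" repository should be audited before it is ever opened in an editor or installed. The script below is an added example, not code from the article or from AllSecure, and it does not reproduce anything about this campaign's samples. It assumes two general facts about developer tooling that the article does not state: npm lifecycle scripts (`preinstall`, `install`, `postinstall`, `prepare`, `prepublish`) run automatically on `npm install`, and a VS Code task whose `runOptions.runOn` is `"folderOpen"` runs when the folder is opened. It also flags JavaScript files that contain dynamic code execution or long high-entropy string literals, the kind of place a few hundred bytes of loader can sit inside a large vendored bundle. The sample repository it audits is constructed inline.

```python
"""Pre-open audit for an untrusted repository (added example, not the article's code).

Assumed, as general tooling knowledge rather than a fact from the article:
  * npm lifecycle scripts run automatically on `npm install`;
  * VS Code tasks with runOptions.runOn == "folderOpen" run when the folder is opened.
"""
import base64
import hashlib
import json
import math
import os
import re
import tempfile
from collections import Counter

# Script names npm runs without the developer typing them.
AUTO_RUN_NPM_SCRIPTS = {"preinstall", "install", "postinstall", "prepare", "prepublish"}
# Coarse indicators of code that builds and runs more code at runtime.
DYNAMIC_EXEC = re.compile(r"\b(eval|Function)\s*\(|child_process|\.fromCharCode\s*\(")
# A single string literal of 200+ characters with no quotes, backslashes or newlines.
LONG_STRING = re.compile(r"""(["'])([^"'\\\n]{200,})\1""")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; packed or encoded blobs score high, source code lower."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def audit_package_json(path):
    findings = []
    try:
        with open(path, encoding="utf-8") as fh:
            scripts = json.load(fh).get("scripts", {})
    except (OSError, ValueError):
        return findings
    for name, cmd in scripts.items():
        if name in AUTO_RUN_NPM_SCRIPTS:
            findings.append((path, f"npm lifecycle script '{name}' runs on install: {cmd}"))
    return findings


def audit_vscode_tasks(path):
    findings = []
    try:
        with open(path, encoding="utf-8") as fh:
            tasks = json.load(fh).get("tasks", [])
    except (OSError, ValueError):
        return findings
    for task in tasks:
        if task.get("runOptions", {}).get("runOn") == "folderOpen":
            findings.append((path, f"VS Code task '{task.get('label')}' runs on folder open"))
    return findings


def audit_js_file(path):
    findings = []
    try:
        with open(path, "rb") as fh:
            data = fh.read()
    except OSError:
        return findings
    text = data.decode("utf-8", errors="replace")
    if DYNAMIC_EXEC.search(text):
        findings.append((path, f"dynamic code execution in {len(data)}-byte file"))
    for m in LONG_STRING.finditer(text):
        if shannon_entropy(m.group(2).encode()) > 5.0:
            findings.append((path, f"high-entropy string literal at offset {m.start()}"))
            break  # one report per file is enough for triage
    return findings


def audit_repo(root):
    """Walk the tree; vendored node_modules is scanned on purpose, not skipped."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if name == "package.json":
                findings += audit_package_json(path)
            elif name == "tasks.json" and os.path.basename(dirpath) == ".vscode":
                findings += audit_vscode_tasks(path)
            elif name.endswith((".js", ".cjs", ".mjs")):
                findings += audit_js_file(path)
    return findings


def build_sample_repo(root):
    """Constructed fixture: one benign file plus three files that should be flagged."""
    os.makedirs(os.path.join(root, ".vscode"), exist_ok=True)
    os.makedirs(os.path.join(root, "vendor"), exist_ok=True)
    with open(os.path.join(root, "package.json"), "w", encoding="utf-8") as fh:
        json.dump({"name": "assessment", "scripts": {"test": "jest", "postinstall": "node vendor/bundle.js"}}, fh)
    with open(os.path.join(root, ".vscode", "tasks.json"), "w", encoding="utf-8") as fh:
        json.dump({"version": "2.0.0", "tasks": [{"label": "setup", "type": "shell",
                   "command": "node vendor/bundle.js", "runOptions": {"runOn": "folderOpen"}}]}, fh)
    # High-entropy filler built from hashes; it is random-looking text, not code.
    blob = "".join(base64.b64encode(hashlib.sha256(bytes([i])).digest()).decode() for i in range(8))
    with open(os.path.join(root, "vendor", "bundle.js"), "w", encoding="utf-8") as fh:
        fh.write("/* minified helpers */\n" + "function h(a,b){return a+b;}\n" * 400)
        fh.write(f'var k = "{blob}";\nvar f = new Function(k);\n')
    with open(os.path.join(root, "index.js"), "w", encoding="utf-8") as fh:
        fh.write("const express = require('express');\nmodule.exports = express();\n")


def demo():
    """Audit the constructed sample in a temp dir; returns (relative path, reason) pairs."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_repo(root)
        return [(os.path.relpath(p, root), msg) for p, msg in audit_repo(root)]


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{rel}: {reason}")
```

Run against the constructed fixture, the audit reports the `postinstall` hook, the `folderOpen` task, and two indicators in `vendor/bundle.js`, while the ordinary `index.js` is silent. On a real clone the output is a triage list, not a verdict; the point is to see it before an editor or package manager runs anything.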
In a striking display of operational awareness, the attackers triggered a kill switch once they realized they were being analyzed.
“We captured and reverse-engineered 3 stages of the malware before the operators detected us and triggered a kill switch,” Papathanasiou reported. In a matter of minutes, the attackers began “burning their infrastructure,” deleting social media profiles and wiping the malicious Bitbucket repository to erase their tracks.
While the analysis was cut short by the kill switch, the intent of the “Contagious Interview” campaign is well-documented. The ultimate goal is the complete compromise of the developer’s professional and financial life.
The malware is designed to exfiltrate:
- Crypto Wallets: Including MetaMask LevelDB vaults.
- Browser Secrets: Saved passwords from Chrome, Brave, and Opera.
- Development Assets: Entire ~/.ssh/ directories and every .env file found on the system.
- Real-Time Activity: Through keyloggers, clipboard monitors, and periodic screenshots.
This campaign highlights the evolving threat to the Web3 ecosystem, where the primary vulnerability isn’t the code, but the developers themselves.