
As many as 3,136 individual IP addresses have been identified as associated with possible targets of the Contagious Interview campaign, which is said to include 20 potential victim organizations across the artificial intelligence (AI), cryptocurrency, financial services, IT services, marketing, and software development sectors in Europe, South Asia, the Middle East, and Central America.
This new discovery comes from Recorded Future’s Insikt Group, which tracks a cluster of North Korean threat activity under the name PurpleBravo. The campaign, first documented in late 2023, is also known as CL-STA-0240, DeceptiveDevelopment, DEV#POPPER, Famous Chollima, Gwisin Gang, Tenacious Pungsan, UNC5342, Void Dokkaebi, and WaterPlum.
The 3,136 individual IP addresses, primarily concentrated around South Asia and North America, are assessed to have been targeted by attackers between August 2024 and September 2025. The 20 affected companies are said to be based in Belgium, Bulgaria, Costa Rica, India, Italy, the Netherlands, Pakistan, Romania, the United Arab Emirates (UAE), and Vietnam.

“In some cases, job seekers ran malicious code on company devices, likely exposing them to systemic risk beyond individual targets,” the threat intelligence firm said in a new report shared with Hacker News.
This disclosure comes a day after Jamf Threat Labs detailed significant iterations of the Contagious Interview campaign in which attackers used malicious Microsoft Visual Studio Code (VS Code) projects as an attack vector to distribute backdoors, highlighting the continued abuse of trusted developer workflows to accomplish the twin goals of cyber espionage and financial theft.
The Mastercard-owned company said it had detected four LinkedIn personas potentially associated with PurpleBravo posing as developers or recruiters and claiming to be from the Ukrainian city of Odesa, as well as several malicious GitHub repositories designed to distribute known malware families such as BeaverTail.

PurpleBravo has also been observed maintaining two separate sets of command-and-control (C2) servers: one for BeaverTail, a JavaScript infostealer and loader, and one for a Go-based backdoor known as GolangGhost (also known as FlexibleFerret or WeaselStore), which is based on the HackBrowserData open-source tool.
The C2 servers are hosted on 17 different providers and managed from Chinese IP ranges via Astrill VPN. The use of Astrill VPN in cyberattacks by North Korean actors has been well documented for many years.
It's worth pointing out that Contagious Interview is complementary to a second, separate campaign called Wagemole (aka PurpleDelta). In that campaign, IT workers affiliated with the Hermit Kingdom seek unauthorized employment at organizations based in the United States and elsewhere under fraudulent or stolen identities, for both financial gain and espionage.

Although the two clusters are treated as distinct activity sets, there are significant tactical and infrastructure overlaps between them, even though the IT worker threat has been around since 2017.
“This includes administrative traffic from a likely PurpleBravo operator displaying activity consistent with that of North Korean IT personnel, a Russian IP address associated with North Korean IT personnel communicating with the PurpleBravo C2 server, and the same Astrill VPN IP address associated with PurpleDelta activity,” Recorded Future said.
To make matters worse, it turns out that candidates who were offered fictitious jobs by PurpleBravo took the coding assessments on company-issued devices, effectively compromising their employers in the process. This shows that the IT software supply chain is "equally vulnerable" to North Korean intrusions that arrive by means other than IT workers.
"Many of these [potential victim] organizations tout a large customer base, posing serious supply chain risks to companies that outsource operations in these regions. While the threat of North Korean IT worker employment is widely known, PurpleBravo's supply chain risks also deserve equal attention as they help organizations prepare for, defend against, and prevent the leakage of sensitive data to North Korean threat actors," the company said.
