North Korean Recruiter Scam Delivers BeaverTail and InvisibleFerret Malware
North Korean threat actors have been linked to Operation Contagious Interview, a campaign that impersonates job recruiters to target software developers with malware-laced interview workflows. Palo Alto Networks Unit 42 said the operation uses fake hiring outreach, GitHub-hosted projects, and rogue npm packages to deliver BeaverTail and InvisibleFerret, two cross-platform malware families aimed at stealing data and establishing persistent access. BeaverTail acts as both an infostealer and loader, while InvisibleFerret is a Python backdoor capable of host fingerprinting, remote control, keylogging, data exfiltration, and deploying remote administration tools such as AnyDesk.
The activity has been tracked as a distinct North Korean subgroup under the Contagious Interview name, although researchers noted tactical overlap with the broader Operation Dream Job playbook. The same reporting also tied Pyongyang-linked operators to Wagemole, a parallel scheme in which forged identities are used to secure jobs at foreign companies for revenue generation and espionage, reinforcing government warnings that North Korea is abusing developer ecosystems such as GitHub, npm, and PyPI to evade sanctions and support state objectives.
Timeline
Apr 23, 2026
Serbian developer reports DPRK-linked fake recruitment malware attack
Serbia-based web developer Boris Vujičić disclosed that he was targeted through LinkedIn outreach, a fake company site, and staged video interviews before being sent a malicious coding test for macOS. After execution, the malware exfiltrated 634 saved Chrome passwords, his macOS keychain, and MetaMask wallet data within 56 seconds; incident responders at zeroShadow assessed the operation was likely linked to North Korean actors.
Apr 22, 2026
Expel details AI-enabled DPRK developer campaign and crypto theft scale
Expel reported that a DPRK-linked cluster it tracks as Expel-TA-0001/HexagonalRodent targeted Web3 developers with fake job offers and backdoored coding tests, using BeaverTail, InvisibleFerret, and OtterCookie, and likely conducted a supply-chain compromise via the fast-draft VSX extension. Based on exposed backend data, Expel assessed the operation exfiltrated 26,584 cryptocurrency wallets from 2,726 infected systems and ingested wallets holding up to $12 million in crypto assets during the first three months of 2026.
Nov 22, 2023
Unit 42 publicly links DPRK actors to both campaigns
Palo Alto Networks Unit 42 publicly attributed both the Contagious Interview and Wagemole campaigns to North Korean threat actors. The report placed the operations within a broader pattern of DPRK abuse of GitHub, npm, and PyPI alongside activity associated with clusters such as Sapphire Sleet, Jade Sleet, and Andariel.
Nov 22, 2023
BeaverTail and InvisibleFerret malware are documented
Palo Alto Networks Unit 42 reported that Contagious Interview delivered two newly documented malware families: BeaverTail, a stealer and loader, and InvisibleFerret, a Python backdoor supporting fingerprinting, remote control, keylogging, data exfiltration, and AnyDesk deployment. Unit 42 also assessed tactical overlap with Operation Dream Job while treating Contagious Interview as a separate activity cluster.
Nov 22, 2023
Contagious Interview targets developers with fake job lures
North Korean threat actors ran the Contagious Interview campaign, impersonating recruiters and using fake job interview themes to target software developers with malware. The operation used rogue npm packages and GitHub-hosted components as part of the infection chain.
Nov 22, 2023
North Korean operatives place fake IT workers in companies
North Korean threat actors conducted the Wagemole campaign by using forged identities to obtain employment at companies, aiming to generate revenue and support espionage. The activity aligns with prior U.S. government warnings about DPRK IT worker schemes used to evade sanctions and fund weapons programs.
Related Stories

North Korean Contagious Interview Campaign Uses Malicious VS Code Projects
North Korea-linked threat actors tied to the long-running **Contagious Interview** operation have been observed using **malicious Microsoft Visual Studio Code (VS Code) projects** as part of fake job-assessment lures, instructing targets to clone repositories from GitHub/GitLab/Bitbucket and open them in VS Code. The technique abuses VS Code `tasks.json` configuration—specifically `"runOn": "folderOpen"`—to trigger execution when a folder is opened, pulling staged payloads from attacker-controlled infrastructure (including Vercel-hosted domains) and ultimately deploying backdoors such as **BeaverTail** and **InvisibleFerret** that enable remote code execution and follow-on control. Recent iterations reportedly add multi-stage droppers embedded in task configuration content and disguised as benign files (e.g., spell-check dictionaries) to improve resilience if network retrieval fails, and include command-and-control behavior that can execute attacker-supplied JavaScript from a remote server (e.g., `ip-regions-check.vercel[.]app`). Separate reporting on North Korean APT trends indicates continued reliance on **fraudulent IT employment schemes** and recruitment-platform abuse to gain access to Western organizations, including long-term social engineering and persistent remote access via legitimate tools (e.g., *AnyDesk*, *Google Remote Desktop*) and VPN/location obfuscation. This broader pattern aligns with the same overarching tradecraft used in developer-targeted “interview” lures: leveraging hiring workflows and developer tooling to establish initial access and persistence while reducing suspicion, particularly in environments with remote-work infrastructure and developer workstations.
1 month ago
North Korean 'Contagious Interview' Campaign Expands with Malicious npm Packages and OtterCookie Malware
North Korea-linked threat actors have significantly expanded the 'Contagious Interview' campaign, targeting software developers in the crypto and Web3 sectors by uploading 197 new malicious npm packages designed to distribute an updated version of the OtterCookie infostealer. These actors, posing as recruiters on platforms like LinkedIn, use sophisticated social engineering tactics such as fake job interviews and trojanized demo projects to lure victims on Windows, Linux, and macOS. The campaign leverages a full delivery infrastructure, including a threat actor–controlled GitHub account and Vercel-hosted staging sites, to store and deliver malware, with command and control servers used for data theft and remote tasking. The campaign's payloads include the BeaverTail and OtterCookie infostealers and the InvisibleFerret RAT, and the malicious npm packages have been downloaded over 31,000 times, highlighting the scale and persistence of the operation. Technical analysis reveals that the attackers have built a robust malware delivery system, using their GitHub account to host repositories and fetch the latest payloads from Vercel, while maintaining separate C2 infrastructure for exfiltration and tasking. At least five npm packages, including 'tailwind-magic' and its variants, have been directly linked to this campaign. The operation demonstrates the increasing sophistication of North Korean supply chain attacks, with a focus on compromising developers in high-value sectors through open-source ecosystems. Security researchers continue to monitor the evolving tactics and infrastructure associated with this campaign, warning organizations and developers to exercise heightened vigilance when interacting with unsolicited job offers and npm packages.
3 weeks ago
North Korean Fake Job Campaigns Targeting Developers via npm and Recruiting Platforms
North Korean state-sponsored threat actors have intensified their cyber-espionage operations by targeting job seekers in the AI, cryptocurrency, and Web3 development sectors. Security researchers have uncovered a sophisticated campaign in which operatives create fake job platforms that closely mimic legitimate recruiting services, such as Lever, to lure candidates into running malicious software under the guise of interview processes or test assignments. This approach exploits the trust and secrecy inherent in job searches, making victims less likely to report suspicious activity, and is believed to be a significant source of funding for North Korea's weapons programs. In parallel, the "Contagious Interview" operation has been systematically infiltrating the npm ecosystem, with at least 197 malicious packages and over 31,000 downloads targeting blockchain and JavaScript developers. The campaign leverages a complex infrastructure involving GitHub repositories, Vercel-hosted payloads, and command-and-control servers to deliver malware through seemingly innocuous npm packages. These operations demonstrate North Korea's adaptive and persistent threat capabilities, using modern software development workflows and social engineering to gain long-term access to sensitive systems in the tech industry.
1 month ago