How North Korean Hackers Exploit Job Boards and Crypto


North Korean hackers are escalating their global cyberattacks using fake cryptocurrency firms and bogus job interviews to deploy advanced malware across developer communities. This campaign, dubbed the “Contagious Interview,” blends social engineering with sophisticated infrastructure—making it one of the most dangerous and deceptive operations linked to the DPRK’s cyber units.

At the heart of this operation are three front companies: BlockNovas LLC, Angeloper Agency, and SoftGlide LLC. These entities appear to offer crypto consulting services, but their real mission is far more malicious. According to Silent Push, these fake firms trick job seekers—especially developers—into malware-laced interviews under the guise of technical assessments or coding tasks.

Once victims engage, they unknowingly download malware strains including BeaverTail, InvisibleFerret, and OtterCookie. These tools work together to infiltrate systems, collect sensitive data, and open persistent backdoors across Windows, Linux, and macOS platforms.

This isn’t a standalone event. Cybersecurity analysts have tracked these tactics under names like CL-STA-0240, DEV#POPPER, and Void Dokkaebi, all referring to operations driven by North Korean hackers.

BlockNovas, in particular, maintained a polished online presence—complete with fake employee profiles and misleading claims about operating for over 12 years. Yet public records reveal it was registered only recently. Their website, social media accounts, and even LinkedIn job listings helped them appear legitimate while quietly spreading malware during fake interviews.

The infection process begins with BeaverTail, a JavaScript-based loader that connects to a command-and-control server at lianxinxiao[.]com. It then downloads InvisibleFerret, a Python backdoor designed for stealth, persistence, and cross-platform compatibility. In some cases, it also drops OtterCookie, further strengthening the attackers' grip on infected machines.

Researchers also discovered a live “Status Dashboard” on a BlockNovas subdomain that tracked multiple domains and services used in the operation. Another subdomain hosted Hashtopolis, an open-source password cracking tool—hinting at broader hacking objectives.

The campaign has already led to real-world impacts. One developer reportedly had their MetaMask wallet compromised after engaging in one of these fake interview processes. Another site, attisscmo[.]com, hosted a tool called Kryptoneer, which connects to wallets like Suiet and Ethos—indicating a focus on crypto theft.
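The two domains the article names, lianxinxiao[.]com for the BeaverTail command-and-control server and attisscmo[.]com for the Kryptoneer wallet tool, are the kind of indicator a defender would sweep DNS and proxy logs for. The script below is an added example, not code from the article, Silent Push, or any of the named malware families: it refangs the indicators exactly as the article writes them, matches hostnames on the domain and its subdomains only (so a lookalike such as `lianxinxiao.com.cdn.example.net` does not count as a hit), and groups hits by the internal source address. The log lines and the `src=`/`qname=`/`dst=` field names are constructed for the example and are not a real product's format.

```python
import re

# Indicators as the article prints them (defanged with "[.]").
DEFANGED_IOCS = ["lianxinxiao[.]com", "attisscmo[.]com"]


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into a matchable hostname."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower().rstrip(".")


IOC_DOMAINS = {refang(d) for d in DEFANGED_IOCS}

# Hostname candidates: one or more dotted labels ending in an alphabetic TLD.
# Dotted IPv4 addresses do not match because their last label has no letters.
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)
SRC_RE = re.compile(r"\bsrc=(\S+)")

# Constructed sample log lines (resolver and proxy style), not real telemetry.
SAMPLE_LOGS = [
    "2025-04-10T09:12:01Z dns query src=10.0.0.12 qname=cdn.lianxinxiao.com qtype=A",
    "2025-04-10T09:12:03Z proxy src=10.0.0.12 dst=updates.example.com method=GET status=200",
    "2025-04-10T09:13:44Z proxy src=10.0.0.12 dst=attisscmo.com path=/kryptoneer status=200",
    # Lookalike: the IoC appears as a prefix of an unrelated domain; must NOT match.
    "2025-04-10T09:14:10Z dns query src=10.0.0.31 qname=lianxinxiao.com.cdn.example.net qtype=A",
    # Substring only, no label boundary; must NOT match.
    "2025-04-10T09:15:00Z dns query src=10.0.0.31 qname=notlianxinxiao.com qtype=A",
]


def domain_matches(hostname: str, ioc_domains=IOC_DOMAINS) -> bool:
    """True if hostname is an IoC domain or a subdomain of one (label-aligned)."""
    h = hostname.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in ioc_domains)


def scan_logs(lines, ioc_domains=IOC_DOMAINS):
    """Return (line_number, matched_host, line) for every line touching an IoC."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        for host in HOST_RE.findall(line):
            if domain_matches(host, ioc_domains):
                hits.append((lineno, host.lower(), line))
                break  # one hit per line is enough for triage
    return hits


def hosts_by_source(hits):
    """Group matched hosts by the internal source address, for triage."""
    grouped = {}
    for _, host, line in hits:
        m = SRC_RE.search(line)
        src = m.group(1) if m else "unknown"
        grouped.setdefault(src, set()).add(host)
    return grouped


if __name__ == "__main__":
    found = scan_logs(SAMPLE_LOGS)
    for lineno, host, _ in found:
        print(f"line {lineno}: contact with IoC domain {host}")
    for src, hosts in hosts_by_source(found).items():
        print(f"{src}: {', '.join(sorted(hosts))}")
```

Running it against the constructed lines reports exactly two hits, both from 10.0.0.12, and ignores the two decoys; swapping `SAMPLE_LOGS` for a file of real resolver or proxy records is the only change needed to run it on live data.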

Adding to the deception, North Korean hackers have turned to AI-generated personas, using tools like Remaker to create realistic profile photos for fake recruiters and job candidates. These identities are used across LinkedIn, GitHub, X, and even Pinterest to establish trust with unsuspecting victims.

The U.S. FBI seized the BlockNovas domain in April 2025, warning that it had been used to distribute malware through fraudulent job offers. But despite that victory, experts warn the broader infrastructure remains active—and evolving.

Part of that evolution includes the use of Russian infrastructure. Analysts found five Russian IP ranges used by the attackers, hidden behind layers of VPNs, proxies, and RDP servers. These ranges are linked to providers in Khasan and Khabarovsk, regions with known North Korea-Russia ties.

According to researchers, the overlap suggests possible cooperation or at least infrastructure sharing between entities in both nations. The attackers are also leveraging telemetry from China, Russia, and Pakistan, using remote desktop access to manage job board interactions and run crypto scams.

But there’s another layer to this operation: a scheme called Wagemole. This approach involves planting fake IT workers inside real companies. Using AI to generate resumes, schedule interviews, and translate in real time, these operatives pose as remote developers. Once hired, they either extract sensitive data or route a portion of their salaries directly to North Korea.

Okta reports that these operations rely heavily on GenAI tools—from real-time transcription to deepfake video generation—to keep up the illusion. It’s all part of a dual-purpose playbook: financial gain and espionage.

As cyber threats continue to evolve, experts warn that North Korean hackers are pushing boundaries with their blend of AI, social engineering, and infrastructure camouflage. For companies and job seekers alike, staying vigilant is no longer optional—it’s essential.
