Tuesday, May 13, 2025

North Korean APT Hackers Pose as Companies to Spread Malware to Job Seekers


Silent Push Threat Analysts have uncovered a chilling new cyberattack campaign orchestrated by the North Korean Advanced Persistent Threat (APT) group known as Contagious Interview, also referred to as Famous Chollima, a subgroup of the notorious Lazarus group.

This state-sponsored entity has been implicated in numerous sophisticated cyber-espionage efforts targeting global industries, with a particular focus on the cryptocurrency sector.

Their latest operation involves masquerading as legitimate cryptocurrency consulting firms (BlockNovas LLC, Angeloper Agency, and SoftGlide LLC) to lure unsuspecting job seekers into a malicious trap.


By exploiting the trust associated with job applications, these threat actors distribute malware through deceptive “interview lures,” aiming to compromise personal and financial data.

Sophisticated Social Engineering Targets Cryptocurrency Industry

The technical prowess of this campaign is evident in the deployment of three distinct malware strains (BeaverTail, InvisibleFerret, and OtterCookie), each tailored for information theft and further payload delivery across Windows, Linux, and macOS systems.

BeaverTail, primarily a JavaScript-based malware, acts as an initial vector, often distributed through malicious GitHub repositories disguised as skill assessment tasks.

Once executed, it facilitates the download of InvisibleFerret, a multi-stage Python backdoor designed for persistence and data exfiltration.

[Figure: Obfuscated InvisibleFerret script referencing lianxinxiao[.]com]

This malware targets cryptocurrency wallet credentials by harvesting data from browser extensions like MetaMask and Coinbase Wallet, using sophisticated techniques to access stored passwords, credit card information, and keychain data.

InvisibleFerret also integrates reverse shell capabilities and keylogging functions, communicating with command-and-control (C2) servers such as lianxinxiao[.]com to upload stolen data and receive further instructions.

Malware Campaigns Leverage AI-Generated Personas and GitHub Repositories

The operational infrastructure behind this campaign is equally alarming, heavily utilizing platforms like GitHub, freelancer sites, and job listing portals to disseminate malicious payloads.

Silent Push researchers identified critical OPSEC failures, such as exposed dashboards on mail.blocknovas[.]com, which monitor domains linked to malware distribution, including angeloperonline[.]online and softglide[.]co.

Moreover, the use of AI-generated personas, created with tools like Remaker AI, enhances the deceptive authenticity of these fake companies.

Employee profiles on platforms like LinkedIn, often tied to fictitious identities such as Mehmet Demir (aka Bigrocks918), are crafted to build credibility, further ensnaring victims.

[Figure: Exposed dashboard at mail[.]blocknovas[.]com:4200]

Infrastructure ties extend to DNS records and shared C2 IPs, with lianxinxiao[.]com resolving to 37.221.126.117, a persistent hub for malware staging since August 2024.

Adding to the complexity, the threat actors employ services like Astrill VPN and residential proxies to obscure their activities, making detection challenging.

Victim testimonies, documented on platforms like dev[.]to, reveal real-world impacts, including compromised MetaMask wallets after executing malicious code from BlockNovas’ GitHub repositories.

Silent Push’s analysis underscores the persistent social engineering tactics of North Korean APTs, urging defenders to scrutinize job offers from unknown entities and monitor for suspicious domains and IPs.
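The monitoring step that the preceding sentence recommends can be automated against the indicators the article quotes. The script below is an added example and is not code from the article or from Silent Push: it keeps the indicators in defanged form (lianxinxiao[.]com, 37.221.126.117, mail[.]blocknovas[.]com, angeloperonline[.]online, softglide[.]co), refangs them for matching, and scans DNS and proxy log lines, reporting hits defanged again so they are safe to paste into a ticket. The log lines and their field layout are constructed for the example; adapt the regex and field names to your own log source.

```python
"""Match log lines against the defanged indicators quoted in the article.

Added example, not code from the article or Silent Push. The indicator list
comes from the article; the log lines below are constructed.
"""
import ipaddress
import re

# Indicators quoted in the article, stored defanged so the list itself is
# safe to share; refang() restores them only for matching in memory.
DEFANGED_IOCS = [
    "lianxinxiao[.]com",        # InvisibleFerret C2 domain
    "37.221.126.117",           # C2 IP the domain resolves to
    "mail[.]blocknovas[.]com",  # exposed operator dashboard
    "angeloperonline[.]online",
    "softglide[.]co",
]

# Constructed sample log lines (not real telemetry).
SAMPLE_LOGS = [
    "2025-04-24T10:01:02Z dns query=lianxinxiao.com type=A client=10.0.0.15",
    "2025-04-24T10:01:05Z proxy dst=37.221.126.117:443 client=10.0.0.15 method=POST",
    "2025-04-24T10:02:11Z dns query=updates.example.com type=A client=10.0.0.22",
    "2025-04-24T10:03:40Z proxy dst=mail.blocknovas.com:4200 client=10.0.0.9 method=GET",
]

# Hostnames (optionally with :port) or dotted-quad IPv4 addresses.
HOST_RE = re.compile(r"[a-z0-9.-]+\.[a-z]{2,}(?::\d+)?|\d{1,3}(?:\.\d{1,3}){3}")


def refang(indicator: str) -> str:
    """Turn 'example[.]com' / 'hxxp://' back into a matchable form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()


def defang(indicator: str) -> str:
    """Make a matched host safe to paste into reports or chat."""
    return indicator.replace(".", "[.]")


def split_iocs(defanged):
    """Separate a mixed indicator list into (domains, ips) sets."""
    domains, ips = set(), set()
    for ioc in defanged:
        clean = refang(ioc)
        try:
            ips.add(str(ipaddress.ip_address(clean)))
        except ValueError:
            domains.add(clean)
    return domains, ips


def match_line(line: str, domains, ips):
    """Return defanged indicators that appear in one log line.

    A host matches if it equals a listed domain or IP, or if it is a
    subdomain of a listed domain (e.g. cdn.lianxinxiao.com).
    """
    hits = []
    for token in HOST_RE.findall(line.lower()):
        host = token.split(":")[0]  # drop any :port suffix
        if host in ips or host in domains:
            hits.append(defang(host))
        elif any(host.endswith("." + d) for d in domains):
            hits.append(defang(host))
    return hits


def scan(lines, defanged=DEFANGED_IOCS):
    """Scan an iterable of log lines; return [(line, [defanged hits])]."""
    domains, ips = split_iocs(defanged)
    findings = []
    for line in lines:
        hits = match_line(line, domains, ips)
        if hits:
            findings.append((line, sorted(set(hits))))
    return findings


if __name__ == "__main__":
    for line, hits in scan(SAMPLE_LOGS):
        print(f"HIT {', '.join(hits)} <- {line}")
```

Feed it real DNS or proxy exports line by line (`scan(open(path))`) and extend `DEFANGED_IOCS` as new indicators are published; matching on the host rather than on a raw substring keeps a port suffix or a subdomain from hiding a hit.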

This campaign exemplifies the intersection of technical sophistication and psychological manipulation, highlighting the urgent need for heightened cybersecurity awareness in the cryptocurrency job market.


Aman Mishra
Aman Mishra is a security and privacy reporter covering data breaches, cyber crime, malware, and vulnerabilities.
