North Korean Hackers Exploit Fake Job Interviews in Global PurpleBravo Cyber-Espionage Campaign

North Korean–linked hackers tracked as PurpleBravo have been identified as the operators behind a sophisticated cyber-espionage campaign that exploits fake job interviews as an infection vector. Known as Contagious Interview, the operation preys on job seekers and professionals by disguising malware as legitimate hiring materials. By blending social engineering with technical deception, the attackers turn a routine career interaction into an entry point for network compromise.

Scope and Scale of the Operation

The campaign is notable for both its reach and precision. Investigators have linked the activity to 3,136 IP addresses, indicating a wide pool of intended victims rather than a handful of isolated incidents. At least 20 organizations have been identified as potential targets, many operating in strategically valuable industries such as artificial intelligence, cryptocurrency, financial services, IT services, marketing, and software development.

Geographically, the operation is global. Targets have been observed across Europe, South Asia, the Middle East, and Central America. This broad distribution reflects how the attackers exploit a globalized job market in which remote work and cross-border hiring are the norm, so an unsolicited recruiter message from another continent raises no suspicion.

How the Fake Interview Attacks Work

The attack begins with deception rather than code. Threat actors pose as recruiters or fellow developers on professional platforms like LinkedIn, initiating conversations that closely resemble legitimate hiring outreach. Victims are then invited to participate in what appears to be a standard technical interview or skills assessment.

During this stage, targets are encouraged to download or execute files presented as coding challenges, interview test projects, or developer tools. Once opened or run, these files install malware in the background, giving attackers access to the victim's system. In several cases, the malicious content was embedded within Microsoft Visual Studio Code projects, which look routine to software professionals and are normally opened in an editor and built without a second thought. The practical caveat is that "opening" a project is not a passive act: editors and package managers will run whatever setup scripts a project declares, so the victim may never consciously execute anything.
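The following is an added example, not code from the article or from any vendor report, showing the kind of pre-flight triage a candidate or security team can run on a downloaded "coding challenge" before opening it in an editor or running an install. It assumes three common ways a project can execute code merely by being opened or installed, namely VS Code workspace tasks with `runOn: folderOpen`, npm lifecycle hooks such as `postinstall`, and JavaScript that evaluates decoded blobs; the article does not state which mechanism this campaign used, so these checks are general hygiene rather than a signature for it. The sample project it scans is constructed inline for the demonstration.

```python
"""Triage a downloaded 'coding challenge' before opening or installing it.

Added example (not from the article or any vendor report). It flags places
where simply opening or installing a project would execute code. The checks
assume VS Code folder-open tasks, npm lifecycle hooks and obfuscated JS as the
mechanisms; the article does not say which one this campaign used.
"""
import json
import os
import re
import tempfile
from pathlib import Path

# npm lifecycle hooks that run automatically during `npm install`.
NPM_AUTO_HOOKS = {"preinstall", "install", "postinstall", "prepare"}

# Crude obfuscation heuristics: eval of a decoded blob, dynamic Function
# construction, or a very long base64-looking string literal.
JS_SUSPECT_PATTERNS = [
    re.compile(r"\beval\s*\(\s*(atob|Buffer\.from)\s*\("),
    re.compile(r"new\s+Function\s*\("),
    re.compile(r"['\"][A-Za-z0-9+/=]{200,}['\"]"),
]


def load_jsonc(path):
    """Parse a VS Code JSON-with-comments file (full-line // comments only)."""
    text = path.read_text(encoding="utf-8")
    text = re.sub(r"^\s*//.*$", "", text, flags=re.MULTILINE)
    return json.loads(text)


def scan_project(root):
    """Return a list of (posix_relative_path, reason) findings."""
    root = Path(root)
    findings = []

    # 1. VS Code tasks configured to run as soon as the folder is opened.
    tasks = root / ".vscode" / "tasks.json"
    if tasks.is_file():
        try:
            data = load_jsonc(tasks)
        except ValueError:
            data = {}
            findings.append((".vscode/tasks.json", "unparseable tasks.json"))
        for task in data.get("tasks", []):
            if task.get("runOptions", {}).get("runOn") == "folderOpen":
                findings.append((".vscode/tasks.json",
                                 f"task {task.get('label')!r} runs on folder open: "
                                 f"{task.get('command')}"))

    # 2. npm lifecycle scripts that execute during `npm install`.
    for pkg in root.rglob("package.json"):
        if "node_modules" in pkg.parts:
            continue
        try:
            scripts = json.loads(pkg.read_text(encoding="utf-8")).get("scripts", {})
        except ValueError:
            continue
        for hook in sorted(NPM_AUTO_HOOKS & set(scripts)):
            findings.append((pkg.relative_to(root).as_posix(),
                             f"npm {hook} hook: {scripts[hook]}"))

    # 3. JavaScript files showing eval/obfuscation patterns (one hit per file).
    for js in root.rglob("*.js"):
        if "node_modules" in js.parts:
            continue
        text = js.read_text(encoding="utf-8", errors="replace")
        for pat in JS_SUSPECT_PATTERNS:
            if pat.search(text):
                findings.append((js.relative_to(root).as_posix(),
                                 f"matches {pat.pattern!r}"))
                break
    return findings


def build_sample_project():
    """Create a constructed sample 'interview project' in a temp dir (not real malware)."""
    root = Path(tempfile.mkdtemp(prefix="challenge-"))
    (root / ".vscode").mkdir()
    (root / "src").mkdir()
    (root / ".vscode" / "tasks.json").write_text(
        '{\n  // constructed sample: task auto-runs when the folder is opened\n'
        '  "version": "2.0.0",\n'
        '  "tasks": [{"label": "setup", "type": "shell",\n'
        '             "command": "node .vscode/setup.js",\n'
        '             "runOptions": {"runOn": "folderOpen"}}]\n}\n',
        encoding="utf-8")
    (root / "package.json").write_text(json.dumps({
        "name": "challenge",
        "scripts": {"postinstall": "node scripts/init.js", "test": "jest"},
    }), encoding="utf-8")
    # Benign file: should produce no finding.
    (root / "src" / "index.js").write_text(
        "module.exports = (a, b) => a + b;\n", encoding="utf-8")
    # Suspicious file: eval of a base64-decoded string.
    (root / "src" / "app.js").write_text(
        'eval(atob("Y29uc29sZS5sb2coMSk="));\n', encoding="utf-8")
    return root


def demo():
    """Scan the constructed sample project and return its findings."""
    return scan_project(build_sample_project())


if __name__ == "__main__":
    for path, reason in demo():
        print(f"{path}: {reason}")
```

Point `scan_project` at the unpacked archive before opening it in an editor or running `npm install`; any finding means the project should be treated as untrusted and examined in a disposable VM rather than on a company-issued device. The heuristics are deliberately simple and will miss anything packed differently, so a clean result is not a clean bill of health.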

Malware and Infrastructure Tactics

Analysis of the campaign has uncovered multiple malware families in use. Among them are BeaverTail, a JavaScript-based infostealer and loader, and GolangGhost, a backdoor designed to provide persistent remote access. Together, these tools allow attackers to steal sensitive data and maintain long-term control over compromised machines.

PurpleBravo’s infrastructure is intentionally obscured. Command-and-control servers are often hidden behind VPN services and routed through IP ranges associated with China, complicating attribution and takedown efforts. Researchers have also identified overlaps with PurpleDelta, another North Korean threat cluster linked to fraudulent employment activity, suggesting shared resources or coordination.

Impact, Risks, and Defensive Measures

The consequences of this campaign can be severe. In several incidents, victims ran malicious code on company-issued devices, potentially exposing entire corporate networks. Because many targeted firms are part of the software development and outsourcing supply chain, a single breach can ripple outward, affecting clients and partners as well.

Security experts recommend a layered defense: stronger identity verification during recruitment, robust endpoint security to detect suspicious behavior early, and continuous awareness training. A practical rule that follows directly from the incidents above is to treat any assessment that requires executing code as untrusted, and to run it only in an isolated, disposable environment rather than on a company-issued device. As this campaign demonstrates, even familiar hiring processes can be weaponized, making vigilance essential in today's digital workplace.