
G1052 Contagious Interview

Contagious Interview is a North Korea–aligned threat group active since 2023. The group conducts both cyberespionage and financially motivated operations, including the theft of cryptocurrency and user credentials. Contagious Interview targets Windows, Linux, and macOS systems, with a particular focus on individuals engaged in software development and cryptocurrency-related activities. 2345691011

Item Value
ID G1052
Associated Names DeceptiveDevelopment, Gwisin Gang, Tenacious Pungsan, DEV#POPPER, PurpleBravo, TAG-121
Version 1.0
Created 19 October 2025
Last Modified 24 October 2025

Associated Group Descriptions

Name Description
DeceptiveDevelopment 6
Gwisin Gang 17
Tenacious Pungsan 4
DEV#POPPER 8
PurpleBravo 5
TAG-121 5

Techniques Used

Domain ID Name Use
enterprise T1583 Acquire Infrastructure Contagious Interview has used services such as Astrill VPN.15
enterprise T1583.001 Domains Contagious Interview has registered domains to leverage in their social engineering campaigns.5611 Contagious Interview has also registered domains to utilize for C2.1122151314
enterprise T1583.003 Virtual Private Server Contagious Interview has acquired virtual private servers from services such as Stark Industries Solutions and RouterHosting.310 Contagious Interview has also utilized hosting providers including Tier[.]Net, Majestic Hosting, Leaseweb Singapore, and Kaopu Cloud.5
enterprise T1583.006 Web Services Contagious Interview has used web services such as Dropbox to receive stolen data and Google Drive, Firebase, GitHub, and Telegram to disseminate files.125 Contagious Interview has also used cloud platforms such as Vercel for C2 operations, leveraging malicious web applications and static pages.151314 Contagious Interview has also used Slack to coordinate their activities.1
enterprise T1071 Application Layer Protocol -
enterprise T1071.003 Mail Protocols Contagious Interview has utilized email notifications from malware distribution servers to track victim engagement.1
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.001 Registry Run Keys / Startup Folder Contagious Interview has established persistence using InvisibleFerret malware to place a .bat file in the Startup Folder.9
enterprise T1547.013 XDG Autostart Entries Contagious Interview has established persistence using InvisibleFerret malware to create a .desktop entry to run on startup on GNOME-based Linux devices.9
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.003 Windows Command Shell Contagious Interview has utilized VBS scripts to open cmd.exe and run commands, including the go_batch.bat batch file.12
enterprise T1059.004 Unix Shell Contagious Interview has targeted macOS victim hosts using a bash downloader coremedia.sh and a bash script cloud.sh.12
enterprise T1059.005 Visual Basic Contagious Interview has utilized Visual Basic scripts in the execution of their downloader malware targeting Windows devices, including a script called update.vbs.12
enterprise T1059.006 Python Contagious Interview has used Python-based malware such as InvisibleFerret to install and execute Python packages and modules.3610
enterprise T1059.007 JavaScript Contagious Interview has leveraged JavaScript in the execution of their downloader malware targeting Windows devices using a NodeJS script titled nvidia.js.12
enterprise T1543 Create or Modify System Process -
enterprise T1543.001 Launch Agent Contagious Interview has established persistence using InvisibleFerret malware to create a file that runs the script at startup via LaunchAgents.9 Contagious Interview has also utilized a plist file located in /Library/LaunchAgents to allow a malicious bash script to persist.12
enterprise T1555 Credentials from Password Stores -
enterprise T1555.001 Keychain Contagious Interview has leveraged malware variants configured to dump credentials from the macOS keychain.121314
enterprise T1587 Develop Capabilities Contagious Interview developed malicious NPM packages for delivery to or retrieval by victims.12315131410
enterprise T1587.001 Malware Contagious Interview has developed malware that utilizes the Qt cross-platform framework, including BeaverTail.611
enterprise T1573 Encrypted Channel -
enterprise T1573.001 Symmetric Cryptography Contagious Interview has encrypted C2 traffic using RC4.12
enterprise T1585 Establish Accounts Contagious Interview has created and maintained personas on code repositories to distribute malicious payloads.121513146
enterprise T1585.001 Social Media Accounts Contagious Interview has created fake social media accounts such as LinkedIn and Telegram accounts for their targeting efforts.561617119
enterprise T1585.002 Email Accounts Contagious Interview has created fake email accounts to correspond with social media accounts, fake LinkedIn personas, code repository accounts, and job announcements on development job board services.15146911 Contagious Interview has also utilized fake email accounts with Threat Intelligence vendor services.1
enterprise T1546 Event Triggered Execution -
enterprise T1546.004 Unix Shell Configuration Modification Contagious Interview has targeted macOS victim hosts using a bash downloader coremedia.sh and a bash script cloud.sh.12
enterprise T1480 Execution Guardrails Contagious Interview has configured C2 endpoints to review IP geolocation, request headers, victim environment details and runtime conditions prior to delivering payloads.14
enterprise T1048 Exfiltration Over Alternative Protocol -
enterprise T1048.003 Exfiltration Over Unencrypted Non-C2 Protocol Contagious Interview has exfiltrated victim information using FTP.61011
enterprise T1041 Exfiltration Over C2 Channel Contagious Interview has exfiltrated data from a compromised host to actor-controlled C2 servers.1351513146161011
enterprise T1567 Exfiltration Over Web Service Contagious Interview has leveraged Telegram API to exfiltrate stolen data.6
enterprise T1567.002 Exfiltration to Cloud Storage Contagious Interview has exfiltrated stolen passwords to Dropbox.12
enterprise T1083 File and Directory Discovery Contagious Interview has conducted keyword searches within files and directories on compromised hosts to identify files for exfiltration.610
enterprise T1657 Financial Theft Contagious Interview has stolen cryptocurrency wallet credentials and credit card information utilizing BeaverTail and InvisibleFerret malware.31314691011
enterprise T1589 Gather Victim Identity Information Contagious Interview has researched specific professional groups such as software developers for targeting.14168171011 Contagious Interview has also researched individuals who work in roles related to cryptocurrency and blockchain technologies.112
enterprise T1562 Impair Defenses -
enterprise T1562.001 Disable or Modify Tools Contagious Interview has convinced victims to disable Docker and other container environments and run code on their machine natively in attempts to bypass container isolation and ensure device infection.14
enterprise T1656 Impersonation Contagious Interview has impersonated HR hiring personnel through social media and job board notifications, and has conducted interviews with victims in order to entice them to download malware disguised as legitimate applications or malicious scripts from code repositories.1214168171011
enterprise T1070 Indicator Removal -
enterprise T1070.004 File Deletion Contagious Interview has configured malware to remove archives used in collection activities following successful exfiltration.13
enterprise T1036 Masquerading Contagious Interview has delivered BeaverTail malware masquerading as legitimate software or applications.3691011 Contagious Interview has also delivered malicious payloads masquerading as legitimate software drivers.12
enterprise T1571 Non-Standard Port Contagious Interview has used TCP port 1224 for C2.15
enterprise T1027 Obfuscated Files or Information -
enterprise T1027.010 Command Obfuscation Contagious Interview has obfuscated JavaScript code using Base64 and variable substitutions.61689
enterprise T1027.013 Encrypted/Encoded File Contagious Interview has used hexadecimal string encoding to hide critical JavaScript module names, function names, and C2 URLs, which are decoded dynamically at runtime.15
enterprise T1588 Obtain Capabilities -
enterprise T1588.002 Tool Contagious Interview has used remote management and monitoring software such as “AnyDesk”.36161011
enterprise T1588.007 Artificial Intelligence Contagious Interview appears to have used AI to generate images and content to facilitate their campaigns.5
enterprise T1566 Phishing -
enterprise T1566.003 Spearphishing via Service Contagious Interview has used fake job advertisements and messages sent via social media to spearphish targets.122561617 Contagious Interview has also leveraged hiring websites to solicit victims.5
enterprise T1090 Proxy Contagious Interview has leveraged Astrill VPN for C2.5
enterprise T1219 Remote Access Tools -
enterprise T1219.002 Remote Desktop Software Contagious Interview has downloaded remote management and monitoring software such as “AnyDesk” for post compromise activities.36161011
enterprise T1593 Search Open Websites/Domains Contagious Interview has utilized open-source indicator-of-compromise repositories, including VirusTotal and MalTrail, to determine their exposure.1
enterprise T1593.001 Social Media Contagious Interview has identified and solicited victims through social media such as LinkedIn, X, and Telegram.12216171011
enterprise T1593.003 Code Repositories Contagious Interview has identified and solicited victims through code repositories such as GitHub.10
enterprise T1681 Search Threat Vendor Data Contagious Interview has registered accounts with Threat Intelligence vendor services to check for reporting associated with their infrastructure and to evaluate new potential infrastructure.1
enterprise T1608 Stage Capabilities -
enterprise T1608.001 Upload Malware Contagious Interview has hosted malicious payloads on code repositories used as lures for victims to download.12351513146168910
enterprise T1082 System Information Discovery Contagious Interview has configured malicious webpages to identify the victim's operating system from the User-Agent header sent by the victim's browser.12
enterprise T1204 User Execution -
enterprise T1204.001 Malicious Link Contagious Interview has lured victims to click on a malicious link that led to download of a malicious payload.5 Contagious Interview has also leveraged links to malicious payloads on social media and code repositories.5
enterprise T1204.002 Malicious File Contagious Interview has distributed malicious files requiring direct victim interaction to execute through the guise of a code test.1617
enterprise T1204.004 Malicious Copy and Paste Contagious Interview has leveraged ClickFix type tactics enticing victims to copy and paste malicious code.1122
enterprise T1204.005 Malicious Library Contagious Interview has relied on users installing a malicious library from a code repository to infect the victim's device, which has led to additional payload distribution and theft of sensitive data.12315131468910
enterprise T1497 Virtualization/Sandbox Evasion Contagious Interview has requested victims to disable Docker and other container environments in attempts to thwart container isolation and ensure device infection.14

Software

ID | Name | References | Techniques
S1246 | BeaverTail | 69101135 | Web Protocols:Application Layer Protocol, Archive via Utility:Archive Collected Data, Browser Information Discovery, JavaScript:Command and Scripting Interpreter, Credentials from Web Browsers:Credentials from Password Stores, Credentials from Password Stores, Keychain:Credentials from Password Stores, Data from Local System, Junk Data:Data Obfuscation, Local Data Staging:Data Staged, Exfiltration Over C2 Channel, File and Directory Discovery, Financial Theft, File Deletion:Indicator Removal, Ingress Tool Transfer, Log Enumeration, Masquerading, Non-Standard Port, Encrypted/Encoded File:Obfuscated Files or Information, Compromise Software Dependencies and Development Tools:Supply Chain Compromise, System Information Discovery, System Time Discovery, Malicious File:User Execution
S1249 | HexEval Loader | 151314 | Web Protocols:Application Layer Protocol, JavaScript:Command and Scripting Interpreter, Deobfuscate/Decode Files or Information, Exfiltration Over C2 Channel, Ingress Tool Transfer, Keylogging:Input Capture, Match Legitimate Resource Name or Location:Masquerading, Encrypted/Encoded File:Obfuscated Files or Information, System Information Discovery, System Location Discovery, System Network Configuration Discovery, System Owner/User Discovery
S1245 | InvisibleFerret | 36910115 | Local Account:Account Discovery, Web Protocols:Application Layer Protocol, Archive via Utility:Archive Collected Data, XDG Autostart Entries:Boot or Logon Autostart Execution, Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution, Clipboard Data, Python:Command and Scripting Interpreter, PowerShell:Command and Scripting Interpreter, Launch Agent:Create or Modify System Process, Credentials from Web Browsers:Credentials from Password Stores, Password Managers:Credentials from Password Stores, Data from Local System, Local Data Staging:Data Staged, Deobfuscate/Decode Files or Information, Exfiltration Over Unencrypted Non-C2 Protocol:Exfiltration Over Alternative Protocol, Exfiltration Over C2 Channel, Exfiltration Over Web Service, File and Directory Discovery, Financial Theft, Hidden Window:Hide Artifacts, Ingress Tool Transfer, Input Capture, Keylogging:Input Capture, Non-Application Layer Protocol, Non-Standard Port, Encrypted/Encoded File:Obfuscated Files or Information, Process Discovery, Remote Access Tools, Selective Exclusion, Service Stop, Software Discovery, System Information Discovery, System Location Discovery, System Network Configuration Discovery, System Owner/User Discovery
S1248 | XORIndex Loader | 13 | Web Protocols:Application Layer Protocol, JavaScript:Command and Scripting Interpreter, Deobfuscate/Decode Files or Information, Exfiltration Over C2 Channel, Ingress Tool Transfer, Match Legitimate Resource Name or Location:Masquerading, Encrypted/Encoded File:Obfuscated Files or Information, Command Obfuscation:Obfuscated Files or Information, System Information Discovery, System Location Discovery, System Network Configuration Discovery, System Owner/User Discovery

References

  1. Aleksandar Milenkoski, Sreekar Madabushi, Kenneth Kinion. (2025, September 4). Contagious Interview | North Korean Threat Actors Reveal Plans and Ops by Abusing Cyber Intel Platforms. Retrieved October 20, 2025. 

  2. Efstratios Lontzetidis. (2025, January 16). Lazarus APT: Techniques for Hunting Contagious Interview. Retrieved October 20, 2025. 

  3. eSentire Threat Response Unit (TRU). (2024, November 14). Bored BeaverTail & InvisibleFerret Yacht Club – A Lazarus Lure Pt.2. Retrieved October 17, 2025. 

  4. Ian Kretz, Sebastian Obregoso, Datadog Security Research Team. (2024, October 24). Tenacious Pungsan: A DPRK threat actor linked to Contagious Interview. Retrieved October 20, 2025. 

  5. Insikt Group. (2025, February 13). Inside the Scam: North Korea’s IT Worker Threat. Retrieved October 17, 2025. 

  6. Matej Havranek. (2025, February 20). DeceptiveDevelopment targets freelance developers. Retrieved October 17, 2025. 

  7. Michael “Barni” Barnhart, DTEX, and Anonymous SMEs. (2025, May 14). Exposing DPRK’s Cyber Syndicate and Hidden IT Workforce. Retrieved September 3, 2025. 

  8. Securonix Threat Research, D.Iuzvyk, T. Peck, O.Kolesnikov. (2024, April 24). Analysis of DEV#POPPER: New Attack Campaign Targeting Software Developers Likely Associated With North Korean Threat Actors. Retrieved October 20, 2025. 

  9. Seongsu Park. (2024, November 4). From Pyongyang to Your Payroll: The Rise of North Korean Remote Workers in the West. Retrieved October 17, 2025. 

  10. Unit 42. (2023, November 21). Hacking Employers and Seeking Employment: Two Job-Related Campaigns Bear Hallmarks of North Korean Threat Actors. Retrieved October 17, 2025. 

  11. Unit42. (2024, October 9). Contagious Interview: DPRK Threat Actors Lure Tech Industry Job Seekers to Install New Variants of BeaverTail and InvisibleFerret Malware. Retrieved October 17, 2025. 

  12. Amaury G., Coline Chavane, Felix Aimé and Sekoia TDR. (2025, March 31). From Contagious to ClickFake Interview: Lazarus leveraging the ClickFix tactic. Retrieved April 1, 2025. 

  13. Kirill Boychenko. (2025, July 14). Contagious Interview Campaign Escalates With 67 Malicious npm Packages and New Malware Loader. Retrieved October 19, 2025. 

  14. Kirill Boychenko. (2025, June 25). Another Wave: North Korean Contagious Interview Campaign Drops 35 New Malicious npm Packages. Retrieved October 19, 2025. 

  15. Kirill Boychenko. (2025, April 4). Lazarus Expands Malicious npm Campaign: 11 New Packages Add Malware Loaders and Bitbucket Payloads. Retrieved October 20, 2025. 

  16. Ryan Sherstobitoff. (2024, October 29). Inside a North Korean Phishing Operation Targeting DevOps Employees. Retrieved October 20, 2025. 

  17. Steve Cobb. (2024, October 29). The Job Offer That Wasn’t: How We Stopped an Espionage Plot. Retrieved October 20, 2025.