Full Report
DPRK-aligned threat actors abuse CTI platforms to detect infrastructure exposure and scout for new assets.
Analysis Summary
# Threat Actor: North Korea-aligned Threat Actors (Associated with Contagious Interview campaign cluster)
## Attribution & Identity
Attributed with high confidence to North Korean threat actors involved in the **Contagious Interview** campaign cluster. The article also notes persistent interest in CTI linked to major North Korean APT umbrella clusters like **Lazarus**.
## Activity Summary
The actors actively monitor cyber threat intelligence (CTI) platforms to detect exposure of their infrastructure and to scout new assets. They operate in coordinated teams, suspected of using platforms such as Slack for real-time collaboration while working in CTI platforms such as Validin, VirusTotal, and Maltrail. They made an intensive and coordinated effort to register and use Validin community access accounts, particularly after infrastructure related to Lazarus was discussed in a Validin blog post on March 11, 2025. Despite recognizing that their infrastructure is being monitored, the actors have made only limited changes to reduce detection, preferring to rapidly deploy new infrastructure after service provider takedowns; this suggests a strategy focused on continuous operational sustainability rather than infrastructure hardening. The campaign cluster employed the **ClickFix** social engineering technique. Over 230 victims were identified between January and March 2025, and the actual count is likely much higher.
## Tactics, Techniques & Procedures
- Actively monitoring CTI platforms (Validin, VirusTotal, Maltrail) for intelligence regarding their own infrastructure.
- Real-time coordination among operational teams (suspected use of Slack).
- Employing **ClickFix** social engineering technique.
- Low maintenance on existing infrastructure exposure, relying on rapid redeployment after disruption.
- Operational security measures that include tracking, via CTI platforms, which of their own infrastructure artifacts have been exposed.
- **The SHA-1 hashes observed correspond to the `ContagiousDrop` application (app.js).**
## Targeting
- Sectors: Implied focus on sectors that utilize hiring/assessment platforms ("Contagious Interview" suggests targeting job seekers or recruitment functions within organizations).
- Geography: Not explicitly stated, but attribution points to North Korea-aligned actors.
- Victims: Over 230 victims observed between January and March 2025. (The Reuters coverage cited in the report suggests a focus on cryptocurrency workers.)
## Tools & Infrastructure
- **Malware Families Used:** `ContagiousDrop` application (identified by SHA-1 hashes).
- **Infrastructure (C2, domains, IPs):**
  - **IPs used for account registration/login:**
    - 39.70[.]194
    - 77.247.126[.]189
    - 89.19.58[.]51
    - 96.62.127[.]126
  - **Contagious Interview Domains:** careerquestion[.]com, evaluateiq[.]com, hirelytics360[.]com, motionassess[.]com, nvidia-release[.]us, paxos-video-interview[.]com, paxosassessments[.]com, quickproassess[.]com, quiz-nest[.]com, robinhood[.]evalvidz[.]com, skill-share[.]org, skillcheck[.]pro, skillmasteryhub[.]us, skillquestions[.]com, talentcheck[.]pro, versusx[.]us, vidassesspro[.]com, VidHireHub[.]com, webcamfixer[.]online, willotalent[.]us
  - **ClickFix Malware Distribution Servers:** api.camdriverhelp[.]club, api.drive-release[.]cloud, api.release-drivers[.]online, glitchmedic[.]com
  - **Domains Scouted by Operators:** easyjobinterview[.]org, hireassessment[.]com, hiringassessment[.]com, hiringassessment[.]net, screenquestion[.]org
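The indicators above are published defanged (`[.]`), so they have to be refanged before they can be matched against DNS, proxy, or authentication logs, and subdomains of a listed domain (for example a `www.` host under one of the assessment domains) should also count as a hit while an unlisted parent such as `evalvidz[.]com` alone should not. The script below is an added example, not code from the original report or from Validin: it refangs the page's own indicator lists, groups them by the category the report assigns, and scans constructed log lines for exact or parent-domain matches. The log lines, the internal IPs, and the `SAMPLE_LOG` format are made up; the truncated first IP entry on the page is omitted because it is incomplete.

```python
"""Match the report's defanged indicators against sample DNS/proxy/auth logs.

Added example; not code from the original report or from Validin. Indicator
values are the ones published on the page (the first, truncated IP entry is
omitted because it is incomplete). The log lines are constructed.
"""
import re
from typing import Iterable, Optional

# Indicators copied from the report, still in their defanged form.
CONTAGIOUS_INTERVIEW_DOMAINS = [
    "careerquestion[.]com", "evaluateiq[.]com", "hirelytics360[.]com",
    "motionassess[.]com", "nvidia-release[.]us", "paxos-video-interview[.]com",
    "paxosassessments[.]com", "quickproassess[.]com", "quiz-nest[.]com",
    "robinhood[.]evalvidz[.]com", "skill-share[.]org", "skillcheck[.]pro",
    "skillmasteryhub[.]us", "skillquestions[.]com", "talentcheck[.]pro",
    "versusx[.]us", "vidassesspro[.]com", "VidHireHub[.]com",
    "webcamfixer[.]online", "willotalent[.]us",
]
CLICKFIX_SERVERS = [
    "api.camdriverhelp[.]club", "api.drive-release[.]cloud",
    "api.release-drivers[.]online", "glitchmedic[.]com",
]
SCOUTED_DOMAINS = [
    "easyjobinterview[.]org", "hireassessment[.]com", "hiringassessment[.]com",
    "hiringassessment[.]net", "screenquestion[.]org",
]
REGISTRATION_IPS = ["77.247.126[.]189", "89.19.58[.]51", "96.62.127[.]126"]


def refang(indicator: str) -> str:
    """Turn a defanged indicator ("[.]", "(.)", "hxxp://") back into a matchable value."""
    value = indicator.strip().lower().replace("[.]", ".").replace("(.)", ".")
    return re.sub(r"^hxxp", "http", value)


def build_ioc_sets() -> dict:
    """Group the refanged indicators by the category the report assigns to them."""
    return {
        "contagious_interview_domain": {refang(d) for d in CONTAGIOUS_INTERVIEW_DOMAINS},
        "clickfix_server": {refang(d) for d in CLICKFIX_SERVERS},
        "scouted_domain": {refang(d) for d in SCOUTED_DOMAINS},
        "registration_ip": {refang(i) for i in REGISTRATION_IPS},
    }


IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# Hostnames and dotted-quad IPs embedded in a free-form (already lowercased) log line.
HOST_RE = re.compile(r"\b(?:\d{1,3}(?:\.\d{1,3}){3}|[a-z0-9-]+(?:\.[a-z0-9-]+)+)\b")


def candidate_keys(host: str) -> Iterable[str]:
    """Yield the host and each parent domain so subdomains of an IOC also match."""
    if IP_RE.match(host):
        yield host
        return
    parts = host.split(".")
    for i in range(len(parts) - 1):
        yield ".".join(parts[i:])


def classify(host: str, iocs: dict) -> Optional[tuple]:
    """Return (category, matched_indicator) for a host, or None if it is clean."""
    for key in candidate_keys(host):
        for category, values in iocs.items():
            if key in values:
                return category, key
    return None


def scan_log(lines: Iterable[str], iocs: Optional[dict] = None) -> list:
    """Return one hit per observed host/IP that resolves to a report indicator."""
    iocs = iocs or build_ioc_sets()
    hits = []
    for line in lines:
        for host in HOST_RE.findall(line.lower()):
            match = classify(host, iocs)
            if match:
                category, indicator = match
                hits.append({"line": line, "observed": host,
                             "indicator": indicator, "category": category})
    return hits


# Constructed sample log lines (DNS, proxy, and authentication records).
SAMPLE_LOG = [
    "2025-03-12T09:14:02Z dns client=10.20.0.14 qname=api.drive-release.cloud qtype=A",
    "2025-03-12T09:14:05Z proxy src=10.20.0.14 dst=https://www.skillcheck.pro/assessment/start status=200",
    "2025-03-12T09:15:11Z dns client=10.20.0.31 qname=updates.example.com qtype=A",
    "2025-03-12T09:16:40Z auth user=j.doe src_ip=89.19.58.51 action=login result=success",
    "2025-03-12T09:17:03Z dns client=10.20.0.14 qname=evalvidz.com qtype=A",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"[{hit['category']}] {hit['observed']} -> {hit['indicator']}: {hit['line']}")
```

On the constructed input this yields three hits (the ClickFix distribution server, the `www.` subdomain of a Contagious Interview domain, and a login from a registration IP) and correctly ignores `evalvidz.com`, since only `robinhood.evalvidz.com` is listed. The same `scan_log` function can be fed real log exports line by line; for a blocklist (the automated-response mitigation below) the refanged `build_ioc_sets()` values are the ones to load.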
## Implications
The actors demonstrate a high level of operational discipline, evidenced by sophisticated team coordination and extensive use of CTI platforms to monitor their own footprint. Their strategy prioritizes rapid infrastructure turnover over long-term stealth on existing assets, suggesting they have substantial resources for quick deployment and redeployment. Their effectiveness in victim engagement (over 230 victims in three months) indicates that their social engineering and spear-phishing campaigns are highly successful.
## Mitigations
- **Monitor CTI Platform Access:** Scrutinize access logs on internal or subscribed CTI platforms for known threat actor usage patterns (e.g., rapid registration after specific intelligence publications).
- **Infrastructure Monitoring & Automated Response:** Deploy systems capable of rapidly taking down or blocking newly registered domains associated with these actors.
- **User Security Training:** Given the use of ClickFix social engineering, heightened awareness regarding fake assessment/hiring platforms is crucial.
- **Defensive Visibility:** Threat intelligence sharing and continuous monitoring are key to disrupting an operational cycle that revolves around CTI platform abuse.
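The first mitigation describes a concrete pattern: a wave of community-account registrations in the hours after a publication, from a small set of source IPs that the report later tied to the actors. The script below is an added example, not code from the original report or from Validin, showing how a platform operator could score registration events against that pattern. It treats three signals as suspicious: a registration inside a window after a publication when the window holds an unusual number of sign-ups, multiple accounts created from one source IP, and a source IP on a watchlist. The registration records, the account names, the non-watchlist IPs, the 48-hour window, the threshold of three, and the publication hour are all assumptions; the watchlisted IPs are the ones listed on the page (the truncated entry omitted) and the publication date is the March 11, 2025 blog post the report names.

```python
"""Score CTI-platform account registrations for the pattern the report describes.

Added example; not code from the original report or from Validin. The
registration events, account names, non-watchlist IPs, window length and
threshold are constructed; the watchlist IPs and publication date come from
the report (the publication hour is assumed).
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Registration/login IPs listed in the report (truncated entry omitted).
WATCHLIST_IPS = {"77.247.126.189", "89.19.58.51", "96.62.127.126"}

# Constructed registration log: (timestamp, account, source_ip).
REGISTRATIONS = [
    ("2025-03-09T14:02:00Z", "analyst_a", "203.0.113.10"),
    ("2025-03-11T13:05:00Z", "research01", "89.19.58.51"),
    ("2025-03-11T13:09:00Z", "research02", "89.19.58.51"),
    ("2025-03-11T13:20:00Z", "threathunter77", "96.62.127.126"),
    ("2025-03-11T14:41:00Z", "blueteam_x", "77.247.126.189"),
    ("2025-03-12T08:30:00Z", "soc_intern", "198.51.100.7"),
    ("2025-03-20T10:00:00Z", "analyst_b", "203.0.113.22"),
]

# Blog post date from the report; the hour is an assumption.
PUBLICATION_TIME = "2025-03-11T12:00:00Z"


def parse_ts(value: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp of the form used in the constructed log."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def registrations_after_publication(events, published_at: str, window_hours: int = 48) -> list:
    """Return the registrations that landed inside the window following a publication."""
    start = parse_ts(published_at)
    end = start + timedelta(hours=window_hours)
    return [e for e in events if start <= parse_ts(e[0]) < end]


def score_registrations(events, published_at: str, window_hours: int = 48,
                        burst_threshold: int = 3, watchlist=WATCHLIST_IPS) -> list:
    """Return one finding per account that trips at least one suspicious signal."""
    in_window = set(registrations_after_publication(events, published_at, window_hours))
    burst = len(in_window) >= burst_threshold

    accounts_per_ip = defaultdict(set)
    for _, account, ip in events:
        accounts_per_ip[ip].add(account)

    findings = []
    for ts, account, ip in events:
        reasons = []
        if ip in watchlist:
            reasons.append("source IP on watchlist")
        if len(accounts_per_ip[ip]) > 1:
            reasons.append(f"{len(accounts_per_ip[ip])} accounts registered from same IP")
        if burst and (ts, account, ip) in in_window:
            reasons.append("part of post-publication registration burst")
        if reasons:
            findings.append({"account": account, "ip": ip, "registered": ts, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in score_registrations(REGISTRATIONS, PUBLICATION_TIME):
        print(finding["registered"], finding["account"], finding["ip"], "; ".join(finding["reasons"]))
```

On the constructed data the five sign-ups inside the 48-hour window trip the burst signal, the two `research*` accounts additionally share a watchlisted IP, and the two analysts outside the window produce no finding. In practice the burst threshold should come from the platform's own baseline registration rate rather than a fixed number, and a finding is a reason to review an account's query history, not an automatic ban.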