As many as 3,136 particular person IP addresses linked to seemingly targets of the Contagious Interview exercise have been recognized, with the marketing campaign claiming 20 potential sufferer organizations spanning synthetic intelligence (AI), cryptocurrency, monetary companies, IT companies, advertising and marketing, and software program improvement sectors in Europe, South Asia, the Center East, and Central America.
The brand new findings come from Recorded Future’s Insikt Group, which is monitoring the North Korean menace exercise cluster underneath the moniker PurpleBravo. First documented in late 2023, the marketing campaign is often known as CL-STA-0240, DeceptiveDevelopment, DEV#POPPER, Well-known Chollima, Gwisin Gang, Tenacious Pungsan, UNC5342, Void Dokkaebi, and WaterPlum.
The three,136 particular person IP addresses, primarily concentrated round South Asia and North America, are assessed to have been focused by the adversary from August 2024 to September 2025. The 20 sufferer corporations are mentioned to be based mostly in Belgium, Bulgaria, Costa Rica, India, Italy, the Netherlands, Pakistan, Romania, the United Arab Emirates (U.A.E.), and Vietnam.
“In a number of circumstances, it’s seemingly that job-seeking candidates executed malicious code on company units, creating organizational publicity past the person goal,” the menace intelligence agency mentioned in a brand new report shared with The Hacker Information.
The disclosure comes a day after Jamf Menace Labs detailed a major iteration of the Contagious Interview marketing campaign whereby the attackers abuse malicious Microsoft Visible Studio Code (VS Code) initiatives as an assault vector to distribute a backdoor, underscoring continued exploitation of trusted developer workflows to realize their twin objectives of cyber espionage and monetary theft.
The Mastercard-owned firm mentioned it detected 4 LinkedIn personas doubtlessly related to PurpleBravo that masqueraded as builders and recruiters and claimed to be from the Ukrainian metropolis of Odesa, together with a number of malicious GitHub repositories which are designed to ship identified malware households like BeaverTail.
PurpleBravo has additionally been noticed managing two distinct units of command-and-control (C2) servers for BeaverTail, a JavaScript infostealer and loader, and a Go-based backdoor referred to as GolangGhost (aka FlexibleFerret or WeaselStore) that’s based mostly on the HackBrowserData open-source software.
The C2 servers, hosted throughout 17 completely different suppliers, are administered through Astrill VPN and from IP ranges in China. North Korean menace actors’ use of Astrill VPN in cyber assaults has been well-documented through the years.
It is price declaring that Contagious Interview enhances a second, separate marketing campaign known as Wagemole (aka PurpleDelta), the place IT employees from the Hermit Kingdom actors search unauthorized employment underneath fraudulent or stolen identities with organizations based mostly within the U.S. and different elements of the world for each monetary acquire and espionage.
Whereas the 2 clusters are handled as disparate units of actions, there are important tactical and infrastructure overlaps between them even supposing the IT employee menace has been ongoing since 2017.
“This features a seemingly PurpleBravo operator displaying exercise in keeping with North Korean IT employee habits, IP addresses in Russia linked to North Korean IT employees speaking with PurpleBravo C2 servers, and administration site visitors from the identical Astrill VPN IP tackle related to PurpleDelta exercise,” Recorded Future mentioned.
To make issues worse, candidates who’re approached by PurpleBravo with fictitious job affords have been discovered to take the coding evaluation on company-issued units, successfully compromising their employers within the course of. This highlights that the IT software program provide chain is “simply as susceptible” to infiltration from North Korean adversaries aside from the IT employees.
“Many of those [potential victim] organizations promote giant buyer bases, presenting an acute supply-chain danger to corporations outsourcing work in these areas,” the corporate famous. “Whereas the North Korean IT employee employment menace has been broadly publicized, the PurpleBravo supply-chain danger deserves equal consideration so organizations can put together, defend, and forestall delicate knowledge leakage to North Korean menace actors.”
