ACCORDING to Insikt Group, a campaign dubbed “Contagious Interview” shows PurpleBravo, a North Korean threat group, increasingly targeting the IT software supply chain by masquerading as legitimate recruiters and delivering weaponised coding tests to candidates’ corporate laptops. The operation relies on elaborate fictitious personas on professional networks, with recruiters supposedly from places like Odessa, Ukraine, who build relationships before sending a “coding challenge” or project file hosted on GitHub.
Once a candidate runs the test, BeaverTail (a JavaScript infostealer) deploys, alongside two Remote Access Trojans named PylangGhost and GolangGhost, designed to bypass security defences and exfiltrate data. The report notes a connection between PurpleBravo and the fraud-ridden North Korean IT workforce known as PurpleDelta, with investigators observing shared infrastructure such as Astrill VPN nodes and overlapping malware and freelance activity.
Insikt Group identified over 3,000 IP addresses linked to potential targets and at least twenty victim organisations across the AI, cryptocurrency, and financial services sectors.