How DPRK’s Contagious Interview Campaign Targets Developers

2026-06-30 Kudelski Security

https://kudelskisecurity.com/research/how-dprks-contagious-interview-campaign-targets-developers

Thumbnail for How DPRK’s Contagious Interview Campaign Targets Developers

Kudelski Security tracked a DPRK-linked Contagious Interview operation in which actors posed as recruiters on LinkedIn, WhatsApp, Discord, and CodeMentor to pressure developers into running trojanized interview projects. A fake GitHub repository impersonating Ajuna Network used `npm install` and a hidden VS Code task to launch a Node.js backdoor that collected host data and `process.env` secrets, then beaconed to a Hetzner-hosted C2 on port 1224 for remote command execution. The report also describes collaborator and laptop-access contracts, regional VPS/residential proxy/VPN use including Astrill VPN, and detection logic for `/api/` C2 traffic, VS Code task execution, and NirCmd hidden batch execution.

Indicators of Compromise

Type Value First Seen Last Seen
URL http://138.201.128.169:1224/api… 2026-06-30 2026-06-30
IPv4 138.201.128.169 2026-06-30 2026-06-30

Related Actors

Related Reports

« Back