How DPRK’s Contagious Interview Campaign Targets Developers
2026-06-30 • Kudelski Security •
https://kudelskisecurity.com/research/how-dprks-contagious-interview-campaign-targets-developers
Kudelski Security tracked a DPRK-linked Contagious Interview operation in which actors posed as recruiters on LinkedIn, WhatsApp, Discord, and CodeMentor to pressure developers into running trojanized interview projects. A fake GitHub repository impersonating Ajuna Network used `npm install` and a hidden VS Code task to launch a Node.js backdoor that collected host data and `process.env` secrets, then beaconed to a Hetzner-hosted C2 on port 1224 for remote command execution. The report also describes collaborator and laptop-access contracts, regional VPS/residential proxy/VPN use including Astrill VPN, and detection logic for `/api/` C2 traffic, VS Code task execution, and NirCmd hidden batch execution.
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| URL | http://138.201.128.169:1224/api… | 2026-06-30 | 2026-06-30 |
| IPv4 | 138.201.128.169 | 2026-06-30 | 2026-06-30 |