New North Korean campaign uses fake coding interviews to steal developer credentials

2026-07-18 Elastic

https://www.elastic.co/security-labs/contagious-interview-malware-svg-steganography

Thumbnail for New North Korean campaign uses fake coding interviews to steal developer credentials

Elastic identified REF9403, a DPRK-aligned Contagious Interview campaign that delivered trojanized coding challenges through fake developer recruitment and concealed payload fragments in SVG flag images. Running the project reconstructed and executed an OTTERCOOKIE-aligned JavaScript implant with browser and wallet theft, sensitive-file collection, clipboard monitoring, and Socket.IO remote access. The malware operated across Windows, macOS, and Linux and used rightwidth.dev infrastructure for command-and-control and exfiltration. Elastic linked the activity to earlier DPRK operations through code, behavioral, endpoint, and infrastructure overlaps.

Indicators of Compromise

Type Value First Seen Last Seen
IPv4 195.26.248.212 2026-07-18 2026-07-18
DOMAIN upload.rightwidth.dev 2026-07-18 2026-07-18
IPv4 188.40.64.61 2026-07-18 2026-07-18
DOMAIN file.rightwidth.dev 2026-07-18 2026-07-18
DOMAIN controller.rightwidth.dev 2026-07-18 2026-07-18
DOMAIN ldb.rightwidth.dev 2026-07-18 2026-07-18
DOMAIN rightwidth.dev 2026-07-18 2026-07-18
HASH fb94b2caee2c40635448a98ba011842… 2026-07-18 2026-07-18
HASH cc97517f80f567977300450de11e9a0… 2026-07-18 2026-07-18
HASH c5aed4c063d4970a03250778da8041d… 2026-07-18 2026-07-18
HASH 9df01d242ef46adfedf8c35cb7cc67b… 2026-07-18 2026-07-18
HASH 96357529d17c4690826d5d4c74deac5… 2026-07-18 2026-07-18
HASH 54bf36910d81ab516037cb3d69d7c85… 2026-07-18 2026-07-18
HASH 4e7639045b4a64de60bfb6312951a5c… 2026-07-18 2026-07-18
HASH 3e6360f83a95540aa2176d279ca4694… 2026-07-18 2026-07-18

Related Actors

Related Reports

« Back