Contagious Interview Campaign Abusing VS Code Distributed on GitHub
Executive Summary
ENKI identified and analyzed malware on GitHub that abuses Visual Studio Code (VS Code) automation features.
The distributed malware payloads include BeaverTail, InvisibleFerret, and OtterCookie, which are associated with the DPRK-nexus Contagious Interview campaign.
Artifacts indicate that threat actors used Large Language Models (LLMs) to generate portions of the malicious code.
Threat actors distributed the malware by masquerading as recruiters, developers, and fictitious companies to establish trust.
We identified and analyzed additional command-and-control (C&C) infrastructure based on the characteristics of the initial C&C servers.
1. Overview
We recently identified multiple instances of malware on GitHub that abuse VS Code automation features. Our analysis attributes this activity to Contagious Interview, a DPRK-nexus campaign active since at least 2025-08 that primarily targets developers.
In this campaign, threat actors typically pose as recruiters to approach targets. Under the guise of coding tests or video interviews, they lure victims into downloading malicious payloads such as BeaverTail, InvisibleFerret, and OtterCookie.
The GitHub …
IoC