lazarusholic


Contagious Interview campaign abusing VSCode, distributed via GitHub

2026-02-26, ENKI
https://www.enki.co.kr/media-center/blog/contagious-interview-campaign-abusing-vscode-distributed-on-github
#ContagiousInterview #VSCode

Contents

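Summary
Malware abusing VSCode's automation features was identified on GitHub and analyzed.
The distributed malware was identified as Beavertail, InvisibleFerret, and OtterCookie, which are used in the Contagious Interview campaign.
Some of the code showed signs suggesting that it was written with the help of an LLM.
The attackers were found to have used accounts impersonating recruiters, developers, and fictitious companies to gain credibility and distribute the malware.
Additional C&C servers were identified and analyzed based on characteristics of the C&C servers.
1. Overview
We recently identified numerous pieces of malware on GitHub that abuse the automation features of VSCode (Visual Studio Code). Analysis showed that this is malware used in the Contagious Interview campaign, and that the campaign has been under way since at least August 2025.
The Contagious Interview campaign is run by a North Korea-backed threat group and distributes malware primarily to developers. In this campaign, the attackers typically pose as recruiters to approach developers and, under the pretext of a coding test or a video interview, induce them to download malware such as Beavertail, InvisibleFerret, and OtterCookie.
The GitHub accounts identified this time were found to impersonate recruiters at real companies, Web3 developers, and fictitious companies. We assess that the attackers used these personas to disguise their activity as legitimate recruiting and development work, gain credibility, and attempt to distribute malware.
In addition, analysis of the malware used for distribution showed that, rather than code written directly by a person, …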

IoC
