Two IOCs In, Five C2 Servers Out: Mapping DPRK's Contagious Interview Campaign From InvisibleFerret to a Kimsuky Crossover
Fake job interviews, ClickFix social engineering, NVIDIA masquerade persistence, and a Mach-O binary that links Lazarus to Kimsuky
Two IP addresses in a threat report. That's what we started with. By the time GHOST finished pulling threads, we had mapped 5 C2 servers across 4 hosting providers, 5 .cloud domains on a single Namecheap account, a deleted GitHub repository belonging to a fabricated Latin American woman, a serverless Fly.io endpoint disguised as an NVIDIA SDK, and a 4-stage cross-platform kill chain purpose-built to drain everything a developer holds dear -- SSH keys, cloud credentials, browser sessions, and cryptocurrency wallets.
This is the story of Contagious Interview, an active DPRK state-sponsored campaign where North Korean operatives pose as tech recruiters, lure developers into fake job interviews, and deploy a malware toolchain called BeaverTail and InvisibleFerret to …
IoC
IP addresses (C2 / staging hosts):
45.59.163.23
95.164.17.24
95.216.37.186
172.86.93.139
C2 and exfiltration URLs (ports as observed):
http://45.59.163.23:1244 (C2)
http://95.164.17.24:1224 (exfiltration)
http://95.216.37.186:3011
http://95.216.37.186:5000
http://172.86.93.139:3000 (C2)
http://172.86.93.139:3000/pawr/
http://45.59.163.23
http://95.164.17.24
http://95.216.37.186
http://172.86.93.139
Serverless endpoint masquerading as an NVIDIA SDK (reported as deleted; still useful for retrospective hunting):
https://nvidiasdk.fly.dev/nvs
http://nvidiasdk.fly.dev/nvs
http://nvidiasdk.fly.dev
.cloud domains (five registered on one Namecheap account) and their api. subdomains:
http://driverstream.cloud
http://api.driverstream.cloud
http://driversnap.cloud
http://api.driversnap.cloud
http://camdriverstore.cloud
http://api.camdriverstore.cloud
http://videotechdrivers.cloud
http://api.videotechdrivers.cloud
http://videodriverzone.cloud
http://api.videodriverzone.cloud
GitHub staging under the fabricated persona (repository since deleted):
http://github.com/RominaMabelRamirez/dify
https://raw.githubusercontent.com/RominaMabelRamirez/dify/refs/heads/bai/api/*
https://raw.githubusercontent.com/RominaMabelRamirez/dify/refs/heads/bai/api/downx64.sh
https://raw.githubusercontent.com/RominaMabelRamirez/dify/refs/heads/bai/api/x64nvidia
https://raw.githubusercontent.com/RominaMabelRamirez/dify/refs/heads/bai/api/payuniversal2
Legitimate URL that appears alongside the indicators (the official nvm-sh/nvm installer; benign on its own, so treat it as a hunting pivot, not a block entry):
https://raw.githubusercontent.com/nvm-sh/nvm/v0.40.2/install.sh
Email addresses (three, redacted in this copy of the page):
[email protected]
[email protected]
[email protected]
Note on the raw extraction: the entries "245.59.163.23", "C245.59.163.23:1244", "C2172.86.93.139:3000", "exfiltration95.164.17.24:1224" and "deletedhxxps://nvidiasdk.fly.dev/nvs" are not separate indicators; they are the labels "C2", "exfiltration" and "deleted" fused onto the indicators listed above. In particular 245.59.163.23 falls in reserved space (240.0.0.0/4) and must not be added to any blocklist. "Node.js/Express" was likewise captured as a URL but is a technology name, not an indicator.
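Lists like the one above are typically produced by automated extraction and carry exactly the artifacts seen here: labels fused onto indicators, defanged schemes, a phantom IP, and a technology name captured as a URL. The following is an added example (not code from the original article or the GHOST tooling it mentions) that normalizes such a dump into deduplicated IP, domain and URL sets, routes anything it cannot vouch for to manual review, and then runs the result over proxy log lines. RAW_IOCS is copied from the page's list, artifacts included; FUSED_LABELS, KNOWN_TLDS and SAMPLE_PROXY_LOG are constructed assumptions for the demo.

```python
"""Normalize a raw IOC dump and hunt for hits in proxy logs (added example, not the article's code).

RAW_IOCS is copied from the page's IoC list, extraction artifacts included;
FUSED_LABELS, KNOWN_TLDS and SAMPLE_PROXY_LOG are constructed assumptions for the demo.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Words the extractor fused onto the front of an indicator ("C245.59.163.23" was "C2 45.59.163.23").
FUSED_LABELS = ("C2", "exfiltration", "deleted")
# Assumed allowlist: a host under any other TLD goes to manual review instead of a block set.
KNOWN_TLDS = {"cloud", "dev", "com"}
DOMAIN_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,}$")
SCHEME_RE = re.compile(r"^(h(?:tt|xx)ps?)://(.*)$", re.I)

RAW_IOCS = [  # copied from the page, artifacts included
    "http://driverstream.cloud",
    "http://api.driversnap.cloud",
    "http://C245.59.163.23:1244",
    "http://45.59.163.23:1244",
    "http://deletedhxxps://nvidiasdk.fly.dev/nvs",
    "https://nvidiasdk.fly.dev/nvs",
    "http://exfiltration95.164.17.24:1224",
    "http://95.164.17.24:1224",
    "http://Node.js/Express",
    "http://C2172.86.93.139:3000",
    "http://172.86.93.139:3000/pawr/",
    "https://raw.githubusercontent.com/RominaMabelRamirez/dify/refs/heads/bai/api/downx64.sh",
    "95.164.17.24",
    "45.59.163.23",
    "245.59.163.23",
]

SAMPLE_PROXY_LOG = [  # constructed: "<time> <client> <method> <url>"
    "2025-01-09T10:01:02Z 10.0.0.12 GET https://api.driversnap.cloud/api/health",
    "2025-01-09T10:01:09Z 10.0.0.12 POST http://45.59.163.23:1244/uploads",
    "2025-01-09T10:02:00Z 10.0.0.33 GET https://raw.githubusercontent.com/nvm-sh/nvm/v0.40.2/install.sh",
    "2025-01-09T10:02:31Z 10.0.0.33 GET https://raw.githubusercontent.com/RominaMabelRamirez/dify/refs/heads/bai/api/downx64.sh",
    "2025-01-09T10:03:00Z 10.0.0.40 GET https://api.example.com/v1/status",
]


def refang(s: str) -> str:
    return s.replace("hxxp", "http").replace("[.]", ".").replace("[:]", ":")


def normalize(raw: str):
    """Return (kind, value) with kind in {'ip', 'domain', 'url', 'review'}."""
    s, scheme = raw.strip(), None
    for _ in range(2):  # pass 1: the extractor's http:// prefix; pass 2: a scheme exposed after label stripping
        m = SCHEME_RE.match(s)
        if m:
            scheme, s = refang(m.group(1).lower()), m.group(2)
        for label in FUSED_LABELS:
            if s.startswith(label) and len(s) > len(label):
                s = s[len(label):]
                break
    s = refang(s)
    hostport, _, path = s.partition("/")
    host, _, port = hostport.partition(":")
    host = host.lower()
    try:
        if not ipaddress.ip_address(host).is_global:  # reserved/private space: an artifact, never a real C2
            return "review", raw
        kind = "ip"
    except ValueError:
        if not DOMAIN_RE.match(host) or host.rsplit(".", 1)[-1] not in KNOWN_TLDS:
            return "review", raw
        kind = "domain"
    if port or path:
        return "url", f"{scheme or 'http'}://{host}" + (f":{port}" if port else "") + (f"/{path}" if path else "")
    return kind, host


def build_indicators(raw_list):
    """Deduplicated indicator sets by kind, plus the entries an analyst must look at by hand."""
    ind = {"ip": set(), "domain": set(), "url": set(), "review": []}
    for raw in raw_list:
        kind, value = normalize(raw)
        if kind == "review":
            ind["review"].append(value)
        else:
            ind[kind].add(value)
    return ind


def hunt(log_lines, ind):
    """Log lines whose destination matches an indicator. IPs and domains match on host
    (subdomains included); URLs match only as a path prefix, so a hit on one
    raw.githubusercontent.com path never implicates the whole CDN."""
    hits = []
    for line in log_lines:
        url = line.split()[-1]
        host = (urlsplit(url).hostname or "").lower()
        if (host in ind["ip"]
                or any(host == d or host.endswith("." + d) for d in ind["domain"])
                or any(url == u or url.startswith(u.rstrip("/") + "/") for u in ind["url"])):
            hits.append(line)
    return hits


if __name__ == "__main__":
    ind = build_indicators(RAW_IOCS)
    print({k: sorted(v) for k, v in ind.items() if k != "review"}, "\nneeds review:", ind["review"])
    print("hits:", *hunt(SAMPLE_PROXY_LOG, ind), sep="\n  ")
```

Two design choices matter here. First, anything that fails validation (the phantom 245.59.163.23, the "Node.js/Express" string) is kept in a review bucket rather than silently dropped, so an analyst still sees what the extractor produced. Second, hosts are deliberately not derived from URL indicators: the GitHub raw paths and the fly.dev endpoint live on shared infrastructure, and promoting raw.githubusercontent.com or fly.dev to a domain block would break far more than it protects.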