The Contagious Interview campaign is a sophisticated cyber espionage and malware delivery operation linked to North Korean threat actors. It specifically targets software developers working in cryptocurrency and Web3 projects across Windows, Linux, and macOS platforms. The attackers employ social engineering by creating fake recruiter profiles to engage victims in staged job interviews, during which they deliver trojanized code. This code is hosted on legitimate JSON storage services such as JSON Keeper and popular code repositories, allowing the attackers to evade traditional detection mechanisms by blending malicious payloads with legitimate web traffic. The malware payload includes BeaverTail and OtterCookie infostealers designed to exfiltrate sensitive information, and the InvisibleFerret Remote Access Trojan (RAT) that provides persistent remote control over infected systems. Additionally, the campaign uses the Tsunami Payload, which modifies Windows Defender to add exceptions and creates scheduled tasks to maintain persistence and evade endpoint security. The attack chain is multi-staged, starting from initial social engineering contact, progressing through delivery of trojanized code, and culminating in the deployment of multiple malware components. The use of legitimate services for hosting payloads and the targeting of niche developer communities make this campaign particularly stealthy and effective. The campaign leverages various MITRE ATT&CK techniques such as T1053 (Scheduled Task), T1562 (Impair Defenses), T1566 (Phishing), and T1204 (User Execution), highlighting its complexity and sophistication. No known public exploits exist for this campaign, but its reliance on social engineering and multi-platform malware increases its threat potential.

For European organizations, especially those involved in cryptocurrency and Web3 development, this campaign poses a significant risk to confidentiality and integrity of sensitive intellectual property, credentials, and development environments. The multi-platform nature of the malware means that organizations using diverse operating systems are vulnerable. Successful compromise could lead to theft of proprietary code, user credentials, and potentially financial assets, as well as long-term persistence within corporate networks. The use of legitimate JSON storage services and code repositories complicates detection and response, increasing the likelihood of prolonged undetected presence. This could result in reputational damage, regulatory penalties under GDPR if personal data is compromised, and financial losses. The campaign’s targeting of developers means that supply chain security could be undermined, potentially affecting downstream customers and partners. The stealthy nature and use of advanced evasion techniques also increase the operational cost and complexity of incident response for affected organizations.

1. Implement rigorous social engineering awareness training focused on recruitment scams and staged interview tactics, emphasizing verification of recruiter identities and interview processes. 2. Enforce strict code review and validation policies, especially for code received from external or unknown sources, including scanning for trojanized code. 3. Monitor and restrict use of JSON storage services and unusual outbound connections to such services, employing network anomaly detection to flag suspicious activity. 4. Harden endpoint security by configuring Windows Defender and other antivirus solutions to detect and block known malware components like BeaverTail, OtterCookie, and InvisibleFerret, and audit exceptions and scheduled tasks regularly. 5. Deploy endpoint detection and response (EDR) solutions capable of detecting multi-stage attack chains and lateral movement across Windows, Linux, and macOS. 6. Use multi-factor authentication (MFA) and credential hygiene best practices to limit impact of credential theft. 7. Maintain up-to-date threat intelligence feeds and integrate indicators of compromise related to this campaign into security monitoring tools. 8. Conduct regular penetration testing and red team exercises simulating social engineering and malware delivery scenarios to improve detection and response capabilities. 9. Collaborate with industry peers and law enforcement to share intelligence and best practices regarding this campaign.