Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.
Reconnecting to live updates…

Contagious Interview malware in SVG images: DPRK campaign

0
Medium
Published: 07/17/2026 (07/17/2026, 20:08:00 UTC)
Source: AlienVault OTX General

Description

A DPRK-aligned threat group is targeting developers through fake job postings and coding challenges in a campaign tracked as REF9403. Attackers post fake job offers in developer forums, then send trojanized repositories containing fully functional e-commerce projects with malicious code hidden using steganography inside SVG flag images. When developers run these projects, the malware deploys four-stage payloads aligned with OTTERCOOKIE: a browser credential and cryptocurrency wallet stealer, a file exfiltration module, a Socket.IO-based remote access trojan, and a clipboard stealer. The campaign was discovered after targeting Elastic's community Slack workspace. Multiple trojanized repositories were found with zero antivirus detections at the time of discovery, demonstrating the sophistication of this supply chain attack vector against software developers.

Technical Details

Author
AlienVault
Tlp
white
References
["https://www.elastic.co/security-labs/contagious-interview-malware-svg-steganography"]
Adversary
Contagious Interview
Pulse Id
6a5a8ba0229db5a5b2686baa
Threat Score
null

Indicators of Compromise

Hash

ValueDescriptionCopy
hash3e6360f83a95540aa2176d279ca4694513afb1e5116a7ffe591c6b5bcf3b9c3c
hash4e7639045b4a64de60bfb6312951a5c3dffbd3fb04b84837663242ed27f09864
hash54bf36910d81ab516037cb3d69d7c85190f90aa0da9e58617799c1fc738dc5a9
hash8e571d58794b9b44ae53c2c67bedef72c500e8adbb80aab7a5c263adcba55b1e
hash96357529d17c4690826d5d4c74deac51743a5388733b3f04004d898f0635ef20
hash9df01d242ef46adfedf8c35cb7cc67b1d27d7dc4a1ce74ab32e984090d579886
hashc5aed4c063d4970a03250778da8041da9e0c83d8f22d2f1994da0ad72567ebd9
hashcc97517f80f567977300450de11e9a0be53f52657525a20b1091c99fe9e45730
hashfb94b2caee2c40635448a98ba0118421e19a400e74ccff73315f8fa42351f53f

Domain

ValueDescriptionCopy
domaincontroller.rightwidth.dev
domainfile.rightwidth.dev
domainldb.rightwidth.dev
domainupload.rightwidth.dev

Threat ID: 6a5b3f7634329bf928c66a8f

Added to database: 07/18/2026, 08:55:18 UTC

Last updated: 07/18/2026, 08:56:33 UTC

Views: 3

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by
Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Actions

Please log in to the Console to use AI analysis features.

External Links

Need more coverage?

Upgrade to Pro Console for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

Latest Threats

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now
OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited
View courses