Contagious Interview malware in SVG images: DPRK campaign
A DPRK-aligned threat group is targeting developers through fake job postings and coding challenges in a campaign tracked as REF9403. Attackers post fake job offers in developer forums, then send trojanized repositories containing fully functional e-commerce projects with malicious code hidden using steganography inside SVG flag images. When developers run these projects, the malware deploys four-stage payloads aligned with OTTERCOOKIE: a browser credential and cryptocurrency wallet stealer, a file exfiltration module, a Socket.IO-based remote access trojan, and a clipboard stealer. The campaign was discovered after targeting Elastic's community Slack workspace. Multiple trojanized repositories were found with zero antivirus detections at the time of discovery, demonstrating the sophistication of this supply chain attack vector against software developers.
Indicators of Compromise
- hash: 3e6360f83a95540aa2176d279ca4694513afb1e5116a7ffe591c6b5bcf3b9c3c
- hash: 4e7639045b4a64de60bfb6312951a5c3dffbd3fb04b84837663242ed27f09864
- hash: 54bf36910d81ab516037cb3d69d7c85190f90aa0da9e58617799c1fc738dc5a9
- hash: 8e571d58794b9b44ae53c2c67bedef72c500e8adbb80aab7a5c263adcba55b1e
- hash: 96357529d17c4690826d5d4c74deac51743a5388733b3f04004d898f0635ef20
- hash: 9df01d242ef46adfedf8c35cb7cc67b1d27d7dc4a1ce74ab32e984090d579886
- hash: c5aed4c063d4970a03250778da8041da9e0c83d8f22d2f1994da0ad72567ebd9
- hash: cc97517f80f567977300450de11e9a0be53f52657525a20b1091c99fe9e45730
- hash: fb94b2caee2c40635448a98ba0118421e19a400e74ccff73315f8fa42351f53f
- domain: controller.rightwidth.dev
- domain: file.rightwidth.dev
- domain: ldb.rightwidth.dev
- domain: upload.rightwidth.dev
Contagious Interview malware in SVG images: DPRK campaign
Description
A DPRK-aligned threat group is targeting developers through fake job postings and coding challenges in a campaign tracked as REF9403. Attackers post fake job offers in developer forums, then send trojanized repositories containing fully functional e-commerce projects with malicious code hidden using steganography inside SVG flag images. When developers run these projects, the malware deploys four-stage payloads aligned with OTTERCOOKIE: a browser credential and cryptocurrency wallet stealer, a file exfiltration module, a Socket.IO-based remote access trojan, and a clipboard stealer. The campaign was discovered after targeting Elastic's community Slack workspace. Multiple trojanized repositories were found with zero antivirus detections at the time of discovery, demonstrating the sophistication of this supply chain attack vector against software developers.
Technical Details
- Author
- AlienVault
- Tlp
- white
- References
- ["https://www.elastic.co/security-labs/contagious-interview-malware-svg-steganography"]
- Adversary
- Contagious Interview
- Pulse Id
- 6a5a8ba0229db5a5b2686baa
- Threat Score
- null
Indicators of Compromise
Hash
| Value | Description | Copy |
|---|---|---|
hash3e6360f83a95540aa2176d279ca4694513afb1e5116a7ffe591c6b5bcf3b9c3c | — | |
hash4e7639045b4a64de60bfb6312951a5c3dffbd3fb04b84837663242ed27f09864 | — | |
hash54bf36910d81ab516037cb3d69d7c85190f90aa0da9e58617799c1fc738dc5a9 | — | |
hash8e571d58794b9b44ae53c2c67bedef72c500e8adbb80aab7a5c263adcba55b1e | — | |
hash96357529d17c4690826d5d4c74deac51743a5388733b3f04004d898f0635ef20 | — | |
hash9df01d242ef46adfedf8c35cb7cc67b1d27d7dc4a1ce74ab32e984090d579886 | — | |
hashc5aed4c063d4970a03250778da8041da9e0c83d8f22d2f1994da0ad72567ebd9 | — | |
hashcc97517f80f567977300450de11e9a0be53f52657525a20b1091c99fe9e45730 | — | |
hashfb94b2caee2c40635448a98ba0118421e19a400e74ccff73315f8fa42351f53f | — |
Domain
| Value | Description | Copy |
|---|---|---|
domaincontroller.rightwidth.dev | — | |
domainfile.rightwidth.dev | — | |
domainldb.rightwidth.dev | — | |
domainupload.rightwidth.dev | — |
Threat ID: 6a5b3f7634329bf928c66a8f
Added to database: 07/18/2026, 08:55:18 UTC
Last updated: 07/18/2026, 08:56:33 UTC
Views: 3
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.