Inside DPRK's Fake Job Platform Targeting U.S. AI Talent
A DPRK-linked threat actor operates a sophisticated fake job platform named Contagious Interview targeting U.S. AI and cryptocurrency professionals. The platform, hosted at lenvny.com, mimics legitimate recruitment processes with professional design and fake testimonials to lure victims. The attack uses social engineering to convince targets to record video introductions, triggering malware delivery via clipboard hijacking. This malware aims to steal strategic information and financial assets from high-value individuals. The campaign employs multiple advanced techniques including malware persistence, obfuscation, and command execution. While primarily targeting U.S.
AI Analysis
Technical Summary
The Contagious Interview campaign is a DPRK-linked cyber espionage and financial theft operation leveraging a fake job platform to target high-value AI and cryptocurrency professionals, primarily in the U.S. The platform, hosted at lenvny.com and related domains, is designed to appear as a legitimate AI-powered interview tool, complete with professional UI, fake testimonials, and references to well-known tech companies to establish credibility. Victims are lured into engaging with the platform under the guise of job interviews, where they are prompted to record video introductions. This user action triggers a clipboard hijacking malware delivery mechanism that captures sensitive data and executes malicious payloads. The malware employs techniques such as code obfuscation (T1027), persistence via registry run keys (T1547.001, T1547.009), masquerading (T1036), and command execution through scripting (T1059.001, T1059.005). The campaign also uses social engineering (T1566) and remote access tools (T1105) to maintain control and exfiltrate data. Although no CVE or known exploits are reported, the operation’s complexity and targeted nature indicate a well-resourced adversary aiming to steal intellectual property and cryptocurrency assets. Indicators of compromise include specific IP addresses (69.62.86.78, 72.61.9.45) and domains (advisorflux.com, assureeval.com, carrerlilla.com, lenvny.com). The campaign’s focus on AI and cryptocurrency sectors highlights the strategic intent to access cutting-edge technology and financial resources.
Potential Impact
For European organizations, especially those involved in AI research, development, and cryptocurrency, this threat poses a significant risk of intellectual property theft and financial loss. Compromise of AI talent could lead to exposure of proprietary algorithms, research data, and strategic plans, undermining competitive advantage and national technological leadership. Cryptocurrency professionals targeted could suffer direct financial theft or loss of wallet credentials. The social engineering approach increases the risk of insider threats and credential compromise, potentially enabling broader network infiltration. Given the global nature of AI and crypto sectors, European professionals may be targeted either directly or via collaboration with U.S. entities. The malware’s persistence and obfuscation techniques complicate detection and remediation, potentially leading to prolonged unauthorized access and data exfiltration. The medium severity rating reflects the targeted scope and complexity, but the potential impact on confidentiality and financial assets is substantial.
Mitigation Recommendations
European organizations should implement targeted awareness training focused on sophisticated social engineering tactics used in recruitment scams, emphasizing verification of job platforms and interview processes. Deploy endpoint detection and response (EDR) solutions capable of identifying clipboard hijacking and suspicious scripting activities. Monitor network traffic for connections to known malicious IPs and domains associated with this campaign (e.g., lenvny.com, advisorflux.com). Enforce strict application control policies to prevent execution of unauthorized scripts and binaries. Use multi-factor authentication (MFA) and credential monitoring to detect and block compromised accounts. Establish incident response playbooks specific to recruitment-related phishing and malware delivery. Collaborate with threat intelligence sharing groups to receive timely updates on indicators of compromise. Encourage verification of job offers through official company channels and limit sharing of sensitive information during recruitment. Regularly audit registry run keys and startup items for unauthorized persistence mechanisms. Finally, maintain robust backup and recovery procedures to mitigate impact of potential data loss.
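The network-monitoring recommendation above is simplest to operationalise as an indicator sweep over DNS and proxy telemetry. The script below is an added example, not code from Validin, AlienVault or this page's analysis: it takes the IPs and domains listed in this page's Indicators of Compromise section and matches them against log lines in an assumed `key=value` format (the sample lines are constructed for the example, not real telemetry). Domain matching is label-aware, so a look-alike such as `notlenvny.com` is not flagged while `api.lenvny.com` is, and URL values are reduced to their host before comparison.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional
from urllib.parse import urlsplit

# Indicators as listed on this page (AlienVault pulse 6926d16a60c2447d2c490745).
IOC_DOMAINS = {"advisorflux.com", "assureeval.com", "carrerlilla.com", "lenvny.com"}
IOC_IPS = {"69.62.86.78", "72.61.9.45"}

# Constructed sample telemetry in an assumed "key=value" layout; not real log data.
SAMPLE_LOGS = [
    "2025-11-26T10:19:26Z type=dns host=ws-17 query=api.lenvny.com",
    "2025-11-26T10:20:01Z type=dns host=ws-17 query=www.example.com",
    "2025-11-26T10:21:13Z type=proxy host=ws-42 dst=72.61.9.45 url=http://72.61.9.45/update",
    "2025-11-26T10:22:40Z type=dns host=ws-03 query=notlenvny.com",
    "2025-11-26T10:23:05Z type=proxy host=ws-42 dst=10.0.0.5 url=https://portal.assureeval.com/login",
]

KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass
class Hit:
    line: str       # the full log line that matched
    field: str      # which key carried the indicator (query, dst, url, ...)
    observed: str   # the raw value seen in the log
    ioc: str        # the indicator from the page that it matched


def domain_matches(name: str) -> Optional[str]:
    """Return the IoC domain that `name` equals or is a subdomain of, else None.

    Label-aware: 'notlenvny.com' does not match 'lenvny.com', but
    'api.lenvny.com' does. Case and a trailing dot are ignored.
    """
    name = name.rstrip(".").lower()
    for ioc in IOC_DOMAINS:
        if name == ioc or name.endswith("." + ioc):
            return ioc
    return None


def ip_matches(value: str) -> Optional[str]:
    """Return the IoC IP that `value` equals, else None (non-IPs yield None)."""
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return None
    return str(addr) if str(addr) in IOC_IPS else None


def indicator_for(value: str) -> Optional[str]:
    """Match a raw field value (IP, hostname, or URL) against the IoC sets."""
    host = value
    if "://" in value:
        # Reduce URLs to their host so that paths and ports do not hide a match.
        host = urlsplit(value).hostname or ""
    return ip_matches(host) or domain_matches(host)


def scan_line(line: str) -> List[Hit]:
    """Return one Hit per distinct indicator observed on a single log line."""
    hits, seen = [], set()
    for field, value in KV_RE.findall(line):
        ioc = indicator_for(value)
        if ioc and ioc not in seen:
            seen.add(ioc)
            hits.append(Hit(line, field, value, ioc))
    return hits


def scan_logs(lines: Iterable[str]) -> List[Hit]:
    """Sweep a log stream and collect every indicator hit in order of appearance."""
    return [hit for line in lines for hit in scan_line(line)]


if __name__ == "__main__":
    for h in scan_logs(SAMPLE_LOGS):
        print(f"{h.ioc:<16} via {h.field}={h.observed}")
```

Run against the constructed sample, the sweep reports three hits: the DNS query for `api.lenvny.com`, the proxy connection to `72.61.9.45` (counted once even though the IP appears in both the `dst` and `url` fields), and the URL on `portal.assureeval.com`. The look-alike `notlenvny.com` and the internal address `10.0.0.5` are correctly left alone. In production the `SAMPLE_LOGS` list would be replaced by a file or SIEM export in the same key=value shape, and the indicator sets refreshed from the threat-intelligence feed the recommendations mention.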
Affected Countries
United Kingdom, Germany, France, Netherlands, Sweden, Finland
Indicators of Compromise
- ip: 69.62.86.78
- ip: 72.61.9.45
- domain: advisorflux.com
- domain: assureeval.com
- domain: carrerlilla.com
- domain: lenvny.com
Technical Details
- Author: AlienVault
- TLP: white
- References: https://www.validin.com/blog/inside_dprk_fake_job_platform/
- Adversary: DPRK
- Pulse Id: 6926d16a60c2447d2c490745
- Threat Score: null
Threat ID: 6926d42e63e47a62eb4f31d4
Added to database: 11/26/2025, 10:19:26 AM
Last enriched: 11/26/2025, 10:19:44 AM
Last updated: 12/4/2025, 10:29:25 AM