Threat analysts at Silent Push have uncovered a new campaign orchestrated by the North Korean state-sponsored APT group, Contagious Interview, a subgroup of Lazarus (aka “Famous Chollima”). This latest operation reveals an elaborate scheme involving three fake cryptocurrency consulting companies used as fronts to distribute malware to unsuspecting job applicants.
The fake companies exposed are:
- BlockNovas LLC (blocknovas[.]com)
- Angeloper Agency (angeloper[.]com)
- SoftGlide LLC (softglide[.]co)
Silent Push confirmed that these companies are being used to spread three malware strains:
- BeaverTail: A JavaScript-based information stealer targeting browser-based crypto wallets.
- InvisibleFerret: A Python-based backdoor, often deployed as a second stage payload.
- OtterCookie: Another strain aiding persistence and data exfiltration across platforms.
“Our malware analysts confirmed that three strains, BeaverTail, InvisibleFerret, and OtterCookie, are being used to spread malware via ‘interview malware lures’ to unsuspecting cryptocurrency job applicants,” Silent Push reported.
Contagious Interview’s method heavily relies on social engineering. They post fake job listings on legitimate platforms like Upwork, Freelancer, and CryptoJobsList, lure applicants into fake interviews, and deliver malware disguised as skill assessment tests. Silent Push analysts highlighted, “The BlockNovas front company has 14 people allegedly working for them, however many of the employee personas our team researched appear to be fake.” AI-generated images, particularly via “Remaker AI,” were used to create realistic but fictitious employee profiles to build credibility for these companies.
Silent Push discovered that BlockNovas’ infrastructure, including domains like lianxinxiao[.]com, was used both as command-and-control (C2) servers and malware staging points. GitHub repositories tied to BlockNovas hosted malicious code disguised as developer assessment tasks.
One victim recounted, “After accepting the contract, the client invited me to their GitLab project and asked me to run their backend code. Soon after running it, I realized that my MetaMask wallet had been compromised.”
Among the technical findings:
- BeaverTail targets browser extensions such as MetaMask, Coinbase Wallet, Phantom, and Crypto.com.
- InvisibleFerret ensures persistence across Windows, macOS, and Linux.
- OtterCookie assists in maintaining access and hiding communications.
The malware was often spread via fake GitHub repositories, and Silent Push found obfuscated JavaScript and Python payloads dynamically pulled from C2 domains.
A notable operational security lapse by Contagious Interview exposed their dashboard monitoring service health for domains like BlockNovas and lianxinxiao[.]com, tying all fronts together. Silent Push noted, “This dashboard tied the three different companies and their products together, along with a malware staging and C2 domain. This was a significant OPSEC failure by Contagious Interview.”
The Contagious Interview campaign represents a dangerous evolution in North Korean cyber operations, combining AI deception, sophisticated social engineering, and cross-platform malware. Job seekers in the cryptocurrency sector are particularly at risk.
Silent Push urges defenders to remain vigilant against suspicious job offers and implement strong endpoint protections, especially when handling freelance or remote job solicitations in cryptocurrency and tech fields.