North Korea’s PurpleBravo Campaign Exposed: 3,136 IP Addresses Compromised

Key Takeaways

  • The Contagious Interview campaign, attributed to North Korean threat actors, has targeted 20 potential victim organizations across various sectors in Europe, South Asia, the Middle East, and Central America.
  • The campaign has been linked to 3,136 individual IP addresses, primarily concentrated in South Asia and North America, and has been active from August 2024 to September 2025.
  • The attackers use malicious Microsoft Visual Studio Code (VS Code) projects to distribute a backdoor and exploit trusted developer workflows for cyber espionage and financial theft.
  • The campaign is part of a larger threat activity cluster known as PurpleBravo, which has been observed managing command-and-control (C2) servers for malware families like BeaverTail and GolangGhost.
  • The threat actors use Astrill VPN to administer C2 servers and have been linked to IP addresses in China and Russia.

Introduction to the Contagious Interview Campaign
The Contagious Interview campaign, a threat activity cluster attributed to North Korean threat actors, has targeted 20 potential victim organizations across various sectors, including artificial intelligence, cryptocurrency, financial services, IT services, marketing, and software development. The campaign, active from August 2024 to September 2025, has been linked to 3,136 individual IP addresses, primarily concentrated in South Asia and North America. The victim companies are based in Belgium, Bulgaria, Costa Rica, India, Italy, the Netherlands, Pakistan, Romania, the United Arab Emirates, and Vietnam. The campaign is part of a larger threat activity cluster known as PurpleBravo, which has been observed managing command-and-control (C2) servers for malware families such as BeaverTail and GolangGhost.

Tactics and Techniques Used by the Threat Actors
The threat actors behind the Contagious Interview campaign use malicious Microsoft Visual Studio Code (VS Code) projects to distribute a backdoor and exploit trusted developer workflows for cyber espionage and financial theft. In several cases, job-seeking candidates have executed malicious code on corporate devices, creating organizational exposure beyond the individual target. The attackers also use Astrill VPN to administer C2 servers, which are hosted across 17 different providers and are linked to IP addresses in China. Additionally, the threat actors have been found to use LinkedIn personas and GitHub repositories to deliver malware and communicate with C2 servers. For instance, the Mastercard-owned company, Jamf Threat Labs, detected four LinkedIn personas potentially associated with PurpleBravo that masqueraded as developers and recruiters and claimed to be from the Ukrainian city of Odesa.
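The article does not describe how the malicious VS Code projects execute their payload, so the following is an added, hypothetical pre-open check (not code from the article or from the researchers it cites) that triages a received "coding assignment" for the hooks a defender would want to inspect first: tasks whose `runOptions.runOn` is `folderOpen`, which VS Code starts automatically in a trusted workspace, and workspace settings that redirect which interpreter or terminal is used. The sample project it builds is constructed for the demonstration; the file names and paths in it are placeholders, not indicators from the campaign.

```python
import json
import re
import tempfile
from pathlib import Path

AUTO_RUN = "folderOpen"  # tasks with runOptions.runOn == folderOpen start on open
# Workspace settings that change which binaries the editor or terminal executes
RISKY_SETTINGS = ("terminal.integrated.env", "terminal.integrated.profiles",
                  "python.defaultInterpreterPath", "git.path")

def _load_jsonc(path):
    """Parse VS Code's JSON-with-comments; string contents are left untouched."""
    text = path.read_text(encoding="utf-8", errors="replace")
    text = re.sub(r'("(?:\\.|[^"\\])*")|//[^\n]*|/\*.*?\*/',
                  lambda m: m.group(1) or "", text, flags=re.S)
    text = re.sub(r",(\s*[}\]])", r"\1", text)  # tolerate trailing commas
    return json.loads(text)

def triage_vscode_project(root):
    """Return findings for project files that run code when the folder is opened."""
    root, findings = Path(root), []
    tasks = root / ".vscode" / "tasks.json"
    if tasks.is_file():
        data = _load_jsonc(tasks)
        global_auto = data.get("runOptions", {}).get("runOn") == AUTO_RUN
        for t in data.get("tasks", []):
            if global_auto or t.get("runOptions", {}).get("runOn") == AUTO_RUN:
                cmd = f"{t.get('command', '')} {' '.join(t.get('args', []))}".strip()
                findings.append(f"auto-run task {t.get('label', '?')!r}: {cmd}")
    settings = root / ".vscode" / "settings.json"
    if settings.is_file():
        for key in _load_jsonc(settings):
            if key.startswith(RISKY_SETTINGS):
                findings.append(f"workspace overrides {key}")
    return findings

def build_sample_project(root):
    """Constructed sample (placeholder names): an assignment whose tasks.json
    launches a script as soon as the folder is opened."""
    vs = Path(root) / ".vscode"
    vs.mkdir(parents=True, exist_ok=True)
    (vs / "tasks.json").write_text(
        '{ // constructed sample, url in a string must survive: "https://x/"\n'
        ' "version": "2.0.0", "tasks": [{"label": "install deps", "type": "shell",'
        ' "command": "node", "args": ["./scripts/postinstall.js"],'
        ' "runOptions": {"runOn": "folderOpen"}, }], }')
    (vs / "settings.json").write_text(
        '{"python.defaultInterpreterPath": "./.venv/bin/python"}')

def demo():
    """Build the constructed sample in a temp dir and triage it."""
    with tempfile.TemporaryDirectory() as d:
        build_sample_project(d)
        return triage_vscode_project(d)

if __name__ == "__main__":
    for finding in demo():
        print("FINDING:", finding)
```

Run it against a cloned assignment before opening the folder in VS Code; any finding means the project should be opened only in an isolated, untrusted workspace.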

Relationship with Other Threat Activity Clusters
The Contagious Interview campaign is not an isolated threat activity cluster. It has significant overlaps with another campaign referred to as Wagemole (aka PurpleDelta), in which North Korean IT workers seek unauthorized employment under fraudulent or stolen identities with organizations based in the U.S. and other parts of the world, for both financial gain and espionage. While the two clusters are tracked as separate sets of activity, there are tactical and infrastructure overlaps between them, including the use of Astrill VPN and IP addresses in Russia linked to North Korean IT workers communicating with PurpleBravo C2 servers. Furthermore, a likely PurpleBravo operator has been found to display activity consistent with North Korean IT worker behavior, underscoring the connection between the two campaigns.

Impact on the IT Software Supply Chain
The Contagious Interview campaign highlights the vulnerability of the IT software supply chain to infiltration by North Korean adversaries. Candidates approached by PurpleBravo with fictitious job offers have been found to take the coding assessment on company-issued devices, effectively compromising their employers in the process. This poses an acute supply-chain risk to companies outsourcing work in these regions, as many of the potential victim organizations advertise large customer bases. The threat actors’ use of malicious code and backdoors can lead to sensitive data leakage, and the campaign’s ability to exploit trusted developer workflows makes it a significant threat to the IT software supply chain. To mitigate this risk, organizations must take proactive measures to prevent sensitive data from leaking to North Korean threat actors.

Conclusion and Recommendations
The Contagious Interview campaign is a significant threat activity cluster that has targeted 20 potential victim organizations across various sectors. Its use of malicious code, backdoors, and trusted developer workflows makes it a major concern for the IT software supply chain. To defend against it and prevent sensitive data leakage, organizations must be aware of the tactics and techniques used by the threat actors and take proactive measures to mitigate the risk. This includes monitoring for suspicious activity, implementing robust security measures, and educating employees on the risks associated with the campaign. By taking these steps, organizations can reduce the risk of falling victim to the Contagious Interview campaign and protect their sensitive data from North Korean threat actors.
