3 Sources
[1]
North Korean Hackers Spread Malware via Fake Crypto Firms and Job Interview Lures
North Korea-linked threat actors behind the Contagious Interview campaign have set up front companies as a way to distribute malware during the fake hiring process. "In this new campaign, the threat actor group is using three front companies in the cryptocurrency consulting industry -- BlockNovas LLC (blocknovas[.]com), Angeloper Agency (angeloper[.]com), and SoftGlide LLC (softglide[.]co) -- to spread malware via 'job interview lures,'" Silent Push said in a deep-dive analysis. The activity, the cybersecurity company said, is being used to distribute three different known malware families: BeaverTail, InvisibleFerret, and OtterCookie. Contagious Interview is one of several job-themed social engineering campaigns orchestrated by North Korea to entice targets into downloading cross-platform malware under the pretext of a coding assignment or of fixing an issue with their browser when turning on the camera during a video assessment. The activity is tracked by the broader cybersecurity community under the monikers CL-STA-0240, DeceptiveDevelopment, DEV#POPPER, Famous Chollima, UNC5342, and Void Dokkaebi. The use of front companies for malware propagation, complemented by fraudulent accounts on Facebook, LinkedIn, Pinterest, X, Medium, GitHub, and GitLab, marks a new escalation for the threat actors, who have previously been observed using various job boards to lure victims. "The BlockNovas front company has 14 people allegedly working for them, however many of the employee personas [...] appear to be fake," Silent Push said. "When viewing the 'About Us' page of blocknovas[.]com via the Wayback Machine, the group claimed to have been operating for '12+ years' - which is 11 years longer than the business has been registered." The attacks lead to the deployment of a JavaScript stealer and loader called BeaverTail, which is then used to drop a Python backdoor referred to as InvisibleFerret that can establish persistence on Windows, Linux, and macOS hosts.
Select infection chains have also been found to serve another malware codenamed OtterCookie via the same JavaScript payload used to launch BeaverTail. BlockNovas has been observed using video assessments to distribute FROSTYFERRET and GolangGhost via ClickFix-related lures, a tactic that was detailed earlier this month by Sekoia, which tracks the activity under the name ClickFake Interview. BeaverTail is configured to contact an external server ("lianxinxiao[.]com") for command-and-control (C2), which serves InvisibleFerret as the follow-up payload. It comes with various features to harvest system information, launch a reverse shell, download additional modules to steal browser data and files, and initiate the installation of the AnyDesk remote access software. Further analysis of the malicious infrastructure has revealed the presence of a "Status Dashboard" hosted on one of BlockNovas' subdomains to maintain visibility into four of their domains: lianxinxiao[.]com, angeloperonline[.]online, and softglide[.]co. A separate subdomain, mail.blocknovas[.]com, has also been found to be hosting an open-source, distributed password cracking management system called Hashtopolis. The fake recruitment drives have led to at least one developer allegedly having their MetaMask wallet compromised in September 2024. That's not all. The threat actors also appear to be hosting a tool named Kryptoneer on the domain attisscmo[.]com that offers the ability to connect to cryptocurrency wallets such as Suiet Wallet, Ethos Wallet, and Sui Wallet. "It's possible that North Korean threat actors have made additional efforts to target the Sui blockchain, or this domain may be used within job application processes as an example of the 'crypto project' being worked on," Silent Push said.
BlockNovas, according to an independent report published by Trend Micro, also advertised in December 2024 an open position for a senior software engineer on LinkedIn, specifically targeting Ukrainian IT professionals. As of April 23, 2025, the BlockNovas domain has been seized by the U.S. Federal Bureau of Investigation (FBI) as part of a law enforcement action against North Korean cyber actors for using it to "deceive individuals with fake job postings and distribute malware." Besides using services like Astrill VPN and residential proxies to obfuscate their infrastructure and activities, a noteworthy aspect of the malicious activity is the use of artificial intelligence (AI)-powered tools like Remaker to create profile pictures. The cybersecurity company, in its analysis of the Contagious Interview campaign, said it identified five Russian IP ranges that have been used to carry out the operation. These IP addresses are obscured by a VPN layer, a proxy layer, or an RDP layer. "The Russian IP address ranges, which are concealed by a large anonymization network that uses commercial VPN services, proxy servers, and numerous VPS servers with RDP, are assigned to two companies in Khasan and Khabarovsk," security researchers Feike Hacquebord and Stephen Hilt said. "Khasan is a mile from the North Korea-Russia border, and Khabarovsk is known for its economic and cultural ties with North Korea." If Contagious Interview is one side of the coin, the other is the fraudulent IT worker threat known as Wagemole, which refers to a tactic that involves crafting fake personas using AI to get their IT workers hired remotely as employees at major companies. These efforts have dual motivations, designed to steal sensitive data and pursue financial gain by funneling a chunk of the monthly salaries back to the Democratic People's Republic of Korea (DPRK). 
"Facilitators are now using GenAI-based tools to optimize every step in the process of applying and interviewing for roles and to aid DPRK nationals attempting to maintain this employment," Okta said. "These GenAI-enhanced services are required to manage the scheduling of job interviews with multiple DPRK candidate personas by a small cadre of facilitators. These services use GenAI in everything from tools that transcribe or summarize conversations, to real-time translation of voice and text." Telemetry data gathered by Trend Micro points to the Pyongyang-aligned threat actors working from China, Russia, and Pakistan, while using the Russian IP ranges to connect to dozens of VPS servers over RDP and then perform tasks like interacting on job recruitment sites and accessing cryptocurrency-related services. "Given that a significant portion of the deeper layers of the North Korean actors' anonymization network is in Russia, it is plausible, with low to medium confidence, that some form of intentional cooperation or infrastructure sharing exists between North Korea and Russian entities," the company said.
[2]
North Korean hackers set up 3 shell companies to scam crypto devs
Silent Push senior threat analyst Zach Edwards says the FBI has since shut down at least one of the companies. A subgroup of the North Korea-linked hacker organization Lazarus set up three shell companies, two in the US, to deliver malware to unsuspecting users. The three sham crypto consulting firms -- BlockNovas, Angeloper Agency and SoftGlide -- are being used by the North Korean hacker group Contagious Interview to distribute malware through fake job interviews, Silent Push Threat Analysts said in an April 24 report. Silent Push senior threat analyst Zach Edwards said in an April 24 statement on X that two of the shell companies are registered as legitimate businesses in the United States. "These websites and a huge network of accounts on hiring / recruiting websites are being used to trick people into applying for jobs," he said. "During the job application process an error message is displayed as someone tries to record an introduction video. The solution is an easy click fix copy and paste trick, which leads to malware if the unsuspecting developer completes the process." Three strains of malware -- BeaverTail, InvisibleFerret and OtterCookie -- are being used, according to Silent Push. BeaverTail is malware primarily designed for information theft and to load further stages of malware. OtterCookie and InvisibleFerret mainly target sensitive information, including crypto wallet keys and clipboard data. Silent Push analysts said in the report that the hackers use GitHub, job listings and freelancer websites to look for victims. The ruse also involves the hackers using AI-generated images to create profiles of employees for the three front crypto companies and stealing images of real people. "There are numerous fake employees and stolen images from real people being used across this network. We've documented some of the obvious fakes and stolen images, but it's very important to appreciate that the impersonation efforts from this campaign are different," Edwards said.
"In one of the examples, the threat actors took a real photo from a real person, and then appeared to have run it through an AI image modifier tool to create a subtly different version of that same image." This malware campaign has been ongoing since 2024. Edwards says there are known public victims. Silent Push identified two developers targeted by the campaign; one of them reportedly had their MetaMask wallet compromised. The FBI has since shut down at least one of the companies. "The Federal Bureau of Investigation (FBI) acquired the Blocknovas domain, but Softglide is still live, along with some of their other infrastructure," Edwards said. At least three crypto founders reported in March that they foiled an attempt by alleged North Korean hackers to steal sensitive data through fake Zoom calls. Groups such as the Lazarus Group are the prime suspects in some of the biggest cyber thefts in Web3, including the $1.4 billion Bybit hack and the $600 million Ronin network hack.
[3]
Crypto Hack Alert: North Korean Hackers Target Developers With New Campaign
Via fake job interviews, the scammers steal individuals' credentials, which help them attack businesses.

Amidst increasing crypto hacks, experts caution against a newly identified malware campaign. North Korean hackers, linked to the notorious Lazarus Group, have reportedly created three shell companies, including two in the US, to spread malware targeting crypto developers. Through phony job interviews, these scammers trick people into compromising their crypto wallets and steal credentials, which enables further attacks on legitimate businesses.

North Korean Hackers Target Developers: Know the Crypto Hack Risks

Cybersecurity firm Silent Push recently released a warning against the increasing crypto hacks orchestrated by the notorious North Korean hackers. The Lazarus-linked group has set up three fake companies to deliver malware to the targeted victims. These companies include BlockNovas, Angeloper Agency, and SoftGlide. Via fake interviews, these scammers send malware to crypto developers, which helps them steal credentials and attack the businesses. The cybersecurity firm stated, "These websites and a huge network of accounts on hiring / recruiting websites are being used to trick people into applying for jobs." Further explaining the procedures involved in the hacking, the firm added, "During the job application process an error message is displayed as someone tries to record an introduction video. The solution is an easy click fix copy and paste trick, which leads to malware if the unsuspecting developer completes the process."

Fake Employees via AI

An interesting part of the North Korean hackers' crypto hack is the use of artificial intelligence to create fake employees. The hackers use AI to generate images and profiles for fake employees of the three front companies. In some cases, the hackers have even stolen real images of crypto developers working in prominent firms.
Silent Push noted, "There are numerous fake employees and stolen images from real people being used across this network... In one of the examples, the threat actors took a real photo from a real person, and then appeared to have run it through an AI image modifier tool to create a subtly different version of that same image." Earlier this year, crypto exchange Deribit released a similar warning against crypto job scams. The platform identified scammers attracting job seekers by impersonating prominent crypto platforms.

FBI Seizes Fake Companies to Tackle Crypto Hacks

Though the Federal Bureau of Investigation declined to comment on the two fake companies in the US, it revealed the seizure of the Blocknovas domain as part of a law enforcement action against North Korean hackers. The bureau is targeting not only the actors but also those facilitating their schemes. An FBI official described North Korean cyber operations as "one of the most advanced persistent threats" facing the US. This development comes following Australia's increased scrutiny over companies involved in pig butchering crypto scams. Australia's Securities and Investments Commission has taken the initiative to shut down 95 firms that reportedly facilitate crypto hacks.
North Korean hackers set up fake crypto consulting firms to distribute malware through job interview lures, compromising wallets and stealing credentials. The FBI has seized one domain as part of ongoing efforts to combat this threat.
A group of North Korean hackers, linked to the notorious Lazarus Group, has launched a sophisticated malware campaign targeting cryptocurrency developers. The operation, known as "Contagious Interview," involves setting up front companies in the cryptocurrency consulting industry to spread malware through fake job interview processes [1][2]. Three shell companies have been identified as part of this operation: BlockNovas, Angeloper Agency, and SoftGlide.

These companies are being used to distribute three known malware families: BeaverTail, InvisibleFerret, and OtterCookie [1]. The malware is designed to steal sensitive information, including crypto wallet keys and clipboard data [2]. The hackers have employed various tactics to make their operation appear legitimate [1][2][3].

The attackers lure victims by posting job listings on various platforms, including GitHub, job boards, and freelancer websites [2]. During the fake job application process, applicants are presented with an error message when trying to record an introduction video. The "solution" involves a simple click-fix that, when executed, leads to the deployment of malware [2][3].

At least one developer has reportedly had their MetaMask wallet compromised as a result of this campaign [1][2]. The stolen credentials can potentially be used to launch further attacks on legitimate businesses in the cryptocurrency sector [3].

The FBI has taken action against this threat by seizing the domain of BlockNovas, one of the fake companies involved in the operation [1][2]. An FBI official described North Korean cyber operations as "one of the most advanced persistent threats" facing the United States [3].

This campaign is part of a larger pattern of North Korean cyber activities targeting the cryptocurrency sector [1][2].

Experts advise cryptocurrency developers and companies to exercise caution when engaging in online job applications or video interviews. Verifying the legitimacy of potential employers and being wary of unexpected software installations during the application process are crucial steps in protecting against these sophisticated attacks [1][2][3].

Summarized by Navi