North Korean Hackers use Code Abuse Tactics for ‘Contagious Interview’ Campaign

The campaign, known as Contagious Interview, uses malicious repositories disguised as technical assessment projects to deploy a dual-layer malware system.

When developers open the project folder to review code or enable AI-assisted inspection, a concealed task executes automatically; the developer does not have to run any of the project's code directly.

This controller deploys five specialized modules to steal sensitive data. The keylogger and screenshot module monitors user activity and uploads results to the attacker’s command server at 172.86.116.178.

Following the Node.js stage, the malware deploys Python payloads that establish stronger persistence. On Windows systems specifically, the malware creates startup folder injections and scheduled tasks mimicking legitimate Windows processes like RuntimeBroker.exe.
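A triage check for the scheduled-task masquerading described above, as an added example that is not from the article or the campaign's reporting. It reads the CSV produced by `schtasks /query /fo csv /v`; the sample rows are constructed, and a Windows install at `C:\Windows` is assumed.

```python
import csv
import io
import ntpath

# Process names the persistence is reported to imitate. Only RuntimeBroker.exe
# is named on the page; extend this set for your own environment.
IMITATED = {"runtimebroker"}
SYSTEM32 = ntpath.normcase(r"C:\Windows\System32")  # assumption: default install path

# Constructed sample in the column layout of `schtasks /query /fo csv /v`.
SAMPLE = r'''"HostName","TaskName","Task To Run"
"WS01","\Microsoft\Windows\Defrag\ScheduledDefrag","%windir%\system32\defrag.exe -c -h -o"
"WS01","\RuntimeBroker","C:\Users\dev\AppData\Local\Temp\RuntimeBroker.exe"
"WS01","\Microsoft\Windows\RuntimeBrokerSvc","C:\Users\dev\AppData\Local\pythonw.exe C:\Users\dev\.cache\u.py"
"WS01","\Vendor\RuntimeBroker","C:\Windows\System32\RuntimeBroker.exe"
'''


def executable_of(command):
    """Return the program part of a 'Task To Run' value, without arguments."""
    command = command.strip()
    if command.startswith('"'):
        program = command[1:].split('"', 1)[0]
    else:  # unquoted paths that contain spaces are cut at the first space
        program = command.split(" ", 1)[0]
    for var in ("%systemroot%", "%windir%"):
        if program.lower().startswith(var):
            program = r"C:\Windows" + program[len(var):]
    return ntpath.normcase(ntpath.normpath(program))


def suspicious_tasks(schtasks_csv):
    """Return (task, command, reason) for tasks borrowing a Windows process name."""
    findings = []
    for row in csv.DictReader(io.StringIO(schtasks_csv)):
        name, command = row["TaskName"], row["Task To Run"]
        program = executable_of(command)
        stem = ntpath.splitext(ntpath.basename(program))[0]
        in_system32 = ntpath.dirname(program) == SYSTEM32
        task_stem = ntpath.basename(name).lower()
        if stem in IMITATED and not in_system32:
            findings.append((name, command, "binary name outside System32"))
        elif any(p in task_stem for p in IMITATED) and stem not in IMITATED:
            findings.append((name, command, "task name does not match its action"))
    return findings

if __name__ == "__main__":
    for finding in suspicious_tasks(SAMPLE):
        print(finding)
```

A hit is a lead for review, not a verdict: confirm the binary's signature and the task's creation time before acting on it.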

To read the complete article see: North Korean Hackers use Code Abuse Tactics

This post is licensed under CC BY 4.0 by the author.