Fireblocks Security Research identified a recruiting impersonation campaign targeting tech workers that mirrors legitimate hiring processes and uses a Contagious Interview framework. The operation delivers malware disguised as a coding assignment and is attributed to North Korean threat actors known as the Lazarus Group (APT 38). The campaign unfolds in four phases: initial contact, trust-building, a video interview, and malware delivery. Phase 1 is LinkedIn outreach from profiles that appear credible. Phase 2 uses professionally formatted PDFs and a detailed Figma board to reinforce legitimacy. Phase 3 is a Google Meet interview, followed in phase 4 by instructions to clone a GitHub repository and run setup commands.
Indicators of Contagious Interview-style campaigns include red flags such as requests to clone GitHub repositories and run installations, video interviews that end abruptly after a task is assigned, personal email addresses used for corporate recruitment, Calendly links on personal domains, and AI-generated recruiter profiles. The objective is financial theft achieved by gaining access to credentials, authentication materials, and environments that can be leveraged for follow-on activity. Fireblocks identified and disrupted the campaign by validating impersonation personas, reporting malicious activity to LinkedIn, removing malicious repositories, and conducting targeted threat hunting with intelligence partners and law enforcement.
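A defender-side check for the "clone and run installations" red flag, added here as an illustration and not taken from the Fireblocks report: it lists what an install would execute automatically before anyone runs it. The report summary does not say which ecosystem the repository used; this sketch assumes a Node.js project, and the function names and sample repository layout are constructed for the example.

```python
import json
import tempfile
from pathlib import Path

# Scripts that npm runs on its own during `npm install` in a project directory.
NPM_AUTO_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def audit_repo(repo_dir):
    """List (manifest, reason) pairs for code an install would run unasked."""
    root, findings = Path(repo_dir), []
    for path in sorted(root.rglob("package.json")):
        rel = path.relative_to(root)
        if "node_modules" in rel.parts:
            continue  # vendored dependencies are out of scope for this pass
        try:
            manifest = json.loads(path.read_text(encoding="utf-8"))
            scripts = manifest.get("scripts", {})
            hooks = [(h, scripts[h]) for h in NPM_AUTO_HOOKS if h in scripts]
        except (OSError, ValueError, AttributeError, TypeError):
            # A manifest that cannot be parsed cannot be cleared either.
            findings.append((rel.as_posix(), "manifest could not be parsed"))
            continue
        for hook, cmd in hooks:
            findings.append((rel.as_posix(), f"npm runs '{hook}' automatically: {cmd}"))
    return findings


def build_sample_repo(root):
    """Write a constructed 'coding assignment' layout used only for the demo."""
    root = Path(root)
    for sub in ("server", "client"):
        (root / sub).mkdir(parents=True)
    (root / "package.json").write_text(json.dumps({
        "name": "assignment-demo",
        "scripts": {"start": "node index.js", "postinstall": "node tools/setup.js"},
    }), encoding="utf-8")
    (root / "server" / "package.json").write_text(
        json.dumps({"name": "server", "scripts": {"start": "node app.js"}}),
        encoding="utf-8")
    (root / "client" / "package.json").write_text("{ not json", encoding="utf-8")
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for manifest, reason in audit_repo(build_sample_repo(tmp)):
            print(f"{manifest}: {reason}")
```

An empty result only means no install-time hook was declared in a manifest; the assignment code itself still needs review in an isolated environment before it is run.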
The report also notes that TRES Finance has joined Fireblocks, highlighting a push toward delivering a complete on-chain infrastructure stack to bring customers onchain in the most seamless and secure way possible. The collaboration signals intensified efforts to secure and streamline crypto-related operations across the broader ecosystem.












