The operation, known as Contagious Interview, uses social engineering and advanced malware to compromise computers and ultimately steal cryptocurrency funds. The attackers approach victims through fake job interviews or technical tests. Victims are asked to review or run code as part of an assessment. Hidden inside the project files are malicious packages that silently infect the system once executed.

Investigators attribute the activity to North Korean threat actors who have repeatedly targeted crypto professionals. Their objective is clear: obtain wallet credentials, private keys, and other sensitive information that can be converted directly into money. According to security researcher Seongsu Park, the infection begins when a victim runs a malicious JavaScript file embedded in a trojanized development package. Once executed, the script sends a beacon to a command-and-control (C2) server to confirm a successful compromise.

It then downloads additional components. The second stage installs multiple payloads. These include two JavaScript tools and a Python-based backdoor called InvisibleFerret. One component creates a lightweight remote-access backdoor, while another searches the system for valuable data, such as browser credentials, password manager databases, and cryptocurrency wallets.

The malware uses pattern-based file discovery. It searches for filenames containing keywords like “wallet,” “seed,” “private,” “keys,” “mnemonic,” and “password.” The information is automatically transmitted to attacker servers. The backdoor maintains a persistent connection to the attackers and can execute commands remotely.

Through this access, the criminals can download new scripts, steal files, and monitor activity on Windows, macOS, and Linux systems. After gaining control of the system, the attackers deploy a counterfeit version of the MetaMask cryptocurrency wallet extension. Instead of simply installing new malware, they replace the legitimate browser extension.

The malware scans Chrome and Brave browser profiles for the MetaMask installation folder. It then downloads a malicious extension and modifies the browser’s configuration files to force it to load the attacker’s version. Security checks are bypassed by altering protection signatures and enabling developer mode. The modified wallet looks and functions normally, making the compromise difficult to detect.

However, hidden code captures the user’s wallet unlock password and encrypted vault data when the wallet is opened. Once collected, the credentials are sent to the attackers’ servers. The criminals can later decrypt the vault offline, extract seed phrases, and transfer cryptocurrency funds without the victim’s knowledge.
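The extension swap described above leaves traces in the browser profile itself. The following audit script is an added example, not code from the article or from the researchers it cites: it reads the `extensions` section of a Chromium-family profile's `Secure Preferences` file and flags the conditions the article names (developer mode switched on, MetaMask no longer marked as a Web Store install, or loaded unpacked from an arbitrary path). It assumes MetaMask's Web Store ID `nkbihfbeogaeaoehlefnkodbefgpgknn`, the `extensions.settings` / `extensions.ui.developer_mode` key layout, and location code 4 meaning "unpacked"; the sample profiles are constructed.

```python
import os
from pathlib import Path

METAMASK_ID = "nkbihfbeogaeaoehlefnkodbefgpgknn"  # assumption: MetaMask's Web Store ID
LOCATION_UNPACKED = 4                              # assumption: Chromium "unpacked" code

# Constructed sample of the relevant keys of a "Secure Preferences" file, shaped as the
# article describes: developer mode on, MetaMask replaced by an unpacked copy loaded
# from an attacker-chosen location (placeholder path, not a real indicator).
TAMPERED = {"extensions": {
    "ui": {"developer_mode": True},
    "settings": {METAMASK_ID: {
        "from_webstore": False, "location": LOCATION_UNPACKED,
        "path": "/tmp/PLACEHOLDER_replaced_metamask"}}}}

# Constructed sample of an untouched Web Store install (relative path inside the profile).
CLEAN = {"extensions": {
    "ui": {"developer_mode": False},
    "settings": {METAMASK_ID: {
        "from_webstore": True, "location": 1,
        "path": METAMASK_ID + "/12.0.0_0"}}}}


def audit_prefs(prefs: dict) -> list[str]:
    """Return human-readable findings; an empty list means nothing suspicious.
    Note: the article says the attackers also rewrite the file's protection
    signatures, so an intact HMAC alone is not evidence the entry is genuine."""
    findings = []
    ext = prefs.get("extensions", {})
    if ext.get("ui", {}).get("developer_mode"):
        findings.append("developer mode enabled")
    entry = ext.get("settings", {}).get(METAMASK_ID)
    if entry is None:
        return findings  # MetaMask not installed in this profile
    if not entry.get("from_webstore", False):
        findings.append("MetaMask not marked as installed from the Web Store")
    path = entry.get("path", "")
    if entry.get("location") == LOCATION_UNPACKED or os.path.isabs(path):
        findings.append("MetaMask loaded unpacked from %s" % path)
    return findings


def audit_profile(profile_dir: str) -> list[str]:
    """Audit a real profile directory, e.g. ~/.config/google-chrome/Default."""
    import json
    return audit_prefs(json.loads(Path(profile_dir, "Secure Preferences").read_text()))


if __name__ == "__main__":
    for label, prefs in (("clean", CLEAN), ("tampered", TAMPERED)):
        print(label, audit_prefs(prefs) or ["ok"])
```

Run it against every profile under the Chrome and Brave user-data directories; any finding on a machine that was never used for extension development warrants a closer look at that profile.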

Researchers say the attackers added only a few lines of malicious code, ensuring the wallet behaves exactly like the legitimate one while secretly stealing credentials. According to Medium, the campaign highlights a growing trend: rather than hacking blockchain networks, criminals compromise users directly. Experts advise developers never to run unknown code during interviews, to verify browser extensions, and to use hardware wallets where possible.
