Reflecting on President Trump’s first 100 days in office
News
North Korea-linked threat actors utilize falsified companies and job interviews to distribute malware
08 May 2025
A threat actor group with ties to the Democratic People’s Republic of Korea (“North Korea”) called Contagious Interview is using front companies to spread malware through fake job interviews. This group has a history of launching cyberattacks against individuals and organizations, but they have escalated their methods by combining “job interview lures” with setting up fraudulent social media accounts and utilizing AI-powered tools. Contagious Interview is predominantly using GitHub, job listings, and freelancer websites to target job applicants.
Contagious Interview has started a new campaign by utilizing three front companies in the cryptocurrency industry to lure individuals with fake job interviews. This activity is used as a means to distribute three different forms of malware, including BeaverTail, Invisible Ferret, and OtterCookie. This group was implicated in various cyber-espionage campaigns and their tactics often involve social engineering. The three front companies created as part of this campaign are BlockNovas LLC, Angeloper Agency, and SoftGlideLLC. All three companies spread malware through “job interview lures.” The main targets of this campaign include job applicants for cryptocurrency positions.
The group operates by creating fake job offers to distribute the malware which allows them to enable remote access and engage in data theft. Contagious Interview has previously used job boards as a luring mechanism, but they have escalated their practices by creating front companies and setting up fraudulent accounts on social medial platforms such as Facebook and LinkedIn. BlockNovas, the most active of the front companies, claims to have 14 individuals working for them. However, most of these personas appear to be fake and the company claims to have been in operation longer than it was registered. Another component of the malicious activity is the group utilizes AI-powered tools to create profile pictures of “employees” for the front companies using Remaker AI. The U.S. Federal Bureau of Investigation (FBI) seized the BlockNovas domain as of April 23, 2025 as part of a law enforcement action against Contagious Interview.
BlockNovas has used video assessments to distribute various forms of malware using ClickFix tactics. ClickFix is a social engineering tool that tricks users into downloading malware by using the premise of a non-existent error. Candidates are approached via legitimate job interview platforms such as LinkedIn and are asked to prepare for a video call interview. From there, they are asked to enable their camera after which an error message appears indicating that the user needs to download a driver. Contagious Interview employs the ClickFix technique at this point as the driver they are requested to download is a form of malware designed to steal cryptocurrency and other sensitive data.
Hogan Lovells has previously covered security threats surrounding North Korean nationals attempts to secure remote positions, implications for the job interview process, and methods to reduce risk. For more information, you can read this article here.
Authored by Nathan Salminen and Surya Swaroop.
Washington, D.C.
Articles you may be interested in
View more insights and analysis
