Threat Profile: Contagious Interview (G1052)
- Suspected Origin
- North Korea
- Motivation
- Espionage, Financial Gain
- Aliases
- DeceptiveDevelopment, Gwisin Gang, Tenacious Pungsan, DEV#POPPER, PurpleBravo, TAG-121
- Target Sectors
- Software Development, Cryptocurrency, AI, IT, Media and Communications
- Associated Malware
- BeaverTail, InvisibleFerret, OtterCookie, FlexibleFerret, XORIndex, HexEval, PylangGhost, ContagiousDrop
Overview
Contagious Interview, tracked by MITRE ATT&CK as G1052, is a North Korea-aligned threat group that has been actively conducting operations since at least 2023. This group is also known by several aliases, including DeceptiveDevelopment, Gwisin Gang, Tenacious Pungsan, DEV#POPPER, PurpleBravo, and TAG-121. While some reporting associates Contagious Interview with the broader Lazarus Group, they operate with distinct methodologies.
The primary motivations driving Contagious Interview are dual-pronged: cyberespionage and financially motivated operations. These financial operations predominantly involve the theft of cryptocurrency and user credentials, which aligns with North Korea’s broader strategy to circumvent international sanctions and fund its state-sponsored programs.
Contagious Interview targets a specific and high-value demographic: individuals engaged in software development, artificial intelligence (AI) research, and cryptocurrency-related activities. They compromise systems running Windows, Linux, and macOS, demonstrating a cross-platform capability. Their focus on the tech industry, particularly job seekers, exploits a professional necessity, allowing them to embed malware delivery directly into trusted hiring workflows.
Tactics & Techniques
Contagious Interview is characterized by its sophisticated and constantly evolving social engineering tactics, which form the bedrock of their initial access strategy. They routinely impersonate HR personnel, recruiters, or technical collaborators on professional platforms such as LinkedIn, Telegram, and various job boards.
A hallmark of their operations is the use of elaborate fake job recruitment campaigns. This often involves creating convincing, multi-stage interview processes that include technical discussions, coding assessments, and assignments. During these stages, victims are lured into downloading and executing malicious code or packages, masquerading as legitimate software or development tools, from popular code repositories like GitHub, GitLab, Bitbucket, npm, Packagist, Go, and the Chrome Web Store.
They employ “ClickFix” tactics, which involve tricking victims into copying and pasting malicious code directly into their terminals, or persuading them to disable container environments like Docker to ensure malware executes natively on the host system. To enhance their credibility, the group constructs extensive fake infrastructure, including creating artificial social media profiles (sometimes with AI-generated images), fake email accounts, and personas on code repositories. They also register malicious domains and host payloads on legitimate cloud platforms like Vercel for command-and-control (C2) operations. Contagious Interview has also been observed utilizing AI to clone video-conferencing applications and create deepfake videos as part of their lures.
To evade detection, the group encrypts its C2 traffic using algorithms like RC4 and is known to remove archival files post-exfiltration. They configure their C2 endpoints to inspect IP geolocation, request headers, victim environment details, and runtime conditions, enabling selective payload delivery and victim validation. The group also actively monitors cyber threat intelligence to adapt their operations and infrastructure, and they leverage VPN services such as Astrill VPN to obscure their activities.
Persistence is commonly achieved through malware like InvisibleFerret, which can establish a foothold by placing .bat files in the Startup Folder, or through other modular backdoors that modify RUN registry keys. Their exfiltration objectives typically target sensitive data such as API tokens, cloud credentials, cryptocurrency wallets, password manager artifacts, and proprietary source code, often using legitimate cloud storage services like Dropbox to receive stolen information.
In a notable evolution of their tradecraft, Contagious Interview has extensively engaged in software supply chain abuse. This includes publishing hundreds of malicious packages to public registries (e.g., npm), compromising existing legitimate repositories, or subtly modifying packages with malicious code, sometimes leveraging namesquatting techniques. They have also adapted to developers’ integrated development environment (IDE) workflows, using malicious configuration files within seemingly legitimate GitHub or GitLab repositories that, when opened and trusted in Visual Studio Code, execute arbitrary commands on the victim’s system.
Notable Campaigns
Contagious Interview’s operations date back to at least December 2022, with widespread reporting emerging in November 2023 for their initial campaign targeting job seekers, particularly software developers.
One specific technique within their broader operations is referred to as “ClickFix Interview” or “ClickFake Interview,” which is a social engineering approach designed to trick targets into copying and executing malicious code.
More recently, the “PolinRider Campaign,” active as of July 2026, showcases their capability to publish over 108 malicious packages and web browser extensions across multiple ecosystems, including npm, Packagist, Go, and Google Chrome. This campaign involved implanting obfuscated JavaScript payloads in hundreds of public GitHub repositories. PolinRider has merged with another cluster named “TaskJacker,” which focuses on dropping malicious VS Code task files into GitHub users’ existing repositories.
In April 2025, Silent Push analysts uncovered a campaign involving “Three Front Companies”—BlockNovas LLC, Angeloper Agency, and SoftGlide LLC. These fake cryptocurrency consulting firms were meticulously set up with AI-generated employee profiles to distribute malware via “interview malware lures.” This was followed in November 2025 by the discovery of a highly polished, React Next.js-based fake job platform, lenvny[.]com, specifically designed to compromise job-seeking individuals, including AI researchers.
As late as January 2026, Fireblocks Security Research identified a recruiting impersonation scam that closely mimicked a legitimate Fireblocks hiring process. This campaign delivered malware through staged coding assignments, demonstrating the group’s ongoing adaptation and focus on specific organizational targets.
Associated Malware & Tools
Contagious Interview employs a diverse arsenal of custom malware and leverages legitimate tools to achieve its objectives:
- BeaverTail: A JavaScript-based infostealer and downloader. It’s frequently distributed via NPM packages and is designed to steal cryptocurrency wallets, credit card information from browser caches, and login keychains across Unix and Windows systems. Newer variants have been developed using the Qt cross-platform framework, allowing compilation for both Windows and macOS.
- InvisibleFerret: A multi-stage Python-based backdoor. This malware is crucial for establishing persistence, often by placing
.batfiles in the victim’s Startup Folder, and for loading further stages of attack. - OtterCookie: A JavaScript-based backdoor, first observed in September 2024. It has evolved from basic remote command execution capabilities to a modular program capable of extensive data theft. OtterCookie can collect host fingerprints, check for virtual machine environments, install communication clients (like socket.io for C2), exfiltrate data, and execute arbitrary shell commands.
- FlexibleFerret: A modular backdoor implemented in both Go and Python variants. It uses encrypted HTTP(S) and TCP channels for command and control, supports dynamic plugin loading, remote command execution, and comprehensive file upload/download operations. Persistence is typically achieved through RUN registry modifications, and it includes built-in reconnaissance and lateral movement capabilities.
- ContagiousDrop: Node.js applications specifically designed to distribute malware and send email notifications to threat actors regarding victim engagement.
- XORIndex & HexEval: Identified in July 2025, XORIndex is a malware loader distributed via npm packages containing HexEval. It’s used to collect data and deploy second-stage malware, primarily for cryptocurrency theft.
- PylangGhost: Another malware family associated with the group.
Beyond their custom malware, Contagious Interview utilizes various legitimate services and tools to support their operations: Astrill VPN for anonymization, Dropbox for data exfiltration, and Google Drive, Firebase, GitHub, and Telegram for file dissemination. They have also used Vercel for C2 operations leveraging malicious web applications and static pages, and Slack for internal coordination among operators. Furthermore, they have leveraged AI tools like Remaker AI for generating realistic profile images for fake personas and have employed AI for cloning video-conferencing applications and creating deepfake videos as part of their social engineering efforts.
Current Status
Contagious Interview remains an active and highly adaptive threat actor. Reporting from throughout 2025 and 2026 consistently indicates ongoing campaigns and continuous evolution of their tradecraft, malware, and infrastructure. The “PolinRider Campaign,” which involves the widespread distribution of malicious packages, was reported as active as recently as July 2026. This continuous activity, coupled with their observed practice of monitoring cyber threat intelligence to refine their operations, underscores their resilience and persistent threat to targeted sectors globally.
Worried this actor targets your sector?
Let's map your exposure before they find it themselves.
Book an advisory call