
PurpleBravo, a North Korean state-sponsored threat group, has escalated its cyber espionage efforts by targeting software developers through fake job interviews. Linked to the “Contagious Interview” campaign first noted in 2023, the group uses deceptive LinkedIn personas and malicious GitHub repositories to deliver malware.
Campaign Overview
PurpleBravo masquerades as recruiters from Ukraine (e.g., Odesa-based personas) offering roles in software development and cryptocurrency sectors. Victims receive “coding tests” that are actually malware loaders such as BeaverTail, a JavaScript infostealer. Corporate devices are often compromised when candidates run the test code at work, creating supply chain risk.
Malware Arsenal
- BeaverTail: JavaScript loader stealing credentials and cryptocurrency data via RC4-encrypted HTTP C2 channels.
- GolangGhost: Go-based RAT derived from HackBrowserData for browser credential theft across Windows, Linux, macOS.
- PyLangGhost and InvisibleFerret: Multi-platform trojans for persistence, file exfiltration, and remote access; they exfiltrate to C2 endpoints like /keys and /uploads.
Infrastructure includes Astrill VPN-linked C2 servers across 17 providers, with ties to PurpleDelta ops.
Impact and Targets
The campaign hit 3,136 IP addresses, mainly in South Asia and North America, affecting 20+ organizations. Lures mimic firms like Indian dev companies and DEX projects. Downstream risk is amplified by the privileges developers typically hold.
Mitigation Steps
- Vet recruiters: Reverse-search profiles and verify company domains.
- Sandbox coding tests: Use isolated VMs; scan repos with VirusTotal.
- Monitor for anomalies: Watch for Astrill VPN, unusual GitHub activity, browser stealers.
- Tools: Enable MFA, restrict corporate device use for interviews, deploy EDR like CrowdStrike or Qualys.
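As a concrete form of the "sandbox coding tests" step, here is an added example (not from the original report or any vendor tool) of a static triage pass over a cloned interview repo before anything in it is installed or run. The lifecycle hooks and regex indicators are constructed heuristics chosen because JavaScript loaders of the BeaverTail type rely on npm install hooks, dynamic eval and large encoded literals; the sample repo built by `demo()` is constructed for the example.

```python
import json
import re
import tempfile
from pathlib import Path

# Static triage heuristics for an unknown "coding test" repo, run before any of it
# is installed or executed. Constructed for this example; a hit means "look closer".
LIFECYCLE_HOOKS = {"preinstall", "install", "postinstall", "prepare"}
JS_PATTERNS = {
    "dynamic-eval": re.compile(r"\b(eval|Function)\s*\("),
    "process-spawn": re.compile(r"child_process|\bexec(Sync)?\s*\("),
    "long-encoded-blob": re.compile(r"['\"][A-Za-z0-9+/=]{200,}['\"]"),
    "hex-escaped-string": re.compile(r"(\\x[0-9a-fA-F]{2}){8,}"),
}

def triage_repo(root):
    """Walk a checked-out repo; return (relative path, indicator, detail) tuples."""
    root, findings = Path(root), []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or "node_modules" in path.parts:
            continue
        rel = path.relative_to(root).as_posix()
        if path.name == "package.json":
            # npm runs lifecycle scripts on install: the usual first execution point.
            try:
                manifest = json.loads(path.read_text(errors="ignore"))
            except json.JSONDecodeError:
                manifest = {}
            scripts = manifest.get("scripts", {}) if isinstance(manifest, dict) else {}
            for hook in sorted(LIFECYCLE_HOOKS & set(scripts)):
                findings.append((rel, "lifecycle-hook", f"{hook}: {scripts[hook]}"))
        elif path.suffix in (".js", ".mjs", ".cjs", ".ts"):
            text = path.read_text(errors="ignore")
            for name, pattern in JS_PATTERNS.items():
                match = pattern.search(text)
                if match:
                    findings.append((rel, name, match.group(0)[:60]))
    return findings

def demo():
    """Build a constructed sample repo in a temp dir and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "package.json").write_text(json.dumps(
            {"name": "interview-task", "scripts": {"postinstall": "node setup.js"}}))
        (root / "setup.js").write_text(  # eval of a long base64 literal
            'const p = "' + "QUJD" * 60 + '";\neval(Buffer.from(p, "base64").toString());\n')
        (root / "index.js").write_text('console.log("solve the task here");\n')
        return triage_repo(root)
```

Run `triage_repo` on the clone inside the isolated VM and treat any finding as a reason to stop and escalate rather than proceed with `npm install`.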


