DPRK Hackers Masquerade as Tech Recruiters, Job Seekers

Published: 23/11/2024   Category: security




No one has turned the job market into an attack surface quite like North Korea, which plays both sides for financial gain and, possibly, espionage.



North Korean threat actors are posing as both job recruiters and job seekers on the Web, deceiving companies and applicants for financial gain and, possibly, to gain access into Western organizations.
Palo Alto Networks Unit 42 this week published the details of two such ongoing campaigns it tracks as Contagious Interview and Wagemole.
For Contagious Interview, threat actors from the Democratic People's Republic of Korea (DPRK) are acting as employers, posting about fake job openings, and engaging with unwitting applicants. Then, during the vetting process, they lure the applicants into installing sophisticated, cross-platform infostealers.
In Wagemole, the baddies switch roles, donning fake personas to apply for jobs at established organizations based in the US and elsewhere.
As Michael Sikorski, chief technology officer and vice president of Unit 42, explains, these elaborate ruses produce much more believable social engineering than your typical phishing email.
"People are bombarded with emails all day long — most of those get dumped in the trash bin, or even get flagged as spam. So this is an effort to pivot away and make it seem a lot more realistic," he says.
The DPRK has long been a source of creative espionage and financial cybercrime. Besides traditional cyber theft — for which it is prolific — the army of Kim Jong Un, leader of the country, has also ventured off the beaten path, into domains and with tactics largely unseen elsewhere in the world.
For example, its state-sponsored hackers have posed as recruiters for high-tech jobs, luring developers into sometimes weeks- or months-long engagements with malware waiting at the end of it. One such case last year led to the heist of Axie Infinity, a popular Web3 pay-to-play game, totaling north of half a billion dollars.
Ever since, it seems, the hackers have been trying to repeat that success.
Since at least March, the threat actor behind Contagious Interview has posted vague job openings for software developers or jobs specifically tailored to the AI and Web3 fields. After making initial contact via social media, online forums, or other means, the group invites applicants to an online interview.
It's during the interview that the malicious actor sends the applicant an npm-based package hosted on GitHub. This package contains Beavertail, a heavily obfuscated, JavaScript-based infostealer and loader. It targets basic system information as well as credit card and cryptocurrency wallet details stored in a victim's browser. It also retrieves and runs a second payload, InvisibleFerret.
InvisibleFerret is a Python-based backdoor capable of fingerprinting, keylogging, credential harvesting, data exfiltration, remote control, and, if need be, downloading the AnyDesk RMM for further control over a compromised computer.
Per the recent trend among capable APTs, both Beavertail and InvisibleFerret work across operating systems: Windows, Linux, and macOS.
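The delivery vector above is a repository that a candidate is asked to clone and run. As an added defensive example (not code from the article or from Unit 42), the following Python script audits such a repository before `npm install`: it lists lifecycle hooks that would execute code on install and flags obfuscation markers in JavaScript files. The sample package is constructed for illustration.

```python
import json
import re

# Lifecycle hooks that npm runs automatically during install.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Heuristic markers for obfuscated or self-executing JavaScript.
OBFUSCATION_PATTERNS = {
    "eval_or_function_ctor": re.compile(r"\beval\s*\(|new\s+Function\s*\("),
    "hex_escaped_string": re.compile(r"(\\x[0-9a-fA-F]{2}){8,}"),
    "long_base64_literal": re.compile(r"['\"][A-Za-z0-9+/=]{120,}['\"]"),
    "child_process_use": re.compile(r"child_process|\bspawn\s*\(|\bexec(Sync)?\s*\("),
}

def audit_package_json(text):
    """Return the scripts that would run code during `npm install`."""
    scripts = json.loads(text).get("scripts", {})
    return {k: v for k, v in scripts.items() if k in LIFECYCLE_HOOKS}

def audit_js_source(src):
    """Return the sorted names of obfuscation/execution markers found in a JS file."""
    return sorted(name for name, rx in OBFUSCATION_PATTERNS.items() if rx.search(src))

def audit_repo(files):
    """files: mapping of relative path -> file content. Returns (path, finding) pairs."""
    findings = []
    for path, content in files.items():
        if path.endswith("package.json"):
            for hook, cmd in audit_package_json(content).items():
                findings.append((path, f"lifecycle hook '{hook}': {cmd}"))
        elif path.endswith(".js"):
            for marker in audit_js_source(content):
                findings.append((path, f"marker: {marker}"))
    return findings

# Constructed sample repository (not a real campaign artifact): a postinstall
# hook runs a helper whose only content is a hex-escaped string passed to eval.
SAMPLE_REPO = {
    "package.json": json.dumps({"name": "demo-task", "version": "1.0.0",
        "scripts": {"postinstall": "node ./lib/setup.js", "test": "jest"}}),
    "lib/setup.js": "const s='\\x68\\x65\\x6c\\x6c\\x6f\\x77\\x6f\\x72\\x6c';eval(s);",
    "lib/index.js": "module.exports = (a, b) => a + b;",
}

if __name__ == "__main__":
    for path, finding in audit_repo(SAMPLE_REPO):
        print(f"{path}: {finding}")
```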
Interestingly, stealing money and spying on the target may not actually be the primary purpose of either malware. "By getting them to install malware, [the attackers] then have a foothold on that system. Now, if that person goes and works somewhere else in the future — they probably will get a real job somewhere else — then all of a sudden that could lead to an infection into that company's supply chain," Sikorski suggests.
North Koreans have also for years posed as applicants seeking remote work in the tech space. Through a maze of fake resumes, email, social media, websites, and so on, real applicants using fake personas earn work and then funnel their earnings back to the Kim regime.
While investigating the GitHub infrastructure behind Contagious Interview, the researchers came across evidence of these schemes: longstanding, detailed accounts on GitHub, LinkedIn, freelancer marketplaces, scripts for phone interviews, stolen US permanent resident cards, and more.
It's unclear how many of these ersatz IT workers have developed real, long-standing relationships with companies. But just last month the US Department of Justice noted that this scheme is so prevalent that companies must be vigilant to verify whom they're hiring.
Companies that hire employees under fake identities don't just face a risk of embarrassment, Sikorski warns. "Just think of the tremendous amount of risk it is to have a state-sponsored actor inside your environment," he says. "And remember: these are software developers, which means they have access to source code."
