A recent investigation has uncovered a coordinated effort by North Korea-aligned hackers to abuse cyber threat intelligence (CTI) platforms, using the same services defenders rely on to check whether their own infrastructure has been flagged. The activity belongs to the Contagious Interview cluster, a campaign that targets job seekers with malware-laced recruitment lures.
Between March and June 2025, the actors repeatedly tried to register for and log in to Validin's infrastructure intelligence portal, initially using Gmail addresses already associated with their operations. When Validin blocked those accounts, they came back with new ones, including accounts on domains registered specifically for the purpose. The attempts continued for months, and investigators found evidence of team-based coordination: the operators shared search results with each other in real time over Slack. Notably, being blocked did not prompt broad changes to their infrastructure to avoid detection; their effort went into standing up new systems to replace those taken down by service providers.
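The persistence pattern above (reuse of e-mail addresses already tied to the actor, throwaway domains registered days earlier, and bursts of new accounts from one source) is something a CTI platform can screen for at signup. The following is an added example, not Validin's code or any detection logic the report describes. The e-mail addresses, domain registration dates, IP addresses, and log entries are all constructed for illustration, and the in-memory domain-age table stands in for a WHOIS/RDAP lookup you would make in production.

```python
"""Screen CTI-portal signups for repeat-registration abuse.

Added example; all data below is constructed and the domain-age table is a
stand-in for a real WHOIS/RDAP query.
"""
from collections import defaultdict
from datetime import date, datetime, timedelta

# Constructed: addresses previously associated with the actor's operations.
KNOWN_ACTOR_EMAILS = {"hr.recruit.team@gmail.com", "dev.hiring.lead@gmail.com"}

# Constructed: domain -> registration date (stand-in for an RDAP lookup).
DOMAIN_REGISTERED = {
    "gmail.com": date(1995, 8, 13),
    "example.org": date(1995, 1, 1),
    "talent-hub-hiring.xyz": date(2025, 4, 2),
}

# Constructed signup log: (ISO timestamp, e-mail, source IP).
SIGNUPS = [
    ("2025-04-03T09:12:00", "hr.recruit.team@gmail.com", "198.51.100.7"),
    ("2025-04-03T09:40:00", "analyst01@talent-hub-hiring.xyz", "198.51.100.7"),
    ("2025-04-03T10:05:00", "analyst02@talent-hub-hiring.xyz", "198.51.100.7"),
    ("2025-04-03T10:30:00", "analyst03@talent-hub-hiring.xyz", "198.51.100.7"),
    ("2025-04-04T14:00:00", "jane.doe@example.org", "203.0.113.50"),
]

MAX_DOMAIN_AGE_DAYS = 30      # domains younger than this are held for review
MAX_SIGNUPS_PER_IP = 2        # more than this inside WINDOW from one IP is a burst
WINDOW = timedelta(hours=2)


def domain_of(email):
    return email.rsplit("@", 1)[-1].lower()


def domain_age_days(domain, today):
    """Days since registration, or None when the registrar has no record."""
    registered = DOMAIN_REGISTERED.get(domain)
    if registered is None:
        return None  # unknown is treated as suspicious, not as clean
    return (today - registered).days


def screen_signups(signups, today):
    """Return {email: [reasons]} for every signup that should be held for review."""
    flagged = defaultdict(list)
    by_ip = defaultdict(list)
    for ts, email, ip in signups:
        email = email.lower()
        if email in KNOWN_ACTOR_EMAILS:
            flagged[email].append("known-actor-email")
        age = domain_age_days(domain_of(email), today)
        if age is None:
            flagged[email].append("domain-age-unknown")
        elif age <= MAX_DOMAIN_AGE_DAYS:
            flagged[email].append(f"domain-registered-{age}d-ago")
        by_ip[ip].append((datetime.fromisoformat(ts), email))

    # Burst check: more than MAX_SIGNUPS_PER_IP accounts from one IP within WINDOW.
    for ip, events in by_ip.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            burst = [e for t, e in events[i:] if t - t0 <= WINDOW]
            if len(burst) > MAX_SIGNUPS_PER_IP:
                for e in burst:
                    if f"burst-{ip}" not in flagged[e]:
                        flagged[e].append(f"burst-{ip}")
                break
    return dict(flagged)


def demo():
    """Run the screen over the constructed log as of 2025-04-05."""
    return screen_signups(SIGNUPS, date(2025, 4, 5))


if __name__ == "__main__":
    for email, reasons in demo().items():
        print(f"{email}: {', '.join(reasons)}")
```

Held accounts are not necessarily malicious; a freshly registered corporate domain or a shared office IP will trip the same checks, so the output is a review queue, not an automatic ban. The point is that a blocked actor who returns on a new domain still carries the signals that got the first account blocked.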
Researchers observed the group using Validin not only to check whether its own assets had been flagged but also to vet new infrastructure before buying it. Even so, operational security mistakes exposed log files and directory listings on their servers, giving investigators insight into their workflows. Those exposures also revealed what the report calls ContagiousDrop applications: malware delivery systems embedded in the fake recruitment sites.
The ContagiousDrop applications sent the operators an e-mail alert whenever a victim executed a malicious command, and logged details such as the victim's name, phone number, and IP address. Those logs show that more than 230 individuals, mainly in the cryptocurrency industry, were affected between January and March 2025.
The primary goal of the Contagious Interview campaign is to generate revenue for North Korea by targeting cryptocurrency professionals worldwide through social engineering. The group has not adopted systematic measures to shield its infrastructure, but it has shown resilience through rapid redeployment and a steady intake of new victims.
Vigilance from job seekers, especially in the cryptocurrency sector, is crucial; a recruitment process that asks a candidate to run a command or install software as part of an interview should be treated as a red flag. Infrastructure providers also play a key role in disrupting these operations through rapid takedowns, and CTI platform operators can expect blocked actors to return under new accounts and domains. Both individuals and organizations need to remain alert to these ongoing threats.