Fake Job Interviews Turn Into Cyber Attacks as North Korean Hackers Target Global Tech Firms
Contagious Interview campaign exploits developer hiring workflows to breach organizations worldwide

Cybersecurity researchers have identified a large-scale cyber espionage campaign in which fake job interviews are used as an entry point for malware infections, exposing companies across multiple industries and regions.
Threat intelligence firm Recorded Future reported that attackers linked to North Korea targeted 3,136 individual IP addresses between August 2024 and September 2025. The activity impacted at least 20 organizations across artificial intelligence, cryptocurrency, financial services, IT, marketing, and software development sectors.
Behind the “Contagious Interview” Campaign
Researchers track the activity under the name PurpleBravo, a North Korea–linked threat cluster first documented in late 2023. The campaign also operates under several other aliases, including DeceptiveDevelopment, Famous Chollima, and UNC5342.
The attackers pose as recruiters or developers and approach targets with convincing job offers. They then persuade victims to run malicious code as part of a supposed coding test or technical assessment.
In several cases, job seekers executed the malware on company-issued devices, unintentionally giving attackers access to corporate environments.
Who Was Targeted
Recorded Future identified affected organizations based in multiple countries, including Belgium, India, Italy, the Netherlands, Pakistan, Romania, Vietnam, and the United Arab Emirates.
The researchers warned that this tactic creates supply-chain exposure, especially when the affected employees or contractors serve large customer bases.
Trusted Developer Tools Weaponized
The findings follow a separate report from Jamf Threat Labs, which revealed that the attackers now abuse malicious Visual Studio Code projects to distribute backdoors.
This shift shows a clear focus on trusted developer workflows, where security controls are often relaxed to support productivity.
Malware and Infrastructure
PurpleBravo operates multiple sets of command-and-control infrastructure to manage different malware families, including:
- BeaverTail, a JavaScript-based infostealer and loader
- GolangGhost, a Go-based backdoor derived from an open-source data extraction tool
The attackers host their servers across more than a dozen providers and manage them using Astrill VPN, a service long associated with North Korean cyber operations.
Not Just Fake Interviews — A Bigger Strategy
The Contagious Interview campaign complements another North Korean operation known as Wagemole, in which individuals seek real employment using stolen or fraudulent identities.
While researchers track the two campaigns separately, they observed shared infrastructure, VPN usage, and operational overlap, indicating coordination between the groups.
Why This Matters
This campaign shows that hiring processes themselves have become an attack surface. When candidates run unverified code during interviews or assessments, attackers can bypass traditional security defenses.
The risk extends beyond individuals to entire organizations, customers, and partners.
Key Takeaway
Job interviews are no longer just about hiring.
They are now being used as a delivery mechanism for cyber espionage and supply-chain attacks.
Organizations must treat recruitment workflows as part of their security perimeter.