A Comprehensive Analysis of DPRK's Contagious Interview
ID: 8d03e2ef-7a2d-59bd-9c8f-ed5eb9860dd2
STIX ID: report--8d03e2ef-7a2d-59bd-9c8f-ed5eb9860dd2
Feed Name: OpenSourceMalware Blog
Date Published: 2026-01-20
Date Updated: 2026-06-20
Author: c0a15726-c5b1-4b0d-85e6-fe15553df9e2
This analysis documents a three-stage DPRK-operated supply-chain campaign targeting software developers: a malicious npm package used in social-engineered 'interviews' installs a JavaScript loader that connects to Socket.IO C2s to harvest browser and cloud credentials and download a second-stage OtterCookie backdoor, which in turn retrieves a PyInstaller-compiled InvisibleFerret payload; the combined toolset enables credential theft (including DPAPI/keychain decryption), cryptocurrency wallet theft, system-wide keylogging, persistent remote access, and multi-channel exfiltration. The report includes file hashes, C2 IPs and ports, persistence artifacts, targeted file paths, and recommended developer-focused mitigations and detection/hardening controls.
Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.
