logo

DPRK Contagious Interview Malware Weaponizes Microsoft VSCode Tasks

ID: c32f7939-bc79-5b32-802a-6e368c84301a

STIX ID: report--c32f7939-bc79-5b32-802a-6e368c84301a

Feed Name: OpenSourceMalware Blog

Threat Score
90/100

Date Published: 2025-11-29

Date Updated: 2026-06-20

Author: c0a15726-c5b1-4b0d-85e6-fe15553df9e2

...
...

This report details a Lazarus Group (DPRK) 'Contagious Interview' campaign that lures software developers to clone malicious Git repositories containing .vscode/tasks.json which execute platform-specific loaders to install BeaverTail (JS) and Invisible Ferret (Python) payloads; the malware exfiltrates browser credentials and at least 43 crypto wallet extensions, maintains persistence via VSCode folderOpen tasks, communicates with active C2 infrastructure (notably 146.70.41.188 and multiple Vercel-hosted endpoints), and is observed across numerous GitHub/Bitbucket repositories and variants with provided IOCs and file hashes.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.