Beware of North Korean Fake Job Platform Targeting U.S. Based AI-Developers

A sophisticated recruitment scam linked to North Korea has emerged, targeting American artificial intelligence developers, software engineers, and cryptocurrency professionals through an elaborate fake job platform.

Validin security researchers have uncovered a new variant of what they call the “Contagious Interview” operation, designed to compromise job seekers through a seemingly legitimate hiring process.

The campaign uses a fully functional React and Next.js-based job platform hosted at lenvny[.]com that mimics leading technology companies and recruitment software, with surprising polish and authenticity.

The fake job platform presents itself as an “Integrated AI-Powered Interview Tool” intended for hiring teams. The website features a polished marketing interface, gradient-heavy design, and synthetic branding that appears carefully crafted to align with how the operators believe the AI and tech industry looks in 2025.

This level of sophistication marks a significant escalation from previous DPRK-linked recruitment lures, which typically used basic login forms or simple phishing pages.

The platform includes dozens of routes, dynamically generated job listings, and a complete application workflow that mirrors modern hiring systems, making it dangerously convincing to unsuspecting candidates.

Validin security analysts identified the malware, noting that the operation follows a specific infection pattern: a LinkedIn message leads to an interview process, which directs candidates to record video responses and then prompts them to “fix their webcam” using a helper tool.

A comparison chart of the fake site alongside genuine sites (Source - Validin)

This seemingly innocent troubleshooting step actually delivers malware directly to the target’s system.

Infection mechanism

The infection mechanism operates through what security researchers call the “ClickFix” technique, a social engineering approach that tricks users into downloading malicious software while appearing to resolve technical issues.

When candidates visit the platform, they encounter job listings specifically designed to attract high-value targets in the artificial intelligence and cryptocurrency sectors.

Job application listings for Anthropic advertising a variety of job positions. (Source - Validin)

The application process feels authentic, complete with video interviews and technical assessments that require users to run code or scripts on their machines.

This attack vector leverages the remote-friendly hiring practices common in tech industries, where video interviews and take-home coding assessments are standard.

North Korea explicitly targets this demographic because AI researchers and cryptocurrency professionals provide access to valuable assets and expertise.

AI developers have access to proprietary research, model weights, and inference infrastructure, while crypto professionals often operate in environments managing high-value digital assets.

Additionally, individuals in these fields typically maintain workstations with elevated system privileges, development environments, and custom tooling that increase initial payload execution success rates.

Job seekers should verify that company career pages are hosted on official domains and avoid uploading personal documents to unverified platforms.
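One way to automate the official-domain check described above, as an added example that is not from Validin or the original article. It assumes the reader maintains their own allowlist (`OFFICIAL_DOMAINS` here holds one illustrative entry) and that the sample URLs are constructed; only lenvny[.]com comes from the article.

```python
from urllib.parse import urlsplit

# Assumption: an allowlist the reader builds from sources they trust
# (the company's own site), never from a link received in a message.
OFFICIAL_DOMAINS = {"anthropic.com"}

def refang(url: str) -> str:
    """Undo common defanging (lenvny[.]com, hxxps://) so the URL parses."""
    return (url.replace("[.]", ".")
               .replace("hxxps://", "https://")
               .replace("hxxp://", "http://"))

def career_host(url: str) -> str:
    """Return the lowercase hostname a browser would connect to."""
    url = refang(url.strip())
    if not url.lower().startswith(("http://", "https://")):
        url = "https://" + url          # bare host/path pasted from a message
    host = urlsplit(url).hostname or ""  # drops any user@ prefix and port
    return host.rstrip(".").lower()

def is_official(url: str, official=OFFICIAL_DOMAINS) -> bool:
    """True only if the host is an allowlisted domain or a subdomain of one."""
    host = career_host(url)
    try:
        # Punycode-encode so look-alike Unicode letters cannot match ASCII names.
        host = host.encode("idna").decode("ascii")
    except UnicodeError:
        return False                     # malformed host: fail closed
    # Match on a label boundary so "notanthropic.com" does not pass.
    return bool(host) and any(host == d or host.endswith("." + d)
                              for d in official)

# Constructed sample links of the kinds a candidate might receive.
SAMPLES = [
    "https://www.anthropic.com/careers",          # subdomain of official domain
    "lenvny[.]com/jobs",                          # domain named in the article
    "https://anthropic.com.lenvny[.]com/careers", # official name as a subdomain
    "https://anthropic.com@lenvny[.]com/",        # official name as userinfo
    "https://notanthropic.com/jobs",              # suffix look-alike
]

if __name__ == "__main__":
    for link in SAMPLES:
        verdict = "official" if is_official(link) else "NOT official"
        print(f"{verdict:13} {career_host(link):28} {link}")
```

A passing result only means the host belongs to an allowlisted domain; companies that host applications on a third-party applicant tracking system need that system's domain confirmed separately.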

When asked to execute code during interviews, candidates should review scripts carefully and always run unfamiliar code inside virtual machines or sandboxed environments rather than directly on their primary workstations.
