CyberSecurityNews

Malware Campaign Delivers Remote Access Backdoor and Fake MetaMask Wallet to Steal Cryptocurrency Funds


North Korean threat actors have launched a sophisticated attack campaign targeting IT professionals in cryptocurrency, Web3, and artificial intelligence sectors.

The ongoing operation, known as Contagious Interview, deploys remote access backdoors alongside trojanized MetaMask wallet extensions designed to steal digital assets from unsuspecting victims.

The attackers disguise malicious code within fake job interview assessments through poisoned NPM packages that developers unknowingly execute during technical skills evaluations.

The campaign represents a significant evolution in financial cybercrime tactics. Attackers deploy two primary malware families called BeaverTail and InvisibleFerret, which have been continuously updated with enhanced data theft capabilities.

Recent variants demonstrate advanced techniques for manipulating browser extensions and intercepting cryptocurrency credentials.

The malware establishes persistent backdoor access while simultaneously searching for sensitive files including wallet data, password managers, and development environment secrets across Windows, macOS, and Linux systems.


Threat intelligence analyst Seongsu Park identified the latest attack chain, revealing how the threat actors have streamlined their infection process.

The initial JavaScript payload has been deliberately simplified to perform only the essential functions: sending a beacon and downloading the subsequent attack stages.

This tactical reduction minimizes detection likelihood while maintaining operational effectiveness.

Infection diagram (Source – Medium)

The attack unfolds through multiple coordinated stages. First, victims execute malicious JavaScript hidden within trojanized NPM packages presented during fake technical interviews.

The initial script contacts command-and-control infrastructure to retrieve encoded server addresses and campaign identifiers.

Next, it downloads two specialized JavaScript files and the Python-based InvisibleFerret backdoor.

One JavaScript component functions as a lightweight backdoor enabling remote command execution, while the other systematically searches for and exfiltrates sensitive files containing keywords like wallet, metamask, private, mnemonic, and password.
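Because the infection chain above starts with a developer running an npm package handed over as an "interview assessment", a defender's first control is a triage pass before anything is installed. The following is an added example, not code from the article or from any vendor it names: a static check that flags install-time lifecycle hooks and a handful of source-level heuristics, then turns them into an allow/review/block decision. The rule names, thresholds and both sample packages are constructed for illustration.

```javascript
// Added example (not code from the article or from any vendor named in it):
// a static pre-install triage pass over an npm package, meant to run before
// `npm install` on anything received as an "interview assessment". Rule names,
// thresholds and the two sample packages are constructed for illustration.

// Lifecycle scripts run automatically during install, so they are the first
// place to look for code that executes without the developer calling it.
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare', 'prepublish'];

// Source-level heuristics. None is malicious on its own; an install hook
// combined with several of these is what earns a block verdict.
const SOURCE_RULES = [
  { id: 'dynamic-eval',   re: /\b(eval|new\s+Function)\s*\(/,                why: 'dynamic code execution' },
  { id: 'child-process',  re: /require\(\s*['"]child_process['"]\s*\)/,       why: 'spawns OS commands' },
  { id: 'base64-decode',  re: /Buffer\.from\([^)]*['"]base64['"]\)|\batob\(/, why: 'decodes an embedded payload' },
  { id: 'long-b64-blob',  re: /['"][A-Za-z0-9+/]{200,}={0,2}['"]/,            why: 'large opaque string literal' },
  { id: 'raw-ip-url',     re: /https?:\/\/\d{1,3}(\.\d{1,3}){3}/,             why: 'hard-coded IP endpoint' },
  { id: 'charcode-build', re: /String\.fromCharCode\s*\((?:\s*\d+\s*,){8,}/,  why: 'string assembled from char codes' },
];

// pkg = { packageJson: <parsed package.json>, files: { relativePath: sourceText } }
function auditPackage(pkg) {
  const findings = [];
  const scripts = (pkg.packageJson && pkg.packageJson.scripts) || {};
  for (const hook of LIFECYCLE_HOOKS) {
    if (scripts[hook]) {
      findings.push({ file: 'package.json', rule: `lifecycle:${hook}`, evidence: scripts[hook] });
    }
  }
  for (const [file, source] of Object.entries(pkg.files || {})) {
    if (!/\.[cm]?js$/.test(file)) continue;
    for (const rule of SOURCE_RULES) {
      const m = rule.re.exec(source);
      if (m) findings.push({ file, rule: rule.id, evidence: m[0].slice(0, 60), why: rule.why });
    }
  }
  return findings;
}

// Turn findings into a decision a CI gate or the developer can act on.
function verdict(findings) {
  const hasHook = findings.some(f => f.rule.startsWith('lifecycle:'));
  const codeRules = new Set(findings.filter(f => !f.rule.startsWith('lifecycle:')).map(f => f.rule));
  if (hasHook && codeRules.size >= 2) return 'block';
  if (hasHook || codeRules.size >= 2) return 'review';
  return 'allow';
}

function triage(pkg) {
  const findings = auditPackage(pkg);
  return { name: pkg.packageJson.name, verdict: verdict(findings), findings };
}

// Constructed sample: an "assessment" package whose postinstall hook decodes
// and evaluates a blob, beside a plain utility package for comparison.
const SUSPICIOUS_PKG = {
  packageJson: { name: 'interview-task-runner', scripts: { test: 'node test.js', postinstall: 'node scripts/setup.js' } },
  files: {
    'scripts/setup.js': [
      "const cp = require('child_process');",
      'const blob = "' + 'Q'.repeat(240) + '";',
      "const code = Buffer.from(blob, 'base64').toString();",
      'eval(code);',
    ].join('\n'),
    'index.js': 'module.exports = () => 42;',
  },
};

const BENIGN_PKG = {
  packageJson: { name: 'pad-left-clone', scripts: { test: 'node test.js' } },
  files: { 'index.js': 'module.exports = (s, n) => String(s).padStart(n);' },
};

for (const pkg of [SUSPICIOUS_PKG, BENIGN_PKG]) console.log(JSON.stringify(triage(pkg), null, 2));
```

The verdict logic deliberately treats a lifecycle hook as the pivot: a package with a postinstall script and two or more of the code heuristics is blocked, either alone sends it to review, and a clean package passes. Run it against the unpacked tarball (`npm pack` followed by extracting the archive) rather than against a checkout, since the published artifact is what `npm install` actually executes.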

The most dangerous aspect involves surgical manipulation of legitimate MetaMask cryptocurrency wallet extensions. Through the lightweight backdoor, attackers deploy an additional script that scans Chrome and Brave browsers for installed MetaMask extensions.

When detected, the malware downloads a trojanized version from command-and-control servers and performs complex modifications to browser configuration files.

The attack defeats Chrome’s tamper protection for those configuration files by generating valid HMAC-SHA256 signatures for the modified entries, so the browser does not flag them as tampered.

The fake MetaMask extension contains minimally modified code with approximately 15 malicious lines injected into the submitPassword function.

When users unlock their wallets, the trojanized extension captures master passwords and encrypted vault files containing seed phrases and private keys.

The stolen data is transmitted to attacker servers, providing complete access to victims’ cryptocurrency holdings. Because the injected code preserves full functional compatibility with legitimate MetaMask, the tampering is extremely difficult for a user to notice.
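Since the article describes the attacker producing valid HMACs for the rewritten configuration, re-verifying those signatures tells a defender nothing. What can still be inspected is what the configuration says: where the browser is loading each extension from and how it was installed. The following is an added example, not code from the article: a heuristic review of the extension entries in a Chrome or Brave profile's "Secure Preferences" JSON. The field layout (extensions.settings.<id> with path, location and from_webstore) and the ManifestLocation values follow Chrome's preference schema as the author of this example understands it and should be confirmed against the browser version in use; the MetaMask store ID is an assumed constant, and both sample documents are constructed.

```javascript
// Added example (not code from the article): a heuristic review of the
// extension entries in a Chrome or Brave profile's "Secure Preferences" JSON.
// The field layout used here (extensions.settings.<id> with path, location and
// from_webstore) follows Chrome's preference schema as understood by the author
// of this example and should be confirmed against the browser version in use;
// both sample documents below are constructed.

// ManifestLocation values as assumed from Chromium: 1 = installed into the
// profile from the store, 4 = loaded from an unpacked directory.
const LOCATION_INTERNAL = 1;
const LOCATION_UNPACKED = 4;

// Wallet extensions that warrant a high-severity alert. The MetaMask ID is an
// assumed constant; verify it against the Chrome Web Store listing before use.
const WATCHED_WALLETS = { nkbihfbeogaeaoehlefnkodbefgpgknn: 'MetaMask' };

function reviewExtensionSettings(prefs) {
  const settings = (((prefs || {}).extensions || {}).settings) || {};
  const alerts = [];
  for (const [id, entry] of Object.entries(settings)) {
    const watched = Object.prototype.hasOwnProperty.call(WATCHED_WALLETS, id);
    const path = String(entry.path || '');
    const reasons = [];
    // Store installs are recorded with a relative path that starts with the
    // extension ID (e.g. "<id>/12.0.0_0"). A drive letter or leading slash
    // means the browser is loading the extension's files from somewhere else.
    if (/^([A-Za-z]:[\\/]|\/)/.test(path)) reasons.push(`absolute path: ${path}`);
    else if (!path.startsWith(id)) reasons.push(`path not under extension id: ${path}`);
    if (entry.location === LOCATION_UNPACKED) reasons.push('loaded as unpacked extension');
    if (watched) {
      if (entry.location !== LOCATION_INTERNAL) reasons.push(`wallet location is ${entry.location}, expected ${LOCATION_INTERNAL}`);
      if (entry.from_webstore !== true) reasons.push('wallet entry not marked from_webstore');
    }
    if (reasons.length) alerts.push({ id, name: WATCHED_WALLETS[id] || id, severity: watched ? 'high' : 'low', reasons });
  }
  return alerts;
}

// Constructed: a profile with a normal store-installed MetaMask and a built-in
// component extension (placeholder ID) that must not trigger an alert.
const CLEAN_PREFS = {
  extensions: {
    settings: {
      nkbihfbeogaeaoehlefnkodbefgpgknn: { path: 'nkbihfbeogaeaoehlefnkodbefgpgknn\\12.0.0_0', location: 1, from_webstore: true, state: 1 },
      aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa: { path: 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\\1.0_0', location: 5, state: 1 },
    },
  },
};

// Constructed: the same profile after the wallet entry has been repointed at a
// copy of the extension living in a temp directory.
const TAMPERED_PREFS = {
  extensions: {
    settings: {
      nkbihfbeogaeaoehlefnkodbefgpgknn: { path: 'C:\\Users\\dev\\AppData\\Local\\Temp\\mm-patched', location: 4, from_webstore: false, state: 1 },
      aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa: { path: 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\\1.0_0', location: 5, state: 1 },
    },
  },
};

console.log('clean   :', JSON.stringify(reviewExtensionSettings(CLEAN_PREFS)));
console.log('tampered:', JSON.stringify(reviewExtensionSettings(TAMPERED_PREFS), null, 2));
```

The review is only as good as the fields it reads, so treat it as one signal among several: an entry that still points at the profile's own Extensions directory can also have had its files overwritten in place. For that case, hash the installed extension directory and compare it with a fresh copy of the same version from the store, which is the integrity check the article's advice to "verify MetaMask extension integrity through official browser stores" amounts to in practice.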

Organizations should monitor for suspicious NPM packages during development workflows and implement strict code review processes.

Network administrators should block communication to identified command-and-control infrastructure. Users should verify MetaMask extension integrity through official browser stores.

Regular monitoring of browser extension permissions can help detect compromise attempts. Security teams should implement behavioral detection rules targeting file exfiltration patterns and unauthorized browser configuration modifications.

Developers should avoid executing untrusted NPM packages, especially those received during recruitment processes.
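The behavioral rules the recommendations call for can be expressed directly against endpoint file-activity telemetry. The following is an added example, not code from the article: two detections run over file events, one for a single process reading several files whose names match the keyword list quoted earlier (wallet, metamask, private, mnemonic, password) inside a short window, and one for a browser preferences file being written by anything other than the browser. The log format, process names, thresholds and every event line are constructed for this example.

```javascript
// Added example (not code from the article): two behavioural detections run
// over endpoint file-activity events, built around the keyword list the
// article quotes (wallet, metamask, private, mnemonic, password) and the
// browser configuration files the campaign rewrites. The log format, process
// names, thresholds and every event line are constructed for this example.

const SENSITIVE_KEYWORDS = ['wallet', 'metamask', 'private', 'mnemonic', 'password'];
const BROWSER_CONFIG_FILE = /[\\/](Preferences|Secure Preferences)$/;
// Processes allowed to write their own profile files (constructed allowlist).
const BROWSER_PROCESSES = new Set(['chrome.exe', 'brave.exe', 'Google Chrome', 'Brave Browser', 'chrome', 'brave']);
const SWEEP_THRESHOLD = 3;      // distinct sensitive files ...
const SWEEP_WINDOW_MS = 60_000; // ... read by one process inside this window

// Constructed log format: ISO timestamp|pid|process|op|path
function parseEvents(lines) {
  return lines.map(line => {
    const [ts, pid, process, op, path] = line.split('|');
    return { ts: Date.parse(ts), pid: Number(pid), process, op, path };
  });
}

// Rule 1: one process reads several differently-named sensitive files in a
// short window, the pattern a keyword-driven file stealer produces and an
// editor or backup agent normally does not.
function detectSensitiveSweep(events) {
  const byPid = new Map();
  for (const e of events) {
    if (e.op !== 'READ') continue;
    const lower = e.path.toLowerCase();
    if (!SENSITIVE_KEYWORDS.some(k => lower.includes(k))) continue;
    if (!byPid.has(e.pid)) byPid.set(e.pid, []);
    byPid.get(e.pid).push(e);
  }
  const alerts = [];
  for (const [pid, list] of byPid) {
    list.sort((a, b) => a.ts - b.ts);
    const inWindow = new Map(); // path -> number of reads inside the sliding window
    let start = 0;
    for (let end = 0; end < list.length; end++) {
      inWindow.set(list[end].path, (inWindow.get(list[end].path) || 0) + 1);
      while (list[end].ts - list[start].ts > SWEEP_WINDOW_MS) {
        const p = list[start].path;
        inWindow.set(p, inWindow.get(p) - 1);
        if (inWindow.get(p) === 0) inWindow.delete(p);
        start++;
      }
      if (inWindow.size >= SWEEP_THRESHOLD) {
        alerts.push({ rule: 'sensitive-file-sweep', pid, process: list[end].process, files: [...inWindow.keys()] });
        break; // one alert per process is enough
      }
    }
  }
  return alerts;
}

// Rule 2: a browser preferences file is written by something other than the browser.
function detectBrowserConfigTamper(events) {
  return events
    .filter(e => e.op === 'WRITE' && BROWSER_CONFIG_FILE.test(e.path) && !BROWSER_PROCESSES.has(e.process))
    .map(e => ({ rule: 'browser-config-write', pid: e.pid, process: e.process, path: e.path }));
}

function runDetections(lines) {
  const events = parseEvents(lines);
  return { sweeps: detectSensitiveSweep(events), tampers: detectBrowserConfigTamper(events) };
}

// Constructed sample: a node process sweeping keyword-matched files and then
// rewriting Secure Preferences, beside normal browser and editor activity.
const SAMPLE_LOG = [
  String.raw`2025-01-15T10:00:01Z|4412|node.exe|READ|C:\Users\dev\.config\wallet.json`,
  String.raw`2025-01-15T10:00:03Z|4412|node.exe|READ|C:\Users\dev\Documents\mnemonic-backup.txt`,
  String.raw`2025-01-15T10:00:09Z|4412|node.exe|READ|C:\Users\dev\projects\app\.env.private`,
  String.raw`2025-01-15T10:00:15Z|4412|node.exe|READ|C:\Users\dev\Desktop\metamask-seed.txt`,
  String.raw`2025-01-15T10:00:20Z|4412|node.exe|WRITE|C:\Users\dev\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences`,
  String.raw`2025-01-15T10:05:00Z|2210|chrome.exe|WRITE|C:\Users\dev\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences`,
  String.raw`2025-01-15T10:30:00Z|3300|Code.exe|READ|C:\Users\dev\projects\app\password-policy.md`,
];

console.log(JSON.stringify(runDetections(SAMPLE_LOG), null, 2));
```

On the sample, the node process trips the sweep rule at its third distinct keyword-matched read and the config rule on its write to Secure Preferences, while the browser's own write and the editor's single "password" file do not. When both rules fire for the same pid, as here, that correlation is worth escalating ahead of either alert on its own.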
