
North Korea’s Contagious Interview Campaign Spreads Across 5 Ecosystems, Delivering Staged RAT Payloads

North Korea's Contagious Interview campaign has launched a coordinated supply chain attack across five major open-source ecosystems. The threat actors published malicious packages masquerading as legitimate developer tools that act as staged loaders to deliver remote access trojans (RATs) and infostealers to developer workstations.

Sens: Immediate | Conf: high | Analyzed: 2026-04-09

Authors: Socket.dev

Actors: North Korea, Contagious Interview

Source:Socket


Key Takeaways

  • North Korea's Contagious Interview campaign has expanded to target five major open-source ecosystems: npm, PyPI, Go Modules, Rust (crates.io), and Packagist.
  • Malicious payloads are hidden within normal-looking functions of packages masquerading as legitimate developer tools (e.g., loggers, license checkers).
  • The standard attack chain involves fetching a ZIP archive (often 'ecw_update.zip') from Google Drive via a C2-provided URL and executing platform-specific payloads.
  • A Windows-specific variant ('license-utils-kit') deploys a full post-compromise RAT with infostealing, keylogging, and remote shell capabilities.
  • Threat actors utilize multiple interconnected GitHub personas (e.g., 'golangorg', 'maxcointech1010') to host code, build legitimacy, and support infrastructure staging.

Affected Systems

  • Windows
  • Linux
  • macOS
  • Developer Workstations
  • Node.js
  • Python
  • Go
  • Rust
  • PHP

Attack Chain

The attack begins when a developer installs a malicious package masquerading as a legitimate utility library. When specific, normal-looking functions are called within the library, a hidden loader routine is triggered. This loader contacts a C2 server to retrieve a download URL, fetches a ZIP archive (often from Google Drive), and extracts it to a hardcoded temporary directory. Finally, it executes a platform-specific payload (such as a RAT or infostealer) to compromise the developer's workstation.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

The article does not provide specific detection rules (YARA, Sigma, etc.), but lists actionable IOCs including domains, IP addresses, and file hashes.

Detection Engineering Assessment

  • EDR Visibility: High — EDR solutions should easily detect the execution of suspicious child processes (like py.exe or dropped binaries like systemd-resolved) spawned by development tools (Node, Python, Go).
  • Network Visibility: Medium — Network monitoring can detect connections to known malicious Vercel/Render subdomains and unexpected downloads from Google Drive, though the traffic is likely HTTPS encrypted.
  • Detection Difficulty: Moderate — While the initial access is hidden within legitimate-looking code, the subsequent staging behavior (downloading ZIPs, extracting to specific temp folders, spawning new processes) creates distinct behavioral anomalies.

Required Log Sources

  • Process Creation (Event ID 4688 / Sysmon Event ID 1)
  • Network Connections (Sysmon Event ID 3)
  • File Creation (Sysmon Event ID 11)

Hunting Hypotheses

  • Hypothesis: Look for development processes (node, python, go) initiating unexpected network connections to Vercel or Render subdomains followed by file creation events. | Telemetry: Process, Network, File | ATT&CK Stage: Execution/Command and Control | FP Risk: Medium
  • Hypothesis: Search for the creation of directories matching the specific hardcoded temporary path '410BB449A-72C6-4500-9765-ACD04JBV827V32V'. | Telemetry: File | ATT&CK Stage: Execution | FP Risk: Low
  • Hypothesis: Identify instances of 'py.exe' executing scripts from temporary directories, especially those with '.tmp' extensions. | Telemetry: Process | ATT&CK Stage: Execution | FP Risk: Medium
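The three hypotheses above, implemented as one pass over Sysmon-style process, network and file events. This is an added example, not code from the Socket report; the event field names (event_id, pid, image, dest_host, target_filename, command_line) and the sample events are constructed for illustration, while the hosting suffixes, the hardcoded directory name and the '.tmp' artifact come from the page.

```python
"""Hunt for the loader's staging behaviour in Sysmon-style events (example code)."""
from typing import Dict, List

SUSPECT_SUFFIXES = (".vercel.app", ".onrender.com")   # hosting used by the loaders' C2 (from the IOC list)
DEV_PROCESSES = {"node", "node.exe", "python", "python.exe", "python3", "go", "go.exe"}
HARDCODED_DIR = "410BB449A-72C6-4500-9765-ACD04JBV827V32V"  # loader's extraction directory
TEMP_MARKERS = ("\\temp\\", "/tmp/")                   # "script lives in a temp dir" heuristic


def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def hunt(events: List[Dict]) -> List[Dict]:
    """Return one finding per matched hypothesis. Events must be in chronological order,
    because hypothesis 1 needs the network connection to precede the file creation."""
    findings: List[Dict] = []
    c2_pids = set()  # dev-tool pids already seen talking to suspect hosting
    for ev in events:
        eid, pid, image = ev["event_id"], ev["pid"], ev.get("image", "")
        if eid == 3 and _basename(image) in DEV_PROCESSES \
                and ev["dest_host"].lower().endswith(SUSPECT_SUFFIXES):
            c2_pids.add(pid)                              # hypothesis 1, first half
        elif eid == 11:
            target = ev["target_filename"]
            if HARDCODED_DIR.lower() in target.lower():    # hypothesis 2
                findings.append({"hypothesis": "hardcoded_temp_dir", "pid": pid, "detail": target})
            if pid in c2_pids:                             # hypothesis 1, second half
                findings.append({"hypothesis": "dev_process_c2_then_file", "pid": pid, "detail": target})
        elif eid == 1 and _basename(image) == "py.exe":    # hypothesis 3
            cmd = ev.get("command_line", "")
            low = cmd.lower()
            if ".tmp" in low and any(m in low for m in TEMP_MARKERS):
                findings.append({"hypothesis": "py_exe_tmp_script", "pid": pid, "detail": cmd})
    return findings


# Constructed sample telemetry (not real logs): one staged-loader sequence plus benign noise.
SAMPLE_EVENTS = [
    {"event_id": 3, "pid": 4120, "image": "C:\\Program Files\\nodejs\\node.exe", "dest_host": "apachelicense.vercel.app"},
    {"event_id": 11, "pid": 4120, "image": "C:\\Program Files\\nodejs\\node.exe",
     "target_filename": "C:\\Users\\dev\\AppData\\Local\\Temp\\410BB449A-72C6-4500-9765-ACD04JBV827V32V\\ecw_update.zip"},
    {"event_id": 1, "pid": 5008, "image": "C:\\Windows\\py.exe",
     "command_line": "py.exe C:\\Users\\dev\\AppData\\Local\\Temp\\a91c2b7f-9d5f-487e-9e6f-63d1a42bf3db.tmp"},
    {"event_id": 3, "pid": 6100, "image": "C:\\Program Files\\nodejs\\node.exe", "dest_host": "registry.npmjs.org"},
    {"event_id": 11, "pid": 6100, "image": "C:\\Program Files\\nodejs\\node.exe",
     "target_filename": "C:\\Users\\dev\\proj\\node_modules\\.package-lock.json"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f["hypothesis"], f["pid"], f["detail"])
```

The benign npm install in the sample (pid 6100) produces no finding, which is the point of pairing the connection with a later file write rather than alerting on either alone.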

Control Gaps

  • Lack of strict egress filtering on developer workstations
  • Insufficient scanning of open-source dependencies before integration

Key Behavioral Indicators

  • Hardcoded extraction directory '410BB449A-72C6-4500-9765-ACD04JBV827V32V'
  • Processes spawning from development environments executing files named 'systemd-resolved' or 'com.apple.systemevents'

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Search the environment for the listed malicious packages and remove them immediately.
  • Block access to the identified C2 domains and IP addresses at the network perimeter.

Infrastructure Hardening

  • Implement strict egress filtering for developer workstations to prevent unauthorized C2 communication.
  • Enforce the use of internal, curated package repositories instead of direct internet access to public registries.

User Protection

  • Deploy EDR solutions on all developer workstations and monitor for anomalous child processes.
  • Sandbox suspicious packages before they reach developer workstations or CI systems.

Security Awareness

  • Train developers on the risks of supply chain attacks and the importance of verifying package authenticity.
  • Establish a policy for vetting new open-source dependencies, scrutinizing newly published or low-download packages before adoption.

MITRE ATT&CK Mapping

  • T1195.001 - Compromise Software Dependencies and Development Tools
  • T1608.001 - Stage Capabilities: Upload Malware
  • T1036.005 - Masquerading: Match Legitimate Resource Name or Location
  • T1059.007 - Command and Scripting Interpreter: JavaScript
  • T1059.006 - Command and Scripting Interpreter: Python
  • T1027.013 - Obfuscated Files or Information: Encrypted/Encoded File
  • T1140 - Deobfuscate/Decode Files or Information
  • T1105 - Ingress Tool Transfer
  • T1071.001 - Application Layer Protocol: Web Protocols
  • T1005 - Data from Local System
  • T1082 - System Information Discovery
  • T1083 - File and Directory Discovery
  • T1217 - Browser Information Discovery
  • T1555.003 - Credentials from Password Stores: Credentials from Web Browsers
  • T1555.005 - Credentials from Password Stores: Password Managers
  • T1119 - Automated Collection
  • T1041 - Exfiltration Over C2 Channel
  • T1657 - Financial Theft

Additional IOCs

  • IPs:
    • 66[.]45[.]225[.]94 - C2 infrastructure for Windows RAT variant
  • Domains:
    • ngrok-free[.]vercel[.]app - C2 and delivery endpoint
    • logkit[.]onrender[.]com - C2 and delivery endpoint
    • apachelicense[.]vercel[.]app - C2 and delivery endpoint
    • logkit-tau[.]vercel[.]app - C2 and delivery endpoint
  • URLs:
    • hxxps://apachelicense[.]vercel[.]app/getAddress?platform=<platform> - Endpoint used by loaders to retrieve the next stage download URL
    • hxxps://logkit-tau[.]vercel[.]app/debugCheck?id=<namespaces> - Endpoint used by npm packages to fetch base64 payloads
  • File Hashes:
    • 9a541dffb7fc18dc71dbc8523ec6c3a71c224ffeb518ae3a8d7d16377aebee58 (SHA256) - Linux payload
    • bb2a89001410fa5a11dea6477d4f5573130261badc67fe952cfad1174c2f0edd (SHA256) - macOS payload
    • 7c5adef4b5aee7a4aa6e795a86f8b7d601618c3bc003f1326ca57d03ec7d6524 (SHA256) - Windows payload
  • File Paths:
    • 410BB449A-72C6-4500-9765-ACD04JBV827V32V - Hardcoded temporary extraction directory used by the loaders
    • com.apple.systemevents - macOS payload filename
    • systemd-resolved - Linux payload filename
    • start.py - Execution artifact
    • py.exe - Execution artifact
    • a91c2b7f-9d5f-487e-9e6f-63d1a42bf3db.tmp - Execution artifact
  • Command Lines:
    • Purpose: Execute decoded Python script | Tools: py.exe | Stage: Execution | py.exe <temp_script>
    • Purpose: Execute decoded PHP stage | Tools: php | Stage: Execution | -c
    • Purpose: Execute base64 decoded JavaScript in memory | Tools: Node.js | Stage: Execution | new Function('require', decodedCode)(require)
  • Other:
    • aokisasaki1122@gmail.com - Threat actor registration email
    • shiningup1996@gmail.com - Threat actor registration email
    • golangorg - Malicious GitHub alias
    • aokisasakidev - Malicious GitHub alias
    • maxcointech1010 - Malicious GitHub alias used for persona building