North Korean hacker spreads malware via fake crypto companies and employment interview lures

April 26, 2025

The North Korea-linked threat actors behind Contagious Interview have set up front companies as a way to distribute malware during a fake hiring process.

“In this new campaign, the threat actor group uses three front companies in the cryptocurrency consulting industry: BlockNovas LLC (BlockNovas (.)com), Angeloper Agency (Angeloper (.)com), and Softglide LLC (Softglide (.)co).”

According to cybersecurity company Silent Push, the activity is used to distribute three different known malware families: BeaverTail, InvisibleFerret, and OtterCookie.

Contagious Interview is one of several employment-themed social engineering campaigns North Korea has run to lure targets into running malicious code, either under the pretext of a coding assignment or by asking them to “fix” a supposed browser issue that appears when the camera is turned on during a video assessment.

The activity is tracked by the broader cybersecurity community under the monikers CL-STA-0240, DeceptiveDevelopment, DEV#POPPER, Famous Chollima, UNC5342, and Void Dokkaebi.

The use of front companies for malware distribution, complemented by fraudulent accounts on Facebook, LinkedIn, Pinterest, X, Medium, GitHub, and GitLab, marks a new escalation for threat actors previously observed using various job boards to lure victims.

“BlockNovas claims to have 14 people working for it, but many of the employee personas (…) appear to be fake,” Silent Push said. “When viewing the ‘About Us’ page on BlockNovas (.)com via the Wayback Machine, the group claimed it had been operating for ‘more than 12 years.’ That is 11 years longer than the business has been registered.”

The attack leads to the deployment of a JavaScript stealer and loader known as BeaverTail. It is used to drop a Python backdoor called InvisibleFerret, which can establish persistence on Windows, Linux, and macOS hosts. Selected infection chains are also known to deliver another malware family called OtterCookie via the same JavaScript payload used to launch BeaverTail.


BlockNovas has also been observed distributing FrostyFerret and GolangGhost using ClickFix-style lures built around video assessments, a tactic detailed earlier this month by Sekoia, which tracks the activity under the name ClickFake Interview.

BeaverTail is configured to contact an external server (“lianxinxiao(.)com”) for command and control (C2) and delivers InvisibleFerret as a follow-up payload. InvisibleFerret comes with a variety of features: it collects system information, launches a reverse shell, downloads additional modules to steal browser data and files, and installs the AnyDesk remote access software.

Further analysis of the malicious infrastructure revealed a “status dashboard” hosted on one of the BlockNovas subdomains.

Another subdomain, mail.blocknovas(.)com, is also known to host Hashtopolis, an open source distributed password-cracking management system. The fake recruitment drive resulted in at least one developer allegedly having their MetaMask wallet compromised in September 2024.

That’s not all. The threat actor also appears to be hosting a tool named Kryptoneer on the domain Attisscmo (.)com, which offers the ability to connect to cryptocurrency wallets such as Suiet Wallet, Ethos Wallet, and Sui Wallet.
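The infrastructure named across the preceding paragraphs (the three front-company domains, the BeaverTail C2 domain, the mail.blocknovas subdomain, and the Kryptoneer host) is written in defanged form. The following added example, which is not part of the article or of Silent Push's tooling, refangs those indicators, matches them against constructed proxy log lines (including subdomains such as mail.blocknovas.com), and correlates an indicator contact with a later AnyDesk download from the same client, since the article describes AnyDesk installation as a follow-up step; the log format is an assumption.

```python
from __future__ import annotations
import re

# Indicators exactly as the article defangs them (not an official feed).
DEFANGED_INDICATORS = [
    "BlockNovas (.)com", "Angeloper (.)com", "Softglide (.)co",
    "lianxinxiao(.)com", "mail.blocknovas(.)com", "Attisscmo (.)com",
]

def refang(indicator: str) -> str:
    """'BlockNovas (.)com' -> 'blocknovas.com' (also handles the [.] style)."""
    return re.sub(r"\s*(\(\.\)|\[\.\])\s*", ".", indicator).strip().lower()

def domain_matches(host: str, indicator: str) -> bool:
    """True if host equals the indicator or is a subdomain of it (no substring matches)."""
    host = host.lower().rstrip(".")
    return host == indicator or host.endswith("." + indicator)

# Constructed, time-ordered sample lines: "<timestamp> <client_ip> <dest_host> <path>"
SAMPLE_PROXY_LOG = """\
2025-04-20T09:12:01Z 10.0.0.15 update.example.net /patches/1.2.3
2025-04-20T09:13:44Z 10.0.0.15 lianxinxiao.com /api/check
2025-04-20T09:14:02Z 10.0.0.15 download.anydesk.com /AnyDesk.exe
2025-04-20T10:02:10Z 10.0.0.22 mail.blocknovas.com /login
2025-04-20T10:05:00Z 10.0.0.31 notblocknovas.com /index.html
"""
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

def scan_proxy_log(log_text: str, indicators=DEFANGED_INDICATORS) -> list[dict]:
    """Return one hit per log line whose destination matches an indicator."""
    iocs = [refang(i) for i in indicators]
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash the scan
        ts, client, host, _path = m.groups()
        matched = [ioc for ioc in iocs if domain_matches(host, ioc)]
        if matched:  # prefer the most specific indicator (e.g. the mail subdomain)
            hits.append({"ts": ts, "client": client, "host": host,
                         "ioc": max(matched, key=len)})
    return hits

def anydesk_after_ioc_contact(log_text: str) -> set[str]:
    """Clients that fetched from anydesk.com after contacting an indicator.
    AnyDesk is legitimate software; only the sequence after a C2 contact is suspicious."""
    seen_ioc: set[str] = set()
    flagged: set[str] = set()
    for hit_or_line in log_text.splitlines():
        m = LOG_RE.match(hit_or_line)
        if not m:
            continue
        _, client, host, _ = m.groups()
        if any(domain_matches(host, refang(i)) for i in DEFANGED_INDICATORS):
            seen_ioc.add(client)
        elif client in seen_ioc and domain_matches(host, "anydesk.com"):
            flagged.add(client)
    return flagged
```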

“It is possible that North Korean threat actors have made additional efforts to target the SUI blockchain, or that the domain could be used within the recruitment process as an example of a ‘crypto project,’” Silent Push said.

BlockNovas advertised an open Senior Software Engineer position on LinkedIn in December 2024, particularly targeting IT professionals in Ukraine, according to an independent report published by Trend Micro.

As of April 23, 2025, the BlockNovas domain was seized by the US Federal Bureau of Investigation (FBI) as part of law enforcement action against North Korean cyber actors.


In addition to obscuring its infrastructure and activity with services such as Astrill VPN and residential proxies, a notable aspect of the malicious activity is the use of artificial intelligence (AI) tools such as Remaker to create profile photos.

The cybersecurity company said that in its analysis of the Contagious Interview campaign it identified five Russian IP ranges used to carry out the operations. These IP addresses are obscured behind VPN, proxy, or RDP layers.

“The Russian IP addresses are hidden by a large anonymization network that uses numerous VPS servers with commercial VPN services, proxy servers, and RDP, and are assigned to two companies in Khasan and Khabarovsk.

“Khasan is a mile from the North Korea-Russia border, and Khabarovsk is known for its economic and cultural ties with North Korea.”

If Contagious Interview is one side of the coin, the other is the fraudulent IT worker threat known as Wagemole, a tactic that involves using AI to create fake personas and getting IT workers hired remotely as employees of large companies.

These efforts have a dual motivation: stealing sensitive data and pursuing financial gain by funneling a portion of the monthly salaries to the Democratic People’s Republic of Korea (DPRK).

“Facilitators are currently using GenAI-based tools to optimize every step of the process of applying for roles and interviewing, and to help DPRK nationals try to maintain this employment,” Okta said.

“These GenAI-enhanced services are necessary to manage the scheduling of job interviews for multiple DPRK candidate personas by a small number of facilitators. These services span the full range of GenAI, from tools for transcribing or summarizing conversations to real-time translation of speech and text.”


Telemetry data collected by Trend Micro points to threat actors located in Pyongyang, as well as in China, Russia, and Pakistan, connecting to dozens of VPS servers via RDP over Russian IP ranges to carry out tasks such as interacting with job recruitment sites and accessing cryptocurrency-related services.

“It is plausible that there is some form of deliberate cooperation or shared infrastructure between North Korean entities, given that a significant portion of the deeper layers of the North Korean actors’ anonymization network is in Russia.”