The North Korean threat actor behind the ongoing Contagious Interview campaign is extending its reach into the npm ecosystem, with more malicious packages uncovered that deliver the BeaverTail malware and a new remote access trojan (RAT) loader.
"These latest samples employ hexadecimal string encoding to evade automated detection systems and manual code audits, demonstrating variation in the threat actor's obfuscation techniques," Socket security researcher Kirill Boychenko said in a report.
The packages, which were collectively downloaded more than 5,600 times prior to their removal, are listed below:
- empty-array-validator
- twitterapis
- dev-debugger-vite
- snore-log
- core-pino
- events-utils
- icloud-cod
- cln-logger
- node-clog
- consolidate-log
- consolidate-logger
The disclosure comes almost a month after a set of six npm packages was found delivering BeaverTail, a JavaScript stealer that can also deploy a Python-based backdoor called InvisibleFerret.
The ultimate goal of the campaign is to break into developer systems under the guise of a job interview process, steal sensitive data, siphon financial assets, and maintain long-term access to the compromised systems.
The newly identified npm libraries pose as utilities and debuggers, with one of them, dev-debugger-vite, using a command-and-control (C2) address previously tied to the Lazarus Group in a December 2024 campaign codenamed Phantom Circuit.
What sets these packages apart is that some of them, such as events-utils and icloud-cod, are linked to Bitbucket repositories rather than GitHub. Furthermore, the icloud-cod package was found to be hosted within a directory named "eiwork_hire".
Analysis of the packages cln-logger, node-clog, consolidate-log, and consolidate-logger also reveals minor code-level variations, indicating that the attackers are distributing multiple malware variants to increase the success rate of their campaign.

Regardless of the variations, the malicious code embedded in the four packages acts as a remote access trojan (RAT) loader capable of fetching a next-stage payload from a remote server.
Boychenko told The Hacker News that the exact nature of the malware delivered through the loader remains unknown at this stage, as the C2 endpoints no longer serve payloads.
"The code acts as an active malware loader with remote access trojan (RAT) capabilities," Boychenko said. "It dynamically fetches and runs remote JavaScript via eval(), allowing North Korean attackers to execute arbitrary code on the infected system. This behavior allows them to deploy select follow-on malware, making the loader a significant threat in itself."
The findings demonstrate the persistent nature of Contagious Interview. In addition to posing a lasting threat to the software supply chain, the campaign also employs the infamous ClickFix social engineering tactic to distribute malware.
"The Contagious Interview threat actors have created new npm accounts across platforms such as the npm registry, GitHub, and Bitbucket and continue to deploy malicious code, showing persistence and no signs of slowing down," Boychenko said.
"Advanced persistent threat (APT) groups are diversifying their tactics. They publish new malware under fresh aliases, host payloads on both GitHub and Bitbucket repositories, and reuse core components such as BeaverTail and InvisibleFerret alongside newly observed RAT/loader variants."
BeaverTail Drops Tropidoor
The discovery of the new npm packages coincides with South Korean cybersecurity company AhnLab detailing a recruitment-themed phishing campaign that delivers BeaverTail and deploys a previously undocumented Windows backdoor codenamed Tropidoor. Artifacts analyzed by the company show that BeaverTail is being actively used to target Korean developers.
The email message, claiming to be from a company called AutoSquare, contained a link to a project hosted on Bitbucket, urging recipients to clone the project locally on their machines to demonstrate their understanding of the program.
The application is nothing more than an npm library containing BeaverTail ("tailwind.config.js") and a DLL downloader malware ("car.dll").

Tropidoor is a backdoor that contacts a C2 server to receive instructions, which allow it to exfiltrate files, collect drive and file information, run and terminate processes, capture screenshots, and delete or wipe files by overwriting them with null or junk data.
An important aspect of the implant is that it implements Windows commands such as schtasks, ping, and reg directly, a feature that was also observed in another Lazarus Group malware called LightlessCan.
"Users need to be careful not only with email attachments, but also with executables from unknown sources," AhnLab said.
(The story was updated after publication to include responses from Socket.)