North Korean Threat Actors Leverage Fake IT Worker Campaigns and Contagious Interview Tactics

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

North Korean nation-state threat actors have been running a two-part operation — posing as job recruiters while embedding fake workers inside real companies.

Since at least 2022, these actors have tricked software developers into running malicious code during fake technical interviews, using the malware families BeaverTail and OtterCookie to steal credentials, take remote control of devices, and carry out financial and identity theft.

The campaign, tracked publicly as Contagious Interview, has impacted thousands of developers and continues to grow in scale.

Threat actors build convincing recruiter profiles on professional networking platforms and direct targets to run code under the guise of a technical task.

Once a victim runs the project, the malware executes silently in the background.

In parallel, separate North Korean operatives have embedded themselves inside Western technology companies as fraudulent employees, earning wages that reportedly fund the regime.

GitLab analysts identified and banned 131 accounts on GitLab.com in 2025 connected to these North Korean malware distribution campaigns.

Activity peaked in September, averaging 11 account bans per month. Analysts noted that in over 80% of cases, actors did not store the malware directly on GitLab — instead placing a hidden loader that fetched payloads from third-party services like Vercel, making detection much harder for defenders.

Distribution of staging infrastructure used in North Korean nation-state malware activity on GitLab.com in 2025 (Source – GitLab)

The financial scale behind the IT worker scheme is equally serious. One private repository uncovered by analysts belonged to a cell manager named Kil-Nam Kang, who oversaw seven North Korean operatives operating from Beijing.

Financial records show the cell earned over US$1.64 million between Q1 2022 and Q3 2025 through freelance software development under stolen or fabricated identities.

Malware Execution and Concealment Tactics

The most common execution pattern in 2025 spread malicious code across multiple project files, making it easy to miss even during a careful code review.

Threat actors encoded a staging URL inside a .env file, disguised as a routine configuration variable.

When a developer ran the project, a trigger function fetched remote content and passed it to a custom error handler that used JavaScript’s Function.constructor method to execute the downloaded payload as live code.

Staging URLs also returned decoy content unless correct request headers were included, adding another layer of protection against analysis.

Distribution of features observed in North Korean nation-state malware projects on GitLab.com in 2025 (Source – GitLab)

In December 2025, analysts observed a new cluster executing malware through VS Code task configurations, decoding hidden payloads from fake font files.

Organizations should treat job applicants with broken links to professional profiles or code portfolios as suspicious.

Developers should avoid running unfamiliar code from unknown contacts during technical screening. Security teams should watch for encoded values in .env files and unexpected outbound requests triggered at application startup.
