North Korean hackers pose as recruiters in global attacks

A new campaign by North Korean state-backed hackers has compromised hundreds of professionals by impersonating recruiters on platforms like Slack.

What happened

Between March and June 2025, cybersecurity researchers identified a widespread cyber campaign led by North Korean threat actors posing as recruiters or job seekers. The attackers primarily targeted individuals in the blockchain, finance, healthcare, and marketing sectors, with the intent to steal cryptocurrency. SentinelLabs reported that at least 230 victims were identified through exposed server logs, though the actual number is believed to be much higher.

Going deeper

The campaign, dubbed 'Contagious Interview,' is an extension of tactics first seen in 2023 and attributed to the Lazarus Group. It uses social engineering, including fake job offers and phony skill assessments, to trick victims into executing malware, often through a technique known as 'ClickFix,' where fake CAPTCHA tests or error messages prompt users to run malicious scripts.

Once a victim is compromised, the hackers can exfiltrate sensitive data or gain access to digital assets. The infrastructure supporting these operations includes fake recruitment websites, compromised Slack workspaces, and tooling that queries threat intelligence platforms to check whether the attackers' own infrastructure has been detected.

SentinelLabs uncovered multiple indicators of poor operational security (OPSEC), including exposed web directories and internal files. These lapses allowed researchers to disrupt portions of the infrastructure and link the campaign to North Korea’s broader efforts to evade sanctions and generate funding through illicit cyber activity.

What was said

SentinelLabs stated that North Korean hackers actively monitor Cyber Threat Intelligence (CTI) feeds to evaluate their own risk of detection. Tools like Validin, VirusTotal, and Maltrail were used to monitor flagged infrastructure and identify new targets. Once a domain or malware strain was detected, the threat actors often abandoned the infrastructure and quickly deployed replacements, rather than modifying or hardening existing systems.

Researchers observed coordinated activity through Slack, including bot-based URL sharing among hacker teams. Despite access to advanced tools, the attackers did not apply systematic improvements to their methods, possibly due to revenue quotas and decentralization within the regime’s cyber units.

FAQs

Why do North Korean hackers target job seekers in blockchain and finance?

These sectors often involve direct access to crypto wallets or sensitive financial data, making individuals attractive targets for theft and extortion.

What is ClickFix, and how does it work in these attacks?

ClickFix is a technique where users are tricked into copying and pasting malicious code, often under the guise of fixing a fake error or completing a CAPTCHA test.

How are cyber intelligence platforms being abused in this campaign?

Hackers use platforms like Validin and VirusTotal to monitor their infrastructure, check if domains are flagged, and adjust operations accordingly.

Why do the attackers avoid improving their infrastructure after detection?

Due to pressure from revenue quotas, teams prioritize speed and output over long-term stealth, often abandoning old infrastructure rather than updating it.

How can individuals protect themselves from fake recruiter attacks?

Verify the authenticity of job offers, avoid running code or downloading files from unverified sources, and be cautious of recruitment processes that deviate from standard practices.