Threatonomics

North Korea is targeting the job interview process to infiltrate US companies

by Emma McGowan, Senior Writer
Resilience threat intelligence reports on two recent social engineering campaigns

This post is based on threat intelligence compiled by Resilience Intelligence Analyst Steph Barnes, published May 8, 2025.

North Korean hackers have turned the interview chair into a staging ground for cyberattacks. Two sophisticated campaigns—Contagious Interview and WageMole—are actively targeting job seekers and employers alike, with a clear endgame: funneling money back to the North Korean regime while gathering valuable intelligence along the way.

Picture this: You’ve landed an interview for that software development role you’ve been eyeing. The job description seems legitimate, if a bit vague. The recruiter’s profile looks professional enough. But what you don’t see is the trap being set—one where completing a simple coding test or installing a “required” communication tool could compromise not just your personal security, but potentially your current employer’s entire network.

This isn’t hypothetical—it’s happening right now through two interconnected campaigns attributed to DPRK threat actors, notably the infamous Lazarus Group and Famous Chollima.

Contagious Interview and WageMole: A two-pronged social engineering attack

The first prong, Contagious Interview, is simple but effective. Threat actors pose as recruiters and convince candidates to download malware disguised as interview tools or coding tests during what appears to be a standard interview process.

In the second prong, WageMole, North Korean operatives attempt to secure employment at target companies, creating an insider threat that can bypass even the most robust perimeter defenses.

Both campaigns have predominantly targeted cryptocurrency and technology sectors—areas where North Korea has historically sought to extract financial gain—though security experts warn these tactics could easily expand to other industries.

What makes these attacks particularly effective is their exploitation of human psychology and professional norms. When we’re pursuing new career opportunities, we’re often eager to please potential employers and may be less likely to question unusual requests.

The final payload in many Contagious Interview incidents is the deployment of InvisibleFerret or similar backdoor malware from the Ferret family. Once installed, this backdoor gives threat actors persistent access to the victim’s system—and potentially their employer’s network—allowing them to steal cryptocurrency keys or sensitive information.

Another clever tactic involves the Node Package Manager (NPM), where malicious code is embedded in seemingly legitimate open-source packages that candidates are required to use during technical assessments.

Spotting the red flags

For job seekers, several red flags might indicate a Contagious Interview attempt:

  • Suspiciously vague job descriptions
  • Recruiter profiles that seem hastily created
  • Company names that mimic established organizations with small additions (LLC, AG, Inc.)
  • Unusual requirements to download custom software for interviews
  • Coding projects with hidden malicious code in comment fields
  • Pop-ups claiming to “fix errors” using the ClickFix technique
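
A pre-run check for the two code-level red flags above (malicious npm packages and code hidden in comment fields), as an added example that is not from the Resilience report: it inspects a take-home project's files before `npm install` is ever run. The rule names, thresholds and sample project are constructed assumptions, and the heuristics are triage aids, not campaign indicators.

```javascript
// Added example: static triage of a take-home project BEFORE `npm install` or running it.
const AUTO_RUN = ['preinstall', 'install', 'postinstall', 'prepare']; // run by `npm install`
const MAX_LINE = 500;                     // assumed: hand-written lines are rarely this long
const OFFSCREEN = /\S[ \t]{80,}\S/;       // text pushed far right, past the editor viewport
const ENCODED = /[A-Za-z0-9+\/=]{120,}/;  // long base64-like run
const COMMENT = /^\s*(\/\/|\/\*|\*|#)/;   // line begins as a comment

function triageProject(files) {
  const findings = [];
  for (const [path, text] of Object.entries(files)) {
    if (path.endsWith('package.json')) {
      let pkg;
      try { pkg = JSON.parse(text); } catch { findings.push({ path, rule: 'unparseable-manifest' }); continue; }
      for (const name of AUTO_RUN) {
        if (pkg.scripts && pkg.scripts[name]) findings.push({ path, rule: 'auto-run-script', detail: name });
      }
      const deps = { ...pkg.dependencies, ...pkg.devDependencies };
      for (const [dep, spec] of Object.entries(deps)) {
        // A git/URL/file spec is fetched from outside the registry's published versions.
        if (/^(git[+:]|https?:|github:|file:)/.test(String(spec))) {
          findings.push({ path, rule: 'non-registry-dependency', detail: dep });
        }
      }
      continue;
    }
    text.split(/\r?\n/).forEach((line, i) => {
      const at = { path, line: i + 1 };
      if (line.length > MAX_LINE) findings.push({ ...at, rule: 'overlong-line' });
      if (OFFSCREEN.test(line)) findings.push({ ...at, rule: 'offscreen-content' });
      if (COMMENT.test(line) && ENCODED.test(line)) findings.push({ ...at, rule: 'encoded-blob-in-comment' });
    });
  }
  return findings;
}

// Constructed sample project (path -> file contents); nothing here is from a real incident.
const sample = {
  'package.json': JSON.stringify({
    scripts: { test: 'node test.js', postinstall: 'node scripts/setup.js' },
    dependencies: { express: '^4.18.2', 'ui-helpers': 'git+https://example.invalid/ui-helpers.git' },
  }),
  'src/config.js': [
    'const port = 3000;',
    '// license: ' + 'QUJD'.repeat(40),
    'module.exports = { port };' + ' '.repeat(200) + 'hiddenCall();',
  ].join('\n'),
};

for (const f of triageProject(sample)) console.log(JSON.stringify(f));
```

A clean result does not make a project safe to run; unfamiliar interview code still belongs in an isolated sandbox.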

For employers, WageMole attempts might reveal themselves through:

  • Inconsistencies between interview performance and claimed experience
  • Candidates who appear to be receiving off-camera coaching
  • Difficulty answering basic questions about claimed residence or background
  • ID documents that don’t match the person on screen
  • Suspicious excuses for keeping cameras turned off during interviews

Protecting your organization and yourself

As these sophisticated campaigns continue to evolve, both organizations and individuals must develop proactive defense strategies. The good news is that with awareness and diligence, many of these attacks can be thwarted before they succeed. Here are concrete steps to strengthen your defenses against these dual threats.

For organizations:

Tighten device and usage policies

Create strict policies prohibiting employees from using company-issued devices for personal activities, including job interviews or job searches. This simple boundary creates a critical firewall between personal vulnerabilities and corporate assets. 

Additionally, implement technical controls that restrict the installation of non-approved software, with special attention to suspicious GitHub repositories with limited history or questionable provenance.

Strengthen hiring processes

Transform your hiring processes into a security strength rather than a vulnerability. Conduct comprehensive background checks that verify all aspects of an applicant’s claimed history, including employment, education, and certifications. 

For remote interviews, always use live video conferencing to confirm the applicant’s identity matches their documentation. Develop a healthy skepticism toward candidates who apply for onsite roles but then strongly advocate for remote arrangements without clear justification. 

Implement forensic examination of identification documents to detect alterations, and design onboarding procedures that include a probationary period with appropriately limited access to sensitive systems.

Enhance security monitoring

Maintain heightened vigilance for execution patterns or network traffic associated with known indicators of compromise from these campaigns. Before allowing any unfamiliar code or applications to run in your production environment, analyze them in isolated sandbox environments to identify suspicious behaviors. 

Take the time to customize your endpoint detection and response (EDR) rules to reflect your organization’s specific threat landscape, ensuring that alerts are meaningful and investigations are thorough.

Implement robust data protection

Deploy multi-factor authentication across all systems, with particular attention to privileged accounts, and establish protocols for regular credential rotation, especially for roles with access to sensitive information. Additionally, eliminate the practice of storing sensitive information like credentials, identity documents, or cryptocurrency keys in unencrypted formats. 

For jobseekers:

Before engaging with potential employers, take time to verify the company’s legitimacy through multiple independent channels, such as business registries or industry associations. When interacting with recruiters or interviewers, confirm their affiliation with the organization through official channels rather than just the contact information they provide. 

Approach with extreme caution any interview process that requires downloading unfamiliar software tools or communication applications, particularly when these aren’t industry-standard platforms. Finally, treat unexpected job offers or recruitment messages from unknown sources with healthy skepticism, especially when they come with unusual urgency or seem too perfectly aligned with your specific skills and interests.

This isn’t just about individual compromise—it’s part of North Korea’s broader cyber strategy to fund its regime and gather intelligence despite international sanctions. By targeting the employment process, these threat actors have found a particularly effective vector that exploits trust and professional norms.

For organizations and individuals alike, awareness is the first line of defense against these sophisticated social engineering attacks. In a job market where remote interviews and digital interactions are increasingly the norm, the ability to identify these threats has never been more critical.