North Korean IT Impersonator Tied to BeaverTail Video Conference App Phishing Scheme

Unit 42 identified CL-STA-0237, a North Korean IT worker activity cluster operating from Laos, that used fake job applications and malware-laden video conferencing sites to phish victims and install remote access tools. The campaign (aka “Contagious Interview”) deployed BeaverTail and InvisibleFerret and may be linked to Lazarus; organizations should tighten hiring screening and monitor for insider threats. #CL-STA-0237 #ContagiousInterview #BeaverTail #InvisibleFerret #Lazarus

Keypoints

  • CL-STA-0237 is a North Korea-linked activity cluster that conducted phishing using fake job processes and video-conference websites.
  • The cluster operated from Laos, using Lao IP addresses and multiple fabricated identities and resumes to apply for jobs.
  • Researchers observed the group compromise a U.S.-based IT services company to gain access and potentially harvest credentials.
  • The campaign deployed remote access malware families BeaverTail and InvisibleFerret to maintain persistence and access.
  • Evidence suggests this activity is part of a broader North Korean revenue-generation network that supports illicit programs.
  • Attribution of the Contagious Interview campaign may connect CL-STA-0237 to the Lazarus group and more aggressive malware operations.
  • Advisory: organizations should strengthen applicant screening, vet video-conference links, and monitor for insider or lateral movement risks.

MITRE Techniques

  • [T1566] Phishing – Uses fake job offers and malicious video conferencing pages to trick victims into downloading malware. [‘fake job offers and video conferencing to lure victims into downloading malware.’]
  • [T1003] Credential Dumping – Likely used to steal access credentials from the exploited IT services company to expand access. [‘stealing access credentials from the exploited IT services company.’]
  • [T1219] Remote Access Tools – Deployment of BeaverTail and InvisibleFerret malware provided remote access and persistence. [‘Deployment of BeaverTail and InvisibleFerret malware for remote access.’]

Indicators of Compromise

  • [Domain] phishing/job-site and fake conferencing domains – effertz-carroll[.]com, mirotalk[.]io, and 5 more domains used to host malicious pages.
  • [IP Address] infrastructure – 167.88.36[.]13 observed as part of the campaign’s hosting or control infrastructure.
  • [Email] malicious/fake applicant addresses – adonis_eros@outlook[.]com, buyerlao@outlook[.]com, and 35 more emails used for fake identities and contact points.

————
North Korea-linked operators in CL-STA-0237 have been running a targeted recruitment ruse: they created convincing applicant profiles and hosted fake video-conference sites to trick interviewees into running malware. By operating from Laos and using many fabricated identities, the group gained footholds inside at least one U.S. IT services company and likely harvested credentials to expand access.

The attackers deployed remote access tools, notably BeaverTail and InvisibleFerret, enabling persistent control and potential data exfiltration. Unit 42 links this “Contagious Interview” approach to a larger revenue-driven network that may support state-sponsored programs and is possibly associated with Lazarus, highlighting an evolution from low-risk labor exploitation to overt malware operations.

Organizations should treat unsolicited interview links with caution: validate conferencing domains, harden applicant vetting, monitor for unusual account activity, and be prepared to investigate post-hire access patterns to detect cases where attackers applied as legitimate job candidates.
————
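To make the "validate conferencing domains" advice concrete, the following is an added example (not code from the Unit 42 report) that triages meeting links found in interview invites: it refangs defanged indicators, matches hosts on a dot boundary so that lookalikes such as `zoom.us.<attacker-domain>` do not pass, and flags anything not on an allowlist of approved providers. The allowlist entries and the invite messages are constructed assumptions; the known-bad hosts are the domains and IP quoted in this summary.

```python
import re
from urllib.parse import urlparse

# Assumption: providers this organization actually uses for interviews.
APPROVED_CONFERENCING_DOMAINS = {"zoom.us", "teams.microsoft.com", "meet.google.com"}

# Hosts quoted as indicators in this summary of the Unit 42 report.
KNOWN_BAD_HOSTS = {"effertz-carroll.com", "mirotalk.io", "167.88.36.13"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def refang(text: str) -> str:
    """Turn defanged indicators (example[.]com, hxxp://) back into real form."""
    return text.replace("[.]", ".").replace("hxxp", "http")


def host_matches(host: str, domains: set) -> bool:
    """True if host equals one of domains or is a subdomain of it.
    Matching on a '.' boundary stops 'zoom.us.evil.example' from passing as zoom.us."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def classify_link(url: str) -> str:
    # urlparse().hostname discards userinfo, so 'https://zoom.us@evil.example/' yields evil.example
    host = urlparse(url).hostname or ""
    if host_matches(host, KNOWN_BAD_HOSTS):
        return "known-bad"
    if host_matches(host, APPROVED_CONFERENCING_DOMAINS):
        return "approved"
    return "unapproved"


def triage_invites(messages):
    """Return (message_id, url, verdict) for every link that is not on an approved provider."""
    findings = []
    for msg_id, body in messages:
        for url in URL_RE.findall(refang(body)):
            url = url.rstrip(".,);")  # drop sentence punctuation glued to the link
            verdict = classify_link(url)
            if verdict != "approved":
                findings.append((msg_id, url, verdict))
    return findings


# Constructed sample invites for this example; not messages from the report.
SAMPLE_INVITES = [
    ("msg-1", "Interview tomorrow: https://us05web.zoom.us/j/123456789"),
    ("msg-2", "We use our own platform, join here: https://mirotalk[.]io/join/candidate-42."),
    ("msg-3", "Backup link https://zoom.us.effertz-carroll[.]com/meeting"),
    ("msg-4", "Direct room: https://167.88.36[.]13/room/hr"),
]

if __name__ == "__main__":
    for finding in triage_invites(SAMPLE_INVITES):
        print(finding)
```

Only msg-1 is accepted; the other three are flagged as known-bad, which is the point at which a recruiter or SOC analyst should verify the candidate through an independent channel.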

Read more: https://unit42.paloaltonetworks.com/fake-north-korean-it-worker-activity-cluster/