North Korean hackers targeted thousands of IP addresses through fake developer job interviews, compromising corporate networks via malicious coding tests.

North Korean state-sponsored hackers have targeted 3,136 IP addresses through an elaborate fake job interview scheme, compromising at least 20 organizations across AI, cryptocurrency, and software development sectors. Recorded Future's Insikt Group, which tracks this cluster as PurpleBravo, revealed the campaign exploited job candidates who unknowingly executed malware during technical assessments.
How the Attack Works
- Social Engineering Lure: Attackers posed on LinkedIn as recruiters or developers based in Odesa, Ukraine
- Technical Compromise: Candidates received malicious VS Code projects or GitHub repositories presented as coding tests
- Malware Deployment: Successful infections installed:
  - BeaverTail JavaScript infostealer
  - GolangGhost backdoor (based on HackBrowserData)
- C2 Infrastructure: Servers across 17 hosting providers, routed through China-based IPs via Astrill VPN
Key Findings
- Victim Spread: Companies in Belgium, India, UAE, Vietnam and 7 other countries
- Timeline: Active from August 2024 to September 2025
- Parallel Campaign: Tactical overlap with Wagemole operations where DPRK IT workers seek fraudulent employment
"Candidates executed malicious code on corporate devices during interviews, creating organizational exposure beyond individual targets," Recorded Future analysts noted. This highlights critical supply chain vulnerabilities when outsourcing technical recruitment.
Defense Recommendations
For Organizations:
- Implement isolated environments for technical candidate assessments
- Monitor outbound connections to known C2 IP ranges
- Train HR teams to verify recruiter identities through secondary channels
For Developers:
- Never run interview code tests on employer-managed devices
- Validate GitHub repositories before cloning or opening them
- Use sandboxed environments for unknown code execution
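One concrete way to act on the two developer recommendations above (validate a repository before cloning, never run unknown code on an employer device) is to audit a cloned interview project for files that execute code automatically, before opening it in an IDE or running an install. The script below is an added example written for this article, not code from Recorded Future or from the campaign; the article does not say which auto-run mechanism PurpleBravo's projects used, so it checks two generic hooks that any repository can carry: npm lifecycle scripts in package.json (run by `npm install`) and VS Code tasks with `runOptions.runOn: "folderOpen"` (run when the folder is opened). The sample inputs are constructed.

```python
import json
import os

# npm lifecycle scripts that execute automatically during `npm install`.
NPM_LIFECYCLE_HOOKS = {"preinstall", "install", "postinstall", "prepare"}

def _load(text):
    """Parse JSON; None means it needs a human look (e.g. JSONC with comments)."""
    try:
        data = json.loads(text)
    except ValueError:
        return None
    return data if isinstance(data, dict) else {}

def scan_package_json(text):
    """Flag npm scripts that run without the developer invoking them."""
    data = _load(text)
    if data is None:
        return ["not valid JSON, review by hand"]
    scripts = data.get("scripts") or {}
    return [f"'{name}' runs on install: {cmd}"
            for name, cmd in scripts.items() if name in NPM_LIFECYCLE_HOOKS]

def scan_vscode_tasks(text):
    """Flag VS Code tasks whose runOptions.runOn is "folderOpen"."""
    data = _load(text)
    if data is None:
        return ["not plain JSON, review by hand"]
    return [f"task '{t.get('label', '?')}' runs on folder open: {t.get('command', '')}"
            for t in data.get("tasks") or []
            if isinstance(t, dict) and (t.get("runOptions") or {}).get("runOn") == "folderOpen"]

def scan_repo(root):
    """Walk a cloned repository before opening it in an IDE and collect findings."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            scanner = (scan_package_json if name == "package.json" else
                       scan_vscode_tasks if name == "tasks.json" and os.path.basename(dirpath) == ".vscode"
                       else None)
            if scanner:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    findings += [f"{os.path.relpath(path, root)}: {f}" for f in scanner(fh.read())]
    return findings

# Constructed sample inputs (not taken from the campaign) showing both hook types.
SAMPLE_PACKAGE_JSON = '{"name": "coding-test", "scripts": {"test": "jest", "postinstall": "node setup.js"}}'
SAMPLE_TASKS_JSON = '{"version": "2.0.0", "tasks": [{"label": "bootstrap", "type": "shell", "command": "node .vscode/init.js", "runOptions": {"runOn": "folderOpen"}}]}'
```

Run `scan_repo("/path/to/clone")` on a fresh clone from the command line, not from inside the editor, and treat any finding (including a parse failure) as a reason to open the project only in a disposable VM.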

The campaign demonstrates North Korea's evolving exploitation of developer workflows. As Recorded Future warns: "While North Korean IT worker threats are known, PurpleBravo's supply-chain risk deserves equal attention to prevent sensitive data leakage."
