NEW: Group Profiler — instant APT intel lookup. Try it →

← threatfilter.dev / all groups / Contagious Interview

Contagious Interview

G1052 North Korea MITRE ATT&CK →

Also known as: DeceptiveDevelopment · Gwisin Gang · Tenacious Pungsan · DEV#POPPER · PurpleBravo · TAG-121

Overview

Contagious Interview is a North Korea–aligned threat group active since 2023. The group conducts both cyberespionage and financially motivated operations, including the theft of cryptocurrency and user credentials. Contagious Interview targets Windows, Linux, and macOS systems, with a particular focus on individuals engaged in software development and cryptocurrency-related activities.

Capabilities

Custom malware/implant development — ATT&CK: 4 attributed custom malware families

TTPs — 54 techniques across 13 tactics

Reconnaissance

T1589 Gather Victim Identity Information
T1593 Search Open Websites/Domains
T1593.001 Social Media
T1593.003 Code Repositories
T1681 Search Threat Vendor Data

Resource Development

T1583 Acquire Infrastructure
T1583.001 Domains
T1583.003 Virtual Private Server
T1583.006 Web Services
T1585 Establish Accounts
T1585.001 Social Media Accounts
T1585.002 Email Accounts
T1587 Develop Capabilities
T1587.001 Malware
T1588.002 Tool
T1588.007 Artificial Intelligence
T1608.001 Upload Malware
T1683.001 Written Content
T1683.002 Audio-Visual Content

Initial Access

T1566.003 Spearphishing via Service

Execution

T1059.003 Windows Command Shell
T1059.004 Unix Shell
T1059.005 Visual Basic
T1059.006 Python
T1059.007 JavaScript
T1204.001 Malicious Link
T1204.002 Malicious File
T1204.004 Malicious Copy and Paste
T1204.005 Malicious Library

Persistence

T1543.001 Launch Agent
T1547.001 Registry Run Keys / Startup Folder
T1547.013 XDG Autostart Entries

Privilege Escalation

T1546.004 Unix Shell Configuration Modification

Stealth

Defense Impairment

T1685 Disable or Modify Tools

Credential Access

T1555.001 Keychain

Discovery

T1082 System Information Discovery
T1083 File and Directory Discovery

Command and Control

T1071.003 Mail Protocols
T1090 Proxy
T1219.002 Remote Desktop Software
T1571 Non-Standard Port
T1573.001 Symmetric Cryptography

Exfiltration

T1041 Exfiltration Over C2 Channel
T1048.003 Exfiltration Over Unencrypted Non-C2 Protocol
T1567 Exfiltration Over Web Service
T1567.002 Exfiltration to Cloud Storage

Impact

T1657 Financial Theft

Tools & malware (4)

InvisibleFerret · BeaverTail · XORIndex Loader · HexEval Loader

Reporting (3)

Contagious Interview | North Korean Threat Actors Reveal Plans and Ops by Abusing Cyber Intel Platforms — Aleksandar Milenkoski, Sreekar Madabushi, Kenneth Kinion
Exposing DPRK's Cyber Syndicate and Hidden IT Workforce — Michael “Barni” Barnhart, DTEX, and Anonymous SMEs
DeceptiveDevelopment targets freelance developers — Matej Havranek