The Invisible Switch: North Korean Hackers Use “Contagious Interviews” to Trojanize Your MetaMask
North Korean cyber-adversaries are endeavoring to surreptitiously supplant the MetaMask cryptocurrency wallet extension directly upon a victim’s workstation—an operation which, if executed successfully, remains ostensibly imperceptible to the user. This stratagem was delineated within the framework of the “Contagious Interview” campaign, an initiative attributed by researchers to North Korean state-sponsored actors. The primary targets of this offensive encompass IT specialists and developers operating within the realms of cryptocurrency, Web3, and artificial intelligence.
The infection typically originates under the guise of a fictitious technical interview. A prospective candidate is enticed to complete a preliminary assessment involving the execution of an NPM package. Concealed within is a deleterious JavaScript payload that establishes a connection with the command-and-control (C2) infrastructure, confirms its presence via a beacon, and retrieves subsequent stages of the malware. This facilitates the deployment of additional components, including two specialized JavaScript modules and InvisibleFerret, a Python-based backdoor that has been a staple of this campaign for several years.
One JavaScript component is tasked with the systematic exfiltration of data, meticulously scouring the file system for sensitive information—ranging from browser metadata and password managers to wallet files and cryptographic keys. The secondary component functions as a lightweight backdoor, awaiting directives from the C2 server. A notable command within its repertoire involves the retrieval of a script specifically engineered to manipulate extensions within Chromium-based browsers.
Subsequently, the aggressors may attempt to replace a legitimate MetaMask installation within Chrome or Brave with a trojanized iteration. The script locates the existing wallet within the browser profiles, retrieves a malicious extension archive, and overwrites the directory contents. The pivotal step is the modification of the Preferences and Secure Preferences files: the adversaries rewrite the extension settings so that it loads from a local directory, enable developer mode, and inject MAC values, which Chrome uses to verify configuration integrity via HMAC-SHA256. While the script obtains valid MAC values from the attacker’s server, the precise methodology for generating these system-specific values remains undisclosed. To compel the loading of the compromised code, the script purges the directories associated with the Service Worker and terminates the browser process.
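As a defender-side illustration of the configuration changes described above, here is an added Python audit (not code from the analysis or from MetaMask) that takes the parsed JSON of a Chromium profile's Preferences or Secure Preferences file and flags extension entries that have been re-pointed at a local directory, as well as an enabled developer mode; the UNPACKED location value is taken from Chromium's source and the sample profile is constructed.

```python
import ntpath
import posixpath

# Chromium's ManifestLocation value for an unpacked "load from directory" extension.
# Assumption: taken from Chromium source, not from the article.
UNPACKED_LOCATION = 4

def audit_extension_settings(prefs: dict) -> list[dict]:
    """Flag extensions whose settings point at a local directory, plus developer mode.
    prefs is the parsed JSON of a profile's Preferences or Secure Preferences file.
    The HMAC-SHA256 values under protection.macs are not checked: the key is
    browser-internal, and the article notes the attacker supplies valid ones anyway."""
    ext = prefs.get("extensions", {})
    findings = []
    for ext_id, s in ext.get("settings", {}).items():
        reasons = []
        path = s.get("path", "")
        # Web Store installs use a relative "<id>/<version>_0" path under the profile's
        # Extensions directory; an absolute path means the code is loaded from elsewhere.
        if ntpath.isabs(path) or posixpath.isabs(path):
            reasons.append("absolute path: " + path)
        if s.get("location") == UNPACKED_LOCATION:
            reasons.append("location=UNPACKED")
        if s.get("from_webstore") is False:
            reasons.append("from_webstore=false")
        if reasons:
            findings.append({"id": ext_id, "reasons": reasons})
    if ext.get("ui", {}).get("developer_mode"):
        findings.append({"id": "*", "reasons": ["developer mode enabled"]})
    return findings

# Constructed sample profile: one Web Store extension and one re-pointed at a temp
# directory, with developer mode switched on. The 32-char IDs are placeholders.
SAMPLE_PREFS = {"extensions": {
    "ui": {"developer_mode": True},
    "settings": {
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
            "path": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/1.0.0_0",
            "location": 1, "from_webstore": True, "state": 1},
        "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
            "path": "C:\\Users\\dev\\AppData\\Local\\Temp\\wallet",
            "location": UNPACKED_LOCATION, "from_webstore": False, "state": 1},
    },
}}

def run_sample() -> list[dict]:
    """Audit the constructed sample; a real run would json.load() the profile file."""
    return audit_extension_settings(SAMPLE_PREFS)
```

On a live profile, pair this with a comparison of the wallet extension's directory hash against a known-good Web Store build, since a rewritten settings entry is only one of the indicators the article describes.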
Should the substitution prevail, the modified MetaMask retains its authentic appearance and functionality. However, upon the user’s attempt to unlock the wallet, the extension exfiltrates the password and the encrypted vault contents to the C2 server. In the analyzed sample, this theft was facilitated by a mere fifteen lines of code integrated into two core functions. Once in possession of the encrypted vault, the adversaries can decrypt it offline, harvest the mnemonic recovery phrase, and seize total dominion over the assets.
The author of the analysis observed that efforts to replicate this substitution on the latest iteration of Chrome were thwarted, as the browser automatically excised the modified extension. This suggests that the exploit requires specific environmental conditions or that Chrome has implemented robust countermeasures against this exact technique. Nevertheless, the threat remains acute, as the campaign targets not only MetaMask but actively hunts for passwords, private keys, KeePass databases, and Solana wallet data. Developers, particularly those engaging in recruitment-related assessments, are urged to treat NPM packages from unfamiliar sources with profound skepticism and to avoid executing them outside of an isolated environment.