
N. Korean Hackers Use Fake Interviews to Infect Developers with Cross-Platform Malware

October 09, 2024 | Ravie Lakshmanan | Phishing Attack / Malware


Threat actors associated with North Korea have been identified targeting job seekers in the technology sector to propagate updated versions of known malware families recognized as BeaverTail and InvisibleFerret.

The cluster of actions, identified as CL-STA-0240, forms part of an initiative named Contagious Interview that was initially revealed by Palo Alto Networks Unit 42 in November 2023.

“The threat actor linked with CL-STA-0240 reaches out to software developers via job search platforms by pretending to be a potential employer,” Unit 42 said in a new report.


“The hackers invite the victim to engage in an online discussion, where the threat actor persuades the victim to download and install malware.”

The initial stage of the attack involves BeaverTail, a downloader and information stealer built to target both Windows and Apple macOS systems. BeaverTail also serves as the delivery vehicle for the Python-based InvisibleFerret backdoor.

The activity has continued even after public disclosure, which suggests the threat actors behind the operation are still succeeding in getting developers to execute malicious code under the pretense of a coding task.
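Because the lure is a "coding task" the target is expected to run, the practical defence is to audit the delivered project before executing anything in it. The script below is an added example, not code from Unit 42 or from this article; it assumes the task arrives as a Node.js project (a package.json plus JavaScript files), which the page itself does not state, and it uses a constructed sample project to show what the checks report. It flags npm lifecycle hooks that run automatically on `npm install` and a few static indicators of obfuscated or downloader-style JavaScript.

```python
"""Pre-flight audit of a received "coding task" before any of it is run.

Added example, not Unit 42's or the article's own code. Assumption: the task
is a Node.js project; the page does not say which format the campaign used.
"""
import json
import re
import tempfile
from pathlib import Path

# npm runs these scripts automatically during `npm install`, so a malicious
# command here executes without the developer ever opening a source file.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare", "prepublish")

# Static indicators worth a second look in a small take-home project.
SUSPICIOUS_JS = {
    "eval/new Function": re.compile(r"\beval\s*\(|new\s+Function\s*\("),
    "child_process": re.compile(r"require\(\s*['\"]child_process['\"]\s*\)"),
    "http download": re.compile(r"\b(?:https?\.(?:get|request)|fetch)\s*\(\s*['\"]https?://"),
    "hex escape run": re.compile(r"(?:\\x[0-9a-fA-F]{2}){8,}"),
    "long base64 literal": re.compile(r"['\"][A-Za-z0-9+/]{200,}={0,2}['\"]"),
}


def audit_package_json(path, root):
    """Report lifecycle hooks that would run on install."""
    findings = []
    scripts = json.loads(path.read_text()).get("scripts", {})
    for hook in LIFECYCLE_HOOKS:
        if hook in scripts:
            rel = path.relative_to(root)
            findings.append(f"{rel}: lifecycle hook '{hook}' runs on install: {scripts[hook]!r}")
    return findings


def audit_js_file(path, root):
    """Report which suspicious patterns occur in one JavaScript file."""
    text = path.read_text(errors="replace")
    rel = path.relative_to(root)
    return [f"{rel}: {label}" for label, pat in SUSPICIOUS_JS.items() if pat.search(text)]


def audit_project(root):
    """Walk the project (skipping node_modules) and return all findings."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if "node_modules" in path.parts or not path.is_file():
            continue
        if path.name == "package.json":
            findings.extend(audit_package_json(path, root))
        elif path.suffix in (".js", ".cjs", ".mjs"):
            findings.extend(audit_js_file(path, root))
    return findings


# Constructed sample project (not a real campaign artifact): a benign module
# plus a postinstall hook whose script uses eval, child_process and hex escapes.
SAMPLE_SETUP_JS = r"""
const cp = require('child_process');
const cmd = '\x63\x75\x72\x6c\x20\x2d\x73\x20\x68\x74\x74\x70';
eval(Buffer.from('Y29uc29sZS5sb2coMSk=', 'base64').toString());
"""


def make_sample_project():
    """Write the constructed sample project to a temp dir and return its root."""
    root = Path(tempfile.mkdtemp(prefix="codingtask_"))
    (root / "src").mkdir()
    (root / "scripts").mkdir()
    (root / "package.json").write_text(json.dumps({
        "name": "interview-task",
        "scripts": {"test": "node src/index.js", "postinstall": "node scripts/setup.js"},
    }))
    (root / "src" / "index.js").write_text("module.exports = (a, b) => a + b;\n")
    (root / "scripts" / "setup.js").write_text(SAMPLE_SETUP_JS)
    return root


if __name__ == "__main__":
    for line in audit_project(make_sample_project()):
        print(line)
```

On the constructed sample the audit reports the `postinstall` hook and, in `scripts/setup.js`, the eval, child_process and hex-escape indicators, while the benign `src/index.js` produces nothing. The heuristics are deliberately coarse: the goal is to stop and read before `npm install`, not to classify malware, and a clean report does not prove a project is safe.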


Security researcher Patrick Wardle and cybersecurity firm Group-IB, in two recent analyses, described an attack chain that used fake Windows and macOS video conferencing apps impersonating MiroTalk and FreeConference.com to infect developer systems with BeaverTail and InvisibleFerret.

Notably, the fake application is built with Qt, which allows a single codebase to be compiled for both Windows and macOS. The Qt-based version of BeaverTail can steal browser passwords and harvest data from a range of cryptocurrency wallets.


Besides exfiltrating the stolen data to an adversary-controlled server, BeaverTail is designed to fetch and run the InvisibleFerret backdoor, which consists of two components:

  • A main payload that performs host fingerprinting, remote control, keylogging and data exfiltration, and downloads the AnyDesk remote access tool
  • A browser stealer that collects browser credentials and credit card details

“North Korean threat actors engage in financial offenses to secure funds for the DPRK regime,” Unit 42 mentioned. “This campaign might be financially driven, given that the BeaverTail malware can steal 13 different cryptocurrency wallets.”
