"Contagious Interview” Behavior Evolution
This week’s update continues to highlight our AI adversary & behavior extraction capabilities while also reminding of our regular “extensions” of the formal ATT&CK knowledge base (plus the ability to draw trend insights from the platform).
“Contagious Interview” refers to a North Korea-aligned, hybrid espionage & financially motivated group/campaign, which has heavily targeted software developers and cryptocurrency-related entities since late 2022. As the group gained further attention this year, we added objects related to it in May. ATT&CK added a Contagious Interview object in v18 (late October), which we merged with our existing content.
Late last week, NVISO researchers shared details of newly observed Contagious Interview activity. Our new Tidal Cyber object clearly highlights the group’s evolving behaviors – while key Resource Development, Initial Access, and Impact Techniques continue to be observed, several new ones were featured in recent intrusions (red arrows in graphic), notably in the early- and late (Collection & Exfil) stages of the group’s attacks. Our Procedures data reveal a similar trend: three of 12 identified Sightings “cluster” with previously observed Sightings, but the rest were not considered similar to existing Sightings.
11/19/25: Contagious Interview Q4 2025 Activity – Spotlight Procedures
- PS1031234: Tsunami Payload adds Windows Defender exceptions, creates scheduled tasks, and downloads next stage from Pastebin
- The 'Tsunami Payload' component of InvisibleFerret performs the following actions: Adds exceptions to Windows Defender; Creates scheduled tasks; Downloads the next stage from Pastebin.
Threat-Led Defense commentary: One of the few recent Sightings that does cluster with previously observed Procedures. Defensive strategies should prioritize comprehensive monitoring, auditing, and restriction of scheduled task creation and execution.
- PS1031188: Fetch and execute obfuscated JavaScript code from JSON storage services in Node.js projects
- A spotlight of NVISO’s blog, the actors’ trojanized Node.js project is designed to fetch obfuscated JavaScript code from a JSON storage service (e.g., JSON Keeper) using the URL decoded from a config file. The code is imported and executed in server/controllers/userController.js.
Threat-Led Defense commentary: Inspect project configuration files for signs of malicious activity. And never run code from unknown repositories, or from apparent “recruiters”, including as part of an interview process (especially in cases where contact was recently initiated).