This week’s update continues to highlight our AI adversary & behavior extraction capabilities while also reminding of our regular “extensions” of the formal ATT&CK knowledge base (plus the ability to draw trend insights from the platform).
“Contagious Interview” refers to a North Korea-aligned, hybrid espionage & financially motivated group/campaign, which has heavily targeted software developers and cryptocurrency-related entities since late 2022. As the group gained further attention this year, we added objects related to it in May. ATT&CK added a Contagious Interview object in v18 (late October), which we merged with our existing content.
Late last week, NVISO researchers shared details of newly observed Contagious Interview activity. Our new Tidal Cyber object clearly highlights the group’s evolving behaviors – while key Resource Development, Initial Access, and Impact Techniques continue to be observed, several new ones were featured in recent intrusions (red arrows in graphic), notably in the early- and late (Collection & Exfil) stages of the group’s attacks. Our Procedures data reveal a similar trend: three of 12 identified Sightings “cluster” with previously observed Sightings, but the rest were not considered similar to existing Sightings.
11/19/25: Contagious Interview Q4 2025 Activity – Spotlight Procedures
Threat-Led Defense commentary: One of the few recent Sightings that does cluster with previously observed Procedures. Defensive strategies should prioritize comprehensive monitoring, auditing, and restriction of scheduled task creation and execution.
Threat-Led Defense commentary: Inspect project configuration files for signs of malicious activity. And never run code from unknown repositories, or from apparent “recruiters”, including as part of an interview process (especially in cases where contact was recently initiated).