In a sophisticated cyber espionage campaign, North Korean threat actors, identified as PurpleBravo, have targeted over 3,000 IP addresses across multiple sectors and regions. This operation, known as the Contagious Interview campaign, has been active since late 2023, employing deceptive job interviews to infiltrate organizations.
Scope and Impact of the Campaign
Recorded Future’s Insikt Group has uncovered that between August 2024 and September 2025, PurpleBravo targeted 3,136 IP addresses, primarily in South Asia and North America. The campaign affected 20 organizations spanning artificial intelligence, cryptocurrency, financial services, IT services, marketing, and software development sectors. These organizations are located in countries including Belgium, Bulgaria, Costa Rica, India, Italy, the Netherlands, Pakistan, Romania, the United Arab Emirates, and Vietnam.
The attackers utilized fake job interviews to lure candidates into executing malicious code on corporate devices, thereby compromising entire organizations. This method underscores the evolving tactics of cyber adversaries in exploiting human resources processes to gain unauthorized access.
Tactics and Techniques Employed
PurpleBravo’s approach involves creating fraudulent recruiter profiles on platforms like LinkedIn, posing as developers and recruiters from cities such as Odesa, Ukraine. They share malicious code repositories hosted on platforms like GitHub, GitLab, or Bitbucket, disguised as legitimate projects. These repositories deliver malware families like BeaverTail, a JavaScript-based infostealer and loader, and GolangGhost, a Go-based backdoor derived from the HackBrowserData open-source tool.
The command-and-control (C2) infrastructure for these malware families is managed through servers hosted across 17 different providers, administered via Astrill VPN and IP ranges in China. The use of Astrill VPN by North Korean threat actors has been well-documented, highlighting their reliance on such services to obfuscate their activities.
Connection to Other Campaigns
The Contagious Interview campaign is linked to another operation known as Wagemole (also referred to as PurpleDelta). In Wagemole, North Korean IT workers use fraudulent or stolen identities to obtain unauthorized employment with organizations, primarily in the U.S. but also in other parts of the world. This campaign aims for both financial gain and espionage.
Despite being treated as separate activities, there are significant tactical and infrastructure overlaps between Contagious Interview and Wagemole. For instance, a likely PurpleBravo operator displayed behavior consistent with North Korean IT worker activities. Additionally, IP addresses in Russia linked to North Korean IT workers communicated with PurpleBravo C2 servers, and administration traffic from the same Astrill VPN IP address was associated with PurpleDelta activity.
Implications for Organizations
The use of company-issued devices by job candidates to execute malicious code highlights a critical vulnerability in the IT software supply chain. Organizations outsourcing work in regions targeted by PurpleBravo face acute supply-chain risks. Many of these organizations have large customer bases, amplifying the potential impact of such infiltrations.
While the threat posed by North Korean IT workers seeking unauthorized employment has been widely publicized, the supply-chain risk associated with campaigns like PurpleBravo deserves equal attention. Organizations must prepare, defend, and implement measures to prevent sensitive data leakage to North Korean threat actors.
Recommendations for Mitigation
To mitigate the risks associated with such sophisticated cyber espionage campaigns, organizations should consider the following measures:
1. Enhanced Vetting Processes: Implement rigorous background checks and verification processes for all job candidates, especially those applying for remote positions or roles with access to sensitive information.
2. Security Awareness Training: Educate employees and job candidates about the tactics used in social engineering attacks, including the risks associated with executing code from unverified sources.
3. Network Monitoring: Deploy advanced network monitoring tools to detect unusual activities, such as unauthorized access attempts or data exfiltration.
4. Endpoint Protection: Ensure that all corporate devices are equipped with up-to-date endpoint protection solutions capable of detecting and mitigating malware threats.
5. Access Controls: Implement strict access controls and least privilege principles to limit the exposure of sensitive systems and data.
6. Incident Response Planning: Develop and regularly update incident response plans to quickly address and mitigate the impact of potential breaches.
By adopting these measures, organizations can strengthen their defenses against the evolving tactics of state-sponsored cyber adversaries like PurpleBravo.
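One concrete form of the second recommendation, given that the lure in this campaign is a "legitimate" repository the candidate is asked to install and run, is a pre-execution audit of the clone. The script below is an added example, not code from the Recorded Future report or from the actors' tooling; the file contents, the package name and the indicator list are constructed for illustration, and the heuristics are assumptions about what a reviewer would want flagged, not signatures for BeaverTail.

```python
"""Added example: audit a cloned 'coding test' repository before anything runs.
Flags npm lifecycle hooks (executed by `npm install` before anyone reads the source)
and obfuscation indicators typical of JavaScript loaders, so the reviewer can stop."""
import json
import re

LIFECYCLE_HOOKS = {"preinstall", "install", "postinstall", "prepare"}
# Heuristics only: each is a weak signal alone; several together warrant a stop.
OBFUSCATION_PATTERNS = {
    "eval_call": re.compile(r"\beval\s*\("),
    "function_constructor": re.compile(r"\bnew\s+Function\s*\("),
    "hex_escapes": re.compile(r"(\\x[0-9a-fA-F]{2}){8,}"),
    "long_base64": re.compile(r"[A-Za-z0-9+/]{120,}={0,2}"),
    "child_process": re.compile(r"require\(\s*['\"]child_process['\"]\s*\)"),
}
# Constructed sample files standing in for a cloned repository (not real malware).
SAMPLE_FILES = {
    "package.json": json.dumps({"name": "demo-app", "scripts":
                                {"postinstall": "node setup.js", "test": "jest"}}),
    "setup.js": 'const cp = require("child_process");\nconst p = "' + "QUJD" * 40
                + '";\neval(Buffer.from(p, "base64").toString());\n',
    "src/index.js": "module.exports = (a, b) => a + b;\n",
}

def audit_package_json(text):
    """Return lifecycle hook names whose scripts run automatically on install."""
    try:
        pkg = json.loads(text)
    except ValueError:
        return []
    scripts = pkg.get("scripts", {}) if isinstance(pkg, dict) else {}
    return sorted(h for h in scripts if h in LIFECYCLE_HOOKS)

def audit_source(text):
    """Return the names of obfuscation indicators present in one JS file."""
    return sorted(n for n, rx in OBFUSCATION_PATTERNS.items() if rx.search(text))

def audit_files(files):
    """Map each flagged relative path to its findings; clean files are omitted.
    `files` is {relative_path: text}, e.g. built by walking the clone (skip node_modules)."""
    findings = {}
    for rel, text in files.items():
        if rel.rsplit("/", 1)[-1] == "package.json":
            hits = ["lifecycle hook: " + h for h in audit_package_json(text)]
        elif rel.endswith((".js", ".cjs", ".mjs")):
            hits = audit_source(text)
        else:
            continue
        if hits:
            findings[rel] = hits
    return findings
```

Running `audit_files(SAMPLE_FILES)` flags the install hook and the loader-style file while leaving the ordinary module untouched; a non-empty result is the cue to review the repository on an isolated machine rather than the corporate device.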
Conclusion
The PurpleBravo campaign exemplifies the increasing sophistication of cyber espionage operations conducted by state-sponsored actors. By exploiting human resources processes and trusted developer workflows, these adversaries can infiltrate organizations and compromise sensitive data. It is imperative for organizations to remain vigilant, implement robust security measures, and foster a culture of cybersecurity awareness to defend against such threats.