North Korean Hackers Use SVG Images to Conceal Malware in Fake Coding Tests

North Korean cyber actors associated with the Contagious Interview campaign have adopted steganography techniques, embedding malicious code within SVG image files to distribute malware through fraudulent job postings and coding assessments.

Elastic Security Labs reports that individuals who executed these compromised projects encountered a multi-stage malware sequence linked to OtterCookie. This sequence includes a browser credential and cryptocurrency wallet stealer, a file exfiltration tool, a remote access trojan (RAT) utilizing Socket.IO, and a clipboard data stealer.

This development underscores the persistent targeting of software developers by state-sponsored North Korean hackers aiming to exfiltrate sensitive information and access cryptocurrency assets. The campaign is tracked under the identifier REF9403.

The cybersecurity division of Elastic discovered this campaign when threat actors infiltrated its community Slack workspace, posting deceptive job offers. This represents a novel initial access method not previously documented in Contagious Interview operations, an elaborate social engineering scheme active since at least December 2022.

In late May 2026, a user named Maxwell posted in the #jobs Slack channel, seeking an experienced developer to upgrade an e-commerce platform using technologies like Next.js (v14), NestJS, PostgreSQL, and Auth.js, with Stripe integration.

Interested candidates were directed to complete a coding assessment involving a trojanized repository containing malware designed to exfiltrate valuable data and establish a Socket.IO backdoor.

These repositories contained fully functional code but also embedded malicious code within SVG images to evade detection. The payloads were fragmented into base64-encoded segments hidden in HTML comments across multiple SVG flag images in an assets directory. Each file appeared as a normal country flag image (e.g., AE.svg, AF.svg) but contained injected comment blocks with base64-encoded data.

A JavaScript file named “serverValidation.js” within the repository reassembled and executed the payload. The attack chain was designed to ensure the malware executed upon each server boot. The primary payload shares characteristics with OtterCookie, a cross-platform malware first identified in September 2024.

OtterCookie has evolved from a basic tool for executing remote commands and searching for cryptocurrency keys into a modular program capable of extensive data theft. It can detect virtual machine environments, install communication clients like Socket.IO for command-and-control (C2) operations, exfiltrate information, execute arbitrary shell commands, load additional modules to collect specific data, and report results.

The malware comprises four distinct modules that enable it to harvest data from web browsers and cryptocurrency wallets, collect files matching specific extensions, facilitate persistent remote control using a Socket.IO-based trojan capable of executing shell commands, capture clipboard data, and establish persistence on the compromised system.

These findings highlight the increasing sophistication of North Korean cyber operations, particularly their use of steganography to conceal malicious payloads within seemingly innocuous files. This tactic complicates detection and underscores the need for heightened vigilance among software developers and organizations. As these threat actors continue to refine their methods, it is crucial for individuals and companies to implement robust security measures, conduct thorough code reviews, and remain cautious of unsolicited job offers and coding assessments.