📃Title: Contagious Interview | North Korean Threat Actors Reveal Plans and Ops by Abusing Cyber Intel Platforms
📅Date: 2025-09-04

Description

North Korean threat actors associated with the Contagious Interview campaign cluster are actively monitoring cyber threat intelligence platforms to detect infrastructure exposure and scout for new assets. They operate in coordinated teams, likely using Slack for real-time collaboration, and leverage multiple intelligence sources including Validin, VirusTotal, and Maltrail. Despite being aware of their infrastructure’s detectability, they make only limited changes to reduce detection risk, focusing instead on rapidly deploying new infrastructure to sustain operations. The actors’ effectiveness is evident in their engagement of over 230 victims between January and March 2025, primarily targeting individuals in the cryptocurrency industry. Their activities involve sophisticated social engineering tactics, including the ClickFix technique, to trick targets into executing malware.

🔖MISP Galaxies:

  • producer SentinelOne
  • target-information="Malaysia"
  • target-information="Australia"
  • target-information="Brazil"
  • target-information="Canada"
  • target-information="Egypt"
  • target-information="Finland"
  • target-information="France"
  • target-information="India"
  • target-information="Israel"
  • target-information="Japan"
  • target-information="Palestine"
  • target-information="South Africa"
  • target-information="Spain"
  • target-information="Sweden"
  • target-information="Thailand"
  • target-information="United Kingdom"
  • target-information="United States"
  • country="north korea"
  • mitre-attack-pattern=['T1583', 'T1589', 'T1059', 'T1584', 'T1586', 'T1608', 'T1204', 'T1566', 'T1585', 'T1588', 'T1587']

MISP event uuid: e3637b01-7586-4583-ac45-5de60cd14706

Indicators of Compromise (IoCs)


Full IOCs available in Rectifyq's MISP