For over a year, the North Korean group PurpleBravo has been running a targeted malware campaign called “Contagious Interview,” using fake job interviews to attack companies in Europe, Asia, the Middle East, and Central America.
Recorded Future researchers identified 3,136 IP addresses suspected of being linked to this operation, as well as 20 targeted organizations. These included companies in the fields of artificial intelligence, cryptocurrency, finance, IT services, marketing, and software development.
The attacks were carried out between August 2024 and September 2025. Most of the targeted IP addresses are located in South Asia and North America. The affected companies were located in Belgium, Bulgaria, India, Italy, Costa Rica, the Netherlands, the United Arab Emirates, Pakistan, Romania, and Vietnam .
The report’s authors emphasize that in some cases , malicious code was executed directly on corporate devices, extending the risk not only to the individual user, but to the entire organization.
One of the infection mechanisms was project replacement in Visual Studio Code . Users were offered tasks containing malicious files disguised as working projects. This allowed attackers to install backdoors and gain access to corporate infrastructure.
Fake LinkedIn profiles belonging to PurpleBravo members were also discovered. They posed as Odessa-based developers and recruiters and used several GitHub repositories to distribute malicious code.
The PurpleBravo team operates at least two sets of command-and-control servers for different types of malware. One is a JavaScript infostealer called BeaverTail , and the other is a GolangGhost backdoor, written in Go and based on the open-source HackBrowserData project. The servers are hosted by 17 different providers, administered via the Astrill VPN service, and use IP addresses located in China.
In parallel with Contagious Interview, another operation called Wagemole is active. This scheme involves recruiting North Korean employees from foreign companies, concealing their origins. Despite their differences, similarities in infrastructure and tactics have been documented between the two networks. There have been cases where the same IP address associated with PurpleBravo was also used to run Wagemole-related activities.
One of the main vulnerabilities exploited by PurpleBravo is the trust companies have in external collaborators and candidates.
Attackers submit tasks supposedly for technical evaluation, and candidates, unaware of the threat, execute malicious code on the assigned devices. This scheme compromises not only individual users, but the entire organization. Companies with large customer bases are particularly vulnerable, posing serious risks to the software supply chain.
Follow us on Google News to receive daily updates on cybersecurity. Contact us if you would like to report news, insights or content for publication.
