MITRE ATT&CK® Group

G1052: Contagious Interview

Contagious Interview is a North Korea–aligned threat group active since 2023. The group conducts both cyberespionage and financially motivated operations, including the theft of cryptocurrency and user credentials. Contagious Interview targets Windows, Linux, and macOS systems, with a particular focus on individuals engaged in software development and cryptocurrency-related activities. [1][2][3][4][5][6][7][8]

Enterprise · G1052 · Group · Object v1.0 · Modified

Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

Contagious Interview matters because MITRE describes it as a North Korea-aligned group focused on software developers and cryptocurrency-related users, with reported credential and cryptocurrency theft. For leaders, the practical risk is not only malware on an endpoint; it is compromise of people who often hold source code access, package publishing rights, secrets, wallets, and privileged development credentials across Windows, Linux, and macOS environments.

Executive priority

Prioritize this as an identity, developer workstation, and data-loss risk. Ask whether the organization can prove control over developer endpoints, browser-stored credentials, script execution, package/library installation, remote desktop software, and outbound exfiltration paths. This object supports budget and audit discussions around developer security baselines, credential protection, SOC visibility across non-Windows systems, and incident response readiness for credential theft and exfiltration scenarios.

Technical view

MITRE provides no group-level detection text, so defenders should validate coverage through the related software and techniques. The relationship set points to user-driven execution through malicious links, files, copy/paste, and libraries; script and shell execution using Windows command shell, Unix shell, Visual Basic, Python, and JavaScript; obfuscation and masquerading; system and file discovery; command-and-control through mail protocols, proxies, and remote desktop software; and exfiltration over C2 or unencrypted non-C2 protocols. Related malware includes BeaverTail, InvisibleFerret, XORIndex Loader, and HexEval Loader, with Windows, Linux, and macOS relevance supported by the supplied descriptions.

Likely telemetry

  • Endpoint process creation and command-line telemetry for cmd, Unix shells, Python, JavaScript runtimes, and Visual Basic execution
  • Script content, interpreter invocation, and encoded or obfuscated command indicators where legally and operationally collectable
  • File creation, deletion, rename, metadata, and masquerading evidence on developer workstations
  • Browser credential store access indicators and suspicious access to local secrets or cryptocurrency-related files where monitored
  • Network egress logs for C2-like traffic, mail protocol use, proxy behavior, remote desktop software sessions, and unencrypted outbound transfers

Detection direction

  • Do not rely on a single malware signature; validate behavior-based detections across the related ATT&CK techniques and the named software families.
  • Tune detections for developer environments where Python, JavaScript, shells, package managers, and remote tools are common, using context such as unusual parent processes, new destinations, encoded commands, and unexpected file access.
  • Confirm SOC visibility on macOS and Linux developer systems, not only Windows, because the supplied descriptions and relationships include all three operating systems.
  • Review detections for malicious copy/paste and user-assisted execution patterns, including commands pasted into shell or script interpreters after web or messaging activity.
  • Correlate discovery, credential access indicators, downloader behavior, C2/proxy/remote desktop activity, and exfiltration telemetry rather than treating each as isolated low-severity noise.

Mitigation priorities

  • Harden developer workstations first: least privilege, controlled script execution, endpoint protection, logging, and rapid isolation procedures for Windows, Linux, and macOS.
  • Reduce credential theft impact by limiting browser-stored secrets, enforcing MFA where applicable, rotating exposed credentials during incidents, and separating developer, repository, cloud, and financial access.
  • Strengthen software supply-chain hygiene by controlling package/library installation, reviewing dependencies, and monitoring developer package manager activity.
  • Restrict and monitor remote desktop software and outbound proxy paths; require approved tools, documented business use, and centralized logging.
  • Improve user-facing defenses for recruiting, interview, link, file, copy/paste, and library-install lures through targeted awareness and reporting paths for developers and cryptocurrency-related personnel.

Analyst notes and limits

Aliases supplied for this group include Contagious Interview, DeceptiveDevelopment, Gwisin Gang, Tenacious Pungsan, DEV#POPPER, PurpleBravo, and TAG-121. The strongest local validation path is to map the related techniques and software to actual telemetry coverage for developer endpoints and identity systems, then test whether SOC workflows can connect user-assisted execution to credential theft and exfiltration risk.

The official object has no ATT&CK tactics, no object-level platforms field, and no official detection guidance. Platform and behavior discussion here is derived from the official description and supplied relationships. Local exposure depends on the organization’s developer population, cryptocurrency-related activity, endpoint mix, logging depth, and allowed remote access and package-management practices.

Official MITRE ATT&CK definition

Contagious Interview

Contagious Interview is a North Korea–aligned threat group active since 2023. The group conducts both cyberespionage and financially motivated operations, including the theft of cryptocurrency and user credentials. Contagious Interview targets Windows, Linux, and macOS systems, with a particular focus on individuals engaged in software development and cryptocurrency-related activities. [1][2][3][4][5][6][7][8]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

54 rows
Domain ID Name Relationship / procedure
Enterprise T1555.001 Keychain Sub-technique

Contagious Interview has leveraged malware variants configured to dump credentials from the macOS keychain.(Citation: Sekoia ClickFake 2025)(Citation: Socket BeaverTail XORIndex HexEval Contagious Interview July 2025)(Citation: Socket HexEval BeaverTail Contagious Interview June 2025)

Enterprise T1585 Establish Accounts

Contagious Interview has created and maintained personas on code repositories to distribute malicious payloads.[9][1](Citation: Socket Contagious Interview NPM April 2025)(Citation: Socket BeaverTail XORIndex HexEval Contagious Interview July 2025)(Citation: Socket HexEval BeaverTail Contagious Interview June 2025)[5]

Enterprise T1083 File and Directory Discovery

Contagious Interview has conducted keyword searches within files and directories on compromised hosts to identify files for exfiltration.[5][7]

Enterprise T1583.006 Web Services Sub-technique

Contagious Interview has used web services such as Dropbox to receive stolen data and Google Drive, Firebase, GitHub, and Telegram to disseminate files.(Citation: Sekoia ClickFake 2025)[4] Contagious Interview has also used a cloud platform such as Vercel for C2 operations leveraging malicious web applications and static pages.(Citation: Socket Contagious Interview NPM April 2025)(Citation: Socket BeaverTail XORIndex HexEval Contagious Interview July 2025)(Citation: Socket HexEval BeaverTail Contagious Interview June 2025) Contagious Interview has also used Slack to coordinate their activities.[9]

Enterprise T1571 Non-Standard Port

Contagious Interview has used TCP port 1224 for C2.(Citation: Socket Contagious Interview NPM April 2025)

Enterprise T1204.005 Malicious Library Sub-technique

Contagious Interview has relied on users to install a malicious library from a code repository to infect the victim's device, which has led to additional payload distribution and theft of sensitive data.[9][1][2](Citation: Socket Contagious Interview NPM April 2025)(Citation: Socket BeaverTail XORIndex HexEval Contagious Interview July 2025)(Citation: Socket HexEval BeaverTail Contagious Interview June 2025)[5][10][6][7]

Enterprise T1219.002 Remote Desktop Software Sub-technique

Contagious Interview has downloaded remote management and monitoring software such as “AnyDesk” for post-compromise activities.[2][5](Citation: SecurityScorecard Contagious Interview October 2024)[7][8]

Enterprise T1036 Masquerading

Contagious Interview has delivered BeaverTail malware masquerading as legitimate software or applications.[2][5][6][7][8] Contagious Interview has also delivered malicious payloads masquerading as legitimate software drivers.(Citation: Sekoia ClickFake 2025)

Enterprise T1204.002 Malicious File Sub-technique

Contagious Interview has distributed malicious files requiring direct victim interaction to execute through the guise of a code test.(Citation: SecurityScorecard Contagious Interview October 2024)(Citation: SecurityScorecard Contagious Interview FamousChollima October 2024)

Enterprise T1497 Virtualization/Sandbox Evasion

Contagious Interview has requested victims to disable Docker and other container environments in attempts to thwart container isolation and ensure device infection.(Citation: Socket HexEval BeaverTail Contagious Interview June 2025)

Enterprise T1567 Exfiltration Over Web Service

Contagious Interview has leveraged Telegram API to exfiltrate stolen data.[5]

Enterprise T1059.004 Unix Shell Sub-technique

Contagious Interview has targeted macOS victim hosts using a bash downloader `coremedia.sh` and a bash script `cloud.sh`.(Citation: Sekoia ClickFake 2025)

Enterprise T1587.001 Malware Sub-technique

Contagious Interview has developed malware that utilizes the Qt cross-platform framework, including BeaverTail.[5][8]

Enterprise T1593.003 Code Repositories Sub-technique

Contagious Interview has identified and solicited victims through code repositories such as GitHub.[7]

Enterprise T1583.001 Domains Sub-technique

Contagious Interview has registered domains to leverage in their social engineering campaigns.[4][5][8] Contagious Interview has also registered domains to utilize for C2.[9](Citation: Sekoia ClickFake 2025)[1](Citation: Socket Contagious Interview NPM April 2025)(Citation: Socket BeaverTail XORIndex HexEval Contagious Interview July 2025)(Citation: Socket HexEval BeaverTail Contagious Interview June 2025)

Enterprise T1566.003 Spearphishing via Service Sub-technique

Contagious Interview has used fake job advertisements and messages sent via social media to spearphish targets.(Citation: Sekoia ClickFake 2025)[1][4][5](Citation: SecurityScorecard Contagious Interview October 2024)(Citation: SecurityScorecard Contagious Interview FamousChollima October 2024) Contagious Interview has also leveraged hiring websites to solicit victims.[4]

Enterprise T1546.004 Unix Shell Configuration Modification Sub-technique

Contagious Interview has targeted macOS victim hosts using a bash downloader `coremedia.sh` and a bash script `cloud.sh`.(Citation: Sekoia ClickFake 2025)

Enterprise T1683.001 Written Content Sub-technique

Contagious Interview has created fake social media accounts such as LinkedIn and Telegram accounts for their targeting efforts.[5]

Enterprise T1685 Disable or Modify Tools

Contagious Interview has convinced victims to disable Docker and other container environments and run code on their machine natively in attempts to bypass container isolation and ensure device infection.(Citation: Socket HexEval BeaverTail Contagious Interview June 2025)

Enterprise T1681 Search Threat Vendor Data

Contagious Interview has registered accounts with Threat Intelligence vendor services to check for reporting associated with their infrastructure and to evaluate new potential infrastructure.[9]

Enterprise T1059.003 Windows Command Shell Sub-technique

Contagious Interview has utilized VBS scripts to open `cmd.exe` and run commands to include the `go_batch.bat` batch file.(Citation: Sekoia ClickFake 2025)

Enterprise T1657 Financial Theft

Contagious Interview has stolen cryptocurrency wallet credentials and credit card information utilizing BeaverTail and InvisibleFerret malware.[2](Citation: Socket BeaverTail XORIndex HexEval Contagious Interview July 2025)(Citation: Socket HexEval BeaverTail Contagious Interview June 2025)[5][6][7][8]

Enterprise T1048.003 Exfiltration Over Unencrypted Non-C2 Protocol Sub-technique

Contagious Interview has exfiltrated victim information using FTP.[5][7][8]

Enterprise T1059.007 JavaScript Sub-technique

Contagious Interview has leveraged JavaScript in the execution of their downloader malware targeting Windows devices using a NodeJS script titled `nvidia.js`.(Citation: Sekoia ClickFake 2025)

Enterprise T1547.013 XDG Autostart Entries Sub-technique

Contagious Interview has established persistence using InvisibleFerret malware to create a .desktop entry to run on startup on GNOME-based Linux devices.[6]

Enterprise T1587 Develop Capabilities

Contagious Interview developed malicious NPM packages for delivery to or retrieval by victims.[9][1][2](Citation: Socket Contagious Interview NPM April 2025)(Citation: Socket BeaverTail XORIndex HexEval Contagious Interview July 2025)(Citation: Socket HexEval BeaverTail Contagious Interview June 2025)[7]

Enterprise T1070.004 File Deletion Sub-technique

Contagious Interview has configured malware to remove archives used in collection activities following successful exfiltration.(Citation: Socket BeaverTail XORIndex HexEval Contagious Interview July 2025)

Enterprise T1588.002 Tool Sub-technique

Contagious Interview has used remote management and monitoring software such as “AnyDesk”.[2][5](Citation: SecurityScorecard Contagious Interview October 2024)[7][8]

Enterprise T1543.001 Launch Agent Sub-technique

Contagious Interview has established persistence using InvisibleFerret malware to create a file that runs the script on startup via LaunchAgents.[6] Contagious Interview has also utilized a plist file located in `/Library/LaunchAgents` to give a malicious bash script the ability to persist.(Citation: Sekoia ClickFake 2025)

Enterprise T1041 Exfiltration Over C2 Channel

Contagious Interview has exfiltrated data from a compromised host to actor-controlled C2 servers.[9][2][4](Citation: Socket Contagious Interview NPM April 2025)(Citation: Socket BeaverTail XORIndex HexEval Contagious Interview July 2025)(Citation: Socket HexEval BeaverTail Contagious Interview June 2025)[5](Citation: SecurityScorecard Contagious Interview October 2024)[7][8]

Enterprise T1593.001 Social Media Sub-technique

Contagious Interview has identified and solicited victims through social media such as LinkedIn, X, and Telegram.(Citation: Sekoia ClickFake 2025)[1](Citation: SecurityScorecard Contagious Interview October 2024)(Citation: SecurityScorecard Contagious Interview FamousChollima October 2024)[7][8]

Enterprise T1583 Acquire Infrastructure

Contagious Interview has used services such as Astrill VPN.[9][4]

Enterprise T1027.013 Encrypted/Encoded File Sub-technique

Contagious Interview has used hexadecimal string encoding to hide critical JavaScript module names, function names, and C2 URLs, which are decoded dynamically at runtime.(Citation: Socket Contagious Interview NPM April 2025)

Enterprise T1567.002 Exfiltration to Cloud Storage Sub-technique

Contagious Interview has exfiltrated stolen passwords to Dropbox.(Citation: Sekoia ClickFake 2025)

Enterprise T1684.001 Impersonation Sub-technique

Contagious Interview has impersonated HR hiring personnel through social media and job board notifications, and has conducted interviews with victims in order to entice them to download malware disguised as legitimate applications or malicious scripts from code repositories.[9][1](Citation: Socket HexEval BeaverTail Contagious Interview June 2025)(Citation: SecurityScorecard Contagious Interview October 2024)[10](Citation: SecurityScorecard Contagious Interview FamousChollima October 2024)[7][8]

Enterprise T1204.004 Malicious Copy and Paste Sub-technique

Contagious Interview has leveraged ClickFix-type tactics, enticing victims to copy and paste malicious code.[9](Citation: Sekoia ClickFake 2025)[1]

Enterprise T1059.006 Python Sub-technique

Contagious Interview has used Python-based malware such as InvisibleFerret to install and execute Python packages and Python modules.[2][5][7]

Enterprise T1589 Gather Victim Identity Information

Contagious Interview has researched specific professional groups such as software developers for targeting.(Citation: Socket HexEval BeaverTail Contagious Interview June 2025)(Citation: SecurityScorecard Contagious Interview October 2024)[10](Citation: SecurityScorecard Contagious Interview FamousChollima October 2024)[7][8] Contagious Interview has also researched individuals who work in roles related to cryptocurrency and blockchain technologies.[9](Citation: Sekoia ClickFake 2025)

Enterprise T1583.003 Virtual Private Server Sub-technique

Contagious Interview has acquired virtual private servers from services such as Stark Industries Solutions and RouterHosting.[2][7] Contagious Interview has also utilized hosting providers to include Tier[.]Net, Majestic Hosting, Leaseweb Singapore, and Kaopu Cloud.[4]

Enterprise T1588.007 Artificial Intelligence Sub-technique

Contagious Interview appears to have used AI to generate images and content to facilitate their campaigns.[4]

Enterprise T1090 Proxy

Contagious Interview has leveraged Astrill VPN for C2.[4]

Enterprise T1573.001 Symmetric Cryptography Sub-technique

Contagious Interview has encrypted C2 traffic using RC4.(Citation: Sekoia ClickFake 2025)

Enterprise T1204.001 Malicious Link Sub-technique

Contagious Interview has lured victims to click on a malicious link that led to download of a malicious payload.[4] Contagious Interview has also leveraged links to malicious payloads on social media and code repositories.[4]

Enterprise T1071.003 Mail Protocols Sub-technique

Contagious Interview has utilized email notifications from malware distribution servers to track victim engagement.[9]

Enterprise T1082 System Information Discovery

Contagious Interview has configured malicious webpages to identify the victim’s operating system by reviewing the details of the victim’s browser User-Agent.(Citation: Sekoia ClickFake 2025)

Enterprise T1593 Search Open Websites/Domains

Contagious Interview has utilized open-source indicator of compromise repositories, including VirusTotal and MalTrail, to determine their exposure.[9]

Enterprise T1027.010 Command Obfuscation Sub-technique

Contagious Interview has obfuscated JavaScript code using Base64 and variable substitutions.[5](Citation: SecurityScorecard Contagious Interview October 2024)[10][6]

Enterprise T1608.001 Upload Malware Sub-technique

Contagious Interview has hosted malicious payloads on code repositories used as lures for victims to download.[9][1][2][4](Citation: Socket Contagious Interview NPM April 2025)(Citation: Socket BeaverTail XORIndex HexEval Contagious Interview July 2025)(Citation: Socket HexEval BeaverTail Contagious Interview June 2025)[5](Citation: SecurityScorecard Contagious Interview October 2024)[10][6][7]

Enterprise T1059.005 Visual Basic Sub-technique

Contagious Interview has utilized Visual Basic scripts in the execution of their downloader malware targeting Windows devices, including a script called `update.vbs`.(Citation: Sekoia ClickFake 2025)

Enterprise T1480 Execution Guardrails

Contagious Interview has configured C2 endpoints to review IP geolocation, request headers, victim environment details and runtime conditions prior to delivering payloads.(Citation: Socket HexEval BeaverTail Contagious Interview June 2025)

Enterprise T1585.001 Social Media Accounts Sub-technique

Contagious Interview has created fake social media accounts such as LinkedIn and Telegram accounts for their targeting efforts.[4][5](Citation: SecurityScorecard Contagious Interview October 2024)(Citation: SecurityScorecard Contagious Interview FamousChollima October 2024)[8][6]

Enterprise T1547.001 Registry Run Keys / Startup Folder Sub-technique

Contagious Interview has established persistence using InvisibleFerret malware to place a .bat file in the Startup Folder.[6]

Enterprise T1585.002 Email Accounts Sub-technique

Contagious Interview has created fake email accounts to correspond with social media accounts, fake LinkedIn personas, code repository accounts, and job announcements on development job board services.[9][4](Citation: Socket HexEval BeaverTail Contagious Interview June 2025)[5][6][8] Contagious Interview has also utilized fake email accounts with Threat Intelligence vendor services.[9]

Enterprise T1683.002 Audio-Visual Content Sub-technique

Contagious Interview has used AI to clone video-conferencing applications to distribute their BeaverTail malware. They have also used AI to create deepfake videos. [8]
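
The hexadecimal string encoding described under T1027.013 above can be triaged statically during dependency review. The following is an added example, not code from MITRE, Glexia or any cited report; the watch lists, the file name and the sample source are constructed assumptions, and only the port number 1224 comes from the T1571 entry on this page.

```javascript
// Added example: flag hex-encoded string literals in dependency source that
// decode to module names, function names or URLs (the T1027.013 behaviour).

// Names a loader has reason to hide (assumed watch lists, extend locally).
const WATCH_MODULES = new Set(['child_process', 'fs', 'os', 'http', 'https', 'net', 'axios']);
const WATCH_FUNCTIONS = new Set(['eval', 'exec', 'execSync', 'spawn', 'require']);
// TCP port listed for C2 in the T1571 entry on this page.
const REPORTED_C2_PORT = '1224';

// A quoted literal made only of hex byte pairs, at least two bytes long.
const HEX_LITERAL = /(['"`])((?:[0-9a-fA-F]{2}){2,})\1/g;

// Decode a hex string; return null unless every byte is printable ASCII,
// which discards colour codes, hashes and other ordinary hex constants.
function decodeHex(hex) {
  const bytes = Buffer.from(hex, 'hex');
  for (const b of bytes) {
    if (b < 0x20 || b > 0x7e) return null;
  }
  return bytes.toString('latin1');
}

// Decide why a decoded string deserves review; null means ignore it.
function classify(decoded) {
  if (/^https?:\/\//i.test(decoded)) return 'url';
  if (WATCH_MODULES.has(decoded)) return 'module';
  if (WATCH_FUNCTIONS.has(decoded)) return 'function';
  return decoded.length >= 8 ? 'opaque' : null; // long readable text hidden as hex
}

// Effective port of a decoded URL, or null if it does not parse.
function urlPort(decoded) {
  try {
    const u = new URL(decoded);
    return u.port || (u.protocol === 'https:' ? '443' : '80');
  } catch {
    return null;
  }
}

// Scan one file's text and return findings with 1-based line numbers.
function scanSource(file, source) {
  const findings = [];
  for (const m of source.matchAll(HEX_LITERAL)) {
    const decoded = decodeHex(m[2]);
    if (decoded === null) continue;
    const kind = classify(decoded);
    if (kind === null) continue;
    const line = source.slice(0, m.index).split('\n').length;
    const finding = { file, line, kind, decoded };
    if (kind === 'url') {
      finding.port = urlPort(decoded);
      finding.reportedC2Port = finding.port === REPORTED_C2_PORT;
    }
    findings.push(finding);
  }
  return findings;
}

// Constructed sample input: inert text that is only scanned, never executed.
const toHex = (s) => Buffer.from(s, 'latin1').toString('hex');
const SAMPLE_SOURCE = [
  "const d = (h) => Buffer.from(h, 'hex').toString();",
  `const m = require(d('${toHex('child_process')}'));`,
  `const u = d('${toHex('http://c2.example.invalid:1224/api')}');`,
  "const color = 'ffcc00';",
  "const id = 'deadbeef';",
].join('\n');

function demo() {
  return scanSource('node_modules/example-pkg/index.js', SAMPLE_SOURCE);
}

console.log(demo());
```

In practice `scanSource` would be run over every `.js` file of a newly added or updated dependency before install scripts execute, with findings reviewed alongside the package's publisher and age.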

Associated objects

Groups, software, and campaigns

Malware Enterprise

S1245: InvisibleFerret

InvisibleFerret is a modular Python malware that is leveraged for data exfiltration and remote access capabilities.[1][2][3] InvisibleFerret consists of four modules: main, payload, browser, and AnyDesk.[1] InvisibleFerret malware has been leveraged by North Korea-affiliated threat actors identified as DeceptiveDevelopment or Contagious Interview since 2023.[4][2][3][5] InvisibleFerret has historically been introduced to the victim environment through the use of the BeaverTail malware.[6][1][2][3][5]

Linux, macOS, Windows

Malware Enterprise

S1246: BeaverTail

BeaverTail is a malware that has both a JavaScript and C++ variant. Active since 2022, BeaverTail is capable of stealing logins from browsers and serves as a downloader for second stage payloads. BeaverTail has previously been leveraged by North Korea-affiliated actors identified as DeceptiveDevelopment or Contagious Interview. BeaverTail has been delivered to victims through code repository sites and has been embedded within malicious attachments.[1][2][3][4]

Linux, macOS, Windows

Malware Enterprise

S1248: XORIndex Loader

XORIndex Loader is an XOR-encoded loader that collects host data, decodes follow-on scripts and acts as a downloader for the BeaverTail malware. XORIndex Loader was first reported in June 2025. XORIndex Loader has been leveraged by North Korea-affiliated threat actors identified as Contagious Interview. XORIndex Loader has been delivered to victims through code repository sites utilizing typosquatting naming conventions of various npm packages.[1]

Windows

Malware Enterprise

S1249: HexEval Loader

HexEval Loader is a hex-encoded loader that collects host data, decodes follow-on scripts and acts as a downloader for the BeaverTail malware. HexEval Loader was first reported in April 2025. HexEval Loader has previously been leveraged by North Korea-affiliated threat actors identified as Contagious Interview. HexEval Loader has been delivered to victims through code repository sites utilizing typosquatting naming conventions of various npm packages.[1][2][3]

Linux, macOS, Windows

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 77ebb9f03c55d047...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle 77ebb9f03c55…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  [1] Validin Contagious Interview North Korea ClickFix January 2025
      Efstratios Lontzetidis. (2025, January 16). Lazarus APT: Techniques for Hunting Contagious Interview. Retrieved October 20, 2025.

  [2] Esentire ContagiousInterview BeaverTail InvisibleFerret November 2024
      eSentire Threat Response Unit (TRU). (2024, November 14). Bored BeaverTail & InvisibleFerret Yacht Club – A Lazarus Lure Pt.2. Retrieved October 17, 2025.

  [3] Datadog Contagious Interview Tenacious Pungsan October 2024
      Ian Kretz, Sebastian Obregoso, Datadog Security Research Team. (2024, October 24). Tenacious Pungsan: A DPRK threat actor linked to Contagious Interview. Retrieved October 20, 2025.

  [4] Recorded Future Contagious Inteview BeaverTail InvisibleFerret OtterCookie February 2025
      Insikt Group. (2025, February 13). Inside the Scam: North Korea’s IT Worker Threat. Retrieved October 17, 2025.

  [5] ESET Contagious Interview BeaverTail InvisibleFerret February 2025
      Matej Havranek. (2025, February 20). DeceptiveDevelopment targets freelance developers. Retrieved October 17, 2025.

  [6] Zscaler ContagiousInterview BeaverTail InvisibleFerret November 2024
      Seongsu Park. (2024, November 4). From Pyongyang to Your Payroll: The Rise of North Korean Remote Workers in the West. Retrieved October 17, 2025.

  [7] PaloAlto ContagiousInterview BeaverTail InvisibleFerret November 2023
      Unit 42. (2023, November 21). Hacking Employers and Seeking Employment: Two Job-Related Campaigns Bear Hallmarks of North Korean Threat Actors. Retrieved October 17, 2025.

  [8] PaloAlto Unit42 ContagiousInterview BeaverTail InvisibileFerret October 2024
      Unit42. (2024, October 9). Contagious Interview: DPRK Threat Actors Lure Tech Industry Job Seekers to Install New Variants of BeaverTail and InvisibleFerret Malware. Retrieved October 17, 2025.

  [9] Sentinel One Contagious Interview ClickFix September 2025
      Aleksandar Milenkoski, Sreekar Madabushi, Kenneth Kinion. (2025, September 4). Contagious Interview | North Korean Threat Actors Reveal Plans and Ops by Abusing Cyber Intel Platforms. Retrieved October 20, 2025.

  [10] Securonix Contagious Interview DEVPOPPER April 2024
      Securonix Threat Research, D.Iuzvyk, T. Peck, O.Kolesnikov. (2024, April 24). Analysis of DEV#POPPER: New Attack Campaign Targeting Software Developers Likely Associated With North Korean Threat Actors. Retrieved October 20, 2025.

  [11] DEV#POPPER
      (Citation: Securonix Contagious Interview DEVPOPPER April 2024)

  [12] DeceptiveDevelopment
      (Citation: ESET Contagious Interview BeaverTail InvisibleFerret February 2025)

  [13] Gwisin Gang
      (Citation: Sentinel One Contagious Interview ClickFix September 2025)(Citation: dtex DPRK 2025 structure ITworkers)

  [14] PurpleBravo
      (Citation: Recorded Future Contagious Inteview BeaverTail InvisibleFerret OtterCookie February 2025)

  [15] TAG-121
      (Citation: Recorded Future Contagious Inteview BeaverTail InvisibleFerret OtterCookie February 2025)

  [16] Tenacious Pungsan
      (Citation: Datadog Contagious Interview Tenacious Pungsan October 2024)

  [17] dtex DPRK 2025 structure ITworkers
      Michael “Barni” Barnhart, DTEX, and Anonymous SMEs. (2025, May 14). Exposing DPRK's Cyber Syndicate and Hidden IT Workforce. Retrieved September 3, 2025.

  [18] mitre-attack G1052

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.