AkdoorTea Shocker: North Korea Is Hacking Global Crypto Developers

North Korea-linked threat actors, known for the Contagious Interview campaign, are now using a new, previously unknown backdoor named AkdoorTea, alongside tools like TsunamiKit and Tropidoor. 

Slovak cybersecurity firm ESET, which tracks the activity under the name DeceptiveDevelopment, reported that the campaign targets software developers working on cryptocurrency and Web3 projects across all major operating systems: Windows, Linux, and macOS. This group is also known by various other names, including Famous Chollima and Void Dokkaebi. 

The Attack Method 

The campaign relies heavily on sophisticated social engineering. Impersonating recruiters, the hackers use platforms like LinkedIn, Upwork, and Crypto Jobs List to offer attractive job roles. Once a target expresses interest, they are directed to one of two traps: 

  • Coding Exercise: Targets are asked to clone projects from GitHub, which secretly install the malware. 
  • Video Assessment: Targets are sent to a specially designed website that displays fake errors about camera or microphone access being blocked. They are then told to follow "ClickFix-style" instructions using the command prompt or Terminal app, which ultimately delivers the infection. 

Regardless of the initial method, the attacks deliver several pieces of malware, including BeaverTail, InvisibleFerret, OtterCookie, and GolangGhost. These tools primarily focus on stealing sensitive data from web browsers and cryptocurrency wallets. Some of the stealers, like WeaselStore, function as a Remote Access Trojan (RAT) that continues to communicate with the command-and-control server after data exfiltration. 

The Attack Toolkit 

The infection sequence also deploys TsunamiKit and Tropidoor. 

  • TsunamiKit is a toolkit designed for information and cryptocurrency theft. The multi-stage kit ultimately executes TsunamiClient, which incorporates .NET spyware and drops cryptocurrency miners like XMRig. ESET believes TsunamiKit is a modification of a dark web project, suggesting the group reuses existing code. 
  • Tropidoor is described by ESET as the most sophisticated payload linked to DeceptiveDevelopment, likely because it is based on code from the more technically advanced Lazarus Group umbrella. Tropidoor and a related malware, PostNapTea, use stealthy techniques to gather system information and execute various commands. 

The newest addition, AkdoorTea, is a remote access trojan (RAT) delivered via a Windows batch script that downloads a ZIP file, often disguised as an NVIDIA driver update. This method of using fake NVIDIA updates for "camera fixes" links AkdoorTea directly back to the social engineering tactics of the Contagious Interview campaign. The similarities between AkdoorTea and the existing Akdoor malware further reinforce the connection to the larger Lazarus Group. 

Beyond Hacking 

ESET notes that the Contagious Interview campaign is part of a broader, more distributed strategy that focuses on volume and creative social engineering. The intelligence gathered from this campaign is also believed to be used to support North Korea’s fraudulent IT worker scheme (WageMole). In this scheme, North Korean operatives use stolen identities to secure remote jobs at companies worldwide. 

For instance, cybersecurity company Trellix recently reported uncovering a North Korean IT worker attempting to infiltrate a U.S. healthcare company by applying for a software engineer position using a fabricated identity. 

ESET classifies this fraud-for-hire scheme as a hybrid threat, combining classical criminal operations like identity theft with digital tools to secure long-term, lucrative access to companies. 
