North Korean Hackers Weaponize Threat Intel for Phishing

Summary
– North Korea-aligned hackers attempted to abuse a cyber threat intelligence platform, registering accounts on Validin’s infrastructure intelligence portal during 2025 so they could see how their own infrastructure was being tracked.
– The group, tracked as Contagious Interview, kept creating new accounts as old ones were blocked and appears to have coordinated the work as a team, with researchers suspecting that search results were shared in real time over a chat tool such as Slack.
– They scouted new infrastructure to avoid detection but made operational security mistakes that exposed their workflows and malware delivery systems.
– The campaign primarily targeted cryptocurrency professionals through social engineering, affecting over 230 individuals and serving North Korea’s revenue needs.
– Rapid infrastructure redeployment and continuous victim acquisition were key to their resilience, emphasizing the need for vigilance and provider takedowns.
A campaign by North Korea-aligned hackers has turned a cyber threat intelligence platform into a tool for refining phishing operations, according to research published by SentinelLabs. The finding illustrates how threat actors can repurpose defensive tooling for offense: the same infrastructure lookups defenders use to expose a campaign tell the operators which of their assets have been noticed.
Between March and June 2025, a group known as Contagious Interview, previously identified for luring job seekers with malware-laced recruitment offers, attempted to gain access to Validin’s infrastructure intelligence portal. Shortly after a blog post exposed activity linked to the Lazarus group, the hackers registered multiple accounts using Gmail addresses already tied to their earlier operations. Validin promptly blocked these attempts, but the actors returned with accounts on freshly registered domains, demonstrating both persistence and adaptability.
Their relentless efforts included repeated account creations and login attempts over several months. In a strategic move, researchers from SentinelLabs allowed one account to remain active to observe the group’s behavior. Evidence pointed to coordinated teamwork, including the suspected use of real-time communication platforms like Slack to share search results and intelligence.
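The pattern described above, repeated signups reusing addresses tied to earlier campaigns and then fresh addresses on newly registered domains, is something a portal operator can score at registration time. The following is an added example written for this article, not Validin’s or SentinelLabs’ code; the indicator values, thresholds, field names and sample signups are all constructed for illustration and are not indicators from the report.

```python
"""Vet signups to a threat-intel portal for signs of known-actor account reuse.

Added example for this article; not Validin's or SentinelLabs' code. Every
indicator, threshold and sample value below is a constructed placeholder.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed indicator set: addresses and sender domains that a defender has
# previously tied to the campaign (placeholders, not published indicators).
KNOWN_ACTOR_EMAILS = {"hr.recruit.demo@gmail.com"}
KNOWN_ACTOR_DOMAINS = {"talent-screening.example"}
# Free-mail providers are common and are not penalised for domain age.
FREEMAIL_DOMAINS = {"gmail.com", "outlook.com", "proton.me"}

BURST_WINDOW = timedelta(hours=24)
BURST_LIMIT = 3        # assumed: this many prior signups from one IP in the window
NEW_DOMAIN_DAYS = 30   # assumed: a sender domain younger than this is suspicious


@dataclass
class Signup:
    email: str
    source_ip: str
    when: datetime
    # Age of the sender domain from a WHOIS/RDAP lookup done elsewhere;
    # None when unknown (the example runs offline and never looks it up).
    domain_age_days: Optional[int] = None


class SignupVetter:
    """Stateful vetter: remembers blocked IPs and signup timestamps per IP."""

    def __init__(self) -> None:
        self.blocked_ips: set[str] = set()
        self.by_ip: dict[str, list[datetime]] = defaultdict(list)

    def score(self, s: Signup) -> tuple[int, list[str]]:
        """Return (score, reasons) without mutating state."""
        reasons: list[str] = []
        score = 0
        domain = s.email.rsplit("@", 1)[-1].lower()

        if s.email.lower() in KNOWN_ACTOR_EMAILS:
            score += 100
            reasons.append("email address on known-actor list")
        if domain in KNOWN_ACTOR_DOMAINS:
            score += 100
            reasons.append("sender domain on known-actor list")
        if s.source_ip in self.blocked_ips:
            score += 60
            reasons.append("source IP used by a previously blocked account")

        # Burst: the actor re-registers repeatedly as accounts are disabled.
        recent = [t for t in self.by_ip[s.source_ip] if s.when - t <= BURST_WINDOW]
        if len(recent) >= BURST_LIMIT:
            score += 40
            reasons.append(f"{len(recent)} prior signups from this IP within the window")

        # Freshly registered sender domain (the fallback once Gmail accounts
        # are blocked); free-mail domains are exempt from this check.
        if (domain not in FREEMAIL_DOMAINS and s.domain_age_days is not None
                and s.domain_age_days < NEW_DOMAIN_DAYS):
            score += 40
            reasons.append(f"sender domain registered {s.domain_age_days} days ago")
        return score, reasons

    def decide(self, s: Signup) -> str:
        """Score the signup, record it, and return 'block', 'review' or 'allow'."""
        score, _ = self.score(s)
        self.by_ip[s.source_ip].append(s.when)
        if score >= 100:
            self.blocked_ips.add(s.source_ip)
            return "block"
        if score >= 40:
            return "review"
        return "allow"


if __name__ == "__main__":
    # Constructed sample signups (RFC 5737 documentation IP ranges).
    t0 = datetime(2025, 3, 10, 9, 0)
    vetter = SignupVetter()
    for s in (
        Signup("hr.recruit.demo@gmail.com", "203.0.113.7", t0),
        Signup("newname1@gmail.com", "203.0.113.7", t0 + timedelta(minutes=5)),
        Signup("careers@fresh-screening.example", "198.51.100.9", t0, domain_age_days=3),
        Signup("analyst@corp-example.org", "198.51.100.2", t0, domain_age_days=4000),
    ):
        print(vetter.decide(s), s.email, vetter.score(s)[1])
```

The block retains state so that the second signup in the demo, a brand-new Gmail address from an IP that has already produced a blocked account, is routed to review rather than waved through; a stateless check on the address alone would miss exactly the re-registration behaviour described above. Domain age is passed in rather than looked up, since an RDAP query is environment-specific.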
Rather than overhauling their entire infrastructure to evade detection, the hackers focused on rapidly deploying new systems to replace those disabled by service providers. This approach allowed them to maintain a high volume of victim interactions even after exposure.
Investigators noted that the group used Validin not only to watch for signs that its infrastructure had been detected but also to scout new infrastructure before acquiring it. Searches for domains such as skillquestions[.]com and hiringassessment[.]net indicated an effort to steer clear of assets that were already blocklisted. Operational security lapses on the actors’ own servers, such as exposed log files and browsable directory structures, gave researchers rare visibility into their internal workflows.
The campaign also relied on ContagiousDrop applications, malware delivery components embedded in fake recruitment websites. When a victim executed the malicious command presented by the site, the application sent the operators an email alert recording the victim’s name, phone number, and IP address. Between January and March 2025, more than 230 individuals, predominantly in the cryptocurrency sector, were affected.
SentinelLabs asserts that the Contagious Interview operation supports North Korea’s revenue-generation objectives by targeting cryptocurrency professionals globally through social engineering. While the group has not implemented systematic measures to protect its infrastructure, its agility in redeploying assets and continuously acquiring new victims has proven effective.
According to the report, “Given the continuous success of their campaigns in engaging targets, it may be more pragmatic and efficient for the threat actors to deploy new infrastructure rather than maintain existing assets.” The findings underscore the critical need for vigilance among job seekers, especially in high-risk industries like cryptocurrency. Infrastructure providers also play a vital role, as swift takedowns can significantly disrupt these malicious operations.
(Source: Info Security)