Contagious Interview cryptocurrency social-engineering and malware-delivery campaign
Campaign
Summary
Hide ▲
Show ▼
A North Korean cluster behind Contagious Interview / WaterPlum is running a coordinated malware campaign against cryptocurrency professionals, increasing the risk of credential theft and malicious code execution. The operation uses LinkedIn outreach, fake venture capital firms, and fraudulent video conferencing links to steer victims into the delivery chain. The targeting focus on founders, CTOs, and senior engineers suggests a deliberate effort to reach people with privileged access to crypto infrastructure and wallets. The activity overlaps with related clusters and continues to evolve across trusted hiring and developer workflows.
Related Happenings
KongTuke ClickFix and Teams access-seeking campaign
Campaign
H score33
First: 25.06.2026 11:54
Last: 25.06.2026 11:54
Sources 1
About this happening:
The **KongTuke** operation is using **ClickFix** lures and **Microsoft Teams** messages to widen access-seeking attacks against **multiple organizations**, increasing the risk of...
KongTuke ClickFix and Teams access-seeking campaign
CampaignAbout this happening: The **KongTuke** operation is using **ClickFix** lures and **Microsoft Teams** messages to widen access-seeking attacks against **multiple organizations**, increasing the risk of...
Ghost Networks crypto-clipper promotion campaign
Campaign
H score15
First: 17.06.2026 21:14
Last: 17.06.2026 21:14
Sources 1
About this happening:
**Unknown threat actor** is running an **active June 2026** campaign that fakes legitimacy to distribute a **Rust-based clipboard hijacker**. The operation uses **bogus GitHub sta...
Ghost Networks crypto-clipper promotion campaign
CampaignAbout this happening: **Unknown threat actor** is running an **active June 2026** campaign that fakes legitimacy to distribute a **Rust-based clipboard hijacker**. The operation uses **bogus GitHub sta...
North Korea-aligned developer-targeting operations shift from fake interviews to recruitment phishing at scale
Threat Actor Meta
H score31
First: 15.06.2026 22:32
Last: 15.06.2026 22:32
Sources 1
About this happening:
North Korea-aligned developer-targeting operations are shifting from **fake interviews** to **recruitment-themed phishing** at scale, increasing the risk of industrialized **crede...
North Korea-aligned developer-targeting operations shift from fake interviews to recruitment phishing at scale
Threat Actor MetaAbout this happening: North Korea-aligned developer-targeting operations are shifting from **fake interviews** to **recruitment-themed phishing** at scale, increasing the risk of industrialized **crede...
Contagious Interview UNK_DeadDrop GitHub phishing campaign
Campaign
H score37
First: 15.06.2026 22:32
Last: 15.06.2026 22:32
Sources 1
About this happening:
The **Contagious Interview** cluster is running the **UNK_DeadDrop** phishing campaign to lure developers with **recruitment** and **code review** themes, reaching **nearly 100 or...
Contagious Interview UNK_DeadDrop GitHub phishing campaign
CampaignAbout this happening: The **Contagious Interview** cluster is running the **UNK_DeadDrop** phishing campaign to lure developers with **recruitment** and **code review** themes, reaching **nearly 100 or...
UNK_DeadDrop developer phishing campaign using fake job and code-review lures
Campaign
H score30
First: 08.06.2026 18:00
Last: 08.06.2026 18:00
Sources 1
About this happening:
A **UNK_DeadDrop** phishing campaign sent **more than 250 emails** to software developers at **almost 100 organizations**, using fake job and code-review lures to steal **cryptocu...
UNK_DeadDrop developer phishing campaign using fake job and code-review lures
CampaignAbout this happening: A **UNK_DeadDrop** phishing campaign sent **more than 250 emails** to software developers at **almost 100 organizations**, using fake job and code-review lures to steal **cryptocu...
Timeline
-
23.03.2026 20:09 2 articles · 3mo ago
Contagious Interview expands developer and crypto targeting
Campaign Scope UpdateNorth Korean threat actors behind Contagious Interview / WaterPlum are using malicious Microsoft Visual Studio Code projects and `tasks.json` `runOn: folderOpen` to auto-execute StoatWaffle, a Node.js-based malware family that can install Node.js when missing and deliver both stealer and RAT modules. The same operator set is also targeting cryptocurrency and Web3 professionals through LinkedIn social engineering, fake venture capital firms, and fraudulent video conferencing links.
Show sources
- North Korean Hackers Abuse VS Code Auto-Run Tasks to Deploy StoatWaffle Malware — thehackernews.com — 23.03.2026 20:09
- UNC1069 Social Engineering of Axios Maintainer Led to npm Supply Chain Attack — thehackernews.com — 03.04.2026 14:04