North Korean Hackers Target Crypto With Fake Firms & Job Offers

Researchers at cybersecurity firm Silent Push have uncovered a sophisticated campaign by the North Korean advanced persistent threat (APT) group known as Contagious Interview (aka "Famous Chollima"), a subgroup within the notorious Lazarus Group.

This operation involved the creation of fake cryptocurrency companies in the U.S. and the use of deceptive job interview tactics to distribute malware and infiltrate organizations.

Key Findings

According to Silent Push, the hackers established three front cryptocurrency consulting companies, BlockNovas LLC (registered in New Mexico), Angeloper Agency, and SoftGlide LLC (registered in New York), using false identities and addresses. Angeloper Agency has no business registration in the U.S.

"In this new campaign, the threat actor group is using three front companies in the cryptocurrency consulting industry—BlockNovas LLC (blocknovas[.]com), Angeloper Agency (angeloper[.]com), and SoftGlide LLC (softglide[.]co)—to spread malware via 'job interview lures'," Silent Push said in a detailed blog post.

These entities, posing as legitimate cryptocurrency consulting firms, were created to lure unsuspecting cryptocurrency job seekers into downloading malware that compromises crypto wallets and steals credentials.

Beyond the front companies themselves, job applicants were approached through counterfeit job postings and LinkedIn-style recruiter profiles, and during the ensuing "interview" they were tricked into downloading malware-laden files disguised as application materials or onboarding documents.

The three malware families identified in this campaign are BeaverTail, InvisibleFerret, and OtterCookie, all previously tied to North Korean cyber units. They steal data, provide backdoor access to infected systems, and serve as entry points for follow-on attacks using additional spyware or ransomware.

As per Silent Push, BlockNovas, the most active of the three front companies, was seized by the U.S. Federal Bureau of Investigation (FBI) on April 23, 2025. The seizure notice posted on the site states that it was taken down "as part of a law enforcement action against North Korean cyber actors who utilised this domain to deceive individuals with fake job postings and distribute malware."

Besides using services like Astrill VPN and residential proxies to obfuscate their infrastructure and activities, the Contagious Interview campaign also employed AI tools such as "Remaker AI" (remaker[.]ai) to generate convincing profile images for the fake employees of the three front crypto companies, enhancing the credibility of these fraudulent firms.
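The defanged domains quoted from the Silent Push report above (the three front-company domains and the Remaker AI service) are the indicators a defender would actually act on. The following is an added example, not code from the article or from Silent Push: it refangs those indicators into a blocklist and scans mail and proxy log lines for hosts that equal or are subdomains of a listed domain. The log lines are constructed for the example and the log format, field names and the `careers.` subdomain are assumptions; only the four domains come from the page.

```python
import re
from typing import Iterable, List, Optional, Tuple

# Defanged indicators exactly as quoted from the Silent Push report in the article.
# (The stray space in the first entry is how the article renders it; refang() drops it.)
DEFANGED_INDICATORS = [
    "blocknovas[.] com",
    "angeloper[.]com",
    "softglide[.]co",
    "remaker[.]ai",   # AI service the actors used for fake profiles, not malware C2
]


def refang(indicator: str) -> str:
    """Turn a defanged domain or URL ("example[.]com", "hxxp://") into a matchable form."""
    s = re.sub(r"\s+", "", indicator.strip().lower())   # drop whitespace inserted by copy/paste
    for defanged, real in (("[.]", "."), ("(.)", "."), ("{.}", "."), ("[:]", ":")):
        s = s.replace(defanged, real)
    if s.startswith("hxxp"):
        s = "http" + s[4:]
    return s


BLOCKED_DOMAINS = [refang(d) for d in DEFANGED_INDICATORS]


def domain_matches(host: str, blocked: Iterable[str]) -> Optional[str]:
    """Return the blocked domain that `host` equals or is a subdomain of, else None.

    The "." prefix check prevents 'notsoftglide.co' from matching 'softglide.co'.
    """
    host = host.lower().rstrip(".")
    for d in blocked:
        if host == d or host.endswith("." + d):
            return d
    return None


# Hosts from URLs / bare hostnames and from e-mail addresses in a log line.
HOST_RE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)
EMAIL_RE = re.compile(r"[\w.+-]+@([a-z0-9.-]+\.[a-z]{2,})", re.I)


def scan_lines(lines: Iterable[str], blocked: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (line, host, matched_blocked_domain) for every hit in the given log lines."""
    blocked = list(blocked)
    hits = []
    for line in lines:
        hosts = set(EMAIL_RE.findall(line)) | set(HOST_RE.findall(line))
        for host in sorted(hosts):
            matched = domain_matches(host, blocked)
            if matched:
                hits.append((line, host, matched))
    return hits


# Constructed sample log lines (assumed format; not real telemetry).
SAMPLE_LOGS = [
    "2025-04-20T09:12:01Z mail from=recruiter@blocknovas.com to=dev@example.org subj='Developer interview: next steps'",
    "2025-04-20T09:14:33Z proxy GET https://careers.softglide.co/assessment/test.zip user=dev",
    "2025-04-20T09:20:10Z mail from=hr@legit-exchange.example to=dev@example.org subj='Offer letter'",
    "2025-04-20T09:25:44Z proxy GET https://github.com/somerepo/archive.zip user=dev",
]


def sample_hits() -> List[Tuple[str, str, str]]:
    """Run the scan over the constructed sample; two of the four lines should hit."""
    return scan_lines(SAMPLE_LOGS, BLOCKED_DOMAINS)


if __name__ == "__main__":
    for line, host, matched in sample_hits():
        print(f"HIT {host} (blocklist: {matched}) <- {line}")
```

Matching on subdomains matters here because lure infrastructure is rarely served from the bare registered domain; the same `domain_matches` check can be applied to a candidate's or recruiter's e-mail domain before any interview file is opened.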

Lastly, the campaign made heavy use of GitHub, job listing sites, and freelancer websites to reach potential victims and distribute malicious software.

Implications and Recommendations

As North Korean cyber threats continue to evolve, this campaign underscores the need for heightened vigilance, especially in the cryptocurrency sector and during the hiring process.

To protect against these attacks, organizations should implement stringent verification processes for job applicants, including conducting in-person or live video interviews and thorough background checks, and should educate employees about the risks of unsolicited job offers and interviews, particularly any that require downloading and opening files.

For a detailed analysis of this campaign, you can check out Silent Push’s complete report: Contagious Interview Front Companies.

Kavita Iyer