Clankerusecase
Threat-actor profile
 ← Back to main site
Home/ Threat Actors/ Contagious Interview

🌐Contagious Interview

🌐 Contagious Interview is a tracked threat actor in the Clankerusecase corpus. ??-aligned. Primary motivation: Unknown. We map 14 detection use cases to this actor across 54 MITRE ATT&CK techniques, with 0 threat-intel articles citing them.

View full actor card → All threat actors MITRE ATT&CK group spec (G1052) ↗
14Use cases
0Articles
54Techniques
0IOCs

About this actor (MITRE)

[Contagious Interview](https://attack.mitre.org/groups/G1052) is a North Korea–aligned threat group active since 2023. The group conducts both cyberespionage and financially motivated operations, including the theft of cryptocurrency and user credentials. [Contagious Interview](https://attack.mitre.org/groups/G1052) targets Windows, Linux, and macOS systems, with a particular focus on individuals engaged in software development and cryptocurrency-related activities. (Citation: Validin Contagious Interview North Korea ClickFix January 2025)(Citation: Esentire ContagiousInterview BeaverTail Invi

Known aliases

Contagious InterviewDeceptiveDevelopmentGwisin GangTenacious PungsanDEV#POPPERPurpleBravoTAG-121

Top techniques

T1027.010 · Command ObfuscationT1027.013 · Encrypted/Encoded FileT1036 · Masquerading

All other tracked techniques

T1041 · Exfiltration Over C2 ChannelT1048.003 · Exfiltration Over Unencrypted Non-C2 ProtocolT1059.003 · Windows Command ShellT1059.004 · Unix ShellT1059.005 · Visual BasicT1059.006 · PythonT1059.007 · JavaScriptT1070.004 · File DeletionT1071.003 · Mail ProtocolsT1082 · System Information DiscoveryT1083 · File and Directory DiscoveryT1090 · ProxyT1204.001 · Malicious LinkT1204.002 · Malicious FileT1204.004 · Malicious Copy and PasteT1204.005 · Malicious LibraryT1219.002 · Remote Desktop SoftwareT1480 · Execution GuardrailsT1497 · Virtualization/Sandbox EvasionT1543.001 · Launch AgentT1546.004 · Unix Shell Configuration ModificationT1547.001 · Registry Run Keys / Startup FolderT1547.013 · XDG Autostart EntriesT1555.001 · KeychainT1566.003 · Spearphishing via ServiceT1567 · Exfiltration Over Web ServiceT1567.002 · Exfiltration to Cloud StorageT1571 · Non-Standard PortT1573.001 · Symmetric CryptographyT1583 · Acquire InfrastructureT1583.001 · DomainsT1583.003 · Virtual Private ServerT1583.006 · Web ServicesT1585 · Establish AccountsT1585.001 · Social Media AccountsT1585.002 · Email AccountsT1587 · Develop CapabilitiesT1587.001 · MalwareT1588.002 · ToolT1588.007 · Artificial IntelligenceT1589 · Gather Victim Identity InformationT1593 · Search Open Websites/DomainsT1593.001 · Social MediaT1593.003 · Code RepositoriesT1608.001 · Upload MalwareT1657 · Financial TheftT1681 · Search Threat Vendor DataT1683.001 · Written ContentT1683.002 · Audio-Visual ContentT1684.001 · ImpersonationT1685 · Disable or Modify Tools

Detection use cases (14)

Contagious Interview — node/npm spawning Python or shell to stage InvisibleFerret after fake-interview repo clone AI · profile SΣ Contagious Interview ClickFix — explorer.exe spawning shell with developer-targeted curl|iex from fake-interview lure AI · profile S Brand-Impersonation Domain Fetch Followed by User-Context Loader Within 10 Minutes MITRE match Cross-category credential-store enumeration with rapid egress to anonymizing tunnel/CDN MITRE match Cross-Platform ClickFix Paste-to-Pipe Loader (UI-Parent Shell with Decode-and-Execute Payload) MITRE match Developer package install spawning script-host with non-registry C2 within 5 minutes MITRE match Developer/Data-tooling Daemon Spawns Shell Child Seconds After POST to Runner/Exec Endpoint MITRE match Internet-Facing Service Process Spawning Unix Shell or Ingress-Tool LOLBin (Edge Zero-Day Post-Exploit) MITRE match Internet-facing service process spawns shell/LOLBin within minutes of public inbound connection — post-RCE command execution MITRE match Linux LPE chain — anomalous algif_aead/esp4/esp6/rxrpc kernel-module load followed by same-user root transition MITRE match Low-Code / AI Workflow Runtime Sandbox-Escape — Server Process Spawns Shell + Public Egress MITRE match Non-Browser Process Reads Browser Credential / Cookie SQLite Then Egresses to Public Destination Within 10 Minutes MITRE match npm Install-Time Lifecycle Hook Triggers Outbound Egress to Newly-Seen Domain (Shai-Hulud/Miasma/IronWorm pattern) MITRE match npm/yarn/pnpm Install-Hook Spawn → Credential-Store Read or Worm-Payload Drop in node_modules MITRE match