Malware Operation Exploited Fake Job Interviews and AI-Generated Profiles
A subgroup of the notorious Lazarus Group, believed to be backed by North Korea, has established at least three shell companies — two of which were registered in the United States — to execute an ongoing malware campaign targeting cryptocurrency developers, according to an April 24 report by cybersecurity firm Silent Push.
The fake companies, identified as BlockNovas, Angeloper Agency, and SoftGlide, were created under the guise of crypto consulting firms. They are part of a broader operation known as Contagious Interview, which uses fraudulent job interviews to trick victims into installing malicious software.
“These websites and a huge network of accounts on hiring/recruiting platforms are being used to trick people into applying for jobs,” said Silent Push senior threat analyst Zach Edwards in a post on X.
Our team at Silent Push has been hard at work on the largest report we’ve ever made public – and along with Reuters – today we’re explaining how North Korean threat actors associated with the “Contagious Interview” subgroup created 3 front companies…🧵
— Zach Edwards (@thezedwards) April 24, 2025
Fake Interviews, Real Malware
In the reported attacks, crypto developers are invited to fake interviews via freelancer platforms and GitHub job boards. During the application process, victims are prompted to record an introductory video, which triggers an error message. The attackers then provide a “quick fix” solution — a copy-and-paste script — which, when executed, installs malware on the victim’s device.
Silent Push identified three strains of malware being deployed in the campaign:
- BeaverTail – used for information theft and multi-stage malware deployment.
- InvisibleFerret – focused on extracting sensitive data such as clipboard contents and stored credentials.
- OtterCookie – designed to steal cryptocurrency wallet keys, among other personal information.
One known victim had their MetaMask wallet compromised, according to the report.
FBI Steps In, But Infrastructure Remains Active
The Federal Bureau of Investigation (FBI) has since taken action, seizing the domain of one of the shell companies, BlockNovas. However, SoftGlide and related infrastructure remain live, raising concerns about the persistence and scale of the threat.
“The FBI acquired the BlockNovas domain, but Softglide is still live, along with some of their other infrastructure,” Edwards confirmed.
AI-Generated Identities and Stolen Images
The attackers also used AI-generated images and modified photos of real individuals to create credible-looking employee profiles for the fake companies. These images were distributed across LinkedIn-like platforms and freelance sites to boost legitimacy.
“The impersonation tactics used in this campaign are more advanced than usual,” said Edwards.
“In some cases, real photos were passed through AI modifiers to create subtly altered versions — a tactic designed to bypass facial recognition tools and identity checks.”
Broader Campaign Tied to Previous Lazarus Hacks
The ongoing campaign, which reportedly began in early 2024, is part of a larger trend of North Korean state-sponsored cybercrime targeting the crypto sector. Silent Push’s findings follow multiple reports of attempted Zoom-based phishing attacks on crypto founders in March, which were also attributed to Lazarus-affiliated groups.
The Lazarus Group has been linked to several of the largest crypto hacks in history, including:
- The $600 million Ronin bridge exploit (Axie Infinity)
- The $1.4 billion Bybit hack
Final Thoughts: Targeted and Evolving Threats in Web3
The emergence of legitimate-seeming shell companies in the U.S., combined with AI-powered identity fraud and sophisticated social engineering, marks a new evolution in how North Korean hackers are infiltrating the crypto space.
As Edwards warns, these campaigns are not hypothetical — they’ve already succeeded in compromising wallets and identities. With only part of the infrastructure taken down, the threat remains active and ongoing.
For developers and founders in the Web3 space, the message is clear: even job interviews could be a vector for attack. Always verify, never download blindly, and question everything — especially when it comes wrapped in professionalism.