ctipilot.ch

Contagious Interview

campaign · campaign:contagious-interview single-source

Long-running DPRK-aligned campaign that lures software developers with fake job offers and take-home coding-interview projects to deliver credential- and crypto-wallet-stealing malware; Elastic's 2026-07-18 instance (REF9403) hid a four-stage OTTERCOOKIE-aligned payload as Base64 fragments in HTML comments across SVG flag images, reassembled and run via eval(), with zero AV detection at publication.

Aliases: DeceptiveDevelopment, REF9403

Coverage timeline
4
first 2026-05-11 → last 2026-07-18
Peak priority
notable
4 notable
Sources cited
9
5 hosts
Sections touched
3
active-threats, research, weekly-annual-reports
Co-occurring entities
3
see Related entities below
ATT&CK techniques
16
pinned v19.1 · see below
2026-05-114 appearances2026-07-18

ATT&CK techniques

16 techniques observed across 3 entries — derived from entry metadata and body evidence, never asserted without a published entry behind it · pinned to MITRE ATT&CK v19.1 · compare on the matrix · Navigator layer (JSON)

Initial Access TA0001

T1195Supply Chain Compromise×1

Adversaries may manipulate products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise.

Evidence: 2026-05-16/sentinelone-living-off-the-pipeline-ci-cd-subversion-taxonom · ATT&CK page ↗

T1195.001Supply Chain Compromise: Compromise Software Dependencies and Development Tools×1

Adversaries may manipulate software dependencies and development tools prior to receipt by a final consumer for the purpose of data or system compromise. Applications often depend on external software to function properly. Popular open source projects that are used as dependencies in many applications, such as pip and NPM packages, may be targeted as a means to add malicious code to users of the dependency. This may also include abandoned packages, which in some cases could be re-registered by threat actors after being removed by adversaries. Adversaries may also employ "typosquatting" or name-confusion by choosing names similar to existing popular libraries or packages in order to deceive a user.

Evidence: 2026-06-16/dprk-unk-deaddrop-weaponises-vs-code-cursor-auto-run-to-hit · ATT&CK page ↗

T1195.002Supply Chain Compromise: Compromise Software Supply Chain×1

Adversaries may manipulate application software prior to receipt by a final consumer for the purpose of data or system compromise. Supply chain compromise of software can take place in a number of ways, including manipulation of the application source code, manipulation of the update/distribution mechanism for that software, or replacing compiled releases with a modified version.

Evidence: 2026-05-16/sentinelone-living-off-the-pipeline-ci-cd-subversion-taxonom · ATT&CK page ↗

T1566.002Phishing: Spearphishing Link×1

Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems. Spearphishing with a link is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of links to download malware contained in email, instead of attaching malicious files to the email itself, to avoid defenses that may inspect email attachments. Spearphishing may also involve social engineering techniques, such as posing as a trusted source.

Evidence: 2026-06-16/dprk-unk-deaddrop-weaponises-vs-code-cursor-auto-run-to-hit · ATT&CK page ↗

Execution TA0002

T1059.004Command and Scripting Interpreter: Unix Shell×1

Adversaries may abuse Unix shell commands and scripts for execution. Unix shells are the primary command prompt on Linux, macOS, and ESXi systems, though many variations of the Unix shell exist (e.g. sh, ash, bash, zsh, etc.) depending on the specific OS or distribution. Unix shells can control every aspect of a system, with certain commands requiring elevated privileges.

Evidence: 2026-06-16/dprk-unk-deaddrop-weaponises-vs-code-cursor-auto-run-to-hit · ATT&CK page ↗

T1072Software Deployment Tools×1

Adversaries may gain access to and use centralized software suites installed within an enterprise to execute commands and move laterally through the network. Configuration management and software deployment applications may be used in an enterprise network or cloud environment for routine administration purposes. These systems may also be integrated into CI/CD pipelines. Examples of such solutions include: SCCM, HBSS, Altiris, AWS Systems Manager, Microsoft Intune, Azure Arc, and GCP Deployment Manager.

Evidence: 2026-05-16/sentinelone-living-off-the-pipeline-ci-cd-subversion-taxonom · ATT&CK page ↗

T1204User Execution×1

An adversary may rely upon specific actions by a user in order to gain execution. Users may be subjected to social engineering to get them to execute malicious code by, for example, opening a malicious document file or link. These user actions will typically be observed as follow-on behavior from forms of Phishing.

Evidence: 2026-05-16/sentinelone-living-off-the-pipeline-ci-cd-subversion-taxonom · ATT&CK page ↗

T1204.002User Execution: Malicious File×1

An adversary may rely upon a user opening a malicious file in order to gain execution. Users may be subjected to social engineering to get them to open a file that will lead to code execution. This user action will typically be observed as follow-on behavior from Spearphishing Attachment. Adversaries may use several types of files that require a user to execute them, including .doc, .pdf, .xls, .rtf, .scr, .exe, .lnk, .pif, .cpl, .reg, and .iso.

Evidence: 2026-07-18/contagious-interview-ottercookie-svg-steganography · ATT&CK page ↗

Persistence TA0003

T1547Boot or Logon Autostart Execution×1

Adversaries may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems. Operating systems may have mechanisms for automatically running a program on system boot or account logon. These mechanisms may include automatically executing programs that are placed in specially designated directories or are referenced by repositories that store configuration information, such as the Windows Registry. An adversary may achieve the same goal by modifying or extending features of the kernel.

Evidence: 2026-05-16/sentinelone-living-off-the-pipeline-ci-cd-subversion-taxonom · ATT&CK page ↗

Privilege Escalation TA0004

T1547Boot or Logon Autostart Execution×1

Adversaries may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems. Operating systems may have mechanisms for automatically running a program on system boot or account logon. These mechanisms may include automatically executing programs that are placed in specially designated directories or are referenced by repositories that store configuration information, such as the Windows Registry. An adversary may achieve the same goal by modifying or extending features of the kernel.

Evidence: 2026-05-16/sentinelone-living-off-the-pipeline-ci-cd-subversion-taxonom · ATT&CK page ↗

Stealth TA0005

T1027.003Obfuscated Files or Information: Steganography×1

Adversaries may use steganography techniques in order to prevent the detection of hidden information. Steganographic techniques can be used to hide data in digital media such as images, audio tracks, video clips, or text files.

Evidence: 2026-07-18/contagious-interview-ottercookie-svg-steganography · ATT&CK page ↗

Credential Access TA0006

T1552.001Unsecured Credentials: Credentials In Files×1

Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.

Evidence: 2026-07-18/contagious-interview-ottercookie-svg-steganography · ATT&CK page ↗

T1555Credentials from Password Stores×1

Adversaries may search for common password storage locations to obtain user credentials. Passwords are stored in several places on a system, depending on the operating system or application holding the credentials. There are also specific applications and services that store passwords to make them easier for users to manage and maintain, such as password managers and cloud secrets vaults. Once credentials are obtained, they can be used to perform lateral movement and access restricted information.

Evidence: 2026-05-16/sentinelone-living-off-the-pipeline-ci-cd-subversion-taxonom · ATT&CK page ↗

T1555.003Credentials from Password Stores: Credentials from Web Browsers×2

Adversaries may acquire credentials from web browsers by reading files specific to the target browser. Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future. Web browsers typically store the credentials in an encrypted format within a credential store; however, methods exist to extract plaintext credentials from web browsers.

Evidence: 2026-07-18/contagious-interview-ottercookie-svg-steganography · 2026-06-16/dprk-unk-deaddrop-weaponises-vs-code-cursor-auto-run-to-hit · ATT&CK page ↗

Discovery TA0007

T1083File and Directory Discovery×1

Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

Evidence: 2026-07-18/contagious-interview-ottercookie-svg-steganography · ATT&CK page ↗

Lateral Movement TA0008

T1072Software Deployment Tools×1

Adversaries may gain access to and use centralized software suites installed within an enterprise to execute commands and move laterally through the network. Configuration management and software deployment applications may be used in an enterprise network or cloud environment for routine administration purposes. These systems may also be integrated into CI/CD pipelines. Examples of such solutions include: SCCM, HBSS, Altiris, AWS Systems Manager, Microsoft Intune, Azure Arc, and GCP Deployment Manager.

Evidence: 2026-05-16/sentinelone-living-off-the-pipeline-ci-cd-subversion-taxonom · ATT&CK page ↗

Collection TA0009

T1115Clipboard Data×1

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

Evidence: 2026-07-18/contagious-interview-ottercookie-svg-steganography · ATT&CK page ↗

Command and Control TA0011

T1071.001Application Layer Protocol: Web Protocols×1

Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.

Evidence: 2026-07-18/contagious-interview-ottercookie-svg-steganography · ATT&CK page ↗

Story timeline

  1. 2026-07-18Contagious Interview (DPRK) hides an OTTERCOOKIE-aligned payload in SVG-comment steganography inside fake coding-interview repos
    researchElastic finds a new Contagious Interview chain that splits its payload across Base64 comments in every SVG flag image and reassembles it via eval()
  2. 2026-06-16DPRK UNK_DeadDrop weaponises VS Code / Cursor auto-run to hit developers, including EU targets
    active-threats
  3. 2026-05-16SentinelOne: "Living Off the Pipeline" — CI/CD subversion taxonomy with three real intrusion cases (TeamCity, GitLab service-account pivot, Contagious Interview)
    researchSentinelOne: "Living Off the Pipeline" — CI/CD subversion taxonomy with three real intrusion cases (TeamCity, GitLab service-account pivot, Contagious
  4. 2026-05-11SentinelOne — Living Off the Pipeline: CI/CD subversion taxonomy
    weekly-annual-reports

Relationships explore in graph

Typed, source-stated connections from the entity registry — each edge cites the entry whose reporting establishes it.

uses

Where this entity is cited

  • research2
  • weekly-annual-reports1
  • active-threats1

Source distribution

  • attack.mitre.org5 (56%)
  • elastic.co1 (11%)
  • proofpoint.com1 (11%)
  • sentinelone.com1 (11%)
  • thehackernews.com1 (11%)

Co-occurring entities

Derived — referenced by the same focused operational entries (weekly summaries and report roundups don't count); ×N counts the shared entries.

Entries about Contagious Interview (4)

2026-07-18 · view entry permalink →

NOTABLENATOB2

Contagious Interview (DPRK) hides an OTTERCOOKIE-aligned payload in SVG-comment steganography inside fake coding-interview repos

Elastic Security Labs disclosed a new instance of the long-running DPRK-aligned Contagious Interview campaign (internally tracked REF9403) after the operators targeted Elastic's own community Slack workspace with a fake job posting and a "coding challenge" project (Elastic Security Labs, 2026-07-18). The lure is a fully functional take-home project — a Next.js e-commerce template copied from a real open-source repository — that a candidate is asked to run. The novelty is where the payload hides: it is "split into Base64 fragments inside HTML comments across every SVG flag image inside an assets directory" (Elastic Security Labs, 2026-07-18). The files look like ordinary country-flag images; a JavaScript loader in the repo reassembles the comment fragments from every flag in alphabetical order, decodes them with a custom Base64 routine, and runs the result with eval() — deliberately avoiding atob() and Buffer.from so simple content scanners do not flag the decode. Because the project's package.json wires the loader into the server entry point, the payload runs on every npm run dev / npm start, and the trojanized repositories "have zero detections and are not flagged by any AV vendors" (Elastic Security Labs, 2026-07-18).

The payload is a four-stage chain Elastic assesses as aligned with OTTERCOOKIE (first documented by NTT Security in December 2024, overlapping the BEAVERTAIL lineage). Stage one enumerates browser profiles across Windows, macOS and Linux and steals saved credentials, autofill data and cryptocurrency-wallet-extension stores, masquerading its process as a benign npm-cache process. Stage two recursively discovers and exfiltrates sensitive files — environment files, private keys, keychains, shell histories, documents and source code. Stage three opens a persistent Socket.IO command-and-control channel giving the operator interactive shell execution, with sandbox/VM detection used to tag rather than halt on analysis machines. Stage four (Windows) drops further second-stage binaries disguised as text files and adds a clipboard stealer polling every 500 ms.

The payloads are split into Base64 fragments inside HTML comments across every SVG flag image inside an assets directory.

These trojanized repositories at the time of writing have zero detections and are not flagged by any AV vendors

Elastic Security Labs 2026-07-18
research18 Jul 04:35Zsingle-sourceOpen finding ↗

2026-06-16 · view entry permalink →

NOTABLE

DPRK UNK_DeadDrop weaponises VS Code / Cursor auto-run to hit developers, including EU targets

Proofpoint details UNK_DeadDrop, a North-Korea-aligned cluster (related to but distinct from Contagious Interview / Famous Chollima) that sent 250+ recruitment-themed phishing emails to ~100 finance, crypto, education and technology organisations over April–May 2026 (Proofpoint, 2026-06-15); the targeted geographies are a US majority followed by the UK, Australia, France, Germany and the Netherlands, among others (The Hacker News, 2026-06-16). The lure links to attacker-controlled GitHub/GitLab repositories carrying a .vscode/tasks.json with runOn: folderOpen; VS Code shows a workspace-trust prompt, but Cursor IDE executes the task silently with no prompt, dropping the open-source Overlord Go C2 that steals browser credentials and crypto wallets (The Hacker News, 2026-06-16). Mapped to T1566.002, T1195.001, T1059.004 and T1555.003.

Why it matters to us: public-sector and fintech development teams that have adopted Cursor are exposed to silent execution on repository open. Hunt for editor processes (code, cursor) spawning shell/script interpreters outside build directories (Sysmon EID 1 parent-image filter); enforce workspace-trust policy and restrict VSIX installation to an approved-publisher allowlist via enterprise policy.

threat16 Jun 05:08Zmulti-sourceOpen finding ↗

2026-05-16 · view entry permalink →

NOTABLE

SentinelOne: "Living Off the Pipeline" — CI/CD subversion taxonomy with three real intrusion cases (TeamCity, GitLab service-account pivot, Contagious Interview)

SentinelOne published on 2026-05-15 a practitioner-focused taxonomy of CI/CD pipeline subversion techniques, illustrated with three real intrusion case studies that are immediately useful for SOC and DevSecOps teams running JetBrains TeamCity, GitLab, or GitHub Actions (SentinelOne, 2026-05-15). Case 1: an unpatched TeamCity server (CVE-2023-42793) exploited to deploy backdoors via privileged build tasks, remaining undetected for 12+ months. Case 2: a GitLab service-account token compromise enabling creation of malicious Ansible playbooks that were then automatically executed by pipelines — a clean demonstration of how service-account over-privilege translates directly into production code execution. Case 3: the Contagious Interview campaign using fraudulent job offers directing developer victims to fake skill-assessment sites that deploy malware silently to developer workstations. Additional vectors covered include attacker-registered self-hosted runners, workflow triggers from repository discussion comments, dependency poisoning with reconnaissance preinstall scripts, and maintainer-account compromise appending malicious code; the article cross-links a separate SentinelOne analysis of the "Sha1-Hulud" NPM compromise as a related supply-chain case. MITRE ATT&CK: T1195.002, T1547 (rogue runner registration as persistence), T1555 (pipeline secret extraction), T1204 (user execution via fake job-offer social engineering), T1072 (software-deployment-tool abuse via Ansible). Defender monitoring priorities surfaced in the report: GitHub / GitLab audit logs for runner.registered events with unfamiliar names or unexpected source IP ranges; new or modified pipelines authored by service accounts; suspicious child-process spawn from build agents (cmd.exe, powershell.exe, curl, wget outside baseline); credential-access and reverse-tunnel traffic originating from build infrastructure; and secret-injection patterns in workflow-config modifications. Single-source — SentinelOne only.

research16 May 05:00Zsingle-sourceOpen finding ↗

Earlier coverage (1)