
PurpleBravo Attack Campaign

Threat intelligence analysts have identified 3,136 individual IP addresses linked to likely targets of the Contagious Interview campaign. The operation is believed to involve 20 potential victim organizations operating across artificial intelligence, cryptocurrency, financial services, IT services, marketing, and software development. Impacted entities span Europe, South Asia, the Middle East, and Central America, underscoring the global scope of the activity.

The IP addresses, largely concentrated in South Asia and North America, are assessed to have been targeted between August 2024 and September 2025. The affected companies are reportedly based in Belgium, Bulgaria, Costa Rica, India, Italy, the Netherlands, Pakistan, Romania, the United Arab Emirates, and Vietnam.

PurpleBravo: A Prolific North Korean Threat Cluster

The activity is attributed to a North Korean-linked cluster tracked as PurpleBravo, first documented in late 2023. This group is known across the security community under multiple designations, reflecting wide industry tracking:

CL-STA-0240, DeceptiveDevelopment, DEV#POPPER, Famous Chollima, Gwisin Gang, Tenacious Pungsan, UNC5342, Void Dokkaebi, and WaterPlum

PurpleBravo has demonstrated sustained investment in long-term infrastructure, social engineering tradecraft, and malware development, aligning with objectives that blend cyber espionage and financial theft.

Exploiting the Hiring Process and Developer Ecosystem

Recent findings follow the disclosure of a major evolution in the Contagious Interview campaign, in which adversaries weaponize malicious Microsoft Visual Studio Code projects to distribute backdoors. This tactic abuses trusted developer tools and workflows, increasing the likelihood of successful compromise.

Researchers have identified fraudulent LinkedIn personas posing as developers and recruiters, claiming to operate from Odesa, Ukraine, alongside malicious GitHub repositories designed to distribute malware such as BeaverTail. In several incidents, job-seeking candidates reportedly executed malicious code on corporate-issued devices, extending the compromise beyond individuals and directly into enterprise environments.

Malware Arsenal and Command Infrastructure

PurpleBravo operates separate command-and-control infrastructures to support multiple malware families. These include BeaverTail, a JavaScript-based infostealer and loader, and GolangGhost (also tracked as FlexibleFerret or WeaselStore), a Go-based backdoor derived from the open-source HackBrowserData project.

The group's C2 servers are distributed across 17 hosting providers and are administered through Astrill VPN, with management activity traced to IP ranges in China. The use of Astrill VPN has been repeatedly documented in previous North Korean cyber operations, reinforcing attribution confidence.

Convergence With the 'Wagemole' IT Worker Threat

Contagious Interview is assessed to complement a separate but related campaign known as Wagemole (PurpleDelta). That operation involves North Korean IT workers securing unauthorized employment under stolen or fabricated identities, primarily to generate revenue and conduct espionage. Although Wagemole has been active since 2017 and is tracked as a distinct cluster, investigators have uncovered notable tactical and infrastructure overlaps.

Observed links include PurpleBravo operators exhibiting behavior consistent with North Korean IT workers, Russian IP addresses tied to known IT worker activity communicating with PurpleBravo infrastructure, and shared Astrill VPN nodes associated with both clusters.
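The overlap findings above are the result of pivoting between clusters on shared infrastructure. As an added illustration (not code or data from the report), the script below takes constructed per-cluster indicator observations and constructed flow records and reports two of the link types described: VPN exit nodes observed in both clusters, and connections to one cluster's C2 servers from source addresses inside ranges attributed to the other. All addresses are RFC 5737 documentation ranges; the cluster names are used only as labels and none of the values are real indicators.

```python
"""Infrastructure-overlap check between two tracked activity clusters.

Added example, not from the report. All observations, CIDR ranges and flow
records below are constructed for illustration and are not real indicators.
"""
import ipaddress
from collections import defaultdict

# Constructed observations: (cluster, indicator_type, value)
OBSERVATIONS = [
    ("PurpleBravo", "vpn_exit", "203.0.113.10"),
    ("PurpleBravo", "vpn_exit", "203.0.113.11"),
    ("PurpleBravo", "c2_server", "198.51.100.5"),
    ("PurpleDelta", "vpn_exit", "203.0.113.11"),
    ("PurpleDelta", "vpn_exit", "203.0.113.40"),
]

# Constructed: source ranges attributed to the IT-worker (PurpleDelta) activity
DELTA_SOURCE_RANGES = ["192.0.2.0/25"]

# Constructed netflow-style records: (src_ip, dst_ip)
FLOWS = [
    ("192.0.2.17", "198.51.100.5"),    # inside the attributed range -> hit
    ("192.0.2.200", "198.51.100.5"),   # outside the /25 -> no hit
    ("203.0.113.77", "198.51.100.5"),  # unrelated source -> no hit
]


def shared_indicators(observations, indicator_type):
    """Return {value: [clusters]} for indicators of one type seen in more than one cluster."""
    seen = defaultdict(set)
    for cluster, itype, value in observations:
        if itype == indicator_type:
            seen[value].add(cluster)
    return {v: sorted(c) for v, c in seen.items() if len(c) > 1}


def c2_servers_for(observations, cluster):
    """Return the set of C2 server addresses observed for one cluster."""
    return {v for c, t, v in observations if c == cluster and t == "c2_server"}


def flows_from_ranges(flows, cidrs, c2_servers):
    """Return (src, dst) flows whose source lies inside any of the given CIDR
    ranges and whose destination is a known C2 address."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    hits = []
    for src, dst in flows:
        if dst not in c2_servers:
            continue
        addr = ipaddress.ip_address(src)
        if any(addr in n for n in nets):
            hits.append((src, dst))
    return hits


if __name__ == "__main__":
    print("shared VPN exits:", shared_indicators(OBSERVATIONS, "vpn_exit"))
    bravo_c2 = c2_servers_for(OBSERVATIONS, "PurpleBravo")
    print("flows from attributed ranges to PurpleBravo C2:",
          flows_from_ranges(FLOWS, DELTA_SOURCE_RANGES, bravo_c2))
```

A single shared VPN exit is weak evidence on its own, since commercial VPN nodes are shared by many unrelated users; the analytic is only meaningful when combined with the behavioural overlaps the report also cites.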

Escalating Supply-Chain and Enterprise Risk

A particularly concerning trend is the use of fictitious job offers to lure candidates into completing coding assessments on employer-owned systems, effectively converting a recruitment scam into an enterprise intrusion vector. This demonstrates that the software and IT supply chain is highly susceptible to infiltration, even outside the well-publicized IT worker employment schemes.

Many of the targeted organizations advertise large customer bases, amplifying the potential for downstream supply-chain compromise. Security researchers warn that, while the North Korean IT worker threat has received broad attention, the PurpleBravo model of supply-chain infiltration warrants equal priority. Organizations are urged to strengthen hiring processes, developer environment controls, and third-party risk management to detect, disrupt, and prevent sensitive data exposure to North Korean threat actors.
