North Korea’s PurpleBravo Uses Fake Job Interviews to Breach Global Networks

By Azhar Khan
A long-running cyber espionage campaign linked to a North Korean threat actor known as PurpleBravo has quietly compromised thousands of systems worldwide by exploiting trust in the global hiring process. Dubbed the “Contagious Interview” campaign, the operation has targeted developers and IT professionals through fake job interviews, turning recruitment workflows into an attack vector.

Security researchers estimate that between August 2024 and September 2025, the campaign interacted with or directly targeted 3,136 IP addresses associated with organizations across multiple sectors. The scale and persistence of the activity underscore how social engineering has become a central pillar of modern state-backed cyber operations.

Inside the Contagious Interview Campaign

The Contagious Interview campaign is built around carefully crafted fake job offers that appear legitimate to experienced developers. Targets are approached through professional networking platforms, most commonly LinkedIn, by personas posing as recruiters from well-known technology companies.

Once trust is established, victims are invited to technical interviews that require them to review or run shared coding projects. These projects, often packaged as Visual Studio Code workspaces, contain malicious components hidden among otherwise functional files.

Malware Hidden in Developer Tools

PurpleBravo’s operators abuse the familiarity and trust developers place in their tools. The malicious VS Code projects deliver custom malware families, including BeaverTail and GolangGhost, which are designed to blend into development environments without raising immediate suspicion.

BeaverTail focuses on reconnaissance and credential collection, while GolangGhost provides persistent remote access. Together, they allow attackers to monitor activity, exfiltrate sensitive data, and pivot into corporate networks once a developer connects their compromised system to work infrastructure.

From Job Seekers to Corporate Networks

What makes the campaign particularly dangerous is its indirect path into organizations. Instead of attacking companies head-on, PurpleBravo compromises individuals who later connect to internal systems, source code repositories, and cloud services.

This technique effectively turns job seekers into unwitting entry points. Once inside, attackers can access proprietary code, authentication tokens, and internal documentation, expanding their reach far beyond the original victim.

Global Reach and Targeted Sectors

The 3,136 IP addresses associated with the campaign span North America, Europe, and parts of Asia. Targets include software vendors, IT consultancies, financial services firms, and technology startups, sectors where developer access often overlaps with sensitive systems.

Researchers note that the geographic spread aligns with regions actively hiring remote developers, suggesting the attackers deliberately follow global labor and outsourcing trends.

Command and Control Infrastructure

The campaign relies on a distributed command and control network hosted across multiple cloud providers. Traffic analysis shows operators frequently using Astrill VPN endpoints routed through China, a pattern that has appeared in previous North Korea-linked operations.

This infrastructure allows PurpleBravo to manage infected systems, update payloads, and exfiltrate data while complicating attribution and takedown efforts.

Supply Chain Risk Through Hiring Processes

The Contagious Interview campaign highlights a growing blind spot in cybersecurity defenses. Recruitment and onboarding workflows are rarely treated as part of the attack surface, yet they now represent a direct path into sensitive environments.

By exploiting the trust inherent in job interviews and developer collaboration, PurpleBravo demonstrates how supply chain risks extend beyond software dependencies to human processes and professional networks.

Defensive Measures and Awareness

Security teams are urging organizations to educate developers about the risks of running unverified projects, even during job interviews. Using isolated environments, such as disposable virtual machines, for interview tasks can significantly reduce exposure.

On a broader level, the campaign serves as a reminder that cybersecurity is no longer confined to firewalls and endpoints. In an era of remote work and global hiring, even a job interview can become a gateway for state-backed cyber espionage.

Azhar Khan
Azhar is a seasoned Cybersecurity Professional with over 8 years of experience in Cybersecurity Research.