Threat Actor Profile
High APT
Description

Contagious Interview is a North Korea–aligned threat group active since 2023. The group conducts both cyberespionage and financially motivated operations, including the theft of cryptocurrency and user credentials. Contagious Interview targets Windows, Linux, and macOS systems, with a particular focus on individuals engaged in software development and cryptocurrency-related activities. (Citation: Validin Contagious Interview North Korea ClickFix January 2025)(Citation: Esentire ContagiousInterview BeaverTail InvisibleFerret November 2024)(Citation: Datadog Contagious Interview Tenacious Pungsan October 2024)(Citation: Recorded Future Contagious Inteview BeaverTail InvisibleFerret OtterCookie February 2025)(Citation: ESET Contagious Interview BeaverTail InvisibleFerret February 2025)(Citation: Zscaler ContagiousInterview BeaverTail InvisibleFerret November 2024)(Citation: PaloAlto ContagiousInterview BeaverTail InvisibleFerret November 2023)(Citation: PaloAlto Unit42 ContagiousInterview BeaverTail InvisibileFerret October 2024)

Confidence Score: 90%
Known Aliases: Contagious Interview, DeceptiveDevelopment, Gwisin Gang, Tenacious Pungsan, DEV#POPPER, PurpleBravo, TAG-121
Tags: mitre-attack, stix-2.1, intrusion-set
First Seen: Unknown
Last Updated: Unknown
Active Status: Active
Created: April 29, 2026

MITRE ATT&CK Techniques (52)
T1071.003 - Mail Protocols (Command and Control)
T1090 - Proxy (Command and Control)
T1219.002 - Remote Desktop Software (Command and Control)
T1571 - Non-Standard Port (Command and Control)
T1573.001 - Symmetric Cryptography (Command and Control)
T1555.001 - Keychain (Credential Access)
T1027.010 - Command Obfuscation (Defense Evasion)
T1027.013 - Encrypted/Encoded File (Defense Evasion)
T1036 - Masquerading (Defense Evasion)
T1070.004 - File Deletion (Defense Evasion)
T1480 - Execution Guardrails (Defense Evasion)
T1497 - Virtualization/Sandbox Evasion (Defense Evasion)
T1562.001 - Disable or Modify Tools (Defense Evasion)
T1656 - Impersonation (Defense Evasion)
T1082 - System Information Discovery (Discovery)
T1083 - File and Directory Discovery (Discovery)
T1059.003 - Windows Command Shell (Execution)
T1059.004 - Unix Shell (Execution)
T1059.005 - Visual Basic (Execution)
T1059.006 - Python (Execution)
T1059.007 - JavaScript (Execution)
T1204.001 - Malicious Link (Execution)
T1204.002 - Malicious File (Execution)
T1204.004 - Malicious Copy and Paste (Execution)
T1204.005 - Malicious Library (Execution)
T1041 - Exfiltration Over C2 Channel (Exfiltration)
T1048.003 - Exfiltration Over Unencrypted Non-C2 Pr… (Exfiltration)
T1567 - Exfiltration Over Web Service (Exfiltration)
T1567.002 - Exfiltration to Cloud Storage (Exfiltration)
T1657 - Financial Theft (Impact)
T1566.003 - Spearphishing via Service (Initial Access)
T1543.001 - Launch Agent (Persistence)
T1547.001 - Registry Run Keys / Startup Folder (Persistence)
T1547.013 - XDG Autostart Entries (Persistence)
T1546.004 - Unix Shell Configuration Modification (Privilege Escalation)
T1589 - Gather Victim Identity Information (Reconnaissance)
T1593 - Search Open Websites/Domains (Reconnaissance)
T1593.001 - Social Media (Reconnaissance)
T1593.003 - Code Repositories (Reconnaissance)
T1681 - Search Threat Vendor Data (Reconnaissance)
T1583 - Acquire Infrastructure (Resource Development)
T1583.001 - Domains (Resource Development)
T1583.003 - Virtual Private Server (Resource Development)
T1583.006 - Web Services (Resource Development)
T1585 - Establish Accounts (Resource Development)
T1585.001 - Social Media Accounts (Resource Development)
T1585.002 - Email Accounts (Resource Development)
T1587 - Develop Capabilities (Resource Development)
T1587.001 - Malware (Resource Development)
T1588.002 - Tool (Resource Development)
T1588.007 - Artificial Intelligence (Resource Development)
T1608.001 - Upload Malware (Resource Development)
STIX Data
{'aliases': ['Contagious Interview',
             'DeceptiveDevelopment',
             'Gwisin Gang',
             'Tenacious Pungsan',
             'DEV#POPPER',
             'PurpleBravo',
             'TAG-121'],
 'created': '2025-10-19T17:04:30.994Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': '[Contagious Interview](https://attack.mitre.org/groups/G1052) '
                'is a North Korea–aligned threat group active since 2023. The '
                'group conducts both cyberespionage and financially motivated '
                'operations, including the theft of cryptocurrency and user '
                'credentials. [Contagious '
                'Interview](https://attack.mitre.org/groups/G1052) targets '
                'Windows, Linux, and macOS systems, with a particular focus on '
                'individuals engaged in software development and '
                'cryptocurrency-related activities. (Citation: Validin '
                'Contagious Interview North Korea ClickFix January '
                '2025)(Citation: Esentire ContagiousInterview BeaverTail '
                'InvisibleFerret November 2024)(Citation: Datadog Contagious '
                'Interview Tenacious Pungsan October 2024)(Citation: Recorded '
                'Future Contagious Inteview BeaverTail InvisibleFerret '
                'OtterCookie February 2025)(Citation: ESET Contagious '
                'Interview BeaverTail InvisibleFerret February 2025)(Citation: '
                'Zscaler ContagiousInterview BeaverTail InvisibleFerret '
                'November 2024)(Citation: PaloAlto ContagiousInterview '
                'BeaverTail InvisibleFerret November 2023)(Citation: PaloAlto '
                'Unit42 ContagiousInterview BeaverTail InvisibileFerret '
                'October 2024)',
 'external_references': [{'external_id': 'G1052',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/groups/G1052'},
                         {'description': '(Citation: Datadog Contagious '
                                         'Interview Tenacious Pungsan October '
                                         '2024)',
                          'source_name': 'Tenacious Pungsan'},
                         {'description': '(Citation: ESET Contagious Interview '
                                         'BeaverTail InvisibleFerret February '
                                         '2025)',
                          'source_name': 'DeceptiveDevelopment'},
                         {'description': '(Citation: Recorded Future '
                                         'Contagious Inteview BeaverTail '
                                         'InvisibleFerret OtterCookie February '
                                         '2025)',
                          'source_name': 'PurpleBravo'},
                         {'description': '(Citation: Recorded Future '
                                         'Contagious Inteview BeaverTail '
                                         'InvisibleFerret OtterCookie February '
                                         '2025)',
                          'source_name': 'TAG-121'},
                         {'description': '(Citation: Securonix Contagious '
                                         'Interview DEVPOPPER April 2024)',
                          'source_name': 'DEV#POPPER'},
                         {'description': '(Citation: Sentinel One Contagious '
                                         'Interview ClickFix September '
                                         '2025)(Citation: dtex DPRK 2025 '
                                         'structure ITworkers)',
                          'source_name': 'Gwisin Gang'},
                         {'description': 'Aleksandar Milenkoski, Sreekar '
                                         'Madabushi, Kenneth Kinion. (2025, '
                                         'September 4). Contagious Interview | '
                                         'North Korean Threat Actors Reveal '
                                         'Plans and Ops by Abusing Cyber Intel '
                                         'Platforms. Retrieved October 20, '
                                         '2025.',
                          'source_name': 'Sentinel One Contagious Interview '
                                         'ClickFix September 2025',
                          'url': 'https://www.sentinelone.com/labs/contagious-interview-threat-actors-scout-cyber-intel-platforms-reveal-plans-and-ops/'},
                         {'description': 'Efstratios Lontzetidis. (2025, '
                                         'January 16). Lazarus APT: Techniques '
                                         'for Hunting Contagious Interview. '
                                         'Retrieved October 20, 2025.',
                          'source_name': 'Validin Contagious Interview North '
                                         'Korea ClickFix January 2025',
                          'url': 'https://www.validin.com/blog/inoculating_contagious_interview_with_validin/'},
                         {'description': 'eSentire Threat Response Unit (TRU). '
                                         '(2024, November 14). Bored '
                                         'BeaverTail & InvisibleFerret Yacht '
                                         'Club – A Lazarus Lure Pt.2. '
                                         'Retrieved October 17, 2025.',
                          'source_name': 'Esentire ContagiousInterview '
                                         'BeaverTail InvisibleFerret November '
                                         '2024',
                          'url': 'https://www.esentire.com/blog/bored-beavertail-invisibleferret-yacht-club-a-lazarus-lure-pt-2'},
                         {'description': 'Ian Kretz, Sebastian Obregoso, '
                                         'Datadog Security Research Team. '
                                         '(2024, October 24). Tenacious '
                                         'Pungsan: A DPRK threat actor linked '
                                         'to Contagious Interview. Retrieved '
                                         'October 20, 2025.',
                          'source_name': 'Datadog Contagious Interview '
                                         'Tenacious Pungsan October 2024',
                          'url': 'https://securitylabs.datadoghq.com/articles/tenacious-pungsan-dprk-threat-actor-contagious-interview/'},
                         {'description': 'Insikt Group. (2025, February 13). '
                                         'Inside the Scam: North Korea’s IT '
                                         'Worker Threat. Retrieved October 17, '
                                         '2025.',
                          'source_name': 'Recorded Future Contagious Inteview '
                                         'BeaverTail InvisibleFerret '
                                         'OtterCookie February 2025',
                          'url': 'https://www.recordedfuture.com/research/inside-the-scam-north-koreas-it-worker-threat'},
                         {'description': 'Matej Havranek. (2025, February 20). '
                                         'DeceptiveDevelopment targets '
                                         'freelance developers. Retrieved '
                                         'October 17, 2025.',
                          'source_name': 'ESET Contagious Interview BeaverTail '
                                         'InvisibleFerret February 2025',
                          'url': 'https://www.welivesecurity.com/en/eset-research/deceptivedevelopment-targets-freelance-developers/'},
                         {'description': 'Michael “Barni” Barnhart, DTEX, and '
                                         'Anonymous SMEs. (2025, May 14). '
                                         "Exposing DPRK's Cyber Syndicate and "
                                         'Hidden IT Workforce. Retrieved '
                                         'September 3, 2025.',
                          'source_name': 'dtex DPRK 2025 structure ITworkers',
                          'url': 'https://reports.dtexsystems.com/DTEX-Exposing+DPRK+Cyber+Syndicate+and+Hidden+IT+Workforce.pdf'},
                         {'description': 'Securonix Threat Research, D.Iuzvyk, '
                                         'T. Peck, O.Kolesnikov. (2024, April '
                                         '24). Analysis of DEV#POPPER: New '
                                         'Attack Campaign Targeting Software '
                                         'Developers Likely Associated With '
                                         'North Korean Threat Actors. '
                                         'Retrieved October 20, 2025.',
                          'source_name': 'Securonix Contagious Interview '
                                         'DEVPOPPER April 2024',
                          'url': 'https://www.securonix.com/blog/analysis-of-devpopper-new-attack-campaign-targeting-software-developers-likely-associated-with-north-korean-threat-actors/'},
                         {'description': 'Seongsu Park. (2024, November 4). '
                                         'From Pyongyang to Your Payroll: The '
                                         'Rise of North Korean Remote Workers '
                                         'in the West. Retrieved October 17, '
                                         '2025.',
                          'source_name': 'Zscaler ContagiousInterview '
                                         'BeaverTail InvisibleFerret November '
                                         '2024',
                          'url': 'https://www.zscaler.com/blogs/security-research/pyongyang-your-payroll-rise-north-korean-remote-workers-west'},
                         {'description': 'Unit 42. (2023, November 21). '
                                         'Hacking Employers and Seeking '
                                         'Employment: Two Job-Related '
                                         'Campaigns Bear Hallmarks of North '
                                         'Korean Threat Actors. Retrieved '
                                         'October 17, 2025.',
                          'source_name': 'PaloAlto ContagiousInterview '
                                         'BeaverTail InvisibleFerret November '
                                         '2023',
                          'url': 'https://unit42.paloaltonetworks.com/two-campaigns-by-north-korea-bad-actors-target-job-hunters/'},
                         {'description': 'Unit42. (2024, October 9). '
                                         'Contagious Interview: DPRK Threat '
                                         'Actors Lure Tech Industry Job '
                                         'Seekers to Install New Variants of '
                                         'BeaverTail and InvisibleFerret '
                                         'Malware. Retrieved October 17, 2025.',
                          'source_name': 'PaloAlto Unit42 ContagiousInterview '
                                         'BeaverTail InvisibileFerret October '
                                         '2024',
                          'url': 'https://unit42.paloaltonetworks.com/north-korean-threat-actors-lure-tech-job-seekers-as-fake-recruiters/'}],
 'id': 'intrusion-set--46599a4a-77ee-4697-9474-2683b6464859',
 'modified': '2025-10-24T02:54:55.039Z',
 'name': 'Contagious Interview',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': False,
 'spec_version': '2.1',
 'type': 'intrusion-set',
 'x_mitre_attack_spec_version': '3.3.0',
 'x_mitre_deprecated': False,
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_version': '1.0'}