Illustration of VS Code logo with a malicious overlay or North Korean flag, representing a cyber threat.

North Korea’s Cyber Espionage: How VS Code Becomes a Weapon Against Crypto & Web3 Innovators


North Korean state-sponsored threat actors tracked as Contagious Interview (also known as WaterPlum) have added a new delivery method to their toolkit for reaching high-value targets: malicious Microsoft Visual Studio Code (VS Code) projects that use a legitimate but rarely scrutinized editor feature to run the StoatWaffle malware the moment a project is opened. The campaign adds to a growing list of attacks on the open-source ecosystem and on the Web3 and cryptocurrency sectors, where founders, CTOs and senior engineers are singled out as targets.

The Deceptive Lure of VS Code: A New Vector for Cyber Espionage

North Korea’s operators are abusing VS Code’s tasks.json feature. Since December 2025, the attackers have used the “runOn”: “folderOpen” run option, a setting intended for automation (it lets a task start as soon as a workspace folder is opened), to execute malware whenever a victim opens the booby-trapped project. No vulnerability is exploited: the command runs as an ordinary task under the developer’s own account, inside a tool the organization already trusts, so it looks like routine developer tooling rather than an exploit. One caveat a practitioner should keep in mind: VS Code’s Workspace Trust gates tasks, so a folder opened in Restricted Mode will not run them. The lure therefore depends on the victim clicking “Trust” on an unfamiliar repository, which is exactly what a staged technical assessment is designed to make them do.

NTT Security’s recent analysis shows that the malicious tasks download their payload from web infrastructure, initially hosted on Vercel and now increasingly on GitHub Gist, with variants for Windows, macOS and Linux alike. The first stage checks for Node.js and installs it if absent, then launches a multi-stage downloader that fetches further Node.js code from external servers and executes it.

StoatWaffle: A Modular Menace Unleashed

The primary payload delivered through this VS Code lure is StoatWaffle, modular malware written in Node.js. StoatWaffle ships with two components:

  • The Stealer Module: exfiltrates sensitive data, including credentials and browser-extension data, from Chromium-based browsers and Mozilla Firefox. On macOS the exposure is greater still, because the module also steals the iCloud Keychain database, a store of personal and professional secrets.
  • The Remote Access Trojan (RAT) Module: a fully featured RAT that establishes a persistent backdoor and communicates with a command-and-control (C2) server. Its capabilities let the operators change directories, enumerate files, execute arbitrary Node.js code, upload files, run keyword-based file searches, run shell commands, and terminate the implant to evade detection.

“StoatWaffle is a modular malware implemented by Node.js, and it has Stealer and RAT modules,” notes the Japanese security vendor, emphasizing the continuous evolution of WaterPlum’s toolkit.

Beyond StoatWaffle: A Broader Arsenal and Evolving Tactics

The deployment of StoatWaffle is part of a larger, ongoing campaign by Contagious Interview, which consistently refines its methods and malware families.

Targeting the Open-Source Ecosystem

The North Korean group has a documented history of targeting the open-source community:

  • Malicious npm Packages: the group has distributed the PylangGhost malware through seemingly legitimate npm packages, a notable shift in its propagation strategy.
  • PolinRider GitHub Campaign: in this widespread campaign, hundreds of public GitHub repositories were injected with obfuscated JavaScript payloads that ultimately deploy a new version of BeaverTail, another stealer and downloader used by the group. The compromises included repositories in the Neutralinojs GitHub organization, reached by hijacking the account of a long-time contributor with write access and force-pushing malicious code. That code retrieves encrypted payloads embedded in Tron, Aptos and Binance Smart Chain (BSC) transactions and runs BeaverTail.

Victims of these broader attacks are often initially compromised through malicious VS Code extensions or npm packages, highlighting the interconnectedness of these attack vectors.

The Human Element: Sophisticated Social Engineering

Microsoft’s analysis of the Contagious Interview campaign reveals a highly sophisticated social engineering approach. Initial access to developer systems is frequently gained through “convincingly staged recruitment processes” that mimic legitimate technical interviews. These elaborate ruses persuade victims to execute malicious commands or packages hosted on platforms like GitHub, GitLab, or Bitbucket as part of a “technical assessment.”

Crucially, the targets are not junior developers. Instead, the attackers meticulously select founders, CTOs, and senior engineers within the cryptocurrency and Web3 sectors. These individuals typically possess elevated access to corporate infrastructure and, more critically, cryptocurrency wallets, making them incredibly valuable targets. A recent, albeit unsuccessful, attempt involved targeting the founder of AllSecure.io through a fake job interview.

A Menagerie of Malware: OtterCookie, InvisibleFerret, and FlexibleFerret

Beyond StoatWaffle and BeaverTail, the Contagious Interview group employs a diverse array of malware families in their attack chains:

  • OtterCookie: A potent backdoor capable of extensive data theft.
  • InvisibleFerret: A Python-based backdoor, often delivered via BeaverTail, but now also observed as a follow-on payload after initial access with OtterCookie.
  • FlexibleFerret (aka WeaselStore): A modular backdoor implemented in both Go (GolangGhost) and Python (PylangGhost), showcasing the group’s versatility.

In a clear indication of their continuous refinement, newer iterations of the VS Code projects have pivoted from Vercel-based domains to GitHub Gist-hosted scripts for downloading and executing next-stage payloads, ultimately leading to the deployment of FlexibleFerret. This shift underscores the attackers’ agility in adapting their infrastructure to maintain stealth and effectiveness.

Conclusion

The North Korean Contagious Interview campaign is a significant and evolving threat to the technology industry, and above all to those working in the cryptocurrency and Web3 spaces. By weaponizing trusted development tools like VS Code and pairing them with carefully staged social engineering, these actors show a relentless focus on high-value targets. Developers, project maintainers and organizations must scrutinize every recruitment offer, every package dependency and every project they are asked to open. In practice that means treating any repository received as an interview assignment as hostile until proven otherwise: open it in VS Code’s Restricted Mode, read .vscode/tasks.json and the package.json scripts before trusting the folder or running an install, and regard a “technical assessment” that insists on running the recruiter’s code as the attack itself.

