DPRK-Linked Malware Targeting Job Seekers via Wellfound
Severity: Critical (Score: 80.0)
Sources: Reddit
Summary
A cybersecurity incident involved a fake job interview scheme on Wellfound, in which an operator named 'Felix' from 'HyperHive' targeted an individual with a social engineering approach that referenced the target's real CV. The attack led to the deployment of a sophisticated infostealer: an 8.5 MB Rust-compiled binary capable of stealing sensitive information such as browser passwords and crypto wallet data. The malware was delivered through a malicious script executed via a fake password dialog. The attacker's command and control (C2) server was identified as cloudproxy.link, with multiple endpoints exposed. The malware's configuration values were encrypted with a custom cipher, which the victim successfully decrypted, revealing 571 operationally significant strings. The incident was reported to the FBI's Internet Crime Complaint Center (IC3) shortly after the analysis was completed. The malware currently has a low detection rate on VirusTotal, with only 9 out of 72 antivirus engines flagging it. The attack aligns with known tactics attributed to North Korean cyber operations, specifically the DPRK Contagious Interview campaign.
Key Points
- A fake job interview scheme was used to deliver sophisticated malware.
- The malware is a Rust-compiled infostealer targeting sensitive information.
- The attack is linked to North Korean cyber operations, specifically the DPRK Contagious Interview campaign.
Key Entities
- Malware (attack_type)
- Phishing (attack_type)
- Contagious Interview (campaign)
- hyperhives.net (domain)
- o4509139651198976.ingest.de.sentry.io (domain)
- 526eff9f8bb7aafd7117ca5e33a6a183 (md5)
- T1059.004 - Unix Shell (mitre_attack)
- T1071 - Application Layer Protocol (mitre_attack)
- T1566.002 - Spearphishing Link (mitre_attack)
- MacOS (platform)