North Korean Hackers Exploit Threat Intel Platforms For Phishing

By Team-CWD | September 7, 2025 | Updated: September 7, 2025


A coordinated effort by North Korea-aligned hackers to exploit cyber threat intelligence (CTI) platforms has been revealed by cybersecurity experts.

The investigation, carried out by SentinelLabs and the internet intelligence company Validin, linked the activity to the Contagious Interview cluster, a campaign known for targeting job seekers with malware-laced recruitment lures.

Between March and June 2025, the group reportedly attempted to access Validin’s infrastructure intelligence portal, registering multiple accounts within hours of a blog post that detailed Lazarus-linked activity. The hackers used Gmail addresses previously associated with their operations, although Validin quickly blocked them. Despite this, they returned with new accounts, including domains registered specifically for the effort.

Persistent Attempts and Adaptation

The threat actors demonstrated persistence, repeatedly creating accounts and attempting logins over several months. SentinelLabs intentionally allowed one account to remain active to monitor their tactics. Investigators found evidence of team-based coordination, including the suspected use of Slack to share search results in real time.

Instead of making broad infrastructure changes to avoid discovery, the hackers focused on deploying new systems to replace those taken down by service providers. This strategy enabled them to sustain a high tempo of victim engagement despite exposure.


Infrastructure Scouting and OPSEC Failures

Researchers observed the group using Validin not only to track signs of detection but also to scout new infrastructure before purchase. Searches for recruitment-themed domains such as skillquestions[.]com and hiringassessment[.]net suggested efforts to avoid flagged assets.

Still, several operational security mistakes exposed log files and directory structures, offering rare insight into their workflows.

The investigation also revealed ContagiousDrop applications – malware delivery systems embedded in recruitment sites.

These applications sent email alerts when victims executed malicious commands and logged details such as names, phone numbers and IP addresses. More than 230 individuals, mainly in the cryptocurrency industry, were affected between January and March 2025.

Campaign Goals and Wider Impact

According to SentinelLabs, the Contagious Interview campaign primarily serves North Korea’s need for revenue, targeting cryptocurrency professionals worldwide through social engineering.

While the group has not adopted systematic measures to shield infrastructure, its resilience comes from rapid redeployment and continuous victim acquisition.

“Given the continuous success of their campaigns in engaging targets, it may be more pragmatic and efficient for the threat actors to deploy new infrastructure rather than maintain existing assets,” SentinelLabs explained.

The report emphasizes that vigilance from job seekers remains essential, especially in the cryptocurrency sector. Infrastructure providers also play a key role, as rapid takedowns significantly disrupt these operations.


