North Korean threat actors connected to the Contagious Interview campaign are distributing malware disguised within SVG image files through fake job postings and coding challenges. The attackers embed malicious payloads in Scalable Vector Graphics using steganography, a technique that hides data within seemingly innocent files.
Users who executed the weaponized projects downloaded a four-stage payload aligned with OtterCookie, malware that steals browser credentials, cryptocurrency wallet information, and files from infected systems. The attack chain leverages social engineering to target job seekers, particularly those in technical roles who might engage with legitimate-looking coding tests.
The Contagious Interview campaign represents an established North Korean operation focused on recruitment-themed phishing. By combining fake employment opportunities with steganography, the threat actors reduce detection likelihood. SVG files appear benign during static analysis since they contain XML-based vector graphics, but attackers embed executable code or scripts that trigger when processed.
OtterCookie functions as an information stealer with modular capabilities. Its credential harvesting targets browser autofill data, stored passwords, and session tokens. The cryptocurrency wallet theft component pursues crypto holdings stored locally or in browser extensions. The file stealer exfiltrates sensitive documents and data from the compromised device.
Organizations should brief employees on job posting verification procedures. Legitimate companies rarely distribute custom coding challenges through external channels without vetting. Technical recruitment teams often use established platforms rather than direct file sharing. Users should verify job opportunities through official company websites and LinkedIn profiles before downloading test files.
Security teams benefit from blocking SVG files in email gateways when unnecessary for business operations. Endpoint detection systems should monitor for unusual SVG processing behavior and subsequent credential access attempts. Browser extension audits help identify malicious or compromised wallet management tools. Endpoint protection software should isolate systems showing OtterCookie indicators of compromise immediately
