GitLab Threat Intelligence linked infrastructure active since at least May 2025 to North Korean operators distributing BeaverTail and InvisibleFerret variants associated with Contagious Interview and Famous Chollima activity. The campaign used a fake hiring platform at businesshire.top and ClickFix-style camera or microphone troubleshooting lures aimed at cryptocurrency, web3, retail marketing, sales, trader, and investment roles rather than only software developers. The site collected visitor IP, geolocation, and browser cryptocurrency wallet signals before presenting OS-specific commands that fetched payloads from nvidiasdk.fly.dev with numeric user-agent headers as execution guardrails. The infection chains delivered compiled BeaverTail for macOS and Windows, used bundled dependencies and redundancy such as PyInstaller-compiled InvisibleFerret, and showed low static detection despite recognizable network and file-system behavior. The shift toward compiled payloads and non-developer job roles suggests adaptation for victims less likely to have scripting runtimes installed.