{ "type": "bundle", "id": "bundle--75cf6d6d-b0a4-440b-8254-97e2c2e73663", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--de9ce4f0-ea1f-4912-a553-66e9c7d0ebbd", "created": "2025-10-21T04:21:26.951393Z", "modified": "2025-10-21T11:59:21.772648Z", "name": "KL4R10N", "identity_class": "organization" }, { "type": "domain-name", "spec_version": "2.1", "id": "domain-name--2c0e4f67-173e-40d4-bb1e-1dec082dceb8", "value": "chainlink-api-v3.com" }, { "type": "file", "spec_version": "2.1", "id": "file--13425371-0f6c-41db-a71e-6fc10c4d4801", "hashes": { "MD5": "b2040f01294c183945fdbe487022cf8e" } }, { "type": "domain-name", "spec_version": "2.1", "id": "domain-name--a21e2b20-cfdd-4f25-91e3-8c19318e3740", "value": "chainlink-api-v3.cloud" }, { "type": "ipv4-addr", "spec_version": "2.1", "id": "ipv4-addr--76e814ac-d2f3-4d26-be36-7630b0a468cf", "value": "172.86.116.178" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--734836fc-ea38-48b9-b9a6-7c8615509cfe", "created": "2026-06-24T19:55:27.175144Z", "modified": "2026-06-24T19:55:27.175144Z", "name": "YARA Rule", "pattern": "rule Node_Beyond_eval_Contagious_Interview\r\n\r\n{\r\n\r\n meta:\r\n\r\n author = \"KL4R10N\"\r\n\r\n description = \"Detects Node.js payloads used in the beyond Eval 'Contagious Interview' campaign\"\r\n\r\n strings:\r\n\r\n $a1 = \"Node.js Javascript Runtime\" nocase\r\n\r\n $a2 = \"/api/service/makelog\" nocase\r\n\r\n $a3 = \"/api/service/process/\" nocase\r\n\r\n $a4 = \"socket.io-client\" nocase\r\n\r\n $a5 = \"Get-Clipboard\" nocase\r\n\r\n $a6 = \"pbpaste\" nocase\r\n\r\n $a7 = \"wmic logicaldisk get name\" nocase\r\n\r\n $a8 = \"node-global-key-listener\" nocase\r\n\r\n $a9 = \"172.86.116.178\" ascii\r\n\r\n $b1 = \"cc.pid\" ascii\r\n\r\n $b2 = \"up.pid\" ascii\r\n\r\n condition:\r\n\r\n 3 of ($a*) or ( $a9 and any of ($b*) )\r\n\r\n}", "pattern_type": "yara", "valid_from": "2025-10-21T00:00:00Z" }, { "type": "url", "spec_version": "2.1", "id": "url--10f9c781-704f-4fe9-a70b-3100bb0df085", "value": "http://chainlink-api-v3.com" }, { "type": "url", "spec_version": "2.1", "id": "url--7e9e7e85-ab71-4528-9b9d-52e43e1026e3", "value": "https://chainlink-api-v3.cloud" }, { "type": "threat-actor", "spec_version": "2.1", "id": "threat-actor--517f1d6a-514b-592b-8216-43a310ad6d08", "created": "2026-06-24T19:55:27.181127Z", "modified": "2026-06-24T19:55:27.181127Z", "name": "ContagiousInterview" }, { "type": "report", "spec_version": "2.1", "id": "report--cad77542-d7a1-4407-bbee-32d04c8b0260", "created_by_ref": "identity--de9ce4f0-ea1f-4912-a553-66e9c7d0ebbd", "created": "2026-06-24T19:55:27.201289Z", "modified": "2026-06-24T19:55:27.201289Z", "name": "Beyond eval(): DPRK\u2019s New Malware Strategy Hidden in Job Assignments", "published": "2025-10-21T00:00:00Z", "object_refs": [ "identity--de9ce4f0-ea1f-4912-a553-66e9c7d0ebbd", "domain-name--2c0e4f67-173e-40d4-bb1e-1dec082dceb8", "file--13425371-0f6c-41db-a71e-6fc10c4d4801", "domain-name--a21e2b20-cfdd-4f25-91e3-8c19318e3740", "ipv4-addr--76e814ac-d2f3-4d26-be36-7630b0a468cf", "indicator--734836fc-ea38-48b9-b9a6-7c8615509cfe", "url--10f9c781-704f-4fe9-a70b-3100bb0df085", "url--7e9e7e85-ab71-4528-9b9d-52e43e1026e3", "threat-actor--517f1d6a-514b-592b-8216-43a310ad6d08" ], "external_references": [ { "source_name": "source", "url": "https://kl4r10n.tech/blog/dprk-new-malware" } ] } ] }