Beyond the Backdoor: How Contagious Interview Is Surgically Tampering with MetaMask Wallets
2026-02-15 • unpacker
Recent Contagious Interview activity, attributed in the original report to North Korean threat actors, targets cryptocurrency, Web3, and AI professionals through fake technical assessments and trojanized npm packages. The updated first-stage JavaScript has been stripped down to beaconing, retrieving next-stage C2 details, and downloading additional payloads: file-stealing JavaScript, a lightweight backdoor, and the Python-based InvisibleFerret backdoor. On Windows, macOS, and Linux the malware searches for browser credentials, cryptocurrency wallets, password-manager files, private keys, seed phrases, KeePass databases, Solana artifacts, Hardhat files, and related developer secrets. A notable new capability is a backdoor command that fetches a script to replace the legitimate MetaMask extension in Chrome or Brave with an attacker-controlled build, tamper with the browser's preference protections, and capture wallet unlock passwords via attacker C2 infrastructure.
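Replacing the MetaMask extension and editing the browser's preference protections, as described above, leaves traces in the profile's preference file. The following defender-side check is an added example, not code from the original report: it audits a parsed Chrome/Brave Secure Preferences dict for a MetaMask entry that looks sideloaded or lacks its integrity MAC. The extension ID, the `extensions.settings.<id>` / `protection.macs` layout and the `location` value are my understanding of Chromium's format, and the sample preference fragments are constructed.

```python
import re

# Well-known Chrome Web Store ID of MetaMask (public value; not taken from this page).
METAMASK_ID = "nkbihfbeogaeaoehlefnkodbefgpgknn"
# Chromium's ManifestLocation value for a Web Store install (assumed from Chromium source).
LOCATION_INTERNAL = 1

def _is_absolute(path: str) -> bool:
    """True for POSIX or Windows absolute paths, regardless of the host OS."""
    return path.startswith("/") or re.match(r"^[A-Za-z]:[\\/]", path) is not None

def audit_extension(prefs: dict, ext_id: str = METAMASK_ID) -> list[str]:
    """Inspect one extension entry in a parsed 'Secure Preferences' file.
    Returns human-readable findings; an empty list means nothing looked tampered."""
    findings = []
    entry = prefs.get("extensions", {}).get("settings", {}).get(ext_id)
    if entry is None:
        return [f"{ext_id}: not installed"]
    if not entry.get("from_webstore", False):
        findings.append(f"{ext_id}: from_webstore is false (sideloaded build?)")
    if entry.get("location") != LOCATION_INTERNAL:
        findings.append(f"{ext_id}: location={entry.get('location')} is not a Web Store install")
    path = entry.get("path", "")
    if _is_absolute(path) or not path.startswith(ext_id):
        findings.append(f"{ext_id}: path '{path}' is outside the profile's Extensions directory")
    # Chromium records an HMAC per protected pref under protection.macs; a missing
    # entry for this extension means the file was edited behind the browser's back.
    macs = prefs.get("protection", {}).get("macs", {}).get("extensions", {}).get("settings", {})
    if ext_id not in macs:
        findings.append(f"{ext_id}: no protection MAC recorded for this extension entry")
    return findings

# Constructed sample preference fragments (not real captures): a healthy Web Store
# install and one where the entry has been repointed at an unpacked copy.
CLEAN_PREFS = {
    "extensions": {"settings": {METAMASK_ID: {
        "from_webstore": True, "location": 1, "state": 1,
        "path": METAMASK_ID + "\\13.0.0_0",  # version string is made up
        "manifest": {"name": "MetaMask", "version": "13.0.0"}}}},
    "protection": {"macs": {"extensions": {"settings": {METAMASK_ID: "0123ABCD"}}}},
}
TAMPERED_PREFS = {
    "extensions": {"settings": {METAMASK_ID: {
        "from_webstore": False, "location": 4, "state": 1,
        "path": "C:\\Users\\dev\\AppData\\Local\\Temp\\mm",
        "manifest": {"name": "MetaMask", "version": "13.0.0"}}}},
    "protection": {"macs": {}},
}
```

Load a profile's `Secure Preferences` (or `Preferences`) file with `json.load` and pass the dict to `audit_extension`; a clean Web Store install returns an empty list, while the constructed tampered fragment above yields four findings.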
Indicators of Compromise