Contagious Interview Campaign: Independent Analysis of the StegaBin Wave
2026-03-09 • Serap Him
https://github.com/seraphimdeck/SerapHim-CTI/blob/main/CTI-001-StegaBinWave.pdf
Attachments
CTI-001-StegaBinWave.pdf (258 KB)
SerapHim analyzes the StegaBin wave of the Contagious Interview supply-chain campaign, attributing it to Famous Chollima under the Lazarus Group umbrella with high confidence. The wave used 26 typosquatted npm packages across separate accounts to target software developers through fake interview or coding-assessment lures, while keeping legitimate dependencies in place to reduce suspicion. Installation executed an obfuscated JavaScript chain that resolved C2 infrastructure from Pastebin dead drops using character-level text steganography, then fetched platform-specific payloads and connected to 103[.]106[.]67[.]63:1244 for a nine-module credential stealer. The report documents live pre-takedown observations of the Pastebin structure, fallback URLs, decoding logic, and the analysis offset error, making it useful for defenders tracking evolving DPRK developer-targeting tradecraft.