DPRK's Willo Impersonation Campaign
2025-01-09 • Zeroshadow
https://www.zeroshadow.io/post/dprk-s-willo-impersonation-campaign
ZeroShadow describes a DPRK Contagious Interview campaign that impersonated the Willo video interview platform to target cryptocurrency workers with fake recruiter outreach. Victims were moved from job messages to a lookalike interview site, where a staged camera error and "fix" instructions pushed them to run attacker commands. The activity used built-out Western recruiter personas, rotated profiles after reporting, and delivered BeaverTail infostealer with InvisibleFerret as a follow-on payload to steal wallet data and maintain access.
Indicators of Compromise