Fake North Korean IT Worker Linked to BeaverTail Video Conference App Phishing Attack
2024-11-14 • Palo Alto Networks
https://unit42.paloaltonetworks.com/fake-north-korean-it-worker-activity-cluster/
This is the second instance where we have observed connections between the Contagious Interview malware campaign and North Korean IT worker activities, also known as the Wagemole campaign. Since our previous report on the two job-related campaigns, some researchers have begun attributing the Contagious Interview campaign to the well-known North Korean threat group, Lazarus.

Fake North Korean IT Worker CL-STA-0237 Linked to the Phishing Attack

Our internal telemetry identified newly registered domains resolving to a known IP address, 167.88.36[.]13, which is associated with the MiroTalk fake job campaign from July 2024 discussed above.

Despite this uncertainty, we continue to observe links between malware campaigns and North Korean IT workers; thus, we track these activities under our temporary cluster names.

Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| DOMAIN | outlook.com | 2018-09-06 | 2026-04-17 |
| DOMAIN | regioncheck.net | 2024-09-04 | 2025-05-30 |
| DOMAIN | mirotalk.net | 2024-07-15 | 2025-02-20 |
| DOMAIN | mirotalk.io | 2024-11-14 | 2024-11-14 |
| DOMAIN | europe.com | 2024-11-14 | 2024-11-14 |
| DOMAIN | ftpserver0909.com | 2024-11-14 | 2024-11-14 |
| DOMAIN | effertz-carroll.com | 2024-11-14 | 2024-11-14 |
| DOMAIN | freeconference.io | 2024-09-04 | 2024-11-14 |
| IPv4 | 167.88.36.13 | 2024-08-29 | 2024-11-14 |