GitLab Threat Intelligence Team reveals North Korean tradecraft
2026-02-19 • GitLab
https://about.gitlab.com/blog/gitlab-threat-intelligence-reveals-north-korean-tradecraft/
GitLab reports that North Korean nation-state actors used GitLab.com in 2025 for Contagious Interview malware distribution and related fake IT-worker operations. The activity targeted software developers, especially in cryptocurrency, finance, real estate, AI, and gaming, with JavaScript projects that commonly delivered BeaverTail and Ottercookie or loaded remote payloads from services such as Vercel. GitLab banned 131 accounts and observed malicious repositories using concealed staging URLs, `.env`-encoded configuration, `Function.constructor` execution, VS Code task abuse, malicious npm dependencies, invite-only private projects, and anti-analysis behavior. The report also describes operational artifacts, including a target list of more than 1,000 people, 88 recorded executions of malicious projects, front-company-style email domains, and AI-assisted work on a custom BeaverTail obfuscator.
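A static triage pass for the repository traits listed above, as an added example (not GitLab's code or tooling): it flags VS Code tasks that run on folder open, `.env` values that base64-decode to a URL, and `Function.constructor`-style execution of strings, without running anything from the project. The rule names, the reading of "`.env`-encoded" as base64, and the sample project are assumptions constructed here.

```javascript
// Static triage of a cloned JavaScript project before it is opened or run.
// Rule names and the sample repository below are constructed for illustration.
const B64 = /^[A-Za-z0-9+/]{16,}={0,2}$/;
const DYN_EXEC = /\bFunction\s*\.\s*constructor\b|\.constructor\s*\.\s*constructor\b|\bnew\s+Function\s*\(/;

function checkTasks(text) {
  // tasks.json may contain comments, so fall back to a regex if JSON.parse fails.
  try {
    const tasks = JSON.parse(text).tasks || [];
    return tasks.filter(t => t.runOptions && t.runOptions.runOn === "folderOpen")
                .map(t => `task "${t.label}" runs on folder open: ${t.command}`);
  } catch (e) {
    return /"runOn"\s*:\s*"folderOpen"/.test(text) ? ["runOn folderOpen present (unparsed)"] : [];
  }
}

function checkEnv(text) {
  const hits = [];
  for (const line of text.split(/\r?\n/)) {
    const m = line.match(/^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*["']?([^"'\s#]+)/);
    if (!m || !B64.test(m[2])) continue;
    const decoded = Buffer.from(m[2], "base64").toString("utf8");
    if (/^https?:\/\//i.test(decoded)) hits.push(`${m[1]} holds a base64-encoded URL`);
  }
  return hits;
}

function triageRepo(files) {
  const findings = [];
  const add = (file, rule, details) => details.forEach(detail => findings.push({ file, rule, detail }));
  for (const [file, text] of Object.entries(files)) {
    const name = file.split("/").pop();
    if (file.endsWith(".vscode/tasks.json")) add(file, "vscode-autorun-task", checkTasks(text));
    else if (name === ".env" || name.startsWith(".env.")) add(file, "env-encoded-url", checkEnv(text));
    else if (/\.(c|m)?js$/.test(name) && DYN_EXEC.test(text)) add(file, "dynamic-function-exec", ["Function constructor used to run a string"]);
  }
  return findings;
}

// Constructed sample project (not taken from the report); keys are repo-relative paths.
const stagingUrl = Buffer.from("https://staging.example.invalid/api").toString("base64");
const SAMPLE = {
  ".vscode/tasks.json": JSON.stringify({ version: "2.0.0", tasks: [
    { label: "env", type: "shell", command: "node server/boot.js", runOptions: { runOn: "folderOpen" } }] }),
  ".env": `PORT=3000\nAUTH_API=${stagingUrl}\n`,
  "server/boot.js": "const run = Function.constructor; run('require', body)(require);",
  "server/app.js": "module.exports = (req, res) => res.end('ok');",
};
console.log(triageRepo(SAMPLE));
```

Each finding is a lead for manual review rather than a verdict: legitimate projects also use auto-run tasks and `new Function`, so the signal is strongest when several rules fire in one unsolicited repository.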
Indicators of Compromise