More active DPRK macOS malware "Contagious Interview"

2025-11-23 L0Psec

https://archive.md/GuCHv

A DPRK Contagious Interview macOS lure themed as an “Algorand Hiring Assessment” pushed a ClickFix-style prompt that told victims to update FFmpeg macOS drivers. The prompt led to execution of a script from /var/tmp that selected an ARM or Intel release ZIP, unpacked its files under /var/tmp/CDrivers, and established LaunchAgent persistence through drivfixer.sh, which launched a Go backdoor. The Swift app bundle, named MediaPatcher, used Dropbox and NSAlerts to capture the user’s password, while the backdoor and stealer code included browser and Chrome extension collection behavior. Reported IOCs include levinpros.com, patch.levinpros.com, the C2 95.169.180.140:8080, and hashes for drivfixer.sh, the app, and a related script.
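A hunt for the LaunchAgent persistence described above, added here as an example and not part of the original report: it scans launchd plist directories for the paths, script name and C2 address this page lists, and the two sample plists it writes in demo_constructed are constructed for the demo.

```shell
#!/bin/sh
# Added example, not the report's code: hunt LaunchAgent/LaunchDaemon plists for the
# persistence artifacts described above. Indicator strings come from the page; the
# sample plists and temp directory in demo_constructed are constructed for the demo.

# /var/tmp/CDrivers, drivfixer.sh and the C2 address, as reported.
CONTAGIOUS_PATTERNS='/var/tmp/CDrivers|drivfixer\.sh|95\.169\.180\.140'

# plist_text FILE: macOS often stores plists as binary, so convert via plutil when
# present; elsewhere (e.g. a Linux box) the file is assumed to be XML text already.
plist_text() {
    if command -v plutil >/dev/null 2>&1; then plutil -convert xml1 -o - "$1"
    else cat "$1"; fi
}

# scan_launch_dirs DIR...: print "file:matched line" per hit; return 0 if any plist matched.
# On a live Mac: scan_launch_dirs "$HOME/Library/LaunchAgents" /Library/LaunchAgents /Library/LaunchDaemons
scan_launch_dirs() {
    status=1
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        for plist in "$dir"/*.plist; do
            [ -f "$plist" ] || continue
            hits=$(plist_text "$plist" | grep -E "$CONTAGIOUS_PATTERNS") || continue
            printf '%s\n' "$hits" | while IFS= read -r line; do
                printf '%s:%s\n' "$plist" "$line"
            done
            status=0
        done
    done
    return $status
}

# demo_constructed: one benign plist and one mimicking the drivfixer.sh LaunchAgent,
# written to a temp dir; returns scan_launch_dirs' status (0 = persistence found).
demo_constructed() {
    tmp=$(mktemp -d)
    printf '<plist><dict><key>ProgramArguments</key><array><string>%s</string></array></dict></plist>\n' \
        /usr/local/bin/backup.sh > "$tmp/com.example.benign.plist"
    printf '<plist><dict><key>ProgramArguments</key><array><string>%s</string></array></dict></plist>\n' \
        /var/tmp/CDrivers/drivfixer.sh > "$tmp/com.example.suspect.plist"
    scan_launch_dirs "$tmp"
    rc=$?
    rm -rf "$tmp"
    return $rc
}
```

A hit only says the plist references a reported path or address; confirm by inspecting the referenced script and the process it spawns before acting on it.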

Indicators of Compromise

Type Value First Seen Last Seen
IPv4 95.169.180.140 2025-11-23 2026-03-23
HASH 694447b18338e6dc074603a1a149e4e… 2025-11-23 2025-11-23
HASH 9610cf0bf17bf143f6bfef9850e4a61… 2025-11-23 2025-11-23
HASH 0048b92365f3ab21540b20a00a306c2… 2025-11-23 2025-11-23
URL https://levinpros\.com/join/ljv… 2025-11-23 2025-11-23
URL https://levinpros.com/join/ljvt… 2025-11-23 2025-11-23
DOMAIN levinpros.com 2025-11-23 2025-11-23