North Korea-nexus Golang Backdoor/Stealer from Contagious Interview campaign
2025-01-05 • dmpdump
https://dmpdump.github.io/posts/NorthKorea_Backdoor_Stealer/
The Contagious Interview sample analyzed by dmpdump used fake Willo candidate-screening sites to lure victims into running a copied shell command. The shared VCam_intel.zip artifact contained Windows, macOS and Linux material, with macOS scripts downloading architecture-specific payloads from api.nvidia-cloud[.]online, unpacking them under /var/tmp/VCam and installing a LaunchAgent at ~/Library/LaunchAgents/com.vcam.plist. The vcamservice.sh script built and ran a Golang payload from app.go, which generated a victim ID, checked for duplicate execution and contacted http://216.74.123[.]191:8080. The activity fits North Korea-nexus Contagious Interview tradecraft aimed at crypto-wallet theft through job-interview lures and cross-platform tooling.
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| DOMAIN | api.jz-aws.info | 2025-01-05 | 2025-08-28 |
| HASH | 60ec2dbe8cfacdff1d4eb093032b030… | 2025-01-05 | 2025-08-25 |
| HASH | b72653bf747b962c67a5999afbc1d91… | 2025-01-05 | 2025-08-25 |
| IPv4 | 216.74.123.191 | 2025-01-05 | 2025-08-25 |
| URL | https://api.nvidia-cloud.online… | 2025-01-05 | 2025-02-13 |
| URL | https://api.nvidia-cloud.online… | 2025-01-05 | 2025-02-13 |
| DOMAIN | connect.trezor.io | 2025-01-05 | 2025-02-13 |
| DOMAIN | api.nvidia-cloud.online | 2025-01-05 | 2025-02-13 |
| URL | https://api.jz-aws.info/public/… | 2025-01-05 | 2025-01-20 |
| HASH | 7a2dea687c9ab3a86a82893014c926b… | 2025-01-05 | 2025-01-05 |
| HASH | b4b0e19a98deeccc9f9f7dc5f18999c… | 2025-01-05 | 2025-01-05 |
| URL | https://www.api.camera-drive.cl… | 2025-01-05 | 2025-01-05 |