North Korean Threat Actors Reveal Plans and Ops by Abusing Cyber Intel Platforms
2025-09-04 • Sentinel One
SentinelLABS and Validin observed North Korea-aligned Contagious Interview operators creating and using cyber intelligence platform accounts to monitor their own exposed infrastructure. The activity is tied to the ClickFix-style job seeker lure chain, where targets are directed to fake assessment sites and instructed to run commands that download malware. The actors used Gmail accounts already tracked as campaign artifacts, registered from VPN-linked IPs, and appeared to coordinate through multiple CTI sources including Validin, VirusTotal, and Maltrail, with indicators of real-time teamwork such as Slack use. Despite inspecting detection artifacts and scouting new assets before acquisition, they made only limited defensive changes and instead rapidly replaced disrupted infrastructure, supporting continued victim engagement that SentinelLABS measured at more than 230 affected individuals from January to March 2025.
Indicators of Compromise