Researchers have identified a new twist in the long-running Contagious Interview campaign, attributed to North Korean threat actors, in which malicious code is concealed inside SVG image files disguised as national flag graphics. The technique allows attackers to hide payloads in plain sight within what appear to be ordinary vector image assets bundled into fake coding test projects.
The campaign follows the group’s established playbook: targets, often software developers and job seekers, are approached with fraudulent job offers or invited to complete a coding challenge as part of a supposed hiring process. Victims are directed to download and run a project that appears legitimate but secretly contains the steganographically hidden malware.
Four-Stage Infection Chain
According to the findings, any user who executed the project ended up infected with a multi-stage payload aligned with OTTERCOOKIE malware. The infection chain reportedly includes:
- A browser credential and cryptocurrency wallet stealer
- A file stealer component
- Additional stages consistent with the broader OTTERCOOKIE malware family used in prior Contagious Interview operations
By embedding the malicious code within SVG images rather than more commonly scrutinized file types, the attackers aim to evade detection tools and analysts who may not routinely inspect image assets for hidden executable content or scripts.
Consistent with Ongoing DPRK Operations
Contagious Interview has been active for an extended period and is one of several North Korean-linked campaigns that specifically target the software development and cryptocurrency sectors through fake recruitment lures. The use of steganographic techniques in SVG files represents an evolution in obfuscation methods used to deliver known malware families like OtterCookie while attempting to bypass static and signature-based detection.
Security teams, particularly those supporting developers and technical recruiting workflows, should treat unsolicited coding assignments and take-home projects with heightened scrutiny, especially where they require running unreviewed code or installing dependencies from unfamiliar sources. Organizations are advised to scan image files delivered as part of job application or interview processes for embedded scripts and to monitor for credential and wallet-stealing behavior consistent with OtterCookie infections.
