North Korean threat actors have been identified engaging in deceptive tactics on the web [4], posing as job recruiters and seekers in campaigns known as Contagious Interview and Wagemole. These campaigns aim to deceive organizations and individuals [3], gain financial profit [3] [4], and potentially infiltrate Western organizations [3] [4].


In the Contagious Interview campaign [3], the threat actors act as employers and trick applicants into installing sophisticated infostealers during the vetting process [4]. They exploit the trust of job seekers to gain access to sensitive information. In the Wagemole campaign [1] [2] [3], they assume the role of job applicants at established US organizations [4], using fake personas [4]. These campaigns are more convincing than typical phishing emails and aim to appear realistic to unsuspecting victims [3].

The threat actors have a history of engaging in espionage and financial cybercrime [3]. They have previously posed as high-tech job recruiters to entice skilled employees into prolonged engagements [3], leading to malware attacks [3]. The infostealers used in these campaigns target system information [3], credit card details [3], and cryptocurrency wallet information [3]. They work across various operating systems and may be used to gain a foothold in target systems for future infections [3].

The threat actors have also been known to pose as job applicants seeking remote work in the tech space [3]. This highlights the need for companies to exercise caution and verify the identities of potential employees [3]. The US Department of Justice has advised companies to remain vigilant and employ robust security measures to protect against these deceptive schemes.

Palo Alto Networks Unit 42 [1] [4], a cybersecurity company [1], has identified these ongoing campaigns and expects continued activity from Contagious Interview. They see Wagemole as an opportunity for the threat actors to infiltrate targeted companies with insiders. These campaigns align with recent disclosures from the US government regarding North Korea’s efforts to beat sanctions by employing highly-skilled IT workers to fund their weapons programs [2].

Researchers have discovered evidence of these schemes on various platforms, including GitHub, LinkedIn [4], and freelancer marketplaces [4]. The US Department of Justice has warned companies to be vigilant in verifying the identities of their hires [4], as hiring employees under fake identities poses significant risks [4], as these individuals have access to source code [4].


The deceptive tactics employed by North Korean threat actors in the Contagious Interview and Wagemole campaigns pose a significant threat to organizations and individuals. It is crucial for companies and job seekers to remain vigilant and employ robust security measures to protect against these schemes [3]. Verifying the identities of potential employees is essential to mitigate the risks associated with hiring individuals under fake identities. The ongoing nature of these campaigns and their alignment with North Korea’s efforts to fund their weapons programs highlight the need for continued vigilance and proactive measures in the cybersecurity landscape.