Thursday, January 22, 2026
The Bit Gazette

North Korean hackers target crypto and AI firms in fake recruitment campaign affecting 3,100 IPs

A new campaign by North Korean hackers used fraudulent recruitment to breach thousands of systems tied to AI, crypto, and finance worldwide.

by Moses Edozie
1 hour ago

North Korean hackers have launched a wide-ranging cyber espionage campaign targeting more than 3,100 internet protocol (IP) addresses linked to companies in artificial intelligence, cryptocurrency, and financial services, according to new findings by Recorded Future’s Insikt Group.

The operation, identified in January 2026 and spanning multiple regions, relied on fake job interviews, malicious developer tools, and deceptive online personas to compromise corporate systems and steal credentials.

The campaign, tracked under the name PurpleBravo, marks the latest activity attributed to North Korean hackers after security researchers estimated that similar groups siphoned more than $2 billion from the crypto sector in 2025.

Analysts say the latest effort underscores how recruitment-themed social engineering has become a central tactic in state-linked cyber operations.

Fake recruitment campaign expands reach of North Korean hackers

Insikt Group said the PurpleBravo operation, also referred to as the “Contagious Interview” campaign, involved attackers posing as recruiters or developers and approaching job seekers with supposed technical interview exercises. During the monitoring period, researchers observed at least 3,136 IP addresses being targeted globally.

The attackers typically presented themselves as representatives of crypto or technology firms and asked candidates to review code, clone GitHub repositories, or complete coding challenges. According to Insikt Group, this method increased the likelihood that victims would execute malicious code on work devices rather than isolated personal systems.

“In several cases, it is likely that job-seeking candidates executed malicious code on corporate devices, creating organizational exposure beyond the individual target,” — Insikt Group, Recorded Future.

The researchers identified 20 victim organizations across South Asia, North America, Europe, the Middle East, and Central America. They also noted that the campaign has appeared under multiple aliases linked to North Korean hackers, including DeceptiveDevelopment, Famous Chollima, Void Dokkaebi, and WaterPlum.

Personas and infrastructure used by North Korean hackers

To support the operation, North Korean hackers relied on a network of fake online personas, malicious GitHub repositories, and regionally misleading cover stories.

Insikt Group identified four personas connected to PurpleBravo that consistently claimed to be based in Odessa, Ukraine, while primarily targeting job seekers in South Asia. Researchers said they could not determine why Ukrainian identities were chosen.

The group also leveraged China-based command-and-control infrastructure, administering servers through Astrill VPN and specific IP ranges. Insikt Group reported that at least 17 service providers hosted malware strains such as BeaverTail and GolangGhost on behalf of the attackers.

As part of the campaign, the hackers promoted fake crypto-related projects, including a website advertising a token linked to a food brand. Investigators were unable to verify any legitimate connection between the token and the company it referenced, noting that the project’s Telegram channel was populated by scammers, automated bots, and malicious links.

Malware evolution highlights capabilities of North Korean hackers

Security researchers said the campaign demonstrated evolving malware tactics by North Korean hackers, particularly through the use of remote access trojans designed to steal credentials and maintain long-term access. Two malware families, PylangGhost and GolangGhost, were identified as core tools in the operation.

GolangGhost is compatible with multiple operating systems, while PylangGhost targets Windows systems and can bypass Chrome’s app-bound credential protections in newer browser versions. Both tools automate the theft of browser cookies and login data, enabling attackers to expand access across compromised networks.

Insikt Group also observed Telegram channels advertising LinkedIn and Upwork accounts for sale, supported by proxy services and virtual private servers used to obscure operators’ locations. The campaign infrastructure was further linked to interactions with the cryptocurrency trading platform MEXC Exchange, highlighting the financial dimension of the operation.

VS Code backdoors deepen threat from North Korean hackers

Additional findings from Jamf Threat Labs indicate that North Korean hackers have refined their techniques by weaponizing Microsoft Visual Studio Code. The method, first detected in December 2025, involves embedding malicious commands within Git repositories that activate when a developer opens the project in VS Code.

According to Jamf security researcher Thijs Xhaflaire, the attack chain begins when a victim clones a malicious repository and is prompted to trust the author.

“When the project is opened, Visual Studio Code prompts the user to trust the repository author. If that trust is granted, the application automatically processes the repository’s tasks.json configuration file, which can result in embedded arbitrary commands being executed on the system,” — Thijs Xhaflaire, Security Researcher, Jamf Threat Labs.

Researchers say this approach allows North Korean hackers to achieve remote code execution and maintain persistent access, particularly within developer environments common in AI and crypto firms.
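A pre-open check for the tasks.json behaviour described above, as an added example that is not from Jamf, Insikt Group or the original article: it lists tasks in a cloned repository whose `runOptions.runOn` is `folderOpen`, the standard VS Code option for running a task when the folder is opened. The article does not say which tasks.json fields the malicious repositories used, so that focus is an assumption; the function names and the sample file are constructed for illustration.

```python
import json
import re
import tempfile
from pathlib import Path

def _strip(pattern, text):
    # Delete matches of `pattern` but leave JSON string literals untouched.
    return re.sub(r'"(?:\\.|[^"\\])*"|' + pattern,
                  lambda m: m.group(0) if m.group(0)[0] == '"' else "", text, flags=re.S)

def load_jsonc(text):
    # tasks.json allows comments and trailing commas; normalise, then parse.
    text = _strip(r"//[^\n]*|/\*.*?\*/", text)
    return json.loads(_strip(r",(?=\s*[}\]])", text))

def audit_repo(repo):
    """Report tasks set to run on folder open, with every command variant."""
    findings = []
    for path in Path(repo).rglob("tasks.json"):
        if path.parent.name != ".vscode":
            continue
        rel = str(path.relative_to(repo))
        try:
            for task in load_jsonc(path.read_text(encoding="utf-8")).get("tasks", []):
                if task.get("runOptions", {}).get("runOn") != "folderOpen":
                    continue
                # Per-OS blocks can override the command, so collect all of them.
                variants = [task] + [task[k] for k in ("windows", "osx", "linux") if k in task]
                commands = [" ".join(map(str, [v["command"], *v.get("args", [])]))
                            for v in variants if "command" in v]
                hidden = task.get("presentation", {}).get("reveal") in ("never", "silent")
                findings.append({"file": rel, "label": task.get("label"),
                                 "commands": commands, "hidden": hidden})
        except (ValueError, OSError, AttributeError, TypeError):
            findings.append({"file": rel, "label": None, "error": "unparseable, review by hand"})
    return findings

def demo():
    # Constructed sample: a harmless task that only echoes a marker string.
    sample = """{ "version": "2.0.0", "tasks": [ // constructed, not from any real repository
        {"label": "build", "command": "make", "args": ["all"]},
        {"label": "prepare", "command": "echo", "args": ["constructed-sample"],
         "osx": {"command": "echo constructed-osx-variant"},
         "runOptions": {"runOn": "folderOpen"}, "presentation": {"reveal": "never"},},
      ] }"""
    with tempfile.TemporaryDirectory() as repo:
        Path(repo, ".vscode").mkdir()
        Path(repo, ".vscode", "tasks.json").write_text(sample, encoding="utf-8")
        return audit_repo(repo)
```

Running `audit_repo` on a fresh clone from a terminal, before the folder is opened in the editor, surfaces both the auto-run command and any per-OS override that a quick read of the top-level `command` field would miss.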

A growing risk for global industries

The latest findings suggest that North Korean hackers are increasingly targeting human behavior rather than software vulnerabilities, exploiting trust built during recruitment processes.

By combining social engineering with sophisticated malware, the PurpleBravo campaign illustrates how state-linked actors continue to adapt their methods.

While the full financial impact of the operation remains unclear, security analysts warn that the scale and geographic spread of the campaign highlight ongoing risks for companies operating in high-value sectors.

As North Korean hackers refine recruitment-based tactics, researchers stress the importance of tighter controls around developer tools, code repositories, and hiring processes to limit future exposure.

Tags: AI, crypto, cybersecurity, espionage, finance, hacking, malware, NorthKorea, RecruitmentScam, ThreatIntel
Moses Edozie

Moses Edozie is a writer and storyteller with a deep interest in cryptocurrency, blockchain innovation, and Web3 culture. Passionate about DeFi, NFTs, and the societal impact of decentralized systems, he creates clear, engaging narratives that connect complex technologies to everyday life.

Copyright © 2025 - The Bit Gazette.

Are you sure want to unlock this post?
Unlock left : 0
Are you sure want to cancel subscription?