North Korean hackers use fake job interviews to attack over 3,100 IP addresses related to AI, cryptocurrency, and financial companies

Jan 22, 2026 18:51:00


According to market news, the latest research by the security company Recorded Future shows that the North Korean-linked hacker group PurpleBravo has launched cyber espionage activities targeting over 3,100 IP addresses of companies in artificial intelligence, cryptocurrency, and financial services through fake job interviews.

Members of the group pose as recruiters or developers, luring targets into executing malicious code under the pretext of technical interviews. The attackers claim to be from cryptocurrency or tech companies and ask job seekers to review code, clone repositories, or complete programming tasks. Security researchers have identified 20 victim organizations from regions such as South Asia and North America. The group uses multiple aliases and employs a fake identity from Odessa, Ukraine for camouflage. The attacks used remote access Trojans such as PylangGhost and GolangGhost, which can automatically steal browser credentials and cookies.

The hackers also host their malware servers through malicious GitHub repositories, Astrill VPN, and 17 service providers. Additionally, the investigation found related Telegram channels selling LinkedIn and Upwork accounts, and the attackers have also interacted with the cryptocurrency trading platform MEXC Exchange.
