North Korean operators are hiding malware inside innocent looking SVG flag images to backdoor software developers who take fake coding interviews. Researchers at Elastic Security Labs uncovered the campaign, tracked as REF9403, after the DPRK-aligned crew tried to lure members of Elastic's own community Slack with a bogus job offer and a take home "coding challenge." Anyone who ran the project handed the attackers a four stage payload.
The activity lines up with Contagious Interview, the long running North Korean scheme that dangles lucrative developer gigs to plant infostealers. Elastic says this specific infection chain has not been documented before, and the trojanized repositories carried zero detections across every antivirus vendor at the time of writing.
How the attack works
The lure starts on open developer forums. In one case a recruiter named "Maxwell" posted in a jobs channel about upgrading an e commerce platform, then moved interested candidates into direct messages and asked them to run a "test challenge." The projects, with names like next-ecommerce-private-main.zip and shopping-platform.rar, are copied from real open source templates and run perfectly, which is what makes them convincing.
The clever part is where the malware hides. The payload is chopped into Base64 fragments and tucked inside HTML comments in every SVG country flag image in the project's assets folder. A helper script reassembles the chunks in alphabetical order, decodes them with a custom routine, and runs the result with eval(), sidestepping detections that watch for the usual decoding functions. Because the project's start scripts call the loader on every server boot, the malware fires the moment a developer runs the code.
What it steals
Elastic ties the payload to OTTERCOOKIE, a DPRK malware family first flagged in December 2024, and describes four modules bundled into one package: a browser credential and crypto wallet stealer that targets 25 wallet extensions across Windows, macOS and Linux, a recursive file stealer that sweeps up documents, environment files, SSH and cloud credential stores and shell histories, a Socket.IO based remote access trojan that gives the operator a live shell, and a clipboard stealer. One module even masquerades as an npm-cache process to blend into task listings, and the file stealer deliberately skips AI coding tool folders like .claude and .cursor to cut down on noise.
Why it matters
Compromising a single developer can be the first domino in a much larger supply chain attack, since that person often holds keys to downstream code and infrastructure. It is the same developer targeting playbook seen from North Korean crews abusing npm and GitHub workflows, and it echoes an earlier Contagious Interview campaign that used the Tsunami framework to steal cryptocurrency.
What you should do
Treat unsolicited "coding challenge" repositories as untrusted code. Run take home assignments only inside a disposable virtual machine or container, never on a workstation holding real credentials or wallets, and inspect image assets and start scripts before executing anything. Rotate any credentials, tokens or wallet seeds that may have touched an affected machine.
Indicators
Command and control traffic pointed at ldb.rightwidth[.]dev, upload.rightwidth[.]dev, controller.rightwidth[.]dev and file.rightwidth[.]dev, with infrastructure seen at 195[.]26[.]248[.]212 and 188[.]40[.]64[.]61. One trojanized archive, ecommerce-main.zip, carried SHA-256 8e571d58794b9b44ae53c2c67bedef72c500e8adbb80aab7a5c263adcba55b1e.
This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.