We recently identified multiple instances of malware on Github that abuse VS Code automation features. Our analysis attributes this activity to Contagious Interview, a DPRK-nexus campaign active since at least 2025-08 that primarily targets developers.In this campaign, threat actors typically pose as recruiters to approach targets. Under the guise of coding tests or video interviews, they lure victims into downloading malicious payloads such as BeaverTail, InvisibleFerret, and OtterCookie.The Github accounts identified in this investigation purported to be recruiters for legitimate companies, Web3 developers, and fictitious organizations. The threat actors likely employed these personas to blend in with normal recruitment and development activities, establishing trust to facilitate malware distribution.Furthermore, our analysis of the deployed malware revealed artifacts suggesting the code was generated using LLMs. This indicates that the threat actors are actively using AI technologies to develop malicious tools more efficiently and complicate reverse engineering efforts.This report examines the threat actors' Github activities and details the operational mechanisms and capabilities of the malware used in these attacks.

EtherRAT is a JavaScript-based implant first documented by Sysdig. The malware was originally observed targeting Linux environments via the React2Shell vulnerability (CVE-2025-55182).During our analysis of EtherRAT, we obtained multiple MSI files communicating with the malware’s C&C server. Our analysis confirmed the existence of EtherRAT variants targeting Windows. Notably, some files were distributed within archive files masquerading as installers for game mods.This report details the analysis of the Windows-based EtherRAT variant disguised as a game mod installer and examines the associated smart contract infrastructure.

In September 2025, the ENKI WhiteHat Threat Research Team detected a malicious mobile application distributed via phishing websites. The threat actor leveraged QR codes and notification pop-ups to lure victims into installing and executing the malware on their mobile devices.Our analysis confirms this sample as the latest iteration of "DOCSWAP," a malware strain originally named by S2W in March 2025. While this version retains the behavioral patterns of earlier variants, it implements a distinct internal APK decryption mechanism. Additionally, we uncovered multiple indicators connecting this activity to the DPRK-nexus threat actor, Kimsuky.Leveraging APK metadata and infrastructure overlaps, we identified three additional malicious applications and seven C&C servers. The threat actor designed each application with distinct decoy themes to deceive victims and evade suspicion.