North Korean Hackers Return with Fake Job Interview Attacks on 3,100+ IP Addresses

BlockBeats News, January 22nd. Following a more than $2 billion theft from the cryptocurrency market in 2025, North Korean hackers, known as the PurpleBravo group, have resurfaced. They launched a large-scale fake recruitment campaign, targeting over 3,100 internet addresses associated with artificial intelligence, cryptocurrency, and financial services companies. The attackers, posing as recruiters or developers, tricked job seekers into performing technical interview tasks, including code reviews, code cloning, or completing programming assignments, leading to the execution of malicious code on corporate devices. Currently, 20 organizations from South Asia, North America, Europe, the Middle East, and Central America have been confirmed as victims.

Researchers found that the North Korean hackers used forged Ukrainian identities for obfuscation and deployed two remote access trojans, PylangGhost and GolangGhost, to steal browser credentials. They also developed a weaponized version of Microsoft Visual Studio Code to implant backdoors through malicious Git repositories.