North Korean Hackers Exploit SVG Steganography in 'Contagious Interview' Campaign
North Korean threat actors, identified as REF9403 and linked to the 'Contagious Interview' campaign, are employing sophisticated steganography techniques within SVG image files to hide malicious payloads. This new tactic is part of an ongoing social engineering operation targeting software developers with fake job postings and coding challenges, aiming to steal sensitive data and cryptocurrency.

North Korean threat actors, tracked under the moniker **REF9403** and associated with the **Contagious Interview** campaign, have been observed using steganography in **SVG** image files. This method conceals malicious payloads within seemingly innocuous images, forming a crucial part of a larger operation leveraging fake job postings and coding challenges.
According to **Elastic Security Labs**, any user who executed the compromised project would encounter a four-stage payload. This includes **OTTERCOOKIE**, a browser credential and crypto wallet stealer, a file stealer, a **Socket.IO**-based remote access trojan (**RAT**), and a clipboard stealer.
### Targeting Software Developers
These findings underscore the persistent targeting of software developers by state-sponsored hackers affiliated with the **Democratic People's Republic of Korea (DPRK)**. The primary objective remains the exfiltration of sensitive data and the plundering of cryptocurrency wallets.
**Elastic Security Labs** uncovered this campaign after threat actors targeted members of its community **Slack** workspace. Attackers used social engineering lures disguised as job offers, marking a new initial access vector previously undocumented in **Contagious Interview** operations, which have been ongoing since at least December 2022.
### The Lure: Fake Job Offers and Coding Challenges
Messages, posted by a user named Maxwell in the #jobs Slack channel in late May 2026, sought an experienced developer. The purported role involved upgrading an e-commerce platform using technologies like **Next.js (v14)**, **NestJS**, **PostgreSQL**, **Auth.js**, and **Stripe** integration.
Interested individuals were moved to direct messages and instructed to complete a coding assessment. This is a standard tactic in **Contagious Interview** campaigns. The assignment involved executing a trojanized repository, which, unbeknownst to the victim, contained malware designed to exfiltrate data and establish a **Socket.IO** backdoor.
### Steganography in Action
The repositories distributed in this scheme incorporate fully functional code while embedding malicious code within **SVG** images to evade detection.
"While these legitimate-looking projects run perfectly fine, the malicious code is triggered silently behind-the-scenes," **Elastic** explained. "The payloads are split into base64 fragments inside HTML comments across every SVG flag image inside an assets directory. These files appear to be normal images of country flags (AE.svg, AF.svg), but each file contains an injected comment block with Base64-encoded data."

A JavaScript file named "serverValidation.js" within the repository then assembles this payload. The attack chain ensures the malware executes upon each server boot. **Elastic** noted that the main payload exhibits overlaps with **OtterCookie**, a cross-platform malware first observed in September 2024.
**Microsoft** previously described **OtterCookie** as having evolved "from a basic tool for executing remote commands and searching for crypto keys into a modular program capable of broader data theft with a capability to check for VM environments, install communication clients like socket.io for C2, exfiltrate information, executes arbitrary shell commands, load other modules to collect specific intended data and reports results."
### OtterCookie's Modularity and Data Theft Capabilities
**OtterCookie** features four distinct modules: data harvesting from web browsers and cryptocurrency wallets, collection of files with specific extensions, persistent remote control via a **Socket.IO**-based trojan that can execute shell commands, clipboard content capture, and the ability to drop Windows executables.
Notably, **OtterCookie** targets files associated with artificial intelligence (**AI**) coding tools, including extensions such as .claude, .cursor, .gemini, .windsurf, .pearai, and .llama. This indicates the threat actors are continuously refining their arsenal to maximize information exfiltration.
This malware also shares functional similarities with a data stealer and trojan propagated through fake **npm** packages mimicking **Rollup** polyfill tooling. This suggests the threat actors are employing multiple vectors for propagation.
"This campaign reinforces that developers remain a prime target, where the compromise of a single individual can provide the initial access needed to enable far-reaching supply chain attacks against downstream organizations," **Elastic** concluded. "The success of these operations underscores how compromising an individual developer can provide a path to much broader organizational impact."