According to ChainCatcher, market sources indicate that a recent study by security firm Recorded Future reveals that the North Korean-linked hacking group PurpleBravo used fake job interviews to conduct cyber espionage against more than 3,100 IP addresses belonging to companies in the fields of artificial intelligence, cryptocurrency, and financial services.
The group posed as recruiters or developers, using technical interviews as a pretext to trick targets into executing malicious code. The attackers claimed to be from crypto or technology companies, asking job seekers to review code, clone repositories, or complete programming tasks. Security researchers have identified 20 victim organizations from South Asia, North America, and other regions. The group used multiple aliases and employed a fake identity in Odessa, Ukraine, for camouflage. The attacks used remote access trojans such as PylangGhost and GolangGhost, which automatically steal browser credentials and cookies.
The hackers also used a malicious GitHub repository, Astrill VPN, and 17 service providers to host their malware servers. Furthermore, the investigation found that related Telegram channels were selling LinkedIn and Upwork accounts, and the attackers had also interacted with the cryptocurrency exchange MEXC Exchange.


