North Korean Job-Interview Scam Hides Malware Inside Flag Images
Fake coding tests planted a four-stage stealer on developers' machines, with the payload smuggled inside SVG picture files.

Key points
- Researchers tied the campaign to North Korea's long-running Contagious Interview operation, which uses fake job offers to lure software developers.
- Victims who ran the supplied coding project received a four-stage payload aligned with OtterCookie, a known North Korean malware family.
- The malware was hidden inside SVG image files using steganography, a technique that conceals data inside pictures.
- The final stages steal browser passwords, cryptocurrency wallet contents, and files from the victim's computer.
North Korean hackers are back with a familiar trick and a new hiding place.
Security researchers have flagged a fresh wave of the Contagious Interview campaign, a long-running operation in which people posing as recruiters approach software developers with fake job offers and coding challenges. The trap is the take-home test. Run the sample project and you infect your own machine.
This time, first reported by The Hacker News, the criminals hid their malware inside SVG files. SVG stands for Scalable Vector Graphics, a common image format used across the web. The hackers used steganography, meaning they buried malicious code inside the pixels of an ordinary-looking picture, in this case a national flag image bundled with the coding test.
Anyone who opened the project and ran it triggered a chain of four separate malware stages.
What does the malware actually do?
It empties your browser and your crypto wallet, then rifles through your files.
The payload is aligned with OtterCookie, a malware family researchers have previously tied to North Korean operators. Stage one and two set up the infection quietly. The later stages do the damage: one component scrapes saved passwords and cookies from web browsers and pulls credentials out of cryptocurrency wallet apps. Another sweeps the machine for interesting files and sends them back to the attackers.
For a developer, that can mean stolen source code, stolen API keys, and a drained wallet in the space of an afternoon.
Who is being targeted?
The pattern is consistent with earlier Contagious Interview activity: software engineers, particularly those working in cryptocurrency, blockchain, and Web3 projects.
The approach usually arrives through LinkedIn, Telegram, or a freelance job site. A recruiter with a plausible profile pitches a role, arranges a chat, and asks the candidate to complete a coding exercise hosted on GitHub or a shared drive. The project looks legitimate. The malicious code sits inside a dependency, a build script, or, as in this case, an image file the project loads at runtime.
North Korean groups have been running versions of this playbook since at least 2022. The goal is money. Pyongyang uses stolen cryptocurrency to fund state programmes, and the United Nations has repeatedly documented the flow.
What should developers do right now?
Treat every unsolicited coding test as suspect until proven otherwise.
If a recruiter you have never met asks you to run code on your personal or work machine, that is the moment to slow down. Run unknown projects inside a virtual machine or a disposable container, never on your daily driver. Keep cryptocurrency wallets on a separate device, ideally a hardware wallet. If you have already run something that felt off, rotate your passwords, revoke your browser sessions, and move any crypto holdings to a fresh wallet from a clean machine.
Companies hiring engineers should also warn candidates that legitimate technical interviews do not require running arbitrary code locally. Sandboxed platforms exist for a reason.
The SVG trick is new. The lure is not. And it keeps working because the pitch, a well-paid job, is one very few developers want to ignore.



