FAMOUS CHOLLIMA: DPRK employment fraud and developer-lure intrusion set

Metadata

  • Alignment: North Korea (DPRK) (crowdstrike.com)
  • Primary activity: Fraudulent employment and recruiter-style lures leading to malware delivery (crowdstrike.com)
  • Exploitation status: Observed social engineering and supply-chain style tradecraft (no single CVE-driven pattern required) (Unit 42)
  • Confidence level: Moderate (vendor naming overlaps; activity is real, but some telemetry is tracked under different clusters by different vendors) (Recorded Future)

Executive Summary

FAMOUS CHOLLIMA is a DPRK-aligned activity cluster that multiple vendors associate with job-themed social engineering, developer targeting, and monetisation that can include cryptocurrency theft and credential collection. (crowdstrike.com)
CrowdStrike describes it as an adversary focused on illicitly obtaining freelance or full-time work to funnel salaries to North Korea, and ties it to malware families including BeaverTail and InvisibleFerret. (crowdstrike.com)
Separately, Unit 42, Datadog, Recorded Future, and Talos document an ecosystem of “Contagious Interview” style campaigns that lure developers into running code or installing trojanised dependencies, delivering BeaverTail, InvisibleFerret, OtterCookie, and later-stage RATs. (Unit 42)
For defenders, the highest-value control points are hiring workflows (identity verification and device custody), developer endpoint protections (dependency controls and execution guardrails), and monitoring for recruiter-lure artefacts (GitHub repos, npm packages, “coding task” scripts, and remote access tooling). (Microsoft)

Naming and tracking notes

CrowdStrike position: FAMOUS CHOLLIMA (formerly “BadClone”) has been active since at least 2018 and is associated with a broad set of community identifiers including PurpleBravo, Contagious Interview, UNC5342, and Tenacious Pungsan. (crowdstrike.com)
Other vendor views: Recorded Future tracks PurpleBravo as overlapping “Contagious Interview”, and distinguishes it from DPRK remote IT worker operations (PurpleDelta) while noting intersections. (Recorded Future)
Remote IT-worker naming: Microsoft tracks remote IT-worker activity as “Jasper Sleet” (formerly Storm-0287) and notes additional clusters such as Storm-1877 using similar employment-fraud tactics. (Microsoft)

Practical takeaway: treat “FAMOUS CHOLLIMA” as an umbrella label you will see applied to both (1) developer-lure malware delivery and (2) fraudulent employment infiltration, depending on the vendor. (crowdstrike.com)

Objectives and victimology

Primary objectives (observed)

  • Revenue generation via fraudulent employment (salary laundering and sanctions evasion) (crowdstrike.com)
  • Credential and cryptocurrency theft via developer-targeted malware and lures (MITRE ATT&CK)

Targeting profile

  • Individuals: software developers and technical job seekers, especially those linked to cryptocurrency and blockchain work (MITRE ATT&CK)
  • Organisations at risk: firms hiring remote IT talent, plus organisations outsourcing development in South Asia (supply-chain and access risk) (Recorded Future)

Tradecraft summary

Initial access patterns

  1. Recruiter impersonation via third-party platforms (job sites, professional networking) consistent with phishing via services (MITRE ATT&CK T1566.003). (Unit 42)
  2. “Interview task” execution where the victim is persuaded to run code locally, aligning with user execution (T1204.002). (Unit 42)
  3. Dependency and developer-toolchain abuse, including malicious npm packages, aligning with supply chain compromise of dependencies (T1195.001). (Datadog Security Labs)

Payloads and tooling (publicly reported)

  • BeaverTail: JavaScript-based downloader/infostealer used in Contagious Interview activity. (Unit 42)
  • InvisibleFerret: backdoor delivered by BeaverTail in Unit 42 reporting. (Unit 42)
  • OtterCookie: described by Talos and Silent Push as used alongside BeaverTail, with Talos noting functionality convergence and a module for keylogging/screenshotting (relevant to T1056.001 Keylogging). (Cisco Talos Blog)
  • GolangGhost and PylangGhost: Talos reports a Go RAT (“GolangGhost”) and a Python variant (“PylangGhost”). (Cisco Talos Blog)
  • EtherHiding delivery: Google Threat Intelligence Group observed UNC5342 using “EtherHiding” to deliver malware and facilitate crypto theft (notable because it uses blockchain-linked delivery infrastructure). (Google Cloud)

Remote IT-worker infiltration

Law enforcement and Microsoft reporting show DPRK-linked schemes that place operatives into remote IT roles using fraudulent identities, facilitators, and “laptop farms” to appear domestically located. (Microsoft)
This tradecraft can create privileged internal access without an overt “intrusion” phase, changing how defenders should think about initial access and insider-style risk. (Microsoft)

MITRE ATT&CK mapping (selected)

Tactic | Technique | Observed behaviour
Initial Access | Phishing via service (T1566.003) (MITRE ATT&CK) | Recruiter-style outreach through job platforms and social channels. (Unit 42)
Execution | User execution: Malicious file (T1204.002) (MITRE ATT&CK) | Victims run “interview tasks” or scripts locally. (Unit 42)
Initial Access | Supply chain compromise: Dependencies/dev tools (T1195.001) (MITRE ATT&CK) | Malicious npm packages used to seed BeaverTail. (Datadog Security Labs)
Execution | Command and scripting interpreter: JavaScript (T1059.007) (MITRE ATT&CK) | JavaScript-based payloads and modules. (Datadog Security Labs)
Execution | Command and scripting interpreter: Python (T1059.006) (MITRE ATT&CK) | Python RAT variants (PylangGhost). (Cisco Talos Blog)
Command and Control | Ingress tool transfer (T1105) (MITRE ATT&CK) | Downloaders pull later-stage implants and modules. (Unit 42)
Credential Access / Collection | Keylogging (T1056.001) (MITRE ATT&CK) | Talos-reported OtterCookie module adds keylogging/screenshot capability. (Cisco Talos Blog)
Command and Control | Remote access tools (T1219) (MITRE ATT&CK) | Remote-access tooling is a recurring element in remote IT-worker operations. (Microsoft)

Indicators of Compromise (public reporting)

Only indicators explicitly published by reputable sources are included. These may be inactive, sinkholed, or repurposed.

Type | Value | Context / Notes | Source | Confidence
Domain | blocknovas[.]com | Reported “front company” infrastructure used in job lures | Silent Push | Moderate (Silent Push)
Domain | angeloper[.]com | Reported front company used in job lures | Silent Push | Moderate (Silent Push)
Domain | softglide[.]co | Reported front company used in job lures | Silent Push | Moderate (Silent Push)
Package (npm) | passports-js | Malicious npm package containing BeaverTail | Datadog Security Labs | High (Datadog Security Labs)
Package (npm) | bcrypts-js | Malicious npm package containing BeaverTail | Datadog Security Labs | High (Datadog Security Labs)
Package (npm) | blockscan-api | Malicious npm package containing BeaverTail | Datadog Security Labs | High (Datadog Security Labs)
IP:Port | 95.164.17[.]24:1224 | Example C2 noted in Unit 42 reporting of a victim-run sample | Unit 42 | Moderate (Unit 42)

Detection and response guidance

High-signal detections (practitioner-focused)

  • Developer endpoint telemetry: alert on package installation or execution tied to newly created “interview task” repos, and on suspicious Node/Python execution chains (for example, node spawning downloaders or unusual network beacons shortly after an npm install). This is directly relevant to the malicious-dependency pattern described by Datadog and Unit 42. (Datadog Security Labs)
  • Hiring pipeline controls: Microsoft recommends monitoring identity anomalies and sign-in risk patterns consistent with employment fraud (for example, impossible travel between western locations and China/Russia), and treating remote worker onboarding as a security event. (Microsoft)
  • Remote access tooling governance: enforce allow-lists for remote support tools and investigate unexpected installations or usage on developer laptops, aligned with ATT&CK T1219. (MITRE ATT&CK)
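An added illustration of the install-then-beacon chain in the first bullet above: this is example detection logic written for this page, not code from any cited vendor. The JSON telemetry lines, hostnames and the 203.0.113.10:1224 destination are constructed, and the expected-destination allow-list is an assumption.

```python
import json
from datetime import datetime, timedelta

# Constructed endpoint telemetry (JSON lines); illustrative events, not real logs.
SAMPLE_TELEMETRY = """
{"ts": "2025-01-10T09:00:00", "host": "dev-laptop-1", "kind": "process", "proc": "npm", "parent": "bash", "cmd": "npm install", "cwd": "/home/alice/interview-task"}
{"ts": "2025-01-10T09:00:12", "host": "dev-laptop-1", "kind": "process", "proc": "node", "parent": "npm", "cmd": "node scripts/postinstall.js", "cwd": "/home/alice/interview-task"}
{"ts": "2025-01-10T09:00:15", "host": "dev-laptop-1", "kind": "network", "proc": "node", "dst": "203.0.113.10:1224"}
{"ts": "2025-01-10T14:00:00", "host": "dev-laptop-2", "kind": "process", "proc": "npm", "parent": "bash", "cmd": "npm install", "cwd": "/home/bob/webapp"}
{"ts": "2025-01-10T14:00:05", "host": "dev-laptop-2", "kind": "network", "proc": "npm", "dst": "registry.npmjs.org:443"}
{"ts": "2025-01-10T14:00:40", "host": "dev-laptop-2", "kind": "process", "proc": "node", "parent": "npm", "cmd": "node build.js", "cwd": "/home/bob/webapp"}
"""

# Assumed allow-list: destinations an npm install is expected to reach.
EXPECTED_DESTINATIONS = {"registry.npmjs.org:443", "registry.yarnpkg.com:443"}

def parse_events(text):
    """Parse JSON-lines telemetry into dicts with a datetime 'ts', sorted by time."""
    events = [json.loads(line) for line in text.strip().splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"])
    return sorted(events, key=lambda e: e["ts"])

def find_install_beacon_chains(events, window=timedelta(minutes=10)):
    """Return (host, cwd, dst) for each npm install that, on the same host and within
    `window`, is followed by a node process spawned by npm and an outbound connection
    from node to a destination outside EXPECTED_DESTINATIONS."""
    hits = []
    installs = [e for e in events if e["kind"] == "process" and e["cmd"].startswith("npm install")]
    for inst in installs:
        deadline = inst["ts"] + window
        later = [e for e in events if e["host"] == inst["host"] and inst["ts"] < e["ts"] <= deadline]
        spawned = any(e["kind"] == "process" and e["proc"] == "node" and e["parent"] == "npm" for e in later)
        if not spawned:
            continue
        for e in later:
            if e["kind"] == "network" and e["proc"] == "node" and e["dst"] not in EXPECTED_DESTINATIONS:
                hits.append((inst["host"], inst["cwd"], e["dst"]))
    return hits

if __name__ == "__main__":
    for host, cwd, dst in find_install_beacon_chains(parse_events(SAMPLE_TELEMETRY)):
        print(f"ALERT {host}: npm install in {cwd} spawned node that connected to {dst}")
```

The second host's install only contacts the registry from npm itself, so it does not alert; the interview-task install on the first host does.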

Incident response collection points

  • Preserve “interview task” artefacts: cloned repositories, downloaded archives, shell history, npm/yarn logs, and Python virtual environment directories. Unit 42 specifically documents cases where victims intentionally executed the code in isolated environments, which is useful for recreating execution traces safely. (Unit 42)
  • If employment fraud is suspected: validate device custody, review remote-access sessions, correlate payroll/HR records to IAM logs, and follow FBI guidance on DPRK IT-worker threats. (Federal Bureau of Investigation)

Mitigation recommendations

  1. Harden developer build and dependency workflows
    • Require dependency pinning, integrity checks, and private registries for high-risk ecosystems where feasible, addressing the dependency compromise pattern (T1195.001). (Datadog Security Labs)
  2. Treat recruiting outreach as an attack surface
    • Provide security awareness training for engineers and recruiters on job-themed lures, and enforce a “do not run code for interviews on production devices” policy. (Unit 42)
  3. Reduce exposure from remote hiring
    • Adopt the due diligence controls and red flags in US Treasury guidance on DPRK IT workers, and align HR, legal, and security processes (sanctions risk plus cyber risk). (OFAC)
  4. Prepare for “inside access” scenarios
    • Assume a malicious hire can provide persistence through legitimate credentials and tools. Focus on least privilege, strong device attestation, and continuous access evaluation. (Microsoft)
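An added example of the dependency-workflow checks in item 1 above, written for this page rather than taken from any cited vendor: it audits a constructed package-lock.json for floating version ranges, missing integrity hashes, packages resolved outside the trusted registry, and names that closely resemble well-known packages (using the page's own passports-js and bcrypts-js as the near-miss cases). The lockfile content, the WELL_KNOWN list, the TRUSTED_REGISTRY value and the similarity threshold are assumptions.

```python
import json
from difflib import SequenceMatcher

# Constructed package-lock.json (lockfileVersion 3 layout); not from any real project.
# The integrity values are placeholders, not real hashes.
SAMPLE_LOCKFILE = json.dumps({
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"passport": "^0.7.0", "passports-js": "1.0.0", "bcrypts-js": "1.0.0"}},
        "node_modules/passport": {"version": "0.7.0",
                                  "resolved": "https://registry.npmjs.org/passport/-/passport-0.7.0.tgz",
                                  "integrity": "sha512-PLACEHOLDER"},
        "node_modules/passports-js": {"version": "1.0.0",
                                      "resolved": "https://registry.npmjs.org/passports-js/-/passports-js-1.0.0.tgz"},
        "node_modules/bcrypts-js": {"version": "1.0.0",
                                    "resolved": "https://mirror.example.invalid/bcrypts-js-1.0.0.tgz",
                                    "integrity": "sha512-PLACEHOLDER"},
    },
})

# Assumed reference list: packages the organisation knowingly depends on.
WELL_KNOWN = ["passport", "bcrypt", "express", "lodash"]
TRUSTED_REGISTRY = "https://registry.npmjs.org/"   # assumed single allowed source

def name_similarity(a, b):
    return SequenceMatcher(None, a, b).ratio()

def audit_lockfile(text, threshold=0.75):
    """Return (package, finding) pairs for pinning, integrity, source and look-alike problems."""
    lock = json.loads(text)
    findings = []
    for spec_name, spec in lock["packages"][""].get("dependencies", {}).items():
        if spec.startswith(("^", "~")):          # caret/tilde range: not pinned
            findings.append((spec_name, f"floating version range {spec} in root dependencies"))
    for path, meta in lock["packages"].items():
        if path == "":
            continue
        name = path.rsplit("node_modules/", 1)[1]
        if "integrity" not in meta:
            findings.append((name, "missing integrity hash"))
        if not meta.get("resolved", "").startswith(TRUSTED_REGISTRY):
            findings.append((name, "resolved outside trusted registry"))
        if name not in WELL_KNOWN:                # look-alike of a package we actually use?
            close = [w for w in WELL_KNOWN if name_similarity(name, w) >= threshold]
            if close:
                findings.append((name, f"name resembles well-known package {close[0]}"))
    return findings

if __name__ == "__main__":
    for pkg, finding in audit_lockfile(SAMPLE_LOCKFILE):
        print(f"{pkg}: {finding}")
```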

Further reading

  • CrowdStrike’s definition and community identifiers for FAMOUS CHOLLIMA (crowdstrike.com)
  • MITRE ATT&CK group entry for Contagious Interview (G1052) (MITRE ATT&CK)
  • Unit 42 deep dive on Contagious Interview and updated BeaverTail/InvisibleFerret variants (Unit 42)
  • Datadog analysis of malicious npm packages attributed to “Tenacious Pungsan” (Datadog Security Labs)
  • Cisco Talos reporting on OtterCookie evolution and PylangGhost (Cisco Talos Blog)
  • Microsoft guidance on DPRK remote IT worker operations (Jasper Sleet) (Microsoft)
  • US DOJ and FBI updates on “laptop farm” and DPRK IT worker schemes (Department of Justice)