← Back to Pulse Feed
PULSE DETAIL
PULSE NAME
Beyond the Backdoor: How Contagious Interview Is Surgically Tampering with MetaMask Wallets.
WHITE PetrP.73 2026-02-19 Modified: 2026-03-21
37
IOCs
MEDIUM VOLUME
The Contagious Interview campaign, linked to North Korean threat actors, is currently targeting IT professionals in the cryptocurrency, Web3, and AI sectors, with the intent to steal financial information and sensitive data. This threat employs a two-stage attack that starts with a JavaScript payload, confirming successful infection by sending a beacon to the attackers' command-and-control (C2) servers, and retrieving additional scripts. These secondary payloads include a Python-based malware named InvisibleFerret and two JavaScript files: one to create a remote-access backdoor and another to identify and exfiltrate sensitive files from the victim's system.
javascriptc2 serverchromeinvisibleferretmetamask walletmetamaskjavascript filejsonhmacbeavertailpythonconfigseedpathlocalservicecode
MITRE ATT&CK & Malware Families
ATT&CK TECHNIQUES
MALWARE FAMILIES
InvisibleFerret
Indicators of Compromise (37)
All FileHash-MD5 FileHash-SHA1 FileHash-SHA256 URL domain
TYPEINDICATORDESCRIPTIONCREATED
FileHash-MD5 134102aa60f0a97a78a6299b35c30e69 2026-02-19
FileHash-MD5 1b39dfc0ef262baba95b58e3b8d81c8e 2026-02-19
FileHash-MD5 211d0fad75d20a032803e7cc0d277e09 2026-02-19
FileHash-MD5 3013d942ee75ee982f66d7d1021a759d 2026-02-19
FileHash-MD5 427bb906b72388381ed3d1ef22f0b3ad 2026-02-19
FileHash-MD5 6244da9940f50b9f51e3d85766cb1226 2026-02-19
FileHash-MD5 687b235572f3b35c0eb5c6c742862db4 2026-02-19
FileHash-MD5 6d3f1aeed4feca39cb5d53f59bf6d9a5 2026-02-19
FileHash-MD5 6da79a0ddb7c4923f834ba723f8aea6f 2026-02-19
FileHash-MD5 800ffb10a79370991c5c918f572fe192 2026-02-19
FileHash-MD5 8e6db10b5acc15c2cc54592e3dd49bf7 2026-02-19
FileHash-MD5 900b95205e414e04eacd0ba5dc4868a5 2026-02-19
FileHash-MD5 998cc427b2be37bd9dbb109bd1843366 2026-02-19
FileHash-MD5 b18101a943a149cb1cbb3cac3b4f9f6c 2026-02-19
FileHash-MD5 d423bf6b18662aed88ddd69c72b4e116 2026-02-19
FileHash-MD5 d80a29cefae892d26567b14ba9ba21c6 2026-02-19
FileHash-MD5 ddec84f075036f4afee55e708987b05a 2026-02-19
FileHash-MD5 f55560735ae028745cf6c90488b07bd7 2026-02-19
FileHash-SHA1 3606f2a1a44a4c85cde75e52c288a2a779be4acf SHA1 of 1b39dfc0ef262baba95b58e3b8d81c8e 2026-02-19
FileHash-SHA256 ba5c684d5d611af8d2ec318b66861465122a6fa2494c1ef343769e14a8b144f3 SHA256 of 1b39dfc0ef262baba95b58e3b8d81c8e 2026-02-19
URL http://145.59.1.45:1244 2026-02-19
URL http://145.59.1.45:1244/mmz/[extension_id]_[campaign 2026-02-19
URL http://145.59.1.45:1244/mmz/nkbihfbeogaeaoehlefnkodbefgpgknn_ZU1RIOk9 2026-02-19
URL http://147.124.202.163:1243 2026-02-19
URL http://202.163.147.124:1248 2026-02-19
URL http://45.43.11.200:1244 2026-02-19
URL http://45.43.11.248:1244 2026-02-19
URL http://66.235.168.238:1244 2026-02-19
URL http://66.235.168.238:1244/t 2026-02-19
URL http://66.235.28.238:1249 2026-02-19
URL http://66.235.28.238:1249/hm 2026-02-19
URL http://67.203.7.205:1244 2026-02-19
URL http://67.203.7.205:1244/j/[campaign 2026-02-19
URL http://67.203.7.205:1244/p 2026-02-19
URL http://this.store?._state?.KeyringController?.vault 2026-02-19
domain this.report 2026-02-19
domain this.store 2026-02-19
References (1)
↗ https://sp4rk.medium.com/beyond-the-backdoor-how-contagious-interview-is-surgically-tampering-with-metamask-wallets-0314ae901d85