← Back to Pulse Feed
PULSE DETAIL
PULSE NAME
Beyond the Backdoor: How Contagious Interview Is Surgically Tampering with MetaMask Wallets.
The Contagious Interview campaign, linked to North Korean threat actors, is currently targeting IT professionals in the cryptocurrency, Web3, and AI sectors, with the intent to steal financial information and sensitive data. This threat employs a two-stage attack that starts with a JavaScript payload, confirming successful infection by sending a beacon to the attackers' command-and-control (C2) servers, and retrieving additional scripts. These secondary payloads include a Python-based malware named InvisibleFerret and two JavaScript files: one to create a remote-access backdoor and another to identify and exfiltrate sensitive files from the victim's system.
MITRE ATT&CK & Malware Families
Indicators of Compromise (15 / 37 total)
| TYPE | INDICATOR | DESCRIPTION | CREATED | |
|---|---|---|---|---|
| URL | http://145.59.1.45:1244 | — | 2026-02-19 | |
| URL | http://145.59.1.45:1244/mmz/[extension_id]_[campaign | — | 2026-02-19 | |
| URL | http://145.59.1.45:1244/mmz/nkbihfbeogaeaoehlefnkodbefgpgknn_ZU1RIOk9 | — | 2026-02-19 | |
| URL | http://147.124.202.163:1243 | — | 2026-02-19 | |
| URL | http://202.163.147.124:1248 | — | 2026-02-19 | |
| URL | http://45.43.11.200:1244 | — | 2026-02-19 | |
| URL | http://45.43.11.248:1244 | — | 2026-02-19 | |
| URL | http://66.235.168.238:1244 | — | 2026-02-19 | |
| URL | http://66.235.168.238:1244/t | — | 2026-02-19 | |
| URL | http://66.235.28.238:1249 | — | 2026-02-19 | |
| URL | http://66.235.28.238:1249/hm | — | 2026-02-19 | |
| URL | http://67.203.7.205:1244 | — | 2026-02-19 | |
| URL | http://67.203.7.205:1244/j/[campaign | — | 2026-02-19 | |
| URL | http://67.203.7.205:1244/p | — | 2026-02-19 | |
| URL | http://this.store?._state?.KeyringController?.vault | — | 2026-02-19 |