{ "type": "Domain", "indicator": "skillcheck.pro", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/skillcheck.pro", "alexa": "http://www.alexa.com/siteinfo/skillcheck.pro", "indicator": "skillcheck.pro", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4126810592, "indicator": "skillcheck.pro", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 8, "pulses": [ { "id": "68b9d266a57b122998115dc6", "name": "Contagious Interview | North Korean Threat Actors Reveal Plans and Ops by Abusing Cyber Intel Platforms", "description": "North Korean threat actors associated with the Contagious Interview campaign cluster are actively monitoring cyber threat intelligence platforms to detect infrastructure exposure and scout for new assets. They operate in coordinated teams, likely using Slack for real-time collaboration, and leverage multiple intelligence sources including Validin, VirusTotal, and Maltrail. Despite being aware of their infrastructure's detectability, they make only limited changes to reduce detection risk, focusing instead on rapidly deploying new infrastructure to sustain operations. The actors' effectiveness is evident in their engagement of over 230 victims between January and March 2025, primarily targeting individuals in the cryptocurrency industry. Their activities involve sophisticated social engineering tactics, including the ClickFix technique, to trick targets into executing malware.", "modified": "2025-10-04T17:00:59.344000", "created": "2025-09-04T17:54:46.837000", "tags": [ "cyber espionage", "social engineering", "north korea", "job seeker targeting", "clickfix", "lazarus", "infrastructure monitoring", "cryptocurrency", "contagiousdrop" ], "references": [ "https://www.sentinelone.com/labs/contagious-interview-threat-actors-scout-cyber-intel-platforms-reveal-plans-and-ops" ], "public": 1, "adversary": "Contagious Interview", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1589", "name": "Gather Victim Identity Information", "display_name": "T1589 - Gather Victim Identity Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1584", "name": "Compromise Infrastructure", "display_name": "T1584 - Compromise Infrastructure" }, { "id": "T1586", "name": "Compromise Accounts", "display_name": "T1586 - Compromise Accounts" }, { "id": "T1608", "name": "Stage Capabilities", "display_name": "T1608 - Stage Capabilities" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1585", "name": "Establish Accounts", "display_name": "T1585 - Establish Accounts" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1587", "name": "Develop Capabilities", "display_name": "T1587 - Develop Capabilities" } ], "industries": [ "Finance", "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 44164, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 116, "FileHash-SHA1": 99, "FileHash-SHA256": 246, "CVE": 1, "domain": 2140, "hostname": 1231 }, "indicator_count": 3833, "is_author": false, "is_subscribing": null, "subscriber_count": 386548, "modified_text": "238 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68c0049e28f7142d555c1551", "name": "North Korean Hackers Weaponize Threat Intel Platforms to Evade Detection", "description": "", "modified": "2025-10-09T10:09:48.382000", "created": "2025-09-09T10:42:36.810000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Abinsiby12345", "id": "358730", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 2, "domain": 22, "hostname": 4 }, "indicator_count": 32, "is_author": false, "is_subscribing": null, "subscriber_count": 22, "modified_text": "234 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68c0049f10d7ab090dbee3ec", "name": "North Korean Hackers Weaponize Threat Intel Platforms to Evade Detection", "description": "", "modified": "2025-10-09T10:09:48.382000", "created": "2025-09-09T10:42:27.673000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Abinsiby12345", "id": "358730", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 2, "domain": 22, "hostname": 4 }, "indicator_count": 32, "is_author": false, "is_subscribing": null, "subscriber_count": 23, "modified_text": "234 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68bfb56d825c461ffb132a56", "name": "Contagious Interview | North Korean Threat Actors Reveal Plans and Ops by Abusing Cyber Intel Platforms | SentinelOne", "description": "A joint investigation by SentinelLABS, Validin, and other partner organizations has identified North Korean threat actors involved in the Contagious Interview campaign, which exposed the infrastructure of a suspected APT umbrella cluster.", "modified": "2025-10-09T05:00:02.677000", "created": "2025-09-09T05:04:45.043000", "tags": [ "validin", "march", "sentinellabs", "virustotal", "ip address", "contagiousdrop", "clickfix", "maltrail", "lazarus", "validin use", "april", "june", "date", "team", "robinhood", "scarcruft", "contagious interview", "talentcheck" ], "references": [ "https://www.sentinelone.com/labs/contagious-interview-threat-actors-scout-cyber-intel-platforms-reveal-plans-and-ops/" ], "public": 1, "adversary": "Lazarus", "targeted_countries": [], "malware_families": [ { "id": "TalentCheck", "display_name": "TalentCheck", "target": null }, { "id": "Contagious Interview", "display_name": "Contagious Interview", "target": null }, { "id": "ClickFix", "display_name": "ClickFix", "target": null } ], "attack_ids": [ { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1104", "name": "Multi-Stage Channels", "display_name": "T1104 - Multi-Stage Channels" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" } ], "industries": [ "Cryptocurrency", "Finance" ], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "FileHash-SHA1": 3, "FileHash-SHA256": 3, "URL": 2, "domain": 26, "email": 7, "hostname": 5 }, "indicator_count": 49, "is_author": false, "is_subscribing": null, "subscriber_count": 277, "modified_text": "234 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68bad3a85f93a776986fe921", "name": "North Korean \u201cContagious Interview\u201d Operators Abuse Threat Intel Platforms", "description": "A sophisticated cyber campaign by the Lazarus Group has been uncovered exploiting Cyber Threat Intelligence (CTI) platforms to monitor their own exposure, scout for new infrastructure and refine operations.", "modified": "2025-10-05T12:01:39.399000", "created": "2025-09-05T12:12:24.851000", "tags": [], "references": [ "September 05th, 2025 - CryptoGen Cyber Threat Intelligence Advisory #8093 - North Korean \u201cContagious Interview\u201d Operators Abuse Threat Intel Platforms.pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "FileHash-SHA1": 3, "FileHash-SHA256": 3, "URL": 2, "domain": 26, "hostname": 5 }, "indicator_count": 42, "is_author": false, "is_subscribing": null, "subscriber_count": 501, "modified_text": "238 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68bad3a96ef242b5d59a7daa", "name": "North Korean \u201cContagious Interview\u201d Operators Abuse Threat Intel Platforms", "description": "A sophisticated cyber campaign by the Lazarus Group has been uncovered exploiting Cyber Threat Intelligence (CTI) platforms to monitor their own exposure, scout for new infrastructure and refine operations.", "modified": "2025-10-05T12:01:39.399000", "created": "2025-09-05T12:12:25.243000", "tags": [], "references": [ "September 05th, 2025 - CryptoGen Cyber Threat Intelligence Advisory #8093 - North Korean \u201cContagious Interview\u201d Operators Abuse Threat Intel Platforms.pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "FileHash-SHA1": 3, "FileHash-SHA256": 3, "URL": 2, "domain": 26, "hostname": 5 }, "indicator_count": 42, "is_author": false, "is_subscribing": null, "subscriber_count": 500, "modified_text": "238 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68bab66cf6f03b10dcad248d", "name": "Contagious Interview | North Korean Threat Actors Reveal Plans and Ops by Abusing Cyber Intel Platforms | SentinelOne", "description": "A joint investigation by SentinelLABS, Validin, and other partner organizations has identified North Korean threat actors involved in the Contagious Interview campaign, which targeted 230 targets between March 2025 and June 2025.", "modified": "2025-10-05T09:04:24.572000", "created": "2025-09-05T10:07:40.607000", "tags": [ "validin", "march", "sentinellabs", "virustotal", "ip address", "contagiousdrop", "clickfix", "maltrail", "lazarus", "validin use", "april", "june", "date", "team", "robinhood", "scarcruft", "contagious interview", "talentcheck" ], "references": [ "https://www.sentinelone.com/labs/contagious-interview-threat-actors-scout-cyber-intel-platforms-reveal-plans-and-ops/" ], "public": 1, "adversary": "Lazarus", "targeted_countries": [], "malware_families": [ { "id": "TalentCheck", "display_name": "TalentCheck", "target": null }, { "id": "Contagious Interview", "display_name": "Contagious Interview", "target": null }, { "id": "ClickFix", "display_name": "ClickFix", "target": null } ], "attack_ids": [ { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1104", "name": "Multi-Stage Channels", "display_name": "T1104 - Multi-Stage Channels" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" } ], "industries": [ "Cryptocurrency", "Finance" ], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "FileHash-SHA1": 3, "FileHash-SHA256": 3, "URL": 2, "domain": 26, "email": 7, "hostname": 5 }, "indicator_count": 49, "is_author": false, "is_subscribing": null, "subscriber_count": 863, "modified_text": "238 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68ba52bf307b14f1d7ab0b9d", "name": "IOC - Contagious Interview | North Korean Threat Actors Reveal Plans and Ops by Abusing Cyber Intel Platforms", "description": "In collaboration with the internet intelligence platform Validin, SentinelLABS has been tracking activity on the platform which we attribute with high confidence to North Korean threat actors involved in the Contagious Interview campaign cluster. This activity, which took place between March and June 2025, involved the threat actors examining cyber threat intelligence (CTI) information related to their infrastructure. Our unique visibility has provided valuable insights into their operational practices, internal coordination, infrastructure management and deployment, and victimology.", "modified": "2025-10-05T03:00:41.284000", "created": "2025-09-05T03:02:23.298000", "tags": [ "validin", "operators", "value note", "addresses", "ip addresses", "validin account", "domains", "sha1 hashes" ], "references": [ "https://www.sentinelone.com/labs/contagious-interview-threat-actors-scout-cyber-intel-platforms-reveal-plans-and-ops/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "FileHash-SHA1": 3, "FileHash-SHA256": 3, "domain": 24, "email": 7, "hostname": 5 }, "indicator_count": 45, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "238 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://www.sentinelone.com/labs/contagious-interview-threat-actors-scout-cyber-intel-platforms-reveal-plans-and-ops", "https://www.sentinelone.com/labs/contagious-interview-threat-actors-scout-cyber-intel-platforms-reveal-plans-and-ops/", "September 05th, 2025 - CryptoGen Cyber Threat Intelligence Advisory #8093 - North Korean \u201cContagious Interview\u201d Operators Abuse Threat Intel Platforms.pdf" ], "related": { "alienvault": { "adversary": [ "Contagious Interview" ], "malware_families": [], "industries": [ "Finance", "Technology" ] }, "other": { "adversary": [ "Lazarus" ], "malware_families": [ "Talentcheck", "Clickfix", "Contagious interview" ], "industries": [ "Finance", "Cryptocurrency" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 8, "pulses": [ { "id": "68b9d266a57b122998115dc6", "name": "Contagious Interview | North Korean Threat Actors Reveal Plans and Ops by Abusing Cyber Intel Platforms", "description": "North Korean threat actors associated with the Contagious Interview campaign cluster are actively monitoring cyber threat intelligence platforms to detect infrastructure exposure and scout for new assets. They operate in coordinated teams, likely using Slack for real-time collaboration, and leverage multiple intelligence sources including Validin, VirusTotal, and Maltrail. Despite being aware of their infrastructure's detectability, they make only limited changes to reduce detection risk, focusing instead on rapidly deploying new infrastructure to sustain operations. The actors' effectiveness is evident in their engagement of over 230 victims between January and March 2025, primarily targeting individuals in the cryptocurrency industry. Their activities involve sophisticated social engineering tactics, including the ClickFix technique, to trick targets into executing malware.", "modified": "2025-10-04T17:00:59.344000", "created": "2025-09-04T17:54:46.837000", "tags": [ "cyber espionage", "social engineering", "north korea", "job seeker targeting", "clickfix", "lazarus", "infrastructure monitoring", "cryptocurrency", "contagiousdrop" ], "references": [ "https://www.sentinelone.com/labs/contagious-interview-threat-actors-scout-cyber-intel-platforms-reveal-plans-and-ops" ], "public": 1, "adversary": "Contagious Interview", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1589", "name": "Gather Victim Identity Information", "display_name": "T1589 - Gather Victim Identity Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1584", "name": "Compromise Infrastructure", "display_name": "T1584 - Compromise Infrastructure" }, { "id": "T1586", "name": "Compromise Accounts", "display_name": "T1586 - Compromise Accounts" }, { "id": "T1608", "name": "Stage Capabilities", "display_name": "T1608 - Stage Capabilities" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1585", "name": "Establish Accounts", "display_name": "T1585 - Establish Accounts" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1587", "name": "Develop Capabilities", "display_name": "T1587 - Develop Capabilities" } ], "industries": [ "Finance", "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 44164, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 116, "FileHash-SHA1": 99, "FileHash-SHA256": 246, "CVE": 1, "domain": 2140, "hostname": 1231 }, "indicator_count": 3833, "is_author": false, "is_subscribing": null, "subscriber_count": 386548, "modified_text": "238 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68c0049e28f7142d555c1551", "name": "North Korean Hackers Weaponize Threat Intel Platforms to Evade Detection", "description": "", "modified": "2025-10-09T10:09:48.382000", "created": "2025-09-09T10:42:36.810000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Abinsiby12345", "id": "358730", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 2, "domain": 22, "hostname": 4 }, "indicator_count": 32, "is_author": false, "is_subscribing": null, "subscriber_count": 22, "modified_text": "234 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68c0049f10d7ab090dbee3ec", "name": "North Korean Hackers Weaponize Threat Intel Platforms to Evade Detection", "description": "", "modified": "2025-10-09T10:09:48.382000", "created": "2025-09-09T10:42:27.673000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Abinsiby12345", "id": "358730", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 2, "domain": 22, "hostname": 4 }, "indicator_count": 32, "is_author": false, "is_subscribing": null, "subscriber_count": 23, "modified_text": "234 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68bfb56d825c461ffb132a56", "name": "Contagious Interview | North Korean Threat Actors Reveal Plans and Ops by Abusing Cyber Intel Platforms | SentinelOne", "description": "A joint investigation by SentinelLABS, Validin, and other partner organizations has identified North Korean threat actors involved in the Contagious Interview campaign, which exposed the infrastructure of a suspected APT umbrella cluster.", "modified": "2025-10-09T05:00:02.677000", "created": "2025-09-09T05:04:45.043000", "tags": [ "validin", "march", "sentinellabs", "virustotal", "ip address", "contagiousdrop", "clickfix", "maltrail", "lazarus", "validin use", "april", "june", "date", "team", "robinhood", "scarcruft", "contagious interview", "talentcheck" ], "references": [ "https://www.sentinelone.com/labs/contagious-interview-threat-actors-scout-cyber-intel-platforms-reveal-plans-and-ops/" ], "public": 1, "adversary": "Lazarus", "targeted_countries": [], "malware_families": [ { "id": "TalentCheck", "display_name": "TalentCheck", "target": null }, { "id": "Contagious Interview", "display_name": "Contagious Interview", "target": null }, { "id": "ClickFix", "display_name": "ClickFix", "target": null } ], "attack_ids": [ { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1104", "name": "Multi-Stage Channels", "display_name": "T1104 - Multi-Stage Channels" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" } ], "industries": [ "Cryptocurrency", "Finance" ], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "FileHash-SHA1": 3, "FileHash-SHA256": 3, "URL": 2, "domain": 26, "email": 7, "hostname": 5 }, "indicator_count": 49, "is_author": false, "is_subscribing": null, "subscriber_count": 277, "modified_text": "234 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68bad3a85f93a776986fe921", "name": "North Korean \u201cContagious Interview\u201d Operators Abuse Threat Intel Platforms", "description": "A sophisticated cyber campaign by the Lazarus Group has been uncovered exploiting Cyber Threat Intelligence (CTI) platforms to monitor their own exposure, scout for new infrastructure and refine operations.", "modified": "2025-10-05T12:01:39.399000", "created": "2025-09-05T12:12:24.851000", "tags": [], "references": [ "September 05th, 2025 - CryptoGen Cyber Threat Intelligence Advisory #8093 - North Korean \u201cContagious Interview\u201d Operators Abuse Threat Intel Platforms.pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "FileHash-SHA1": 3, "FileHash-SHA256": 3, "URL": 2, "domain": 26, "hostname": 5 }, "indicator_count": 42, "is_author": false, "is_subscribing": null, "subscriber_count": 501, "modified_text": "238 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68bad3a96ef242b5d59a7daa", "name": "North Korean \u201cContagious Interview\u201d Operators Abuse Threat Intel Platforms", "description": "A sophisticated cyber campaign by the Lazarus Group has been uncovered exploiting Cyber Threat Intelligence (CTI) platforms to monitor their own exposure, scout for new infrastructure and refine operations.", "modified": "2025-10-05T12:01:39.399000", "created": "2025-09-05T12:12:25.243000", "tags": [], "references": [ "September 05th, 2025 - CryptoGen Cyber Threat Intelligence Advisory #8093 - North Korean \u201cContagious Interview\u201d Operators Abuse Threat Intel Platforms.pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "FileHash-SHA1": 3, "FileHash-SHA256": 3, "URL": 2, "domain": 26, "hostname": 5 }, "indicator_count": 42, "is_author": false, "is_subscribing": null, "subscriber_count": 500, "modified_text": "238 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68bab66cf6f03b10dcad248d", "name": "Contagious Interview | North Korean Threat Actors Reveal Plans and Ops by Abusing Cyber Intel Platforms | SentinelOne", "description": "A joint investigation by SentinelLABS, Validin, and other partner organizations has identified North Korean threat actors involved in the Contagious Interview campaign, which targeted 230 targets between March 2025 and June 2025.", "modified": "2025-10-05T09:04:24.572000", "created": "2025-09-05T10:07:40.607000", "tags": [ "validin", "march", "sentinellabs", "virustotal", "ip address", "contagiousdrop", "clickfix", "maltrail", "lazarus", "validin use", "april", "june", "date", "team", "robinhood", "scarcruft", "contagious interview", "talentcheck" ], "references": [ "https://www.sentinelone.com/labs/contagious-interview-threat-actors-scout-cyber-intel-platforms-reveal-plans-and-ops/" ], "public": 1, "adversary": "Lazarus", "targeted_countries": [], "malware_families": [ { "id": "TalentCheck", "display_name": "TalentCheck", "target": null }, { "id": "Contagious Interview", "display_name": "Contagious Interview", "target": null }, { "id": "ClickFix", "display_name": "ClickFix", "target": null } ], "attack_ids": [ { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1104", "name": "Multi-Stage Channels", "display_name": "T1104 - Multi-Stage Channels" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" } ], "industries": [ "Cryptocurrency", "Finance" ], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "FileHash-SHA1": 3, "FileHash-SHA256": 3, "URL": 2, "domain": 26, "email": 7, "hostname": 5 }, "indicator_count": 49, "is_author": false, "is_subscribing": null, "subscriber_count": 863, "modified_text": "238 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68ba52bf307b14f1d7ab0b9d", "name": "IOC - Contagious Interview | North Korean Threat Actors Reveal Plans and Ops by Abusing Cyber Intel Platforms", "description": "In collaboration with the internet intelligence platform Validin, SentinelLABS has been tracking activity on the platform which we attribute with high confidence to North Korean threat actors involved in the Contagious Interview campaign cluster. This activity, which took place between March and June 2025, involved the threat actors examining cyber threat intelligence (CTI) information related to their infrastructure. Our unique visibility has provided valuable insights into their operational practices, internal coordination, infrastructure management and deployment, and victimology.", "modified": "2025-10-05T03:00:41.284000", "created": "2025-09-05T03:02:23.298000", "tags": [ "validin", "operators", "value note", "addresses", "ip addresses", "validin account", "domains", "sha1 hashes" ], "references": [ "https://www.sentinelone.com/labs/contagious-interview-threat-actors-scout-cyber-intel-platforms-reveal-plans-and-ops/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "FileHash-SHA1": 3, "FileHash-SHA256": 3, "domain": 24, "email": 7, "hostname": 5 }, "indicator_count": 45, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "238 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "skillcheck.pro", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "skillcheck.pro", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780246646.825019 }