[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f_aZAqIlr9Frb7SHUCIt389urw8kS1wnfpaVQOAzTvCs":3},{"article":4,"iocs":53},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":32,"category":33,"article_tags":37},"4ee400cb-f772-4ef9-a042-bcbec48059eb","Fake Coding Tests Deliver OtterCookie-Aligned Malware Hidden in SVG Flag Images","fake-coding-tests-deliver-ottercookie-aligned-malware-hidden-in-svg-flag-images-7dc987","North Korean threat actors linked to the Contagious Interview campaign have been observed employing steganography in SVG image files to conceal malicious payloads as part of a campaign using fake job postings and coding challenges. \"Any user who ran the project ended up with a four-stage payload aligned with OTTERCOOKIE: a browser credential and crypto wallet stealer, a file stealer, a","North Korean threat actors linked to the Contagious Interview campaign are using steganography to hide malicious payloads within SVG flag images embedded in fake job postings and coding challenges. The four-stage payload delivers OtterCookie malware capable of stealing browser credentials, cryptocurrency wallets, files, and facilitating remote access. The campaign specifically targets software developers and highlights a new initial access vector through Slack job channel postings.","North Korean actors use steganography in SVG images within fake coding tests to deliver OtterCookie malware.","Fake Coding Tests Deliver OtterCookie-Aligned Malware Hidden in SVG Flag Images Ravie LakshmananJul 17, 2026Social Engineering \u002F Malware North Korean threat actors linked to the Contagious Interview campaign have been observed employing steganography in SVG image files to conceal malicious payloads as part of a campaign using fake job postings and coding challenges. \"Any user who ran the project ended up with a four-stage payload aligned with OTTERCOOKIE: a browser credential and crypto wallet stealer, a file stealer, a Socket.IO-based remote access trojan (RAT), and a clipboard stealer,\" Elastic Security Labs said in a report shared with The Hacker News. The findings once again highlight the continued targeting of software developers by state-sponsored hackers aligned with the Democratic People's Republic of Korea (DPRK) with an aim to steal sensitive data and plunder cryptocurrency wallets. The activity is being tracked under the moniker REF9403. The cybersecurity arm of the Dutch enterprise search and observability platform said it discovered the campaign after the threat actors targeted members of its community Slack workspace with social engineering lures for purported job offers, highlighting a new initial access avenue not previously documented in attacks associated with Contagious Interview, a sophisticated social engineering operation ongoing since at least December 2022. The messages, posted by a user named Maxwell on the #jobs Slack channel in late May 2026, sought an experienced developer to help with upgrading their e-commerce platform to a \"modern, scalable architecture using Next.js (v14), NestJS, PostgreSQL, and Auth.js\" along with Stripe integration. Those who expressed interest in the opportunity were moved into direct messages that instructed them to complete a coding assessment as part of the job offer, a standard ploy observed in Contagious Interview campaigns. The assignment involved executing a trojanized repository containing malware designed to exfiltrate valuable data and configuring a Socket.IO backdoor. Specifically, the repositories distributed as part of the scheme incorporate fully functional code but also embed malicious code in the form of SVG images to sidestep detection. \"While these legitimate-looking projects run perfectly fine, the malicious code is triggered silently behind-the-scenes,\" Elastic said. \"The payloads are split into base64 fragments inside HTML comments across every SVG flag image inside an assets directory. These files appear to be normal images of country flags (AE.svg, AF.svg), but each file contains an injected comment block with Base64-encoded data.\" The payload is then assembled together by a JavaScript file (\"serverValidation.js\") present in the repository. The attack chain is engineered such that the malware is executed on each server boot. Elastic said the main payload shares overlap with OtterCookie, a cross-platform malware that first emerged in September 2024. OtterCookie \"evolved from a basic tool for executing remote commands and searching for crypto keys into a modular program capable of broader data theft with a capability to check for VM environments, install communication clients like socket.io for C2, exfiltrate information, executes arbitrary shell commands, load other modules to collect specific intended data and reports results,\" Microsoft noted back in March. The malware incorporates four distinct modules that allow it to harvest data from web browsers and cryptocurrency wallets, collect files matching a specific list of extensions, facilitate persistent remote control using a Socket.IO-based trojan that can execute shell commands, capture clipboard content, and drop Windows executables. Among the files gathered by OtterCookie include artificial intelligence (AI) coding tooling extensions such as .claude, .cursor, .gemini, .windsurf, .pearai, and .llama, suggesting the threat actor is actively refining its arsenal to hoover as much information as possible. It's worth noting that the malware also exhibits some functional overlaps with a data stealer and trojan distributed via bogus npm packages masquerading as Rollup polyfill tooling, suggesting the threat actors are pursuing multiple vectors for propagation. \"This campaign reinforces that developers remain a prime target, where the compromise of a single individual can provide the initial access needed to enable far-reaching supply chain attacks against downstream organizations,\" Elastic said. \"The success of these operations underscores how compromising an individual developer can provide a path to much broader organizational impact.\" Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share Share SHARE  Credential Theft, cryptocurrency, Developer Security, Malware, Nation-State, North Korea, Remote Access Trojan, Social Engineering, Steganography, Supply Chain Security ⚡ Top Stories This Week 16-Year-Old Linux KVM Flaw Lets Guest VMs Escape to Host on Intel and AMD x86 Systems BeyondTrust Patches Critical Auth Bypass Flaws in Remote Support and PRA Court Filing Reveals Windows Device ID Helped FBI Trace Alleged Scattered Spider Hacker Rogue Agent Flaw Could Have Let Attackers Hijack Google Dialogflow CX Chatbots RedWing MaaS Packages Android Bank Fraud as a Telegram Rental Service 15-Year-Old GhostLock Flaw Enables Root and Container Escape on Most Linux Distros GitHub Copilot Refuses Harmful Requests in Chat, Then Writes Them in Code New HalluSquatting Attack Could Trick AI Coding Assistants Into Installing Botnet Malware GhostApproval Symlink Flaws Could Let Malicious Repos Run Code in AI Coding Agents Top AI Agents Built to Catch Malicious Code Can Be Tricked Into Running It Meta's New AI Image Tool Lets Others Use Your Public Instagram Photos in AI Images ThreatsDay: Cloud Bucket Hijacking, Windows LPE Chain, Global Fraud Bust + 17 More Stories Dormant GitHub Accounts Help Attackers Blend In While Mapping Corporate Orgs Attackers Exploit 'Ill Bloom' Vulnerability to Drain Over $5 Million From Cryptocurrency Wallets Unpatched XRING Flaw in XQUIC Lets Remote Clients Crash HTTP\u002F3 Servers Researcher Details WhatsApp-to-Host Attack Chain Using Three OpenClaw Flaws New TrojPix Attack Leaks Data From Air-Gapped Systems via Video Cable Emissions Unpatched Flaws Disclosed in Filesystem Bundled Into Millions of Embedded Devices New \"Bad Epoll\" Linux Kernel Flaw Lets Unprivileged Users Gain Root, Hits Android Google Disrupts NetNut Residential Proxy Network Spanning 2 Million Home Devices European Parliament Member Investigating Spyware Was Hacked With Pegasus ⭐ Featured Resources What 200+ Security Teams Reveal About Using IP Intelligence in 2026 Get Hands-On SANS Training for Today’s Cyber Defense and Offensive Security Challenges See What’s Really Exposed Across Your IT, OT, IoT, Cloud, and Mobile Assets Get Gartner’s Guide to AI Agent Supervision and Runtime Controls","https:\u002F\u002Fthehackernews.com\u002F2026\u002F07\u002Fnorth-korea-linked-hackers-hide.html","https:\u002F\u002Fblogger.googleusercontent.com\u002Fimg\u002Fb\u002FR29vZ2xl\u002FAVvXsEizZ8fzXjkeMlk_f1TKWczz8e4GHbNGTRPmaXHDPi86v4Ep0BqvGpKpOtpP_mtnHihu7kbII2nMxqQnQbjAhQkv6lkemsoIlzzS925QJKqkU5tgFHTxtSuRBllSUeZ3gpkJa51TAcggrQanY873B173p_hA-ow4sgftGDp4UgD3Torp7KswNuBp93-YOre5\u002Fs1600\u002Fnorthkorean-hacker.jpg","2026-07-17T13:48:56+00:00","2026-07-17T16:00:25.512503+00:00",9,[18,21,24,27,29],{"name":19,"type":20},"North Korean threat actors \u002F DPRK-aligned","threat_actor",{"name":22,"type":23},"Contagious Interview","campaign",{"name":25,"type":26},"Elastic Security Labs","vendor",{"name":28,"type":26},"Microsoft",{"name":30,"type":31},"Socket.IO","technology","89f78b1c-3503-45a1-9fc7-e23d2ce1c6d5",{"id":32,"icon":34,"name":35,"slug":36},null,"Malware","malware",[38,43,48],{"category":39},{"id":40,"icon":34,"name":41,"slug":42},"26b0b636-0e31-4db1-bffb-61bdf9f20a58","Supply Chain","supply-chain",{"category":44},{"id":45,"icon":34,"name":46,"slug":47},"6cbdd207-aaa1-4176-9534-e156b125e917","Nation-state","nation-state",{"category":49},{"id":50,"icon":34,"name":51,"slug":52},"e7b231c8-5f79-4465-8d38-1ef13aea5a14","Threat Intelligence","threat-intelligence",[54,57],{"type":36,"value":55,"context":56},"OtterCookie","Cross-platform malware module for credential and crypto wallet theft, file stealing, RAT, clipboard capture",{"type":36,"value":58,"context":59},"Socket.IO-based RAT","Remote access trojan component enabling shell command execution and persistent control"]