Contagious Interview (UNC4736)
A North Korea-linked campaign that poses as recruiters/contractors to trick developers and crypto workers into running malware (e.g. BeaverTail, InvisibleFerret, INLETDRIFT). Tracked as UNC4736 / AppleJeus / Citrine Sleet; linked to the Radiant Capital theft.
Also known as: Contagious Interview, Wagemole, UNC4736, AppleJeus, Citrine Sleet, Gleaming Pisces
On attribution: This North Korea-linked campaign is tracked under several overlapping names by different vendors; attributions are those of the cited firms (Unit 42, Mandiant).
Overview
"Contagious Interview" is a North Korea-linked social-engineering campaign in which operators pose as prospective employers, recruiters, or former contractors to lure software developers and crypto-industry workers into downloading and running malware during fake interviews or "coding tests." It is tracked under names including UNC4736, AppleJeus, Citrine Sleet, Gleaming Pisces, and (for the related fraudulent job-seeker side) Wagemole. Unit 42 attributes it with moderate-to-high confidence to a DPRK state-sponsored actor and says the campaign dates back to at least December 2022. [1]
Tactics and malware
Operators approach targets via LinkedIn, job boards, Telegram, freelance marketplaces, or open-source communities, then send a "coding assignment," npm package, or video-call app that installs malware. Associated families include the BeaverTail downloader/infostealer, the InvisibleFerret Python backdoor, OtterCookie, and the macOS backdoor INLETDRIFT. Operators have also stood up fake "front companies" to add legitimacy. [1]
Impact
Mandiant attributed the October 2024 Radiant Capital theft (~$50 million) to UNC4736, which used a Telegram message impersonating a former contractor to plant malware on developers' machines and ultimately forge multisig approvals. The same fake-recruiter pattern underpins numerous targeted thefts, insider-access cases, and the parallel DPRK "IT worker" infiltration problem. [1][2]
Bracketed numbers refer to the numbered sources listed below.
Linked scams & cases
- Radiant Capital hack (Attributed actor; Projects): A cross-chain lending protocol drained of about $50M on October 16, 2024. Mandiant attributed it to a North Korea-linked actor (UNC4736 / AppleJeus) that used a fake-contractor Telegram lure to plant macOS malware on developers' machines and forge multisig approvals.
- @xcartermurphy (X impersonation account) (Related; Social accounts): An X (Twitter) account described in a public post as an impersonator tied to a malware-focused social-engineering operation. Per the post, the account displayed (then removed) a well-known VC firm's tag in its bio, and a target was sent a malware-laden 'WeChat' installer plus an install command hosted on a now-scrubbed domain.
Sources (2)
1. Two Job-Related Campaigns Bear Hallmarks of North Korean Threat Actors — Unit 42 (Palo Alto Networks)
2. Radiant Capital Incident Update (Mandiant attribution to UNC4736) — Radiant Capital
See also
- Angel Drainer (Organizations & groups): A wallet-drainer-as-a-service operation (≈85/15 affiliate/developer split) specialized in EVM chains. Most notably, Angel Drainer malware was used in the December 2023 Ledger Connect Kit supply-chain attack, which drained roughly $500K–$600K from DeFi users in a few hours.
- Monkey Drainer (Organizations & groups): An early, prolific wallet-drainer-as-a-service crew (active into early 2023) that focused on high-value NFTs and is estimated to have facilitated roughly $13–16.5M in theft before announcing it was 'shutting down' and pointing affiliates to rival drainers.
- Phemex hack (Exchanges & platforms)
This page was last updated on Jun 8, 2026.