Skip to main content
Emerging ThreatsMalware & Ransomware

North Korean Hackers Exploit Coding Tests with Steganography-Laced Malware

A coding test setup in a brightly-lit computer lab with a laptop and blank screen.

"Any user who ran the project ended up with a four-stage payload aligned with OTTERCOOKIE: a browser credential and crypto wallet stealer, a file stealer, a Socket.IO-based remote access trojan (RAT), and a clipboard stealer," Elastic Security Labs said in a report shared with The Hacker News.

Contagious Interview, REF9403, and a DPRK link

Elastic Security Labs attributed the activity to threat actors linked to the Contagious Interview campaign and described the activity as being tracked under the moniker REF9403. The firm said the campaign again shows the continued targeting of software developers by state-sponsored hackers aligned with the Democratic People's Republic of Korea (DPRK), with goals to steal sensitive data and plunder cryptocurrency wallets.

Slack lures and a trojanized coding challenge

The campaign began with social engineering inside a community Slack workspace run by the company whose security arm published the analysis. Messages posted by a user named "Maxwell" in the #jobs channel in late May 2026 sought an experienced developer for a Next.js (v14), NestJS, PostgreSQL and Auth.js project with Stripe integration. Interested individuals were moved into direct messages and instructed to complete a coding assessment — a familiar ploy in Contagious Interview operations, Elastic said.

The assignment directed targets to clone and run a repository that appears to be a legitimate project. Elastic noted the repositories "incorporate fully functional code" but also embed malicious content designed to exfiltrate data and configure a Socket.IO backdoor; the malicious elements run silently behind the scenes while the legitimate project functions normally.

Steganography inside SVG flag images

Elastic described a novel evasion technique: payload fragments were hidden in Base64 inside HTML comments distributed across every SVG flag image in an assets directory. Files with ordinary names such as AE.svg and AF.svg — ordinary flag images at a glance — contained injected comment blocks with Base64-encoded data. A JavaScript file named "serverValidation.js" assembled the fragments into the full payload, and the chain was engineered to execute the malware on each server boot.

OtterCookie-aligned, four-module payload

When assembled and executed, the payload delivered four distinct modules Elastic said align with OTTERCOOKIE. The modules include a browser credential and cryptocurrency wallet stealer, a file stealer that collects files matching specific extensions, a Socket.IO-based remote access trojan capable of executing shell commands, and a clipboard stealer that can drop Windows executables.

Elastic further observed that the malware collects files used by developers and AI tooling, naming extensions such as .claude, .cursor, .gemini, .windsurf, .pearai, and .llama among the harvested artifacts. The firm also pointed to functional overlap between the malware and a data stealer and trojan distributed via bogus npm packages masquerading as Rollup polyfill tooling, indicating the actor is pursuing multiple vectors for propagation.

The report ties this activity to a longer evolution of the OtterCookie family. The source cites earlier reporting that OtterCookie first emerged in September 2024 and, according to Microsoft in March, evolved from a basic remote-command tool into a modular program able to check for virtual-machine environments, install communication clients like socket.io for command-and-control, exfiltrate information, execute arbitrary shell commands, and load additional modules to collect specific data and report results.

Why developers and downstream organizations matter

Elastic emphasized a strategic point: developers remain prime targets because the compromise of a single individual can provide the initial access needed for supply chain-style intrusions. "This campaign reinforces that developers remain a prime target, where the compromise of a single individual can provide the initial access needed to enable far-reaching supply chain attacks against downstream organizations," the company said.

What this means for technologists, procurement leaders, and developers

  • Technologists and security teams: The use of SVG steganography and a JavaScript assembler (serverValidation.js) demonstrates an operational preference for blending benign functionality with hidden payloads. Teams will need to treat developer-supplied repositories as potential attack vectors and scrutinize asset files and scripts that run on boot.
  • Affected enterprises and procurement leaders: Social engineering via trusted community channels — in this case a vendor-run Slack workspace — shows how recruiting and contractor workflows can be weaponized. Elastic's finding that fully functional projects can conceal backdoors underscores the risk to downstream organizations that rely on developer-supplied code.
  • Developers and end users: The campaign targeted individuals with a realistic job offer and an ordinary coding assessment. The presence of credential and crypto-wallet stealers, file exfiltration modules, and a remote access trojan means a single compromised developer environment can expose both personal assets and organizational secrets, including AI tooling artifacts named in Elastic's report.

Elastic Security Labs' findings add a specific example to a broader pattern: threat actors are combining social engineering, multi-stage payloads, and creative file-level hiding techniques to reach their aims. In this instance, the entry vector was a seemingly routine recruiting exchange; the payload was assembled from innocuous-looking images; and the outcome was a modular toolkit aligned with OtterCookie that targets credentials, wallets, files, clipboard contents and provides persistent remote control. How many other developer-facing channels will be weaponized in the same way remains the practical question raised by these concrete details.

Read the original story on The Hacker News