North Korean PurpleBravo Campaign Targeted 3,136 IP Addresses via Fake Job Interviews
Summary:
PurpleBravo, a North Korean state-sponsored threat group, poses an acute and often overlooked risk to the global IT software supply chain, specifically targeting software developers in the cryptocurrency, financial services, and IT/software development sectors. First identified in November 2023 and maintaining a high operational tempo through September 2025, the group overlaps with the "Contagious Interview" campaign (also tracked as CL-STA-0240, Famous Chollima, and Tenacious Pungsan). Its primary objective appears to be financial gain through cryptocurrency theft and credential harvesting, using a sophisticated network of fictitious personas and organizations to distribute malware. The risk extends beyond individual developers to their employers, because candidates frequently execute the malicious code on corporate devices, creating significant downstream exposure. Recorded Future’s Insikt Group identified over 3,000 IP addresses linked to targets concentrated in South Asia and North America, with specific victim organizations observed across Europe, the Middle East, and Central America.
Security Officer Comments:
PurpleBravo’s campaign is characterized by advanced social engineering tactics, using fake recruiter outreach on LinkedIn and "ClickFix" prompts to lure victims into interview coding tests that deploy malicious payloads. The group employs a diverse technical toolset including BeaverTail (a JavaScript infostealer/loader) and multi-platform remote access trojans (RATs) such as InvisibleFerret, PyLangGhost, and GolangGhost. These tools are built for cross-platform operation (Windows, macOS, Linux) and exfiltrate browser credentials, cryptocurrency wallet data, and system information over custom TCP and HTTP command-and-control (C2) channels. The technical threat vector often involves malicious GitHub repositories containing obfuscated JavaScript (e.g., Base64-encoded payloads combined with XOR ciphers) or Python scripts that perform system reconnaissance and establish persistence. A notable trend is the operational overlap with "PurpleDelta" (North Korean IT workers), suggesting shared infrastructure and personnel. The adversary profile indicates a highly adaptive group that leverages legitimate tools such as AnyDesk and standard protocols to blend in, hosting C2 servers across seventeen distinct providers and using Astrill VPN for administration.
Suggested Corrections:
- Establish Supply Chain Controls (NIST CSF: ID.SC / MITRE ATT&CK: Pre-Compromise):
  - Restrict npm install and go get commands to allowlisted registries and mirror caches that implement malware scanning.
  - Require SLSA (Supply-chain Levels for Software Artifacts) provenance attestations for third-party code in critical repositories.
- Enhance Network Defenses (NIST CSF: PR.PT / MITRE ATT&CK: Command and Control):
  - Block direct-to-IP HTTP/S traffic to non-standard ports (specifically ports 1224 and 1244) often used for PurpleBravo C2 operations.
  - Blocklist IP addresses associated with PurpleBravo C2 servers and monitor for traffic to known malicious infrastructure.
- Implement Endpoint Protection (NIST CSF: PR.DS / MITRE ATT&CK: Execution):
  - Build detection rules for Go binaries containing embedded HackBrowserData artifacts or for processes accessing multiple browser profiles within short timeframes (e.g., less than 60 seconds).
  - Hunt for Base64 decode and XOR loops within JavaScript files in developer environments and flag repositories introducing such code.
  - Require contractors and developers to use company-managed, EDR-enrolled devices or secure Virtual Desktop Infrastructure (VDI); strictly forbid BYOD for these roles.
- Conduct User Training (NIST CSF: PR.AT / MITRE ATT&CK: Initial Access):
  - Provide security awareness training focused on social engineering themes used by PurpleBravo, such as fake recruiter outreach and "ClickFix" prompts.
  - Establish clear reporting routes for employees to flag suspicious external job offers or potential malware infections.
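The two endpoint hunts above (a process sweeping several browser profiles within 60 seconds, and JavaScript that combines a Base64 decode with an XOR loop) as a worked example. This is added illustration code, not from the Recorded Future report or any vendor tool; the file-access log format and the sample log lines are constructed for the example, and the browser profile paths are the standard Chrome, Brave, Edge and Firefox locations.

```python
import re
from collections import defaultdict
from datetime import datetime

# Hunt 1: JavaScript that both decodes Base64 and runs an XOR loop (BeaverTail-style
# loaders). Either pattern alone is common in benign code, so flag only the combination.
B64_DECODE = re.compile(r"\batob\s*\(|Buffer\.from\s*\([^)]*['\"]base64['\"]")
XOR_LOOP = re.compile(r"\b(?:for|while)\s*\([^)]*\)\s*\{[^}]*\^[^}]*\}", re.S)

def flag_js_source(source: str) -> bool:
    """True when a JS source shows both a Base64 decode and an XOR loop."""
    return bool(B64_DECODE.search(source)) and bool(XOR_LOOP.search(source))

# Hunt 2: one process reading several browser profiles inside a short window, as a
# credential-stealer sweep would. Constructed log format: "<ISO time> pid=<pid> path=<path>".
LOG_LINE = re.compile(r"^(\S+) pid=(\d+) path=(.+)$")
PROFILE = re.compile(
    r"(?:Google\\Chrome|BraveSoftware\\Brave-Browser|Microsoft\\Edge)\\User Data\\(?:Default|Profile \d+)"
    r"|Mozilla\\Firefox\\Profiles\\[^\\]+")

def flag_profile_sweeps(lines, window_s=60, min_profiles=2):
    """Return pids that touched >= min_profiles distinct browser profiles within window_s seconds."""
    events = defaultdict(list)                      # pid -> [(timestamp, profile dir)]
    for line in lines:
        m = LOG_LINE.match(line)
        p = PROFILE.search(m.group(3)) if m else None
        if not p:
            continue                                # not a browser-profile file access
        ts = datetime.fromisoformat(m.group(1).replace("Z", "+00:00"))
        events[m.group(2)].append((ts, p.group(0)))
    flagged = []
    for pid, evs in sorted(events.items()):
        evs.sort()
        for i, (t0, _) in enumerate(evs):          # sliding window starting at each access
            distinct = {d for t, d in evs[i:] if (t - t0).total_seconds() <= window_s}
            if len(distinct) >= min_profiles:
                flagged.append(pid)
                break
    return flagged

# Constructed sample log: pid 4242 sweeps three browsers' profiles in six seconds;
# pid 900 touches two profiles 15 minutes apart, which is ordinary user behaviour.
SAMPLE_LOG = [
    r"2025-09-01T10:00:01Z pid=4242 path=C:\Users\dev\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    r"2025-09-01T10:00:03Z pid=4242 path=C:\Users\dev\AppData\Local\Google\Chrome\User Data\Profile 1\Login Data",
    r"2025-09-01T10:00:05Z pid=4242 path=C:\Users\dev\AppData\Local\BraveSoftware\Brave-Browser\User Data\Default\Cookies",
    r"2025-09-01T10:00:07Z pid=4242 path=C:\Users\dev\AppData\Roaming\Mozilla\Firefox\Profiles\abcd.default\logins.json",
    r"2025-09-01T10:30:00Z pid=900 path=C:\Users\dev\AppData\Local\Google\Chrome\User Data\Default\Cookies",
    r"2025-09-01T10:45:00Z pid=900 path=C:\Users\dev\AppData\Local\Google\Chrome\User Data\Profile 1\Cookies",
]
```

In production the log lines would come from EDR file-access telemetry rather than a constructed list, and the profile regex should be extended to any other browsers present in the environment.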
https://thehackernews.com/2026/01/north-korean-purplebravo-campaign.html
https://www.recordedfuture.com/research/purplebravos-targeting-it-software-supply-chain