Elastic Uncovers North Korean Campaign Using Steganography to Steal Developer Credentials
Key Takeaways
- ▸North Korean-aligned hackers deployed a new campaign (REF9403) hiding malware in SVG images using steganography to target developers
- ▸Multiple trojanized repositories containing four-stage payloads had zero detections from all major antivirus vendors at discovery
- ▸The attack chain combines social engineering (fake job offers) with technical sophistication (steganography, modular payloads) to compromise developer systems
Summary
Elastic Security Labs has discovered a new campaign by North Korean-aligned hackers, tracked as REF9403 and aligned with the Contagious Interview group, that targets developers with fake job postings and coding challenges. The attackers hide malware inside SVG image files using steganography techniques, then distribute trojanized code repositories that appear to be legitimate e-commerce projects. When developers execute these projects as part of fake job interview tests, they unknowingly download a four-stage payload that steals browser credentials, cryptocurrency wallets, files, and enables remote access to their systems.
Elastic discovered the campaign after observing suspicious activity targeting members of their community Slack workspace with a fake job posting in May 2026. The investigation revealed multiple trojanized repositories with names like 'next-ecommerce-private-main.zip' and 'shopping-platform-main.zip' that have zero detections from all major antivirus vendors. The malware shares technical and behavioral similarities with OTTERCOOKIE, a known credential and wallet stealer associated with North Korean threat actors.
The campaign demonstrates how developers remain a high-value target for nation-state threat actors, as compromising a single developer can provide the initial access needed to launch supply chain attacks against downstream organizations. The use of steganography to hide malware within benign SVG images represents an evolution in evasion techniques, successfully evading security vendor detection at the time of discovery.
- Stolen credentials, cryptocurrency wallets, and remote access capabilities can enable supply chain attacks against organizations that hire targeted developers
Editorial Opinion
This campaign underscores a critical vulnerability in the software development supply chain: threat actors increasingly target individual developers as entry points to corporate networks. The fact that multiple malware samples evaded all antivirus vendors highlights the limitations of signature-based detection for sophisticated attacks. Organizations must implement behavioral monitoring, secure development practices, and developer security awareness training to defend against this evolving threat vector.



