BotBeat
...
← Back

> ▌

ElasticElastic
RESEARCHElastic2026-07-17

Elastic Uncovers North Korean Campaign Using Steganography to Steal Developer Credentials

Key Takeaways

  • ▸North Korean-aligned hackers deployed a new campaign (REF9403) hiding malware in SVG images using steganography to target developers
  • ▸Multiple trojanized repositories containing four-stage payloads had zero detections from all major antivirus vendors at discovery
  • ▸The attack chain combines social engineering (fake job offers) with technical sophistication (steganography, modular payloads) to compromise developer systems
Source:
Hacker Newshttps://www.elastic.co/security-labs/contagious-interview-malware-svg-steganography↗

Summary

Elastic Security Labs has discovered a new campaign by North Korean-aligned hackers, tracked as REF9403 and aligned with the Contagious Interview group, that targets developers with fake job postings and coding challenges. The attackers hide malware inside SVG image files using steganography techniques, then distribute trojanized code repositories that appear to be legitimate e-commerce projects. When developers execute these projects as part of fake job interview tests, they unknowingly download a four-stage payload that steals browser credentials, cryptocurrency wallets, files, and enables remote access to their systems.

Elastic discovered the campaign after observing suspicious activity targeting members of their community Slack workspace with a fake job posting in May 2026. The investigation revealed multiple trojanized repositories with names like 'next-ecommerce-private-main.zip' and 'shopping-platform-main.zip' that have zero detections from all major antivirus vendors. The malware shares technical and behavioral similarities with OTTERCOOKIE, a known credential and wallet stealer associated with North Korean threat actors.

The campaign demonstrates how developers remain a high-value target for nation-state threat actors, as compromising a single developer can provide the initial access needed to launch supply chain attacks against downstream organizations. The use of steganography to hide malware within benign SVG images represents an evolution in evasion techniques, successfully evading security vendor detection at the time of discovery.

  • Stolen credentials, cryptocurrency wallets, and remote access capabilities can enable supply chain attacks against organizations that hire targeted developers

Editorial Opinion

This campaign underscores a critical vulnerability in the software development supply chain: threat actors increasingly target individual developers as entry points to corporate networks. The fact that multiple malware samples evaded all antivirus vendors highlights the limitations of signature-based detection for sophisticated attacks. Organizations must implement behavioral monitoring, secure development practices, and developer security awareness training to defend against this evolving threat vector.

CybersecurityGovernment & DefensePrivacy & DataJobs & Workforce Impact

More from Elastic

ElasticElastic
RESEARCH

Elastic's Agentic SOC Slashes Alert Triage Time from 30 Minutes to Under 3 Minutes

2026-07-07
ElasticElastic
INDUSTRY REPORT

Financial Services Must Prioritize Data Readiness as Agentic AI Adoption Accelerates

2026-05-14
ElasticElastic
INDUSTRY REPORT

Small Language Models Emerge as Solution for AI in Constrained Public Sector Environments

2026-04-16

Comments

Suggested

MetaMeta
RESEARCH

Researcher Demonstrates Easy Backdoor Installation in Open-Weight AI Models

2026-07-17
China Manned Space Agency (CMSA)China Manned Space Agency (CMSA)
INDUSTRY REPORT

Xi Pitches China as Global AI Leader as Trump Escalates US-China Tech Rivalry

2026-07-17
EdgeeEdgee
UPDATE

Edgee Launches On-Premise AI Gateway for Data-Sensitive Organizations

2026-07-17
← Back to news
© 2026 BotBeat
AboutPrivacy PolicyTerms of ServiceContact Us