PANews reported on January 22 that, according to Cryptopolitan, a new study by security firm Recorded Future revealed that the North Korean-affiliated hacking group PurpleBravo launched a cyber espionage campaign targeting over 3,100 IP addresses of companies in the fields of artificial intelligence, cryptocurrency, and financial services through fake job interviews. The group impersonated recruiters or developers, using technical interviews as a pretext to trick targets into executing malicious code. The attackers claimed to be from crypto or technology companies, asking job seekers to review code, clone repositories, or complete programming tasks. Security researchers have identified 20 victim organizations from South Asia, North America, and other regions.

The group used multiple aliases and disguised themselves using a fake Odessa, Ukraine identity. The attack employed remote access trojans such as PylangGhost and GolangGhost, which automatically stole browser credentials and cookies. The hackers also hosted their malware servers through a malicious GitHub repository, Astrill VPN, and 17 service providers. Furthermore, the investigation found related Telegram channels selling LinkedIn and Upwork accounts, and the attackers also interacted with the cryptocurrency exchange MEXC Exchange.