North Korea-Linked Hackers Use Steganography in SVG Files to Target Developers
North Korean threat actors linked to the Contagious Interview campaign have been observed employing steganography in SVG image files to conceal malicious payloads. This campaign uses fake job postings and coding challenges to target software developers, according to a report by Elastic Security Labs.
The attack involves a four-stage payload associated with the OTTERCOOKIE malware, which includes:
- A browser credential and crypto wallet stealer.
- A file stealer.
- A Socket.IO-based remote access trojan (RAT).
- A clipboard stealer.
The campaign, tracked under the moniker REF9403, aims to steal sensitive data and plunder cryptocurrency wallets. It highlights the ongoing efforts of state-sponsored hackers aligned with the Democratic People's Republic of Korea (DPRK) to compromise high-value targets.
Targeting Developers via Fake Job Postings
Elastic Security Labs discovered the campaign after threat actors targeted members of its community Slack workspace. The attackers used social engineering lures, posing as a user named Maxwell on the #jobs Slack channel in late May 2026. The fake job posting sought an experienced developer to upgrade an e-commerce platform using technologies like Next.js (v14), NestJS, PostgreSQL, Auth.js, and Stripe.
Developers who expressed interest were directed to complete a coding assessment involving a trojanized repository. This repository contained malware disguised within fully functional code but embedded with malicious payloads in SVG image files. The SVG files, which appeared as normal country flag images, contained Base64-encoded data hidden in HTML comments.
Steganography and Malware Delivery
The malicious payload was assembled by a JavaScript file named serverValidation.js, which executed the malware on each server boot. The attack chain shared overlaps with OtterCookie, a cross-platform malware that first emerged in September 2024. OtterCookie has evolved into a modular program capable of:
- Executing remote commands.
- Searching for crypto keys.
- Stealing data from browsers and cryptocurrency wallets.
- Collecting files with specific extensions.
- Installing communication clients like Socket.IO for command and control (C2).
The malware also targets AI coding tooling extensions, such as .claude, .cursor, .gemini, .windsurf, .pearai, and .llama, indicating the threat actors' focus on gathering as much information as possible.
Broader Implications
Elastic emphasized that developers remain a prime target for such attacks, as compromising a single individual can lead to far-reaching supply chain attacks against downstream organizations. The success of these operations underscores the potential for significant organizational impact stemming from the compromise of an individual developer.
This campaign reinforces the growing threat posed by state-sponsored hackers using sophisticated techniques to infiltrate high-value targets in the technology sector.