Now It Time to Get Everything: CTO Recruitment Lure Deploys VSCode Task Injection and Persistent Node.js Beacon
"The face was changed, yet the hand was known."

Executive Summary

A threat actor operating under the identity DLabs Hungary conducted a targeted recruitment campaign against a developer, using a fabricated CTO/team lead opportunity to deliver a malicious GitHub repository. The repository was shared during a live interview call - access was granted just long enough for the target to clone it - and the malware activated automatically the moment the folder was opened in Visual Studio Code. ...
Dravion-Core: Credential Theft and Persistent Beacon via Dual-Path Developer Lure
“This was not a new work, but an old hand returning by familiar paths.”

Executive Summary

A threat actor operating a LinkedIn recruiter persona, assessed with low-to-medium confidence as DPRK-linked and consistent with Contagious Interview / TraderTraitor-style activity, targeted developers through a multi-stage social engineering lure. The initial LinkedIn message delivered a Google Drive-hosted project overview / job description PDF and a Calendly scheduling link. The malicious GitHub repository, Dravion-Core, hosted under the organisation Intraverse-Dev-Tech-Hub, was subsequently shared during the follow-on call rather than in the initial message. The repository deploys two independent execution routes that deliver the same payload via separate C2 infrastructure, in a structure near-identical to TP-2026-004 (BetPoker). ...
Triple Fork: OtterCookie Variant Delivered via Bitbucket Developer Lure
“The work was divided in three: one to steal, one to search, and one to command.”

Executive Summary

A threat actor operating under the Bitbucket handle blocwryte targeted developers via a LinkedIn recruitment lure that redirected victims to a fabricated skill-test repository: bitbucket.org/blocwryte/challenge. The project presented as a plausible backend Node.js application. Concealed within its middleware layer was a two-stage remote code execution primitive that fetched and executed a heavily obfuscated JavaScript payload from the npoint.io free JSON storage service — a staging host documented in prior Contagious Interview reporting — and passed the result directly into a dynamic execution sink named executeHandler. The naming was deliberate misdirection: executeHandler sounds like a routing utility, and the JSON key carrying the payload was named cookie, lending the appearance of ordinary session management to what was in fact a remote code execution call. ...
Wallet Trap: BeaverTail and Trojanized MetaMask Delivered via Fake Dev Assignment
“The rite began with promise and ended in defilement.”

Executive Summary

A threat actor operating a fake recruiter persona on LinkedIn targeted developers with a bogus technical assignment. The lure repository (mocorex) was hosted on Bitbucket under the fabricated organisation fortegroup-org, impersonating a legitimate DeFi company. The project presented as a standard React/Vite web application, complete with plausible component structure and a commit history spanning multiple apparent contributors. Concealed within it was a heavily horizontally-indented loader, public/vite.cookie.js, designed to evade casual code review by pushing malicious content off-screen in any standard file viewer. ...
BetPoker: Credential-Gated JavaScript RAT with Dual Delivery Routes via Fake Web3 Interview
“The table is set like an altar, and whoso sits there is counted among the damned.”

Executive Summary

A threat actor operating under GitHub organisation LimitBreakOrgs - a deliberate typosquat of Limit Break Inc., a legitimate NFT/Web3 gaming company - is conducting an active fake developer interview campaign using a repository named bet_ver_1, publicly described as “BetPoker”, a purported Web3 poker and sports betting platform. The repository targets blockchain developers through the same fake technical assessment vector documented in TP-2026-001 and TP-2026-002, and was active at the time of this analysis. ...
Lumanagi: Downloader Concealed in Webpack Config, Delivered via Fake DeFi Interview
“The blueprints were genuine. The building was not.”

Executive Summary

A threat actor operating a fake recruiter persona on LinkedIn approached the researcher with a Technical Manager role at a fabricated DeFi company, offering $25,000 USD per month and directing the target to a Calendly booking page operated under the handle devs_empire. The actor shared a Bitbucket repository - lmng2026 - as the basis of a technical interview, presenting a polished, fully-designed DeFi platform called Lumanagi to establish credibility. The repository contained two independent execution triggers. Neither required the researcher to run the application. ...
Japanese-Royal: Environment Harvesting and JavaScript RAT Delivered via Fake Developer Interview
“He came as a messenger with gifts, and the birds grew fat.”

Executive Summary

A threat actor operating a fake recruiter persona on LinkedIn approached developers with a CTO-level opportunity at a fabricated Japanese e-commerce company. After establishing credibility through a polished project brief, the actor shared a GitHub repository named Japanese-Royal as part of a technical interview, directing the target to review and run the codebase. The repository contained a multi-stage implant with four independent execution triggers, any one of which was sufficient to compromise the victim. ...
Interview Trap: Blockchain-Staged JavaScript RAT Delivered via LinkedIn
“The snare is laid in secret; the prey walks toward it of his own will.”

Executive Summary

A threat actor, operating a fake recruiter persona on LinkedIn, targeted developers by asking them to complete a “technical assessment” that required cloning and running a malicious GitHub repository named Tech-Core. The repository contained a multi-stage malware implant designed to execute silently on open in Visual Studio Code, or when common npm commands are run. ...