From Gamifly to AjunaVerse and AlchemyMVP: Parallel Weaponization of a Shared Poker Repository Lineage
“The branches diverged; the payload did not.”

Executive Summary

This report analyzes two GitHub repositories discovered through follow-on hunting after ThreatProphet’s investigation of the Interexy-branded Gamifly lure:

hxxps://github[.]com/LimitBreak-Solutions/AjunaVerse
hxxps://github[.]com/AlchemyGlobal/AlchemyMVP

The repositories were not directly delivered to the investigator during a recruitment interaction. They were identified by pivoting on Git commits, repository structure, poker-game artifacts, VS Code execution patterns, and malware-loader code preserved in the Gamifly lineage. Both were acquired as forensic Git mirrors on June 9, 2026. ...
Interexy-Branded Gamifly Repositories: Evolution of the BetPoker Loader into a Vercel-Gated Node.js Tasking Implant
“The game stayed the same; only the organization name, gate, and dealer address changed.”

Executive Summary

This report analyzes an Interexy-branded fake developer recruitment operation that delivered a GitHub repository named Gamifly during a remote interview workflow. The engagement began with a LinkedIn job offer, moved to Calendly for interview scheduling, and culminated in a repository link shared during the call. A subsequent GitHub search identified a second repository under a slightly different organization name: ...
PawCommerce Developer Task: VS Code Folder-Open Tasks and Git Hooks Deliver Cross-Platform Node.js Stealer
“What was given as work concealed its blade in the hidden hooks.”

Executive Summary

This report analyzes a PawCommerce-themed developer-task lure delivered during a fake recruitment workflow. The initial contact occurred through LinkedIn, where a recruiter persona using the display name Nathaniel Nicdao asked whether the target would be open to a brief conversation and requested a CV or resume. The LinkedIn profile was later unavailable. A subsequent Google Calendar invitation used the persona Mark Harris <mark.harris.workspace@gmail[.]com>, and the development task was delivered through a OneDrive share displaying the account name Mimori Okamoto. The OneDrive page hosted a ZIP file named pawCommerce.zip. ...
AI-Powered RWA Finance Platform: Developer Review ZIP Uses Git Hooks to Stage a Tri-Port JavaScript Implant
“The dev branch was a threshold; crossing it woke the hook.”

Executive Summary

This report analyzes a recruitment-themed malware delivery attempt that abused a developer review workflow. A LinkedIn recruiter persona using the name Bill Johnson, CTS sent the target a LimeWire file-sharing URL for an archive named AI-Powered_RWA_Finance_Platform.zip:

hxxps://limewire[.]com/d/Fw4jF#TNRRfGHC7h

The lure framed the work as a review of an abandoned AI-powered real-world-asset finance platform. The actor claimed prior developers were poor at Git and pointed the reviewer at a repository snapshot where the master branch was incomplete. The repository README then instructed the reviewer to run: ...
Kryptic Haven-Branded Git Challenge: Malicious Hooks Deliver Gurucooldown Payload Chain and Multi-Module JavaScript Backdoor
“They called it a haven; the rebase was the altar, and the hook was the knife.”

Executive Summary

This report analyzes a Kryptic Haven-branded recruitment lure that began with a LinkedIn message from a recruiter persona named Tatiana Zadorozhnia. The report treats Kryptic Haven as lure branding and low-assurance recruitment infrastructure; it does not establish whether any legitimate company, brand owner, or third-party profile was actor-created, compromised, impersonated, or otherwise misused. The message directed the target to a 24-hour hiring-process link at: ...
Estokkyam/YAMTOKEN: Server-Side Import Chain Hides NPoint Staging and Socket.IO Control Payloads
“The chain was not in the hook this time; it was hidden behind the contract.”

Executive Summary

This report analyzes a recruitment-themed developer task delivered through a Bitbucket repository operating under the name estokkyam. The target was contacted through LinkedIn with a job offer and was given a Google Doc containing task instructions and a Bitbucket repository link. The repository presented as a plausible React/Node.js blockchain application named YAMTOKEN. The malicious behavior was not implemented through Git hooks or VS Code workspace tasks. Instead, the execution chain was hidden in the backend server path. Running the project through the normal npm workflow starts the backend with node server. The backend loads the authentication route, which loads authentication middleware, which imports server/config/getContract.js. That module contains a function named callHashedContract(), and the auth middleware invokes it during module initialization. ...
MansaTrade-Branded Recruitment Lure: Git Hook Staging Chain Delivers Multi-Module JavaScript Backdoor and Native Python Payloads
“The contract promised trust; the hooks carried the knife.”

Executive Summary

The case began with a recruitment-themed approach using MansaTrade-branded identity material. After the victim was contacted through LinkedIn about a purported job opportunity and asked to provide a CV and email address, a recruiter persona calling himself Enrique used that address to deliver a purported smart-contract developer task as a ZIP attachment. The follow-on email was displayed as coming from Recruiter of MansaTrade <recruiter@mansatrade[.]org>. Header analysis shows that the message passed SPF and DMARC at Google and was authenticated through Hostinger/MailChannels infrastructure for recruiter@mansatrade[.]org; DKIM was neutral because the body hash did not verify. This means the message should not be treated as simple display-name spoofing. It does not establish whether the mailbox or domain was actor-created, compromised, legitimately operated by the brand, or otherwise misused. ...
DLabs Hungary Impersonation: CTO Recruitment Lure Uses VS Code Task Injection and Persistent Node.js Beacon
“The face was changed, yet the hand was known.”

Executive Summary

A threat actor impersonating DLabs Hungary conducted a targeted recruitment campaign against a developer, using a purported CTO/team lead opportunity to deliver a malicious GitHub repository. The legitimate DLabs Hungary company is not assessed to be involved in this activity; the name was used as social-engineering cover by the threat actor. The repository was shared during a live interview call, with access granted long enough for the target to clone it. The repository contained VS Code workspace tasks configured with runOn: folderOpen, meaning the tasks could run when the folder was opened in a trusted workspace and automatic task execution was allowed. ...
Dravion-Core: Dual-Path Developer Lure with Environment Harvesting and Persistent Beacon
“This was not a new work, but an old hand returning by familiar paths.”

Executive Summary

A threat actor operating a LinkedIn recruiter persona, assessed with low-to-medium confidence as DPRK-linked and consistent with Contagious Interview / TraderTraitor-style activity, targeted developers through a multi-stage social engineering lure. The initial LinkedIn message delivered a Google Drive-hosted project overview / job description PDF and a Calendly scheduling link. The malicious GitHub repository, Dravion-Core, hosted under the organisation Intraverse-Dev-Tech-Hub, was subsequently shared during the follow-on call rather than in the initial message. The repository deploys two independent execution routes that deliver the same payload via separate C2 infrastructure, in a structure near-identical to TP-2026-004 (BetPoker). ...
Triple Fork: OtterCookie-Family Three-Child Loader Delivered via Bitbucket Developer Lure
“The work was divided in three: one to steal, one to search, and one to command.”

Executive Summary

A threat actor operating under the Bitbucket handle blocwryte targeted developers via a LinkedIn recruitment lure that redirected victims to a fabricated skill-test repository: bitbucket[.]org/blocwryte/challenge. The project presented as a plausible backend Node.js application. Concealed within its middleware layer was a two-stage remote code execution primitive that fetched and executed a heavily obfuscated JavaScript payload from the npoint[.]io free JSON storage service (a staging host documented in prior Contagious Interview reporting) and passed the result directly into a dynamic execution sink named executeHandler. The naming was deliberate misdirection: executeHandler sounds like a routing utility, and the JSON key carrying the payload was named cookie, lending the appearance of ordinary session management to what was in fact a remote code execution call. ...