North Korean Hackers Use Steganography in Fake Coding Tests to Deliver OtterCookie Malware
North Korean state-sponsored actors are employing steganography within SVG image files to hide malware, delivered through social engineering lures disguised as job offers and coding challenges.

North Korean threat actors, linked to the ongoing Contagious Interview campaign, have adopted a novel technique involving steganography within Scalable Vector Graphics (SVG) image files to conceal malicious payloads. This sophisticated social engineering operation, targeting software developers, uses fake job postings and coding challenges as an initial access vector. The campaign, tracked as REF9403, aims to exfiltrate sensitive data and cryptocurrency assets.
The latest findings from Elastic Security Labs reveal that the threat actors are actively recruiting developers by posing as legitimate recruiters on platforms like Slack. In late May 2026, a user named Maxwell initiated contact on a community Slack workspace's #jobs channel, offering a role to upgrade an e-commerce platform. Those who expressed interest were moved to direct messages and presented with a coding assessment, a common tactic in Contagious Interview campaigns.
This assessment involved executing a trojanized code repository. While the repositories contained fully functional code for the purported task, they also embedded malicious code hidden within SVG image files. These images, appearing as normal country flags (e.g., AE.svg, AF.svg), contained injected HTML comments with Base64-encoded fragments of the malware payload. This steganographic approach is designed to evade detection by security software.
A JavaScript file named "serverValidation.js" within the repository is responsible for assembling these fragmented payloads. Once executed, the malware is engineered to run automatically on each server boot, ensuring persistence. The assembled payload exhibits significant overlap with OtterCookie, a cross-platform malware first identified in September 2024.
OtterCookie has evolved from a basic remote command execution and crypto key-seeking tool into a modular program capable of extensive data theft. Microsoft previously noted its capabilities include checking for virtual machine environments, installing communication clients like Socket.IO for command and control (C2), exfiltrating information, executing arbitrary shell commands, and loading additional modules for targeted data collection.
The specific four-stage payload observed in this campaign includes modules for stealing browser credentials and cryptocurrency wallets, a general file stealer, a Socket.IO-based remote access trojan (RAT) for persistent control, and a clipboard stealer. Notably, the file exfiltration module targets specific file extensions, including those associated with AI coding tools like .claude, .cursor, and .llama, indicating a focused effort to gather intelligence relevant to software development.
This campaign underscores the persistent targeting of software developers by state-sponsored actors. The compromise of a single developer can serve as an entry point for more extensive supply chain attacks, impacting downstream organizations. The use of steganography and social engineering highlights the evolving tactics employed by threat actors to bypass security measures and achieve their objectives.