North Korean Hackers Hide OtterCookie Malware in SVG Flag Images via Fake Coding Tests
Threat actors linked to North Korea's Contagious Interview campaign have weaponized steganography inside SVG image files to deliver a four-stage malware payload aligned with OtterCookie, Elastic Security Labs reports. The campaign, tracked as REF9403, began when a user named "Maxwell" posted a lure on the #jobs channel of Elastic's community Slack workspace in late May 2026, advertising a developer role to upgrade an e-commerce platform using Next.js v14, NestJS, PostgreSQL, Auth.js, and Stripe. Targets who expressed interest were moved into direct messages and instructed to complete a coding assessment, a social engineering pattern consistent with DPRK operations ongoing since at least December 2022.
The trojanized repositories distributed to victims contained fully functional code, but embedded malicious logic inside seemingly innocuous country flag images (AE.svg, AF.svg, etc.) stored in an assets directory. Each SVG file contains an injected HTML comment block with base64-encoded fragments of the payload, which are then reassembled by a JavaScript file called serverValidation.js. The attack chain is engineered to execute the malware on every server boot, silently exfiltrating data while the legitimate project runs without visible issues. A Socket.IO-based backdoor is also configured during the assessment, giving operators persistent remote access.
Once deployed, the OtterCookie-aligned malware unfolds in four stages: a browser credential and crypto wallet stealer, a file stealer, the Socket.IO RAT, and a clipboard stealer. OtterCookie itself first surfaced in September 2024 as a cross-platform JavaScript tool for executing remote commands and hunting crypto keys, and has since evolved into a modular framework. Developers handling cryptocurrency assets should verify their exposure by running a credential audit through a password checker and confirming no data has been inadvertently leaked via a email breach checker.
The findings underscore how state-sponsored operators are increasingly blending legitimate open-source projects with steganographic payloads to bypass static analysis and endpoint detection. Organizations recruiting developers on public Slack workspaces, GitHub, or LinkedIn should treat unsolicited coding challenges with heightened skepticism and require all assessment repositories to undergo sandboxed review before execution. To assess whether corporate traffic is being routed through anonymizing infrastructure that could mask attacker C2 communications, security teams can also run a VPN/proxy detector against known indicators.