Close Menu
    What's Hot

    How to Keep the Air Inside Safe From Wildfire Smoke

    Careless Drafting Destroyed the U.S.-Iran Memorandum

    7.3-Magnitude Earthquake in Central America Sets Off Tsunami Threat

    Facebook X (Twitter) Instagram
    Trending
    • How to Keep the Air Inside Safe From Wildfire Smoke
    • Careless Drafting Destroyed the U.S.-Iran Memorandum
    • 7.3-Magnitude Earthquake in Central America Sets Off Tsunami Threat
    • Cuban Dissident Is Missing A Week After Prison Release
    • E.U. Proposes Changes to Emissions Trading System
    • Lyft’s CEO Says, ‘We’re the Good Uber’
    • Parents in Uganda Demand Answers After Bus Crash Kills 21 Children
    • Fake Coding Tests Deliver OtterCookie-Aligned Malware Hidden in SVG Flag Images
    interluknewsinterluknews
    • Home
    • Business
      • Corporate News
      • Industry Insights
      • Startups & Entrepreneurship
      • Technology & Innovation
    • Economy
      • Economic Policy
      • Financial Analysis
      • Inflation & Interest Rates
      • Trade & Markets
    • Global
      • Conflicts & Security
      • Diplomacy
      • Global Trends
      • International Affairs
    • Lifestyle
      • Fashion
      • Food & Dining
      • Personal Development
      • Travel
    • Opinion
      • Columns
      • Editorials
      • Expert Opinions
      • Reader Voices
    • More
      • Politics
        • Elections
        • Government & Policy
        • International Relations
        • Political Analysis
      • Sports
        • Cricket
        • Football / Soccer
        • International Sports
        • Local Sports
      • Technology
        • Artificial Intelligence
        • Cybersecurity
        • Gadgets & Reviews
        • Tech News
      • South Africa News
    Facebook X (Twitter) Instagram
    interluknewsinterluknews
    Cybersecurity

    Fake Coding Tests Deliver OtterCookie-Aligned Malware Hidden in SVG Flag Images

    adminBy adminJuly 17, 2026No Comments4 Mins Read
    Share Facebook Twitter Pinterest Copy Link Telegram LinkedIn Tumblr Email
    Fake Coding Tests Deliver OtterCookie-Aligned Malware Hidden in SVG Flag Images
    Share
    Facebook Twitter LinkedIn Pinterest Email

    Ravie LakshmananJul 17, 2026Social Engineering / Malware

    Fake Coding Tests Deliver OtterCookie-Aligned Malware Hidden in SVG Flag Images

    North Korean threat actors linked to the Contagious Interview campaign have been observed employing steganography in SVG image files to conceal malicious payloads as part of a campaign using fake job postings and coding challenges.

    “Any user who ran the project ended up with a four-stage payload aligned with OTTERCOOKIE: a browser credential and crypto wallet stealer, a file stealer, a Socket.IO-based remote access trojan (RAT), and a clipboard stealer,” Elastic Security Labs said in a report shared with The Hacker News.

    The findings once again highlight the continued targeting of software developers by state-sponsored hackers aligned with the Democratic People’s Republic of Korea (DPRK) with an aim to steal sensitive data and plunder cryptocurrency wallets. The activity is being tracked under the moniker REF9403.

    The cybersecurity arm of the Dutch enterprise search and observability platform said it discovered the campaign after the threat actors targeted members of its community Slack workspace with social engineering lures for purported job offers, highlighting a new initial access avenue not previously documented in attacks associated with Contagious Interview, a sophisticated social engineering operation ongoing since at least December 2022.

    The messages, posted by a user named Maxwell on the #jobs Slack channel in late May 2026, sought an experienced developer to help with upgrading their e-commerce platform to a “modern, scalable architecture using Next.js (v14), NestJS, PostgreSQL, and Auth.js” along with Stripe integration.

    Cybersecurity

    Those who expressed interest in the opportunity were moved into direct messages that instructed them to complete a coding assessment as part of the job offer, a standard ploy observed in Contagious Interview campaigns. The assignment involved executing a trojanized repository containing malware designed to exfiltrate valuable data and configuring a Socket.IO backdoor.

    Specifically, the repositories distributed as part of the scheme incorporate fully functional code but also embed malicious code in the form of SVG images to sidestep detection.

    “While these legitimate-looking projects run perfectly fine, the malicious code is triggered silently behind-the-scenes,” Elastic said. “The payloads are split into base64 fragments inside HTML comments across every SVG flag image inside an assets directory. These files appear to be normal images of country flags (AE.svg, AF.svg), but each file contains an injected comment block with Base64-encoded data.”

    The payload is then assembled together by a JavaScript file (“serverValidation.js”) present in the repository. The attack chain is engineered such that the malware is executed on each server boot. Elastic said the main payload shares overlap with OtterCookie, a cross-platform malware that first emerged in September 2024.

    OtterCookie “evolved from a basic tool for executing remote commands and searching for crypto keys into a modular program capable of broader data theft with a capability to check for VM environments, install communication clients like socket.io for C2, exfiltrate information, executes arbitrary shell commands, load other modules to collect specific intended data and reports results,” Microsoft noted back in March.

    Cybersecurity

    The malware incorporates four distinct modules that allow it to harvest data from web browsers and cryptocurrency wallets, collect files matching a specific list of extensions, facilitate persistent remote control using a Socket.IO-based trojan that can execute shell commands, capture clipboard content, and drop Windows executables.

    Among the files gathered by OtterCookie include artificial intelligence (AI) coding tooling extensions such as .claude, .cursor, .gemini, .windsurf, .pearai, and .llama, suggesting the threat actor is actively refining its arsenal to hoover as much information as possible.

    It’s worth noting that the malware also exhibits some functional overlaps with a data stealer and trojan distributed via bogus npm packages masquerading as Rollup polyfill tooling, suggesting the threat actors are pursuing multiple vectors for propagation.

    “This campaign reinforces that developers remain a prime target, where the compromise of a single individual can provide the initial access needed to enable far-reaching supply chain attacks against downstream organizations,” Elastic said. “The success of these operations underscores how compromising an individual developer can provide a path to much broader organizational impact.”

    Coding Deliver fake Flag Hidden images Malware OtterCookieAligned SVG Tests
    Follow on Google News Follow on Flipboard
    Share. Facebook Twitter Pinterest LinkedIn Tumblr Email Copy Link
    Previous ArticleKalshi hands over Trump’s teleprompter operator to the feds. Here’s why
    Next Article Parents in Uganda Demand Answers After Bus Crash Kills 21 Children
    admin
    • Website

    Related Posts

    The Race to Field Military Autonomy Is On, Can Trusted Information Infrastructure Keep Pace?

    July 17, 2026

    E.U. Orders Google to Open Android Mic, Camera and Screen to Rival AI Assistants

    July 17, 2026

    Zoom Patches Critical Windows Flaw That Could Enable Account Takeover

    July 17, 2026
    Leave A Reply Cancel Reply

    Demo
    Latest Posts

    How to Keep the Air Inside Safe From Wildfire Smoke

    Careless Drafting Destroyed the U.S.-Iran Memorandum

    7.3-Magnitude Earthquake in Central America Sets Off Tsunami Threat

    Cuban Dissident Is Missing A Week After Prison Release

    Latest Posts

    Subscribe to News

    Get the latest sports news from NewsSite about world, sports and politics.

    Advertisement
    Demo

    We are a digital news platform delivering timely, accurate, and insightful coverage of politics, global affairs, business, economy, sports, and more. Our mission is to keep readers informed with reliable news, clear analysis, and stories that truly matter.
    We're social. Connect with us:

    Facebook X (Twitter) Instagram Pinterest YouTube

    Subscribe to Updates

    Get the latest creative news from FooBar about art, design and business.

    Type above and press Enter to search. Press Esc to cancel.

    Powered by
    ...
    ►
    Necessary cookies enable essential site features like secure log-ins and consent preference adjustments. They do not store personal data.
    None
    ►
    Functional cookies support features like content sharing on social media, collecting feedback, and enabling third-party tools.
    None
    ►
    Analytical cookies track visitor interactions, providing insights on metrics like visitor count, bounce rate, and traffic sources.
    None
    ►
    Advertisement cookies deliver personalized ads based on your previous visits and analyze the effectiveness of ad campaigns.
    None
    ►
    Unclassified cookies are cookies that we are in the process of classifying, together with the providers of individual cookies.
    None
    Powered by