The Fake Interview

Eleven Hours: Inside the Lazarus Operator’s Disk After the Fake Interview Campaign

A live adversary server. Two password changes. Eleven hours. Episode 04 follows the forensic window where researchers preserved a contested Windows machine used in a Lazarus-attributed fake-interview campaign, uncovering the operator workbench behind the lures: campaign archives, fake-company material, targeting pipelines, wallet artifacts, browser traces, and signs of AI-assisted workflow.

The Factory: How a Lazarus-Attributed Credential Pipeline Collected Its Own Operators

Episode 3 focuses on the operator side of the campaign: - why the collection pipeline did not distinguish between targets and operators; - how operator workstations appeared in material collected by the campaign; - how those workstations exposed social-engineering workflow, persona infrastructure, testing behavior, provisioning activity, and command structure; - why OtterCookie should be understood as a post-access occupation tool; - what defenders can learn from the factory model without needing access to sensitive data.

Trailer: The Fake Interview

A fake coding interview. A malicious repository. A real developer workstation. The Fake Interview is a Red Asgard narrative investigation into a DPRK-linked, Lazarus-attributed campaign targeting developers, Web3 engineers, and freelance technologists through job offers, coding tests, and trust. Start with Episode 1: Real Blood on the Wire.

The Repository That Called Home: Lazarus, Fake Interviews, and Malicious Code

Episode 2 of The Fake Interview follows the first repository: a fake software project delivered through a job interview that behaved like real work until the moment it called home. We examine how a malicious coding test abused normal developer behavior: opening a project, trusting a workspace, installing dependencies, running local code, and debugging what looked like a broken app. This episode covers: - DPRK-linked fake interview activity - malicious GitHub / contractor repositories - VSCode and Cursor workspace trust abuse - run-on-folder-open execution - Function.constructor abuse in JavaScript - Vercel-hosted stage-one infrastructure - payload delivery and command-and-control routing - why developer machines are high-value targets Companion notes: https://podcast.redasgard.com/pages/companion-technical-notes-episode-02-the-repository-that-called-home

Real Blood on the Wire: How a Fake Coding Interview Exposed Lazarus Credential Theft

In this episode of The Fake Interview, we investigate how a fake coding interview became a credential theft operation targeting software developers, Web3 engineers, and cryptocurrency workers. Topics covered: - Lazarus / DPRK-linked Contagious Interview activity - malicious coding tests - developer workstation compromise - credential theft - malware infrastructure - threat intelligence lessons for security teams Companion notes: https://podcast.redasgard.com/pages/companion-technical-notes-episode-1-real-blood-on-the-wire