Real Blood on the Wire: How a Fake Coding Interview Exposed Lazarus Credential Theft

The Day It Became Access: How Fake Interviews Turn Developer Trust Into Attack Surface

A fake interview does not become dangerous only when malware runs. In Episode 8 of The Fake Interview, we step back from the repository, the workstation, and the Google Mirror to look at the behavioral layer that made the campaign work: cooperation. The recruiter message, the plausible company, the broken call, the shared repository, the real browser, the login prompt, the screen share — none of these has to look malicious by itself. Together, they move a developer from suspicion into trust. This episode asks when the compromise really begins, why developer identity is an access path, and why suspicious interviews should never touch the same environment where real credentials, source-control sessions, cloud consoles, wallets, and work accounts already live. No victim data, credentials, live endpoints, reusable access steps, or operational exploit details are included.

The Google Mirror: Browser Trust as the Attack Surface

Last episode, The Fake Interview followed OtterCookie inside the developer workstation. Episode 7 moves one step outward. The Google Mirror is about a different layer of the same operation: not the repository, not the payload, not the screenshot loop, but the trusted identity path around the machine. The investigation found infrastructure positioned to proxy Google services, with behavior specific enough to separate it from ordinary command-and-control infrastructure and from a generic phishing page. This episode is careful about what the evidence does and does not support. It does not claim Google was compromised. It does not claim a certificate authority was compromised. It does not claim the delivery path into the mirror was confirmed. What it does show is more precise: the campaign had infrastructure for the identity layer around developer compromise. A Google account is not one account. For a developer, it can be mail, calendar, documents, OAuth, password recovery, browser sync, shared drives, cloud access, source-control recovery, and the map of where work goes next. The repository asked the developer to run code. OtterCookie waited for the developer to keep working. The mirror waited for the developer to trust the browser. This was The Fake Interview.

OtterCookie: The Malware That Watched the Developer

Every five seconds, OtterCookie took another look at the workstation. Episode 06 of The Fake Interview examines OtterCookie, a second-stage malware family associated with DPRK-linked Contagious Interview activity. Where earlier stages helped explain how fake technical interviews moved developers from conversation to code execution, OtterCookie shows what the operation wanted after the code was already running. This episode focuses on the real target: the developer workstation. Not an empty sandbox. Not a clean analysis VM. The real machine, with browser history, terminal residue, clipboard activity, authenticated sessions, wallets, cloud consoles, source-control access, and work still in motion. OtterCookie matters because it moved the compromise from static theft toward live observation. A credential dump captures one moment. A watcher can wait for the work to happen. In this episode: OtterCookie’s role in the broader fake-interview pipeline Why screenshots and keyboard capture mean something different on real workstations Why clean sandboxes can miss the operational value of the implant How wallet targeting changes the personal stakes for Web3 developers Why “use a VM” is right, but incomplete Why the developer became the perimeter This episode avoids live indicators, exploit walkthroughs, victim records, and reusable operational detail. The goal is to explain the campaign safely: what changed, why it mattered, and what developers and defenders should understand. The real workstation was the target. The Fake Interview is a narrative technical podcast from Red Asgard about DPRK-linked fake interview campaigns targeting developers.

the FTP Server: How One Boring Label Hid a Second Layer of the Campaign

Episode 05 focuses on how infrastructure can be misclassified during an active investigation. The server discussed here was initially understood through its FTP exfiltration role. Later evidence tied the same host to additional campaign-linked services, including OtterCookie-related collection behavior.

Eleven Hours: Inside the Lazarus Operator’s Disk After the Fake Interview Campaign

A live adversary server. Two password changes. Eleven hours. Episode 04 follows the forensic window where researchers preserved a contested Windows machine used in a Lazarus-attributed fake-interview campaign, uncovering the operator workbench behind the lures: campaign archives, fake-company material, targeting pipelines, wallet artifacts, browser traces, and signs of AI-assisted workflow.