Back to Intelligence

Contagious Interview Campaign: North Korean Threat Actors Use SVG Steganography to Deliver OTTERCOOKIE Malware

SA
Security Arsenal Team
July 17, 2026
10 min read

Introduction

Security teams must be on high alert for a sophisticated social engineering campaign dubbed "Contagious Interview" being orchestrated by North Korean threat actors. The campaign leverages fraudulent job postings and coding challenges to deliver a four-stage malware known as OTTERCOOKIE, which is designed to steal browser credentials, cryptocurrency wallets, and sensitive files from victim systems.

What makes this campaign particularly dangerous is the attackers' use of steganography techniques within SVG image files to conceal malicious code. This approach bypasses many traditional security controls, as SVG files are commonly used in legitimate development projects and are often permitted through security filters.

Given the rise of remote work and the continued growth of technical hiring, this threat targets a vulnerability that many organizations overlook: the recruitment process itself. Security leaders need to implement targeted defenses against this campaign immediately.

Technical Analysis

Threat Overview

The Contagious Interview campaign begins with fake job postings on popular recruitment platforms, targeting technical roles such as software developers. When applicants express interest, they receive coding challenges that include SVG image files. These files contain hidden malicious code deployed through steganography techniques.

The OTTERCOOKIE malware deployed in this campaign operates in four distinct stages:

  1. Initial execution: The malicious SVG files contain code that executes when opened or processed
  2. Browser credential harvesting: Collects stored credentials from popular web browsers
  3. Cryptocurrency wallet targeting: Specifically targets crypto wallet credentials and assets
  4. File exfiltration: Identifies and steals sensitive files from the victim's system

Attack Chain

  1. Initial Vector: Targets respond to fraudulent job postings
  2. Delivery: Victims receive "coding challenges" containing SVG files with embedded malicious code
  3. Execution: Malicious payload executes when SVG files are opened
  4. Payload Deployment: Four-stage OTTERCOOKIE malware is deployed
  5. Data Theft: Credentials, wallet data, and files are harvested
  6. Exfiltration: Stolen data is transmitted to attacker-controlled infrastructure

Affected Platforms

  • Operating Systems: Primarily Windows-based systems
  • Targeted Applications: Web browsers (Chrome, Edge, Firefox, etc.), cryptocurrency wallet applications
  • Delivery Mechanism: SVG image files processed by common development tools and image viewers

Exploitation Status

This threat represents an active, ongoing campaign with confirmed exploitation in the wild. The steganographic technique used in SVG files is not based on a specific vulnerability but rather an abuse of legitimate functionality, making detection particularly challenging for traditional security controls.

Detection & Response

SIGMA Rules

YAML
---
title: Suspicious SVG File with Embedded Script Content
id: a3f5e8c2-7b4d-4e9f-a1c3-8d7b6a5e4f2g
status: experimental
description: Detects SVG files containing potentially malicious script content typical of OTTERCOOKIE delivery
references:
  - https://attack.mitre.org/techniques/T1027/
author: Security Arsenal
date: 2026/07/15
tags:
  - attack.defense_evasion
  - attack.t1027.003
logsource:
  category: file_event
  product: windows
detection:
  selection:
    TargetFilename|contains: '.svg'
  filter_legit:
    TargetFilename|contains:
      - 'Program Files'
      - 'Program Files (x86)'
  condition: selection and not filter_legit
falsepositives:
  - Legitimate SVG files used in development
level: medium
---
title: Potential Credential Theft via PowerShell
id: b8c4f9d3-8a5e-4f2b-b3d4-9e7c6a5f4d3e
status: experimental
description: Detects PowerShell commands consistent with browser credential harvesting by OTTERCOOKIE malware
references:
  - https://attack.mitre.org/techniques/T1055/
author: Security Arsenal
date: 2026/07/15
tags:
  - attack.credential_access
  - attack.t1055.001
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\powershell.exe'
    CommandLine|contains:
      - 'Get-Content'
      - 'Local State'
      - 'Login Data'
  condition: selection
falsepositives:
  - Legitimate administrative tasks
level: high
---
title: Suspicious Process Chain Involving SVG Files
id: c9d5e0f4-9b6f-5g3c-c4e5-0f8d7b6a5f4e
status: experimental
description: Detects suspicious process chains potentially related to OTTERCOOKIE malware execution from SVG files
references:
  - https://attack.mitre.org/techniques/T1204/
author: Security Arsenal
date: 2026/07/15
tags:
  - attack.execution
  - attack.t1204.002
logsource:
  category: process_creation
  product: windows
detection:
  selection_parent:
    Image|endswith:
      - '\msedge.exe'
      - '\chrome.exe'
      - '\firefox.exe'
  selection_child:
    Image|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
      - '\wscript.exe'
    CommandLine|contains: '.svg'
  condition: selection_parent and selection_child
falsepositives:
  - Legitimate development work with SVG files
level: high

KQL (Microsoft Sentinel / Defender)

KQL — Microsoft Sentinel / Defender
// Hunt for suspicious SVG file activity related to OTTERCOOKIE delivery
DeviceFileEvents
| where Timestamp > ago(7d) 
| where FileName endswith ".svg" 
| where not InitiatingProcessFolderPath has @"Program Files" 
| where not InitiatingProcessFolderPath has @"Program Files (x86)"
| project Timestamp, DeviceName, FileName, FolderPath, InitiatingProcessAccountName, InitiatingProcessCommandLine
| order by Timestamp desc

// Hunt for credential theft behavior consistent with OTTERCOOKIE
DeviceProcessEvents
| where Timestamp > ago(7d) 
| where FileName =~ "powershell.exe" 
| where ProcessCommandLine has any("Local State", "Login Data", "Web Data", "cookies")
| project Timestamp, DeviceName, FileName, ProcessCommandLine, InitiatingProcessFileName, AccountName
| order by Timestamp desc

// Hunt for network connections to suspicious domains after SVG file access
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where InitiatingProcessCommandLine has ".svg" or InitiatingProcessFileName has @"rundll32.exe"
| project Timestamp, DeviceName, RemoteUrl, RemoteIP, RemotePort, InitiatingProcessFileName
| order by Timestamp desc

Velociraptor VQL

VQL — Velociraptor
-- Hunt for suspicious SVG files in recent downloads
SELECT FullPath, Size, Mtime, Atime, Btime
FROM glob(globs="*/Downloads/*.svg")
WHERE Mtime > now() - 7d

-- Hunt for browser credential theft processes
SELECT Pid, Name, Exe, CommandLine, Username
FROM pslist()
WHERE CommandLine =~ "Local State" OR CommandLine =~ "Login Data" OR CommandLine =~ "Web Data"

-- Hunt for network connections to suspicious domains associated with OTTERCOOKIE
SELECT RemoteAddress, RemotePort, State, Pid, Family
FROM netstat()
WHERE RemoteAddress NOT IN ("127.0.0.1", "::1")
   AND Pid IN (SELECT Pid FROM pslist() WHERE Name =~ "powershell" OR Name =~ "cmd" OR Name =~ "wscript")

-- Search for registry modifications related to persistence
SELECT Key, LastModified, Value
FROM registry_globs(globs="**/Software/Microsoft/Windows/CurrentVersion/Run/**")
WHERE Value =~ "script" AND LastModified > now() - 7d

Remediation Script (PowerShell)

PowerShell
# PowerShell script to scan for and quarantine suspicious SVG files
# This script should be run with administrative privileges

# Define the scan paths (User profiles are the primary target)
$scanPaths = @(
    "$env:USERPROFILE\Downloads",
    "$env:USERPROFILE\Desktop",
    "$env:USERPROFILE\Documents"
)

# Define suspicious patterns that might indicate SVG steganography
$suspiciousPatterns = @(
    "data:text/javascript",
    "<script",
    "javascript:",
    "vbscript:",
    "eval(",
    "document.write",
    "base64",
    "window.location"
)

# Function to scan for suspicious SVG files
function Scan-SVGFiles {
    param([string[]]$paths)
    
    $suspiciousFiles = @()
    
    foreach ($path in $paths) {
        if (Test-Path -Path $path) {
            Write-Host "Scanning path: $path" -ForegroundColor Cyan
            
            # Get all SVG files modified in the last 30 days
            $svgFiles = Get-ChildItem -Path $path -Filter "*.svg" -Recurse -ErrorAction SilentlyContinue | 
                        Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-30) }
            
            foreach ($file in $svgFiles) {
                $fileContent = Get-Content -Path $file.FullName -Raw -ErrorAction SilentlyContinue
                
                if ($fileContent) {
                    foreach ($pattern in $suspiciousPatterns) {
                        if ($fileContent -like "*$pattern*") {
                            $suspiciousFiles += [PSCustomObject]@{
                                Path = $file.FullName
                                Size = $file.Length
                                LastModified = $file.LastWriteTime
                                SuspiciousPattern = $pattern
                            }
                            break
                        }
                    }
                }
            }
        }
    }
    
    return $suspiciousFiles
}

# Function to quarantine suspicious files
function Quarantine-Files {
    param([array]$files)
    
    if ($files.Count -eq 0) {
        Write-Host "No suspicious files found." -ForegroundColor Green
        return
    }
    
    # Create quarantine directory if it doesn't exist
    $quarantinePath = "C:\SecurityArsenal\Quarantine"
    if (-not (Test-Path -Path $quarantinePath)) {
        New-Item -ItemType Directory -Path $quarantinePath -Force | Out-Null
        Write-Host "Created quarantine directory at $quarantinePath" -ForegroundColor Yellow
    }
    
    # Move files to quarantine
    foreach ($file in $files) {
        try {
            $fileName = Split-Path -Path $file.Path -Leaf
            $quarantineFile = Join-Path -Path $quarantinePath -ChildPath "$($fileName).quarantine"
            
            if (-not (Test-Path -Path $quarantineFile)) {
                Move-Item -Path $file.Path -Destination $quarantineFile -Force
                Write-Host "Quarantined file: $($file.Path)" -ForegroundColor Yellow
                
                # Log the action
                $logEntry = "$(Get-Date -Format 'yyyy-MM-dd HH:mm:ss') - Quarantined file: $($file.Path) (Pattern: $($file.SuspiciousPattern))"
                Add-Content -Path "$quarantinePath\QuarantineLog.txt" -Value $logEntry
            }
        }
        catch {
            Write-Host "Error quarantining file $($file.Path): $($_.Exception.Message)" -ForegroundColor Red
        }
    }
}

# Execute the scan and quarantine
Write-Host "Starting SVG file scan for OTTERCOOKIE indicators..." -ForegroundColor Cyan
$suspiciousFiles = Scan-SVGFiles -paths $scanPaths

if ($suspiciousFiles.Count -gt 0) {
    Write-Host "Found $($suspiciousFiles.Count) suspicious SVG files." -ForegroundColor Yellow
    $suspiciousFiles | Format-Table -AutoSize
    
    $response = Read-Host "Do you want to quarantine these files? (Y/N)"
    if ($response -eq 'Y' -or $response -eq 'y') {
        Quarantine-Files -files $suspiciousFiles
    }
} else {
    Write-Host "No suspicious SVG files found." -ForegroundColor Green
}

# Check for recent browser credential access attempts
Write-Host "Checking for recent browser credential access attempts..." -ForegroundColor Cyan
$recentEvents = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'
    ID = 4663
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue | 
Where-Object { $_.Message -match "(Login Data|Local State|Web Data|cookies)" } | 
Select-Object TimeCreated, Id, Message

if ($recentEvents) {
    Write-Host "Found recent file access events that may indicate credential theft:" -ForegroundColor Yellow
    $recentEvents | Format-List -Property TimeCreated, Id, Message
} else {
    Write-Host "No suspicious browser credential access events found." -ForegroundColor Green
}

Write-Host "Scan complete." -ForegroundColor Cyan

Remediation

Immediate Response Actions

  1. Isolate affected systems: If the OTTERCOOKIE malware has been identified, immediately isolate affected systems from the network to prevent further data exfiltration.

  2. Conduct credential audit: Review all browser-stored credentials and crypto wallet credentials on systems that may have processed SVG files from unknown sources. Compromised credentials should be changed immediately.

  3. Scan for SVG files: Implement detection scripts like the one provided above to identify SVG files containing suspicious JavaScript or other code patterns.

  4. Review recruitment processes: Inform HR and recruitment teams about this threat and establish procedures for verifying the authenticity of technical assessments and coding challenges.

Long-Term Defensive Measures

  1. Implement content filtering: Configure email and web security gateways to scan SVG files for embedded JavaScript or other suspicious content before allowing them to reach end users.

  2. Restrict SVG execution: Consider implementing application control policies to restrict which applications can execute SVG files.

  3. Browser security hardening:

    • Disable or restrict browser extensions for users who don't require them
    • Implement browser isolation solutions for high-risk users
    • Regularly clear browser credentials and avoid storing sensitive passwords in browsers
  4. Security awareness training:

    • Train technical staff about the risks associated with unsolicited coding challenges
    • Educate HR professionals about this social engineering vector
    • Establish verification procedures for all incoming job application materials
  5. Endpoint detection improvements:

    • Deploy EDR solutions with behavioral analysis capabilities to detect OTTERCOOKIE-like activities
    • Configure monitoring for suspicious processes accessing browser credential stores
    • Implement network monitoring to detect connections to known malicious infrastructure
  6. Crypto wallet protections:

    • Use hardware wallets for storing significant cryptocurrency assets
    • Avoid keeping large crypto holdings in browser-based wallets
    • Implement multi-factor authentication for all crypto wallet access

Hunting Guidance

Security teams should proactively hunt for signs of OTTERCOOKIE malware activity:

  1. Search for recently created or modified SVG files in user directories
  2. Review process execution logs for unusual patterns involving file access to browser credential stores
  3. Monitor network connections to suspicious domains that may be receiving exfiltrated data
  4. Look for registry modifications consistent with malware persistence mechanisms

Incident Response Considerations

If OTTERCOOKIE malware is confirmed in your environment:

  1. Assume all browser credentials on affected systems are compromised
  2. Assume any cryptocurrency wallets accessed from affected systems are compromised
  3. Conduct a thorough forensic investigation to determine the scope of data exfiltration
  4. Review all recruitment and hiring processes that may have been targeted
  5. Notify individuals whose credentials or data may have been compromised

Related Resources

Security Arsenal Penetration Testing Services AlertMonitor Platform Book a SOC Assessment vulnerability-management Intel Hub

sigma-rulekql-detectionthreat-huntingdetection-engineeringsiem-detectionottercookie-malwaresvg-steganographycontagious-interviewnorth-korean-threatcredential-theft

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.