NICKEL ALLEY strategy: Fake it ‘til you make it

Counter Threat Unit™ (CTU) researchers continue to investigate trends in Contagious Interview campaign activity conducted by NICKEL ALLEY, a threat group operating on behalf of the North Korean government. The group notoriously targets professionals in the technology sector by advertising fake job opportunities, deceiving prospective candidates through a fake job interview process, and ultimately delivering malware. 

In targeted attacks, NICKEL ALLEY often creates a fake LinkedIn company page to build credibility and maintains a coordinating GitHub account for malware delivery. In some instances, the threat actors have used the popular ‘ClickFix’ tactic to deliver malware via fake job skills assessment tasks. Additionally, the group has conducted opportunistic attacks by compromising npm package repositories and establishing typosquatted npm packages. Figure 1 highlights NICKEL ALLEY’s three areas of focus. 

Figure 1: NICKEL ALLEY victimology

ClickFix leads to PyLangGhost RAT

Since at least mid-2025, NICKEL ALLEY has used ClickFix to deliver PyLangGhost RAT. The success of this tactic coupled with the frequent cycling through staging domains indicates that the malware remained effective for the group throughout 2025. In multiple attacks throughout late 2025, the threat actor instructed a job candidate to perform fake interview tasks in an attacker-controlled web interface. The ClickFix tactic was implemented when the website presented an error informing the victim that they must run a command locally to fix the issue (see Figure 2). Instead of fixing an issue, the command initiates a series of actions that eventually lead to PyLangGhost RAT.

Figure 2: Partially truncated VBScript code example from an infection

When executed, the command retrieves an archive file from an attacker-controlled domain and writes it to the %TEMP% directory. It then decompresses the archive via the PowerShell Expand-Archive cmdlet. Finally, it uses the wscript command to execute a VBScript file that initiates the infection chain. The filename of the archive written to disk typically contains “fix” or “patch” (e.g., fixed.zip, patchesWin.zip). The VBScript filename is typically short (e.g., update.vbs, start.vbs).

The VBScript file uses the tar command to decompress an archive (Lib.zip) that contains benign library and support files. It then uses the Run method of WScript.Shell to execute a command via cmd.exe: cmd /c csshost.exe nvidia.py (see Figure 3). 

Figure 3: Partially truncated VBScript code example from an infection

The csshost.exe file is a renamed copy of the legitimate python.exe binary. The executable runs a Python file (nvidia.py) that initiates the PyLangGhost RAT infection chain. The filenames have varied slightly with each infection, but the naming themes remain consistent. The binary is renamed to a Windows system filename, and the Python filename often imitates an associated driver file.

The Python file is one of several Python modules that compose the overall PyLangGhost RAT code. The malware supports file exfiltration, arbitrary command execution, and system profiling. It also gathers browser credentials and cookies. The malware specifically targets Chrome cryptocurrency wallet browser extension data, emphasizing NICKEL ALLEY’s continued financial motivations.

PyLangGhost RAT was preceded by a GoLang-based version known as GoLangGhost RAT. Samples of GoLangGhost RAT were first observed in the wild around February 2025. PyLangGhost RAT samples were discovered by May, revealing that the GoLangGhost code was roughly ported over to the Python language. 

The malware staging domain observed in one of the attacks (talentacq[.]pro) was created on September 23 and was observed in an active campaign less than two weeks later. The domain name mimics a legitimate talent recruitment organization. The attacker-controlled domain served a custom 404 error page that contained a misspelled word (“opps”) and unusual phrasing (“Your assessment link might be invalid or expired”), which aligns with previous fake job social engineering activity (see Figure 4). 

Figure 4: Screenshot of custom 404 page hosted on malware staging domain

The custom 404 page may be a decoy, as this domain delivered malware via a curl command. If a victim visits the domain in a web browser to verify it before executing the curl command specified in the ClickFix attack, the error suggests that there is simply a problem with the attacker-provided “assessment link”. The victim may not suspect a malicious domain. In a separate observed attack, the publicshare[.]org domain was both registered and used in a campaign on the same day in August. 

Code repositories used to infect developers’ systems

In October, Sophos analysts observed a targeted attack where the threat actors convinced a victim to download (clone) the content of a GitHub repository and execute the code locally using the “npm install” and “npm start” commands. The GitHub account (astrasbytesyncs) masquerades as a software development company specializing in full stack web development and blockchain solutions (see Figure 5). The account contains links to an “official” company website (hxxps://astrabytesyncs[.]com) and the purported LinkedIn company page. 

Figure 5: Astra Byte Sync GitHub account

The website home page is generic and advertises “tech talent” and managed service solutions (see Figure 6).  The website page title suggests that the site was built using a generic template, as it still contains the text “IT solutions & Corporate template”. The LinkedIn page referenced on the GitHub account lists a different domain (astra[.]com) as the company website. Analysis revealed that astra[.]com belongs to a legitimate aerospace company. The inclusion of different domains on the fake LinkedIn company page and the GitHub account highlights the threat actors’ inconsistency and lack of attention to detail. 

Figure 6: Screenshot of Astra Byte Sync website

A June 2025 X post warned of a campaign involving targeted emails promoting job opportunities at the fake Astra Byte Sync company. However, the threat actors had not built the website at the time the emails were sent, so the site simply displayed the hosting provider’s default page. The associated GitHub repository used to deliver malware in this campaign claims to be a Web3 crypto game platform (see Figure 7). The theme of these lures aligns with North Korean threat actors targeting of Web3 developers throughout 2025 with the goal of cryptocurrency theft. 

Figure 7: Malicious repository disguised as fake crypto game

The repository (web3-social-platform) contained a file named index.js that handled the network connection to the malware staging server. A variable named AUTH_API_KEY, stored in a file named .env, contains a Base64-encoded URL that points to the malware staging server. The code in index.js implements the Node.js fetch API to send an HTTP request to that URL and retrieve BeaverTail malware (see Figure 8). Throughout late 2025, the threat actors preferred the Vercel cloud platform provider. The platform advertises support for front-end and server-side web development. The threat actors have capitalized on this platform-as-a-service provider because it allows them to host multiple payloads, and they can choose which payload to deliver based on the specific victim and system configuration. The retrieved payload is then executed locally via the eval() method. 

Figure 8: HTTP GET request to retrieve BeaverTail

NICKEL ALLEY has used this approach to lure unsuspecting developers into infecting their own systems with malware since 2024. The attacker-owned GitHub repositories often contain simple, obfuscated code for downloading BeaverTail or OtterCookie malware. 

In late 2025, NICKEL ALLEY established code repositories containing Visual Studio Code (VS Code) “tasks”. Located in the .vscode/tasks.json configuration file, VS Code tasks are a legitimate feature typically used to assist with automating build scripts or quick code testing and debugging. However, the threat actors have used them to execute curl or wget commands for retrieving malware based on the victim’s operating system. The task is set to run when the configuration file’s parent folder (.vscode) is opened in the VS Code application. This run behavior is configured via the runOptions:runOn property. As the code snippet in Figure 9 shows, the threat actors have relied on Vercel for payload hosting in these attacks as well. 

Figure 9: VS Code tasks.json configuration file used by NICKEL ALLEY (truncated for brevity)

The GitHub commit history for NICKEL ALLEY code bases often reflects that the malware staging URL has been removed in one of the code commits. This approach allows the threat actors to conceal infrastructure and malicious commands when the repository is not actively in use. Additionally, it emphasizes that the threat actors only need to change a few lines of code to route payload retrieval to a different malware staging server.

NICKEL ALLEY updates its network infrastructure to align with its social engineering lures and to evade detections. The group generally targets tech workers who are open to freelance or other job opportunities, and it continued to deploy PyLangGhost malware via the ClickFix tactic into late 2025.  The threat actors often convince victims to execute the malware on their corporate systems, thus exposing organizations to this threat. Given the popularity of the ClickFix tactic in a variety of cybercriminal and state-sponsored campaigns, all organizations should monitor command execution resulting from browser clipboard data. Additionally, defenders should look for suspicious commands involving a combination of curl, PowerShell, and launching of executables from the %TEMP% directory.  

While these attacks appear to have a central goal of cryptocurrency theft, the threat group has demonstrated its intention to use initial access for further supply chain compromise or corporate espionage. Persistent requests for targets to execute code on their corporate systems rather than a personal laptop reinforce this intent. Additionally, the threat group has strategically selected follow-on payloads based on profiling victims’ system. Software developers, especially those in the finance and technology industries, are at elevated risk due to NICKEL ALLEY’s targeting profile. Organizations should monitor command execution and network traffic that spawns from Node.js processes, as it may indicate malware retrieval. As a general security practice, organizations should encourage employees to report suspicious unsolicited social media or email-based recruitment contact.

Detections and threat indicators

SophosLabs has developed the following detections for this threat:

• Troj/PySteal-AW
• Troj/PyAgent-AS
• Troj/PyAgent-AU
• Troj/Pysteal-AY
• Troj/PyAgent-AP

The threat indicators in Table 1 can be used to detect activity related to this threat. Note that IP addresses can be reallocated. The domains, URLs, and IP addresses may contain malicious content, so consider the risks before opening them in a browser.

Table 1: Indicators for this threat