How PurpleBravo Exploits Software Supply Chain Vulnerabilities: A Technical Analysis

January 21, 2026

Executive Summary

PurpleBravo represents a sophisticated North Korean state-backed threat actor whose operations align with the "Contagious Interview" campaign initially identified in November 2023. The group systematically targets software engineers and developers—particularly those operating within software development and cryptocurrency sectors—through elaborate social engineering schemes involving fraudulent recruiter personas, malicious coding assessments, and deceptive ClickFix techniques. Throughout 2025, investigative efforts have connected numerous fake LinkedIn profiles to PurpleBravo infrastructure through weaponized GitHub repositories and fabricated company fronts. The adversary's arsenal features BeaverTail, a JavaScript-based information stealer and loader, alongside cross-platform remote access trojans PyLangGhost and GolangGhost, both engineered specifically to exfiltrate browser credentials and cryptocurrency wallet data.

Leveraging Recorded Future® Network Intelligence capabilities, Insikt Group traced 3,136 distinct IP addresses—predominantly clustered across South Asian and North American regions—associated with probable PurpleBravo targeting activity spanning August 2024 through September 2025. Analysis revealed twenty organizations potentially compromised across diverse sectors including artificial intelligence, cryptocurrency, financial services, IT consulting, marketing, and software development, with geographic distribution spanning Europe, South Asia, the Middle East, and Central America. Evidence suggests that in multiple instances, job candidates executed malicious payloads on employer-issued hardware, thereby extending the attack surface beyond individual victims to encompass entire organizational networks. Insikt Group's telemetry indicates PurpleBravo operators manage command-and-control infrastructure through Astrill VPN services and Chinese IP address ranges, while BeaverTail and GolangGhost C2 servers maintain presence across seventeen separate hosting providers.

While Insikt Group maintains a clear operational distinction between PurpleBravo (Contagious Interview) and PurpleDelta (North Korean IT workers), research has uncovered significant tactical overlaps. These intersections include a suspected PurpleBravo operative exhibiting behavioral patterns characteristic of North Korean IT worker operations, Russian IP addresses tied to North Korean IT workers establishing connections with PurpleBravo C2 infrastructure, and administrative traffic originating from identical Astrill VPN IP addresses previously associated with PurpleDelta campaigns.

PurpleBravo constitutes an underestimated threat vector to the IT software supply chain ecosystem. Given that numerous targets operate within IT services and staff augmentation sectors serving extensive client portfolios, successful compromises carry significant downstream propagation risk to their customer base. This campaign represents a critical software supply-chain vulnerability for organizations relying on outsourced development resources, especially within geographic markets where PurpleBravo concentrates its fictitious recruitment operations.

Key Findings

  • PurpleBravo orchestrates sophisticated social engineering campaigns leveraging fabricated professional identities, shell companies, and counterfeit corporate websites to deliver malware to unsuspecting software development professionals. Victims frequently execute malicious code on corporate-issued equipment, inadvertently exposing their employers to security breaches.
  • The threat actor deploys a diverse malware ecosystem combining proprietary and open-source tooling, including BeaverTail, InvisibleFerret, GolangGhost, and PylangGhost, demonstrating technical versatility across multiple platforms.
  • Through Recorded Future Network Intelligence analysis, Insikt Group mapped 3,136 unique IP addresses connected to suspected PurpleBravo targeting operations and identified twenty organizations potentially victimized across AI, cryptocurrency, financial services, IT consulting, marketing, and software development verticals.
  • Insikt Group has documented several operational convergence points between PurpleBravo and PurpleDelta, Recorded Future's tracking designation for North Korean IT worker schemes, suggesting potential dual-role participation by certain operatives across both campaigns.
  • PurpleBravo's concentrated targeting of IT services and software development sectors throughout South Asia introduces a significant and underappreciated supply-chain security risk for organizations dependent on contracted or outsourced IT development capabilities.