High | Threat Report

North Korean Hackers Target 3,136 IP Addresses in PurpleBravo Campaign

North Korean hackers have targeted 3,136 IP addresses in a campaign known as PurpleBravo, using fake job interviews to gain access to sensitive information.

Evan Mael
Technology
Number of IP addresses targeted: 3,136
Number of potential victim organizations: 20
Number of countries affected: 10

The North Korean PurpleBravo campaign has targeted 3,136 IP addresses, primarily concentrated around South Asia and North America, using fake job interviews to gain access to sensitive information. The campaign, which was first documented in late 2023, has been linked to 20 potential victim organizations spanning various sectors, including artificial intelligence, cryptocurrency, financial services, IT services, marketing, and software development.

What Happened

The PurpleBravo campaign was uncovered by Recorded Future's Insikt Group, which has been tracking the North Korean threat activity cluster. The campaign is also known as CL-STA-0240, DeceptiveDevelopment, DEV#POPPER, Famous Chollima, Gwisin Gang, Tenacious Pungsan, UNC5342, Void Dokkaebi, and WaterPlum. The 3,136 individual IP addresses were targeted by the adversary from August 2024 to September 2025, with the 20 victim companies based in various countries, including Belgium, Bulgaria, Costa Rica, India, Italy, the Netherlands, Pakistan, Romania, the United Arab Emirates, and Vietnam.

Technical Details

The PurpleBravo campaign uses malicious Microsoft Visual Studio Code (VS Code) projects as an attack vector to distribute a backdoor, allowing the attackers to gain access to sensitive information. The campaign has also been observed managing two distinct sets of command-and-control (C2) servers for BeaverTail, a JavaScript infostealer and loader, and a Go-based backdoor known as GolangGhost. The C2 servers are hosted across 17 different providers and are administered via Astrill VPN and from IP ranges in China.

Impact and Risk

The PurpleBravo campaign poses a significant risk to the targeted organizations, as it allows the attackers to gain access to sensitive information and potentially compromise the security of the organizations' systems. The campaign also highlights the vulnerability of the IT software supply chain to infiltration by North Korean adversaries. Candidates approached by PurpleBravo with fictitious job offers have been found to take the coding assessment on company-issued devices, effectively compromising their employers in the process. This further emphasizes the need for organizations to be vigilant and take steps to protect themselves from such threats.

Mitigation Steps

To protect themselves from the PurpleBravo campaign, organizations should be cautious when dealing with job applicants and ensure that all necessary security measures are in place to prevent unauthorized access to sensitive information. This includes implementing robust security protocols, such as multi-factor authentication and encryption, and ensuring that all employees are aware of the potential risks and take necessary precautions when interacting with unknown individuals or entities. Additionally, organizations should consider implementing a supply-chain risk management program to identify and mitigate potential risks associated with their suppliers and partners.

Frequently Asked Questions

The PurpleBravo campaign is a North Korean hacking campaign that uses fake job interviews to gain access to sensitive information.

The PurpleBravo campaign has targeted 3,136 IP addresses, primarily concentrated around South Asia and North America.

The PurpleBravo campaign has targeted various sectors, including artificial intelligence, cryptocurrency, financial services, IT services, marketing, and software development.

Incident Summary

Type: Threat Report
Severity: High
Industry: Technology
Threat Actor: North Korean PurpleBravo
Target: Artificial intelligence, cryptocurrency, financial services, IT services, marketing, and software development sectors
Published: Jan 20, 2026
