Executive Summary
PurpleBravo is a North Korean state-backed threat actor whose operations align with the "Contagious Interview" campaign first reported in November 2023. The group targets software engineers and developers, particularly those working in software development and cryptocurrency firms, through social engineering built around fake recruiter personas, malicious coding assessments, and ClickFix lures that trick the target into pasting a supposed "fix" command into a terminal or run dialog. Throughout 2025, investigators have tied numerous fake LinkedIn profiles to PurpleBravo infrastructure via weaponized GitHub repositories and fabricated front companies. The group's tooling includes BeaverTail, a JavaScript-based information stealer and loader, and the cross-platform remote access trojans PyLangGhost and GolangGhost, both built to steal browser credentials and cryptocurrency wallet data.
Using Recorded Future® Network Intelligence, Insikt Group identified 3,136 distinct IP addresses, clustered mostly in South Asia and North America, associated with probable PurpleBravo targeting activity between August 2024 and September 2025. Analysis surfaced twenty potential victim organizations in the artificial intelligence, cryptocurrency, financial services, IT services, marketing, and software development sectors across Europe, South Asia, the Middle East, and Central America. In several cases the evidence indicates that job candidates executed the malicious payload on employer-owned devices, extending the risk from the individual who was lured to the organization whose endpoint they used. Insikt Group telemetry shows PurpleBravo operators administering command-and-control (C2) infrastructure over Astrill VPN connections and from IP ranges in China, with BeaverTail and GolangGhost C2 servers spread across seventeen separate hosting providers.
Insikt Group tracks PurpleBravo (Contagious Interview) and PurpleDelta (North Korean IT workers) as distinct groups, but the research found significant operational overlap between them: a suspected PurpleBravo operator exhibiting behavior characteristic of North Korean IT worker activity, Russian IP addresses tied to North Korean IT workers communicating with PurpleBravo C2 infrastructure, and administrative traffic from the same Astrill VPN IP addresses previously associated with PurpleDelta operations.
PurpleBravo is an underappreciated risk to the software supply chain. Because many targets work at IT services and staff-augmentation firms with large public client portfolios, a successful compromise of one developer's workstation can cascade downstream to those firms' customers. For organizations that rely on outsourced development, particularly in the regions where PurpleBravo concentrates its fake recruitment, the campaign is a material supply-chain risk rather than a problem confined to the individual job seeker.
Key Findings
- PurpleBravo runs social engineering campaigns built on fabricated personas, shell companies, and counterfeit websites to deliver malware to software development professionals. Victims often use corporate-issued devices during these interactions, exposing their employers to compromise.
- The threat actor deploys a mix of proprietary and open-source tooling across its operations, including BeaverTail, InvisibleFerret, GolangGhost, and PyLangGhost.
- Through Recorded Future Network Intelligence analysis, Insikt Group mapped 3,136 unique IP addresses connected to suspected PurpleBravo targeting efforts and identified twenty potential victim organizations spanning AI, cryptocurrency, financial services, IT services, marketing, and software development verticals.
- Insikt Group has documented several operational convergence points between PurpleBravo and PurpleDelta, Recorded Future's classification for North Korean IT workers, suggesting certain individuals may participate in both campaigns simultaneously.
- PurpleBravo's concentrated targeting of IT and software development sectors throughout South Asia introduces a significant and underappreciated supply-chain vulnerability for organizations dependent on contracted or outsourced IT services.
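One practical control that follows from the findings above (the coding-assessment lure and the corporate-device exposure in the first two bullets, and the weaponized repositories described in the summary) is to triage a recruiter-supplied repository before executing anything in it, and to do so on a disposable machine rather than a work laptop. The script below is an added example for this page, not code from the Insikt Group report; its heuristics (npm lifecycle hooks that run code at install time, a single enormous line of JavaScript, eval of a decoded string, large base64 blobs, browser-profile paths) are generic traits of trojanized developer projects chosen for illustration, not PurpleBravo indicators, and the two sample projects it scans are constructed in a temporary directory.

```python
"""Triage a recruiter-supplied repository before running it on a work machine.

Added example for this page, not code from the Insikt Group report. The
heuristics are generic traits of trojanized developer projects chosen for
illustration (assumptions, not PurpleBravo indicators): npm lifecycle hooks
that run code at install time, a single enormous line of JavaScript, eval of
a decoded string, large base64 blobs, and browser-profile paths.
"""
import json
import os
import re
import tempfile

MAX_LINE_LEN = 1500  # threshold is an assumption; minified libraries can exceed it, so review by hand
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")
SUSPICIOUS_JS = {
    "eval_of_decoded_string": re.compile(r"eval\s*\(\s*(?:atob|Buffer\.from|unescape)\s*\("),
    "dynamic_function_ctor": re.compile(r"new\s+Function\s*\("),
    "child_process_require": re.compile(r"require\s*\(\s*['\"]child_process['\"]\s*\)"),
    "browser_profile_path": re.compile(r"Local Extension Settings|Login Data|User Data", re.I),
    "large_base64_blob": re.compile(r"['\"][A-Za-z0-9+/=]{200,}['\"]"),
}


def scan_package_json(path):
    """Flag scripts that npm runs automatically during `npm install`."""
    findings = []
    try:
        with open(path, encoding="utf-8") as fh:
            pkg = json.load(fh)
    except (OSError, ValueError) as exc:
        return [(path, "unparseable_package_json", str(exc))]
    for hook, cmd in pkg.get("scripts", {}).items():
        if hook in LIFECYCLE_HOOKS:
            findings.append((path, f"lifecycle_hook:{hook}", cmd))
    return findings


def scan_js(path):
    """Flag obfuscation and credential-access traits in one JavaScript file."""
    findings = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    longest = max((len(line) for line in text.splitlines()), default=0)
    if longest > MAX_LINE_LEN:
        findings.append((path, "very_long_line", str(longest)))
    for name, rx in SUSPICIOUS_JS.items():
        match = rx.search(text)
        if match:
            findings.append((path, name, match.group(0)[:60]))
    return findings


def scan_repo(root):
    """Walk a checkout and return (file, finding, evidence) triples; empty list means nothing flagged."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in (".git", "node_modules")]
        for name in filenames:
            path = os.path.join(dirpath, name)
            if name == "package.json":
                findings.extend(scan_package_json(path))
            elif name.endswith((".js", ".cjs", ".mjs")):
                findings.extend(scan_js(path))
    return findings


def build_demo_repos():
    """Write two constructed sample projects to a temp dir: one benign, one trojanized."""
    root = tempfile.mkdtemp(prefix="assessment-")
    benign = os.path.join(root, "benign")
    os.makedirs(os.path.join(benign, "src"))
    with open(os.path.join(benign, "package.json"), "w") as fh:
        json.dump({"name": "take-home", "scripts": {"test": "node src/test.js"}}, fh)
    with open(os.path.join(benign, "src", "index.js"), "w") as fh:
        fh.write("module.exports = (a, b) => a + b;\n")

    bad = os.path.join(root, "trojanized")
    os.makedirs(os.path.join(bad, "lib"))
    with open(os.path.join(bad, "package.json"), "w") as fh:
        json.dump({"name": "take-home",
                   "scripts": {"postinstall": "node lib/config.js", "test": "node src/test.js"}}, fh)
    # One 1,600-character line: a base64 blob decoded and fed to eval (constructed and inert).
    blob = "A" * 1600
    with open(os.path.join(bad, "lib", "config.js"), "w") as fh:
        fh.write(f'const s="{blob}";eval(Buffer.from(s,"base64").toString());\n')
    return benign, bad


if __name__ == "__main__":
    for repo in build_demo_repos():
        print(repo, scan_repo(repo) or "no findings")
```

The `postinstall` hook is the finding that matters most: it runs the moment the candidate types `npm install`, before any "assessment" code is read, which is why a repository with install-time hooks and a file of obfuscated JavaScript should be opened in a throwaway VM, never on an employer-issued device.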