North Korean PurpleBravo Campaign Targeted 3,136 IPs via Fake Job Interviews

These articles are AI-generated summaries. Please check the original sources for full details.

The North Korean threat actor known as PurpleBravo (also tracked under numerous aliases) targeted 3,136 IP addresses and 20 organizations between August 2024 and September 2025. The campaign uses deceptive job interviews and malicious Visual Studio Code projects to deliver malware such as BeaverTail and GolangGhost.

Why This Matters

Ideal security models assume internal systems are trustworthy, but this campaign demonstrates that a breach can succeed through compromised employee devices. The potential scale of compromise is significant: candidates who execute malicious code on corporate networks can expose entire organizations, with potential data leakage and supply chain risks costing millions in remediation and reputational damage.

Key Insights

  • 3,136 IP addresses targeted: Recorded Future identified this number of IPs as potential targets between August 2024 and September 2025.
  • VS Code as an attack vector: Attackers utilize malicious Microsoft Visual Studio Code projects to distribute backdoors, exploiting trusted developer workflows.
  • Overlapping campaigns: PurpleBravo shares infrastructure and tactics with the Wagemole campaign, blurring the lines between cyber espionage and financially motivated attacks.

Practical Applications

  • Use Case: AI and cryptocurrency companies are prime targets due to their valuable intellectual property and financial assets.
  • Pitfall: Relying solely on perimeter security; the campaign bypasses traditional defenses by compromising internal devices through social engineering.
