. * .  .  *
  *    .    *
     .-~~~-.
  __|_______|__
 (  .  .  .  . )
  '~~~~~~~~~~~~~'
      |   |
   *  .   .  *
  .  *  .    .
0x04 // AREA41::2026
DFIR Report At Cons: Deconstructing Real-World Intrusions
SPEAKER: Angelo Violetti & Alessandro Di Carlo DURATION: 29:03

The DFIR Report team operates on a simple premise: real-world incidents teach better than sanitized simulations. In their briefing, Angelo Violetti and Alessandro Di Carlo deconstruct two distinct intrusions based on actual telemetry and artifacts. Rather than discussing abstract theory, they map the exact behaviors, timelines, and operational missteps of threat actors during live campaigns.

The first case, Contagious Interview, examines a North Korean campaign targeting cryptocurrency developers via fake recruiting pitches on LinkedIn and X. Once a target agrees to a coding test, they clone a decoy GitHub repository. Running npm install decodes a base64-encoded developer API key hidden in a server configuration file and uses it to download a disguised payload. This launches the OtterCookie backdoor, which performs host enumeration and contacts a misconfigured WebSocket command-and-control server. From there, the attackers rapidly deploy a Python runtime, a keylogger, the InvisibleFerret remote access trojan, and the Tsunami toolkit for macOS and Windows persistence. The entire kill chain, from initial infection to full machine compromise, took under 51 minutes.
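The defensive habit this case argues for is to inspect a recruiter-supplied repository before running npm install: list the scripts npm will execute on its own, and look for long base64 runs in configuration files that decode to readable text such as keys or URLs. The script below is an added example written for this summary, not tooling from the speakers or from The DFIR Report. The lifecycle hook names are npm's documented ones; the decoy repository it builds, the file paths and the encoded string are all constructed for the demonstration.

```python
"""Pre-install audit of a cloned repository (added example, not the speakers' tooling).

Before `npm install` runs in a repository received from a recruiter, list the
scripts npm will execute automatically and look for long base64 runs in config
files that decode to readable text (keys, URLs). The sample repository built
below, its paths and its encoded string are constructed for the demonstration.
"""
import base64
import json
import os
import re
import tempfile

# Script names npm runs on its own during `npm install` (documented npm lifecycle hooks).
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")
CONFIG_SUFFIXES = (".json", ".js", ".cjs", ".mjs", ".env", ".yml", ".yaml")
# 32+ base64 alphabet characters with optional padding: long enough to hide a key or URL.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{32,}={0,2}")

def decode_if_text(token):
    """Return the decoded string when `token` is valid base64 for printable ASCII, else None."""
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:              # bad alphabet or padding: not base64 at all
        return None
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:      # binary payload, not a readable string
        return None
    return text if text and all(32 <= ord(c) < 127 for c in text) else None

def lifecycle_scripts(package_json_path):
    """Map each lifecycle hook present in package.json to the command npm would run."""
    with open(package_json_path, encoding="utf-8") as fh:
        scripts = json.load(fh).get("scripts", {})
    return {hook: scripts[hook] for hook in LIFECYCLE_HOOKS if hook in scripts}

def encoded_strings(text):
    """Find base64 runs in `text` that decode to readable ASCII."""
    hits = []
    for match in B64_RUN.finditer(text):
        decoded = decode_if_text(match.group(0))
        if decoded is not None:
            hits.append((match.group(0), decoded))
    return hits

def audit_repo(root):
    """Walk `root` (skipping node_modules and .git) and collect hooks and hidden encoded strings."""
    report = {"hooks": {}, "encoded": []}
    pkg = os.path.join(root, "package.json")
    if os.path.isfile(pkg):
        report["hooks"] = lifecycle_scripts(pkg)
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in ("node_modules", ".git")]
        for name in filenames:
            if not name.lower().endswith(CONFIG_SUFFIXES):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="ignore") as fh:
                for _token, decoded in encoded_strings(fh.read()):
                    report["encoded"].append((os.path.relpath(path, root), decoded))
    return report

def build_sample_repo():
    """Constructed decoy repository: a postinstall hook plus a base64 blob in a server config."""
    root = tempfile.mkdtemp(prefix="decoy_repo_")
    os.makedirs(os.path.join(root, "server"))
    blob = base64.b64encode(
        b"developer-api-key=EXAMPLE0000;endpoint=https://api.example.invalid/v1"
    ).decode()
    with open(os.path.join(root, "package.json"), "w", encoding="utf-8") as fh:
        json.dump({"name": "coding-test",
                   "scripts": {"postinstall": "node server/config.js", "test": "jest"}}, fh)
    with open(os.path.join(root, "server", "config.js"), "w", encoding="utf-8") as fh:
        fh.write(f'const apiKey = "{blob}";\nmodule.exports = {{ apiKey }};\n')
    return root

if __name__ == "__main__":
    result = audit_repo(build_sample_repo())
    for hook, cmd in result["hooks"].items():
        print(f"npm will run {hook}: {cmd}")
    for path, decoded in result["encoded"]:
        print(f"{path}: base64 decodes to {decoded!r}")
```

Run it against the real clone instead of the constructed one by passing the checkout directory to audit_repo. A postinstall hook is not proof of anything on its own, but a hook that executes a file containing an encoded key is exactly the pattern the talk describes, and reading the report takes seconds compared with the 51-minute kill chain that follows an unreviewed install.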

The second intrusion analyzes a Gootloader infection triggered by search engine optimization poisoning. An employee searching for a common law marriage template clicked a sponsored link and downloaded a malicious zip archive. The payload's behavior adapted to the extraction tool, delivering a raw JavaScript file via WinZip but masking it as a text file if extracted with 7-Zip. The attackers moved aggressively: within 20 minutes of the initial foothold, they executed Kerberoasting to target high-privilege service accounts, and within 45 minutes, they achieved lateral movement.
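An archive that extracts to different files depending on the tool can only do so if the archive says two different things, and a ZIP gives it the room: every filename is stored twice, once in the local file header in front of the data and once in the central directory at the end, and extractors differ in which copy they trust. The checker below is an added example for this summary, not the speakers' tooling, and the page does not say which specific trick the Gootloader archive used; it flags the general symptom (disagreeing copies, duplicate entry names, script extensions) on a sample archive constructed inline.

```python
"""Audit a ZIP archive for header disagreements (added example, not the speakers' tooling).

A ZIP stores each filename twice: in the local file header ahead of the data and
in the central directory at the end. Extraction tools differ in which copy they
trust, so an archive whose copies disagree can present one tool a .js file and
another a .txt file. This checker flags such mismatches, duplicate entry names
and script extensions. The sample archive is constructed here; the page does not
describe the exact trick used by the archive in the talk.
"""
import io
import struct
import zipfile
from collections import Counter

LOCAL_HEADER_FMT = "<IHHHHHIIIHH"  # 30-byte PKZIP local file header
LOCAL_HEADER_SIG = 0x04034B50
SCRIPT_EXTS = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".lnk", ".cmd", ".bat", ".ps1")

def local_header_name(data, offset):
    """Return the filename stored in the local file header at `offset`."""
    fields = struct.unpack_from(LOCAL_HEADER_FMT, data, offset)
    if fields[0] != LOCAL_HEADER_SIG:
        raise zipfile.BadZipFile(f"no local file header at offset {offset:#x}")
    name_len = fields[9]                      # filename length field
    start = offset + struct.calcsize(LOCAL_HEADER_FMT)
    return data[start:start + name_len].decode("cp437", errors="replace")

def audit_zip(data):
    """List suspicious properties of the archive bytes; an empty list means nothing was flagged."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()                 # central directory view only
    counts = Counter(info.filename for info in infos)
    for name, n in counts.items():
        if n > 1:
            findings.append(f"duplicate entry name in central directory: {name} (x{n})")
    for info in infos:
        local = local_header_name(data, info.header_offset)
        names = [info.filename]
        if local != info.filename:
            findings.append(
                f"name mismatch: central directory {info.filename!r} vs local header {local!r}")
            names.append(local)
        for name in names:
            if name.lower().endswith(SCRIPT_EXTS):
                findings.append(f"script extension: {name}")
    return findings

def build_sample_zip(central_name="template.txt", local_name="template1.js"):
    """Constructed sample: one entry whose two stored names disagree.

    Both names have the same length so the patched local header keeps its size
    and every offset in the archive stays valid.
    """
    if len(central_name) != len(local_name):
        raise ValueError("names must have equal length")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(central_name, "// constructed placeholder content\n")
    data = bytearray(buf.getvalue())
    with zipfile.ZipFile(io.BytesIO(bytes(data))) as zf:
        offset = zf.infolist()[0].header_offset
    start = offset + struct.calcsize(LOCAL_HEADER_FMT)
    data[start:start + len(local_name)] = local_name.encode("ascii")
    return bytes(data)

def build_clean_zip(name="template.txt"):
    """Constructed benign archive for comparison."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, "plain text\n")
    return buf.getvalue()

if __name__ == "__main__":
    for label, archive in (("clean", build_clean_zip()), ("patched", build_sample_zip())):
        print(label, audit_zip(archive) or ["nothing flagged"])
```

The same check is worth running at the mail or web gateway: an archive whose two name copies disagree has no legitimate reason to exist, so it is a low-noise signal, and it catches the delivery stage before any of the 20-minute Kerberoasting timeline described above can start.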

To maintain external access, the Gootloader operators deployed Sopper and Mubecon, custom DLLs designed to tunnel SOCKS5 traffic through the compromised network. However, network forensics revealed an operational flaw: when tunneling RDP sessions through these proxies, Windows event logs recorded the original command-and-control hostname rather than the internal proxy, providing a highly specific indicator of compromise. Recognizing their footprint, the attackers executed an automated cleanup script four hours later. Using the wevtutil native binary, they wiped application, system, and security event logs, deleted RDP bitmap caches, cleared registry history, and removed their tunneling DLLs to stall forensic investigation.

// This summary was generated by AI. AI can make mistakes. If in doubt, watch the original conference recording.