Severity: HIGH | CVSS: 7.5 | Priority: 0.850
Executive Summary
North Korea's Contagious Interview campaign has added worm-like propagation through poisoned developer repositories, including malicious versions of Next.js projects and Nx plugins, reducing the need for spear-phishing or direct operator contact to initiate infection. Any developer who clones or installs a compromised package can receive a remote access trojan, exposing their workstation, credentials, and connected systems. Organizations with software development pipelines face elevated supply chain risk: a single infected dependency can compromise build environments, source code, and downstream products.
Impact Assessment
CISA KEV Status: Not listed
Threat Severity: HIGH (High severity — prioritize for investigation)
Actor Attribution: HIGH; Lazarus Group, DPRK (Contagious Interview)
TTP Sophistication: HIGH; 10 MITRE ATT&CK techniques identified
Detection Difficulty: HIGH; multiple evasion techniques observed
Target Scope: INFO; developer repositories and software pipelines. Confirmed platforms include Next.js and Nx ecosystems; broader open-source repository platforms not fully confirmed in available sources
Are You Exposed?
⚠ Your industry is targeted by Lazarus Group, DPRK (Contagious Interview) → Heightened risk
⚠ You use products or services within the target scope (developer repositories and software pipelines; confirmed platforms include Next.js and Nx; broader open-source repository platforms not fully confirmed in available sources) → Assess exposure
⚠ 10 attack techniques identified; review your detection coverage for these TTPs
✓ Your EDR/XDR detects the listed IOCs and TTPs → Reduced risk
✓ You have incident response procedures for this threat type → Prepared
Assessment estimated from severity rating and threat indicators
Business Context
A compromised developer workstation gives attackers access to source code, internal credentials, and build pipelines, creating a path to tamper with software before it reaches customers or production systems. If malicious code reaches a released product, the organization faces potential regulatory scrutiny, customer notification obligations, and reputational damage disproportionate to the initial point of compromise. The supply chain vector means a single developer's infected environment can propagate risk across the entire software delivery organization.
You Are Affected If
Your developers work with Next.js projects or Nx monorepo plugins and clone repositories from public sources without integrity verification
Your organization does not enforce a private, allowlisted npm registry or equivalent package proxy for development environments
Developer workstations have access to production credentials, CI/CD secrets, or cloud access keys that are not scoped or rotated
Your CI/CD pipelines execute npm install or similar package resolution steps without lockfile enforcement or signature verification
Your software supply chain risk management program does not include monitoring for malicious open-source packages in active use
Board Talking Points
North Korean state-sponsored attackers are hiding malware inside widely used developer tools, infecting engineers' computers the moment they download what appears to be a legitimate software package.
Development teams using Next.js or Nx frameworks should audit their package environments this week and rotate any credentials accessible from affected systems.
Organizations that do not act risk attackers gaining persistent access to source code and build pipelines, which could enable product tampering or broader network compromise.
Technical Analysis
The Contagious Interview campaign, attributed to Lazarus Group (DPRK), has expanded from spear-phishing job lures to supply chain compromise via malicious open-source packages.
Poisoned Next.js repositories and malicious Nx plugin versions deliver remote access trojans (RATs) to developers who clone or install affected packages.
Microsoft's security blog (February 24, 2026) documented C2 infrastructure tied to this developer-targeting activity.
The attack reduces the social engineering prerequisite: passive repository interaction (cloning or installing an affected package) is sufficient for infection.
Relevant CWEs: CWE-494 (Download of Code Without Integrity Check), CWE-829 (Inclusion of Functionality from Untrusted Control Sphere), CWE-506 (Embedded Malicious Code).
MITRE ATT&CK techniques include T1195.001 and T1195.002 (Supply Chain Compromise), T1219 (Remote Access Software), T1071 (Application Layer Protocol), T1059/T1059.007 (Command and Scripting Interpreter: JavaScript), T1080 (Taint Shared Content), T1204.002 (User Execution: Malicious File), T1566.003 (Spearphishing via Service), and T1588.001 (Obtain Capabilities: Malware).
No CVE has been assigned. Specific malicious package versions and associated file hashes have not been confirmed in available sources; check the Microsoft security blog and npm/registry advisories for updated IOC lists.
Editorial assessment: source quality is moderate; treat specific package-version claims as requiring independent validation.
Action Checklist
Triage Priority: IMMEDIATE
Escalate immediately to senior leadership, legal counsel, and relevant regulatory authorities if forensic analysis confirms the Contagious Interview RAT executed on any workstation with access to production credentials, customer PII, PHI, payment data, or code that was subsequently promoted to production — DPRK attribution and potential data exfiltration may trigger breach notification obligations under GDPR, HIPAA, or state breach notification laws; additionally escalate if CI/CD secrets were confirmed compromised, as downstream customer or partner systems may be at risk.
Step 1: Containment — Audit all Next.js and Nx packages installed or cloned in the past 90 days. Cross-reference package-lock.json and yarn.lock files against your authorized software inventory to identify packages pulled from unofficial forks or unverified registry namespaces. Isolate developer workstations that cloned suspect repositories pending investigation. (Cite: CIS 2.1 — Establish and Maintain a Software Inventory / CIS 2.3 — Address Unauthorized Software / CIS 1.1 — Establish and Maintain Detailed Enterprise Asset Inventory)
IR Detail
Containment
NIST 800-61r3 §3.3 — Containment Strategy
NIST IR-4 (Incident Handling)
NIST SI-7 (Software, Firmware, and Information Integrity)
NIST CM-8 (System Component Inventory) — implied; enumerate installed packages as system components
CIS 2.1 (Establish and Maintain a Software Inventory)
CIS 2.3 (Address Unauthorized Software)
CIS 1.2 (Address Unauthorized Assets)
Compensating Control
Run `npm ls --all --json > npm_tree_$(hostname).json` and `jq -r '.packages | keys[]' package-lock.json | sort > pinned_deps.txt` on each developer workstation to dump the full resolved dependency tree; do not filter out the scoped `node_modules/@...` entries, since unfamiliar scopes are among the things you are looking for. Compare the resolved registry URLs in package-lock.json (`jq -r '.packages | to_entries[] | select(.value.resolved) | "\(.key) \(.value.resolved)"' package-lock.json`) against the expected registry (e.g., registry.npmjs.org); any entry referencing a GitHub fork URL, a scoped namespace not belonging to your org, or an unfamiliar private registry host is a candidate for triage. Use `git log --all --graph --format='%h %G? %an <%ae> %s'` in cloned repos to check for anomalous commit authors or unsigned commits (`%G?` prints the signature status; `git tag -v <tag>` verifies a tag) injected by the Contagious Interview operator. Network-isolate flagged workstations at the switch port or via OS firewall (`netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound` on Windows; `ufw default deny outgoing && ufw default deny incoming && ufw enable` on Linux) before proceeding.
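The lockfile comparison above can be scripted. The following is an added example written for this advisory, not code from the advisory, npm or any vendor: it walks a package-lock.json (lockfileVersion 1, 2 or 3) and reports every dependency resolved from a git/GitHub source, from a host other than the expected registry, without an integrity hash, or under a scope not on an approved list. Assumptions, labelled in the code: the expected registry is registry.npmjs.org, your own scope is @example-org, and @nx, @next and @types are the approved third-party scopes; the sample lockfile is constructed.

```python
"""Audit an npm package-lock.json for dependencies not resolved from the
expected registry (the containment check described above).

Added example; not code from the advisory or from npm. The registry host,
the approved scopes and the sample lockfile below are assumptions.
"""
import json
import sys
from urllib.parse import urlparse

EXPECTED_REGISTRY_HOSTS = {"registry.npmjs.org"}                 # assumption
APPROVED_SCOPES = {"@example-org", "@nx", "@next", "@types"}    # assumption
GIT_HOSTS = {"github.com", "codeload.github.com", "gitlab.com", "bitbucket.org"}


def _package_name(lock_key: str) -> str:
    """'node_modules/a/node_modules/@nx/devkit' -> '@nx/devkit'."""
    return lock_key.rsplit("node_modules/", 1)[-1]


def _iter_entries(lock: dict):
    """Yield (name, entry) for lockfileVersion 2/3 ('packages') or 1 ('dependencies')."""
    if "packages" in lock:
        for key, entry in lock["packages"].items():
            if key:  # "" is the root project itself, not a download
                yield _package_name(key), entry
        return
    stack = list(lock.get("dependencies", {}).items())
    while stack:  # v1 lockfiles nest transitive deps under each entry
        name, entry = stack.pop()
        yield name, entry
        stack.extend(entry.get("dependencies", {}).items())


def check_entry(name: str, entry: dict) -> list[str]:
    """Return the reasons this entry needs triage (empty list = clean)."""
    reasons = []
    if entry.get("link"):
        return reasons  # workspace symlink, nothing was downloaded
    resolved = entry.get("resolved", "")
    if not resolved:
        reasons.append("no resolved URL recorded")
    else:
        url = urlparse(resolved)
        if url.scheme.startswith("git") or url.netloc in GIT_HOSTS:
            reasons.append(f"resolved from a git/GitHub source: {resolved}")
        elif url.scheme != "https":
            reasons.append(f"resolved over {url.scheme or 'no'} scheme: {resolved}")
        elif url.netloc not in EXPECTED_REGISTRY_HOSTS:
            reasons.append(f"unexpected registry host: {url.netloc}")
        if not entry.get("integrity"):
            reasons.append("no integrity hash, tarball cannot be verified")
    if name.startswith("@"):
        scope = name.split("/", 1)[0]
        if scope not in APPROVED_SCOPES:
            reasons.append(f"scope {scope} is not on the approved list")
    return reasons


def audit_lockfile(lock: dict) -> list[dict]:
    """Return one finding per suspicious package, sorted by package name."""
    findings = []
    for name, entry in _iter_entries(lock):
        reasons = check_entry(name, entry)
        if reasons:
            findings.append({"name": name, "version": entry.get("version"), "reasons": reasons})
    return sorted(findings, key=lambda f: f["name"])


# Constructed sample lockfile (not a real project): one clean entry, one pulled
# from a GitHub fork, one from a foreign registry host, one under an unknown scope.
SAMPLE_LOCK = {
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/next": {
            "version": "14.2.5",
            "resolved": "https://registry.npmjs.org/next/-/next-14.2.5.tgz",
            "integrity": "sha512-PLACEHOLDER",
        },
        "node_modules/@nx/devkit": {
            "version": "19.0.0",
            "resolved": "git+https://github.com/example-fork/nx.git#abc123",
        },
        "node_modules/left-pad": {
            "version": "1.3.0",
            "resolved": "https://registry.example-mirror.test/left-pad/-/left-pad-1.3.0.tgz",
            "integrity": "sha512-PLACEHOLDER",
        },
        "node_modules/@unknown-scope/helper": {
            "version": "0.1.0",
            "resolved": "https://registry.npmjs.org/@unknown-scope/helper/-/helper-0.1.0.tgz",
            "integrity": "sha512-PLACEHOLDER",
        },
    },
}

if __name__ == "__main__":
    # Usage: python audit_lock.py [path/to/package-lock.json]; defaults to the sample.
    lock = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_LOCK
    for f in audit_lockfile(lock):
        print(f"{f['name']}@{f['version']}: " + "; ".join(f["reasons"]))
```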
Preserve Evidence
Before isolating: capture a full memory image using WinPmem (Windows) or LiME kernel module (Linux) to preserve any in-memory RAT implant injected by the malicious Next.js or Nx postinstall hook. Snapshot the npm global cache directory (`%APPDATA%\npm-cache` on Windows; `~/.npm` on Linux/macOS) and the project `node_modules` directory verbatim — do not run `npm cache clean` yet. Preserve `package-lock.json` and `yarn.lock` with cryptographic hashes (`sha256sum package-lock.json`) before any remediation alters them. Document all resolved package versions and their registry source URLs as they exist at time of isolation, since the Contagious Interview worm propagates by substituting legitimate-looking package names in dependency trees.
Step 2: Detection — Review EDR process creation and network connection telemetry on developer workstations for unexpected outbound connections to unfamiliar C2 domains or IPs. Query AU-2 event logs for scripting interpreters (node, python, bash, powershell) spawned from package install hooks (npm postinstall, nx plugin lifecycle scripts). Monitor AU-6 audit records for credential access patterns following package installation events. Retrieve current C2 domains, IPs, and file hashes directly from Microsoft's February 24, 2026 security blog before running threat hunts — confirmed IOC values were not available in sources used for this article. (Cite: NIST AU-2 — Event Logging / NIST AU-6 — Audit Record Review, Analysis, and Reporting / NIST AU-3 — Content Of Audit Records / CIS 8.2 — Collect Audit Logs / D3-SFA — System File Analysis / D3-LAM — Local Account Monitoring)
IR Detail
Detection & Analysis
NIST 800-61r3 §3.2 — Detection and Analysis
NIST SI-4 (System Monitoring)
NIST AU-6 (Audit Record Review, Analysis, and Reporting)
NIST AU-12 (Audit Record Generation)
NIST IR-5 (Incident Monitoring)
CIS 8.2 (Collect Audit Logs)
CIS 7.1 (Establish and Maintain a Vulnerability Management Process)
Compensating Control
Deploy Sysmon with a config tuned to log process creation (Event ID 1), network connections (Event ID 3), and DNS queries (Event ID 22) on developer workstations. Write a PowerShell query to identify Node.js spawning child shells, matching on the parent and child image fields rather than anywhere in the message: `Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' | Where-Object {$_.Id -eq 1 -and $_.Message -match 'ParentImage:.*node\.exe' -and $_.Message -match 'Image:.*(cmd|powershell|pwsh|bash|python)\.exe'}`. On Linux, use `auditd` with a rule that records every `execve` under a key, because audit rules cannot match on a parent process name and `-F ppid=$(pgrep -x npm)` only captures whichever PID happens to exist when the rule is loaded: `auditctl -a always,exit -F arch=b64 -S execve -k contagious_interview`, then review with `ausearch -k contagious_interview -i` and filter on the `ppid` and `comm` fields for parents named `node`, `npm`, or `nx`. macOS has no auditd; rely on EDR process telemetry there. For network detection without a SIEM, run `ss -tunap` (Linux) or `netstat -anb` (Windows, elevated) immediately post-install and capture the output; cross-reference outbound IPs against CISA and Microsoft-published Contagious Interview C2 indicators using `grep -Ff c2_iocs.txt netstat_output.txt`. MITRE ATT&CK T1059.007 (JavaScript) and T1195.001 (Compromise Software Dependencies and Development Tools) are the primary technique references for this campaign's execution chain.
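The Sysmon correlation described here and in the Key Forensic Artifacts list (node/npm parent spawning an interpreter, then a connection or DNS query from that process tree within 60 seconds of the install) can be expressed as a small offline script. This is an added example, not code from the advisory, Microsoft or the Sysmon project; it takes Sysmon event data fields as Python dicts (as exported from EVTX or a JSON forwarder, an assumption), and the sample events, process GUIDs, hostname and IPs below are constructed placeholders.

```python
"""Correlate Sysmon EID 1/3/22 events into the npm postinstall execution chain
described above. Added example; not code from the advisory or from Sysmon.
Input shape (Sysmon event data field names as dict keys) is an assumption.
"""
import re
from datetime import datetime, timedelta

NODE_TOOLS = {"node.exe", "npm.exe", "npx.exe", "node", "npm", "npx", "nx"}
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "bash", "sh", "zsh",
                "python", "python.exe", "python3"}
# An install root: npm/pnpm/yarn/npx with an install-like verb, or any nx invocation.
INSTALL_RE = re.compile(r"\b(npm|pnpm|yarn|npx)\b.*\b(install|ci|add|i)\b|\bnx(\.js)?\b")
WINDOW = timedelta(seconds=60)   # the 60-second beacon window used in this advisory


def _base(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def _ts(event: dict) -> datetime:
    return datetime.strptime(event["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")


def correlate(events: list[dict]) -> list[dict]:
    """Return findings, each with 'type', 'UtcTime', 'ProcessGuid' and 'detail'."""
    findings = []
    install_start = {}  # ProcessGuid -> start time of the install it descends from
    for ev in sorted(events, key=_ts):
        eid, guid = int(ev["EventID"]), ev["ProcessGuid"]
        if eid == 1:
            image, parent = _base(ev.get("Image", "")), _base(ev.get("ParentImage", ""))
            if ev.get("ParentProcessGuid") in install_start:
                install_start[guid] = install_start[ev["ParentProcessGuid"]]  # descendant
            elif image in NODE_TOOLS and INSTALL_RE.search(ev.get("CommandLine", "")):
                install_start[guid] = _ts(ev)                                 # new root
            if parent in NODE_TOOLS and image in INTERPRETERS:
                findings.append({"type": "interpreter_from_node", "UtcTime": ev["UtcTime"],
                                 "ProcessGuid": guid,
                                 "detail": f"{parent} -> {image}: {ev.get('CommandLine', '')}"})
        elif eid in (3, 22) and guid in install_start:
            age = _ts(ev) - install_start[guid]
            if timedelta(0) <= age <= WINDOW:
                target = ev.get("QueryName") or f"{ev.get('DestinationIp')}:{ev.get('DestinationPort')}"
                findings.append({"type": "dns_after_install" if eid == 22 else "network_after_install",
                                 "UtcTime": ev["UtcTime"], "ProcessGuid": guid,
                                 "detail": f"{_base(ev.get('Image', ''))} -> {target} ({age.seconds}s after install)"})
    return findings


NODE = "C:\\Program Files\\nodejs\\node.exe"
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
# Constructed sample: npm install -> node postinstall -> powershell -> DNS + connect.
# The chrome.exe connection and the connection 150 s later must not be flagged.
SAMPLE_EVENTS = [
    {"EventID": 1, "UtcTime": "2026-02-25 10:00:00.000", "ProcessGuid": "G1", "ParentProcessGuid": "G0",
     "Image": NODE, "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "node C:\\nodejs\\node_modules\\npm\\bin\\npm-cli.js install"},
    {"EventID": 1, "UtcTime": "2026-02-25 10:00:05.000", "ProcessGuid": "G2", "ParentProcessGuid": "G1",
     "Image": NODE, "ParentImage": NODE, "CommandLine": "node scripts/postinstall.js"},
    {"EventID": 1, "UtcTime": "2026-02-25 10:00:07.000", "ProcessGuid": "G3", "ParentProcessGuid": "G2",
     "Image": PS, "ParentImage": NODE, "CommandLine": "powershell.exe -NoProfile -File setup.ps1"},
    {"EventID": 22, "UtcTime": "2026-02-25 10:00:09.000", "ProcessGuid": "G3",
     "Image": PS, "QueryName": "updates.example-placeholder.test"},
    {"EventID": 3, "UtcTime": "2026-02-25 10:00:10.000", "ProcessGuid": "G3",
     "Image": PS, "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"EventID": 3, "UtcTime": "2026-02-25 10:00:12.000", "ProcessGuid": "G9",
     "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "DestinationIp": "198.51.100.7", "DestinationPort": 443},
    {"EventID": 3, "UtcTime": "2026-02-25 10:02:30.000", "ProcessGuid": "G3",
     "Image": PS, "DestinationIp": "203.0.113.10", "DestinationPort": 443},
]

if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print(f"{f['UtcTime']} {f['type']:22} {f['ProcessGuid']} {f['detail']}")
```

Connections later than 60 seconds are deliberately excluded to match the advisory's window; widen WINDOW for a retrospective hunt.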
Preserve Evidence
Collect Sysmon Event ID 1 (Process Creation) logs filtering for `node.exe`, `npm.exe`, `npx.exe`, or `nx` as parent processes with child processes including `cmd.exe`, `powershell.exe`, `bash`, `sh`, or `python` — these represent postinstall script abuse specific to this campaign's RAT delivery mechanism. Capture Sysmon Event ID 3 (Network Connection) and Event ID 22 (DNS Query) logs generated within 60 seconds of any `npm install` or `nx` command execution to identify the initial C2 beacon. On Linux/macOS, collect `~/.bash_history`, `~/.zsh_history`, and shell session logs showing npm/yarn/nx invocations. Retrieve browser-stored credentials, SSH agent forwarding state (`ssh-add -l`), and any `.env` files, AWS credential files (`~/.aws/credentials`), and GitHub token stores (`~/.config/gh/hosts.yml`) accessible from the workstation at time of infection, since the Contagious Interview RAT specifically targets developer credential stores.
Step 3: Eradication — Remove confirmed malicious packages and purge associated caches (npm cache clean, clear node_modules). Per D3-CRO, rotate all credentials accessible from affected developer workstations: tokens, SSH keys, cloud access keys, and repository secrets. Revoke and regenerate all CI/CD pipeline secrets on systems where compromised packages executed. Apply AC-6 least privilege review to confirm no excessive permissions were granted to processes spawned during malicious package execution. (Cite: NIST AC-6 — Least Privilege / NIST AC-2 — Account Management / D3-CRO — Credential Rotation / D3-CH — Credential Hardening / CIS 5.1 — Establish and Maintain an Inventory of Accounts)
IR Detail
Eradication
NIST 800-61r3 §3.4 — Eradication
NIST IR-4 (Incident Handling)
NIST SI-2 (Flaw Remediation)
NIST SI-3 (Malicious Code Protection)
NIST AC-2 (Account Management) — credential rotation and revocation
CIS 5.1 (Establish and Maintain an Inventory of Accounts)
CIS 5.2 (Use Unique Passwords)
CIS 6.2 (Establish an Access Revoking Process)
Compensating Control
After forensic preservation is complete, run `npm cache clean --force` and delete `node_modules` recursively (`rm -rf node_modules`). Revoke GitHub personal access tokens via GitHub Settings > Developer Settings > Personal Access Tokens and force-expire all active sessions. Rotate AWS IAM keys for any IAM user whose credentials were stored on the affected workstation: create the replacement first (`aws iam create-access-key --user-name <user>`), update every consumer, then delete the exposed key (`aws iam delete-access-key --user-name <user> --access-key-id <old-key-id>`). Revoke SSH keys by removing the compromised public key from all authorized_keys files on remote hosts; authorized_keys stores public keys rather than fingerprints, so locate the line with `ssh-keygen -lf ~/.ssh/authorized_keys | grep 'COMPROMISED_KEY_FINGERPRINT'` (repeat for /etc/ssh/authorized_keys or wherever `AuthorizedKeysFile` points). For CI/CD secrets (GitHub Actions, GitLab CI, Jenkins), rotate all secrets stored as environment variables or repository secrets and audit pipeline run logs for any jobs triggered by or on the compromised workstation during the exposure window. Use `git log --author` and pipeline audit logs to identify any commits or pipeline runs that may have exfiltrated secrets during the RAT's active dwell time.
Preserve Evidence
Before purging caches, copy the npm cache directory (`~/.npm/_cacache`) and collect file hashes of all installed package tarballs to enable offline malware analysis and YARA scanning for known Contagious Interview RAT components. Capture a list of all SSH keys, API tokens, and OAuth tokens present on the system at time of eradication (output of `ssh-add -l`, `ls -l ~/.ssh/` with `ssh-keygen -lf` on each public key to record fingerprints rather than copying private key material into the evidence log, and environment variable dumps with secret values redacted) to establish the full scope of credential exposure. Document CI/CD pipeline secret names (not values) that were accessible to any process running under the compromised npm/nx lifecycle — check GitHub Actions secrets, `.env` files committed to the repo, and CI runner environment variables — since the Contagious Interview campaign specifically targets pipeline credentials to achieve downstream supply chain compromise.
Step 4: Recovery — Rebuild affected developer environments from clean baselines rather than restoring snapshots taken after potential infection. Verify build artifact integrity before promoting any code from affected systems to staging or production. Apply D3-FMBV file magic byte verification on build outputs where feasible. Monitor for reinfection attempts via the same package namespaces for at least 30 days post-remediation using AU-6 ongoing review processes. Ensure AU-11 audit record retention covers the full post-remediation monitoring window. (Cite: NIST AU-6 — Audit Record Review, Analysis, and Reporting / NIST AU-11 — Audit Record Retention / CIS 7.2 — Establish and Maintain a Remediation Process / D3-FMBV — File Magic Byte Verification / D3-SICA — System Init Config Analysis)
IR Detail
Recovery
NIST 800-61r3 §3.5 — Recovery
NIST SI-7 (Software, Firmware, and Information Integrity)
NIST SI-2 (Flaw Remediation)
NIST CP-9 (System Backup) — referenced negatively; snapshot restoration is contraindicated here
NIST IR-4 (Incident Handling)
CIS 7.3 (Perform Automated Operating System Patch Management)
CIS 7.4 (Perform Automated Application Patch Management)
CIS 2.2 (Ensure Authorized Software is Currently Supported)
Compensating Control
Provision fresh developer workstations or VM images from a known-good golden image predating the 90-day exposure window; do not restore from VM snapshots taken after the earliest possible infection date. Before reinstalling Next.js or Nx toolchains on rebuilt systems, pin all packages to verified versions using exact version specifiers in package.json (`"next": "14.2.5"` not `"^14.2.5"`) and validate package integrity using `npm audit signatures` (requires npm 8.x+) or verify SHA-512 hashes in lockfiles manually. For build artifact verification, generate SLSA provenance attestations or at minimum compute and store SHA-256 hashes of all build outputs (`find ./dist -type f -exec sha256sum {} \; > build_manifest.txt`) and compare against artifacts promoted before the incident. Monitor npm registry for new publications under the same namespaces used in the Contagious Interview campaign using `npm view <package-name> time --json` to detect new malicious versions published post-remediation.
Preserve Evidence
Retain forensic copies of all build artifacts produced on affected systems during the exposure window — these must be analyzed before any code reaches staging or production, as the Contagious Interview RAT could have modified source files or injected backdoors into compiled outputs. Collect git diff outputs comparing pre-infection and post-infection commits on repositories cloned to affected workstations to identify any source code tampering. Preserve network flow logs or DNS query logs from the 30-day monitoring window post-remediation to detect reinfection attempts or ongoing C2 communication from previously undetected implants on systems not yet identified as compromised.
Step 5: Post-Incident — Enforce package integrity verification: require signed packages, lockfile pinning, and private registry mirroring. Block execution of postinstall scripts from unapproved packages. Enforce allowlist-based registry policies aligned with CIS 2.2 (authorized supported software only) and CIS 2.3 (address unauthorized software). Apply AC-20 controls governing use of external systems and third-party repositories. Enable D3-EBWSAM endpoint-based web server access mediation to restrict developer endpoints from reaching unapproved external registries. Require MFA on all repository and pipeline service accounts per CIS 6.5. Note: NIST SP 800-161 (supply chain risk management) is the appropriate framework for broader supply chain controls; it is outside this KB's loaded control set and should be consulted separately for SR-family controls not available here. (Cite: NIST AC-20 — Use Of External Systems / NIST AC-6 — Least Privilege / CIS 2.2 — Ensure Authorized Software is Currently Supported / CIS 2.3 — Address Unauthorized Software / CIS 6.5 — Require MFA for Administrative Access / D3-EBWSAM — Endpoint-based Web Server Access Mediation / D3-UAP — User Account Permissions)
IR Detail
Post-Incident
NIST 800-61r3 §4 — Post-Incident Activity
NIST SI-7 (Software, Firmware, and Information Integrity)
NIST SI-2 (Flaw Remediation)
NIST IR-4 (Incident Handling)
NIST IR-8 (Incident Response Plan)
NIST AU-6 (Audit Record Review, Analysis, and Reporting)
CIS 7.1 (Establish and Maintain a Vulnerability Management Process)
CIS 7.2 (Establish and Maintain a Remediation Process)
CIS 2.1 (Establish and Maintain a Software Inventory)
CIS 2.3 (Address Unauthorized Software)
Compensating Control
Configure npm to block postinstall script execution by default using `.npmrc` with `ignore-scripts=true`; document approved exceptions and re-enable selectively per package. Mirror approved Next.js and Nx packages to a private Verdaccio registry instance (free, self-hosted) and set `registry=https://your-verdaccio-host` in all developer `.npmrc` files to prevent direct pulls from the npm public registry or GitHub-hosted forks; serve the mirror over TLS, since a plaintext HTTP registry lets an on-path attacker substitute tarballs. Write a Sigma rule targeting npm postinstall script abuse (parent: npm/node, child: scripting interpreter) and a YARA rule matching known Contagious Interview RAT string patterns for ongoing endpoint scanning with ClamAV. Document lessons learned in a formal post-incident report referencing NIST 800-61r3 §4 requirements, and share anonymized IOCs with sector ISAC partners per NIST IR-6 (Incident Reporting) obligations. Map control gaps to NIST SP 800-161r1 (C-SCRM) practices, specifically C-SCRM Level 2 controls around software bill of materials (SBOM) and supplier verification applicable to open-source dependency chains exploited by this campaign.
Preserve Evidence
Compile a final artifact package for lessons-learned review including: the original malicious package versions and their resolved registry sources from lockfiles, Sysmon/auditd logs showing the full postinstall execution chain, network logs showing C2 beacon timing relative to npm install events, and the complete list of credentials confirmed or suspected as exposed. Retain this package per NIST AU-11 (Audit Record Retention) for a minimum period consistent with your records retention policy, as DPRK-attributed campaigns have regulatory notification implications if developer workstations processed any customer PII or regulated data. Document the specific Next.js and Nx package namespaces exploited by Contagious Interview to update your private registry allowlist and prevent future ingestion of the same malicious namespace variants.
Recovery Guidance
Rebuild all affected developer environments from pre-incident golden images; do not reuse any virtual machine snapshot, container image, or development environment provisioned after the earliest possible infection date within the 90-day audit window. Before returning any developer workstation to production use, verify that all CI/CD pipeline secrets, cloud IAM keys, SSH keys, and repository tokens have been rotated and that no artifacts produced on compromised systems have been promoted to staging or production without integrity verification. Maintain enhanced monitoring of npm registry activity for the specific package namespaces weaponized in this campaign — including typosquat variants — for a minimum of 30 days post-remediation, and retain network flow logs for at least 90 days to support retrospective analysis if new Contagious Interview infrastructure indicators are published by Microsoft or CISA.
Key Forensic Artifacts
npm postinstall execution chain logs: Sysmon Event ID 1 (Process Creation) entries where ParentImage matches node.exe or npm.exe and ChildImage matches cmd.exe, powershell.exe, bash, sh, or python — this is the primary execution path for RAT delivery via malicious Next.js or Nx postinstall lifecycle scripts in this campaign
Lockfile tampering evidence: diff of package-lock.json or yarn.lock against the project's git-committed version, specifically looking for resolved URLs pointing to GitHub forks or non-registry.npmjs.org hosts for next, nx, @nx/*, or related packages — the Contagious Interview worm propagates by substituting these entries
npm cache tarballs: contents of ~/.npm/_cacache or %APPDATA%/npm-cache containing the malicious package tarballs downloaded during the compromised install, preservable before npm cache clean and scannable with YARA rules for known Contagious Interview RAT strings or BeaverTail/InvisibleFerret malware family signatures associated with this DPRK campaign
Credential store access artifacts: filesystem access timestamps on ~/.aws/credentials, ~/.ssh/id_rsa, ~/.config/gh/hosts.yml, .env files, and browser-stored credential databases (Chrome Login Data, Firefox logins.json) showing access by node.exe or child processes spawned from npm lifecycle hooks during the suspected infection window
Outbound DNS and network connection logs: Sysmon Event ID 22 (DNS Query) and Event ID 3 (Network Connection) entries generated by node.exe or its child processes within 60 seconds of npm install or nx plugin execution, used to identify the initial C2 beacon domain and IP associated with the Contagious Interview campaign infrastructure
Detection Guidance
Primary behavioral indicators for this campaign center on T1195.001/T1195.002 (supply chain compromise via repository poisoning) and T1059/T1059.007 (scripting interpreter execution from package install hooks). Detection should be built on the following KB-grounded log sources and controls.
AU-2 (Event Logging): Configure logging to capture process creation events on developer endpoints, specifically scripting interpreters (node, python, bash, powershell) spawned as child processes of npm, git, or nx operations. Log outbound network connections initiated by these processes.
AU-3 (Content Of Audit Records): Ensure each logged event captures process name, parent process, user account, timestamp (per AU-8), source/destination IP and domain, and command-line arguments. Incomplete records impede correlation.
AU-6 (Audit Record Review, Analysis, and Reporting): Review developer endpoint logs for the following behavioral patterns:
scripting interpreter processes spawning outbound connections to non-internal, non-approved external addresses within minutes of npm install, git clone, or nx plugin operations;
unexpected scheduled task or persistence mechanism creation on developer endpoints following package operations;
access to credential stores (SSH key directories, environment variable files, browser credential stores) by node or interpreter processes.
Correlate timing of package install events against network telemetry.
AU-13 (Monitoring For Information Disclosure): Monitor open-source repository feeds and community threat intelligence sources for newly reported malicious Next.js or Nx package variants. This campaign uses worm-like propagation, meaning new poisoned packages may appear after initial disclosure.
CIS 8.2 (Collect Audit Logs): Confirm audit logging is enabled across all developer workstations and CI/CD pipeline runners. Gaps in coverage on developer endpoints are a known blind spot for supply chain attacks.
D3-SFA (System File Analysis): Monitor developer endpoint system files and executables for modification following package installation events. RAT deployment via postinstall hooks may modify startup scripts, shell profiles (.bashrc, .zshrc), or scheduled task configurations.
D3-SICA (System Init Config Analysis): Analyze system process startup configurations on affected or suspect developer endpoints. Persistent RAT components may install themselves via init scripts or service configurations created during malicious package execution.
D3-LAM (Local Account Monitoring): Monitor local accounts on developer workstations for privilege escalation or new account creation following package install events, consistent with T1080 (taint shared content) and post-exploitation activity.
D3-EBWSAM (Endpoint-based Web Server Access Mediation): Enforce endpoint-level controls restricting outbound connections from developer workstations to approved registries only. Alert on connections to non-allowlisted external hosts initiated by package managers or interpreter processes.
IOC note: Specific C2 domains, IP addresses, and file hashes for this campaign are documented in Microsoft's February 24, 2026 security blog. Confirmed IOC values were not available in sources used for this article. Retrieve current indicators directly from that source before executing threat hunts or writing detection rules.
Indicators of Compromise (1)
Type: URL
Value: https://www.microsoft.com/en-us/security/blog/2026/02/24/c2-developer-targeting-campaign/
Enrichment: US
Context: Microsoft security blog documenting C2 infrastructure tied to malicious Next.js repository campaign — retrieve current IOC list from this source directly
Confidence: HIGH
Platform Playbooks
Microsoft 365 E3 (3 log sources): Basic identity + audit. No endpoint advanced hunting. Defender for Endpoint requires separate P1/P2 license.
Microsoft 365 E5 (18 log sources): Full Defender suite: Endpoint P2, Identity, Office 365 P2, Cloud App Security. Advanced hunting across all workloads.
E5 + Sentinel (27 log sources): All E5 tables + SIEM data (CEF, Syslog, Windows Security Events, Threat Intelligence). Analytics rules, playbooks, workbooks.
IOC Detection Queries (1)
The only indicator on this page is the Microsoft blog URL that documents the campaign; it is the reference source, not a malicious URL, so as written the query below will surface analysts reading the advisory rather than infected hosts. Replace the `suspicious_urls` list with the C2 indicators published in that post before using it.
// Threat: DPRK’s Contagious Interview Campaign Adds Worm-Like Repository Propagation
// Specific malicious URLs on shared platforms
let suspicious_urls = dynamic(["https://www.microsoft.com/en-us/security/blog/2026/02/24/c2-developer-targeting-campaign/"]);
DeviceNetworkEvents
| where Timestamp > ago(30d)
| where RemoteUrl has_any (suspicious_urls)
| project Timestamp, DeviceName, RemoteUrl, RemoteIP,
InitiatingProcessFileName, InitiatingProcessCommandLine
| sort by Timestamp desc
MITRE ATT&CK Hunting Queries (4)
Sentinel rule: Unusual C2 communication patterns
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemotePort in (80, 443, 8080, 8443)
| where InitiatingProcessFileName !in~ ("chrome.exe", "msedge.exe", "firefox.exe", "teams.exe", "outlook.exe", "svchost.exe")
| summarize Connections = count() by DeviceName, RemoteIP, InitiatingProcessFileName
| where Connections > 50
| sort by Connections desc
Sentinel rule: Phishing email delivery
EmailEvents
| where Timestamp > ago(7d)
| where ThreatTypes has "Phish" or DetectionMethods has "Phish"
| summarize Attachments = make_set(AttachmentCount), Urls = make_set(UrlCount) by NetworkMessageId, Timestamp, SenderFromAddress, RecipientEmailAddress, Subject, DeliveryAction, DeliveryLocation, ThreatTypes
| sort by Timestamp desc
Sentinel rule: Suspicious PowerShell command line
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe")
| where ProcessCommandLine has_any ("-enc", "-nop", "bypass", "hidden", "downloadstring", "invoke-expression", "iex", "frombase64", "new-object net.webclient")
| project Timestamp, DeviceName, FileName, ProcessCommandLine, AccountName, InitiatingProcessFileName
| sort by Timestamp desc
Sentinel rule: Suspicious file execution from downloads
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FolderPath has_any ("\\Downloads\\", "\\Temp\\", "\\AppData\\Local\\Temp\\")
| where FileName endswith_any (".exe", ".scr", ".bat", ".ps1", ".vbs", ".js", ".hta", ".msi")
| where InitiatingProcessFileName in~ ("explorer.exe", "outlook.exe", "chrome.exe", "msedge.exe")
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, ProcessCommandLine, AccountName
| sort by Timestamp desc
No actionable IOCs for CrowdStrike import (benign/contextual indicators excluded).
No hard IOCs available for AWS detection queries (contextual/benign indicators excluded).
Compliance Framework Mappings
MITRE ATT&CK: T1195.001, T1588.001, T1195.002, T1219, T1071, T1566.003 (+4 not shown)
NIST SP 800-53: CM-7, SA-9, SR-3, SI-7, CA-7, SC-7 (+4 not shown)
MITRE ATT&CK Mapping
T1195.001 | Compromise Software Dependencies and Development Tools | initial-access
T1195.002 | Compromise Software Supply Chain | initial-access
T1219 | Remote Access Tools | command-and-control
T1071 | Application Layer Protocol | command-and-control
T1566.003 | Spearphishing via Service | initial-access
T1059 | Command and Scripting Interpreter | execution
T1080 | Taint Shared Content | lateral-movement
Guidance Disclaimer
The analysis, framework mappings, and incident response recommendations in this intelligence item are derived from established industry standards including NIST SP 800-61, NIST SP 800-53, CIS Controls v8, MITRE ATT&CK, and other recognized frameworks. This content is provided as supplemental intelligence guidance only and does not constitute professional incident response services. Organizations should adapt all recommendations to their specific environment, risk tolerance, and regulatory requirements. This material is not a substitute for your organization's official incident response plan, legal counsel, or qualified security practitioners.