A technical analysis by Recorded Future's Insikt Group reported that operators linked to the North Korean cluster PurpleBravo targeted 3,136 individual IP addresses and identified 20 potential victim companies across Europe, South Asia, the Middle East and Central America between August 2024 and September 2025.
KEY FACTS
- Incident: North Korean-linked PurpleBravo targeted IT and software supply chains
- Scale: 3,136 individual IP addresses identified as likely targets
- Victims: 20 potential companies in 10 countries, including India, Belgium and the U.A.E.
- Timeline: activity observed from August 2024 to September 2025
The report links PurpleBravo to supply-chain intrusion techniques that include social engineering through job-seeking personas and delivery of malicious code to candidates' devices. In several cases candidates reportedly executed that code on corporate machines, creating exposure beyond individual systems.
PurpleBravo is associated with multiple malware families and tooling. The activity group operated distinct command-and-control (C2) infrastructure for a JavaScript infostealer and loader known as BeaverTail and for a Go-based backdoor referred to as GolangGhost. The report says the C2 servers were hosted across 17 providers and administered through Astrill VPN from IP ranges in China.
The disclosure notes overlaps with separate North Korean IT-worker campaigns, with some tactics, infrastructure and VPN administration shared across clusters. The report highlights that organizations outsourcing development or using external coding assessments face acute supply-chain risk when candidates use company devices for those assessments.
WHY IT MATTERS
The activity shows how trusted development workflows and hiring interactions can be abused to gain broader access to corporate networks. Companies that rely on external developers or use company devices for candidate assessments should review controls to limit execution of untrusted code and reduce supply-chain exposure.