INSPECTING ARCHIVED INTELLIGENCE (OUTDATED VERSION).
NICKEL ALLEY strategy: Fake it 'til you make it
2026-03-23 11:57 | CRITICAL | HIGH
Executive Summary (AI-generated)
The threat group, NICKEL ALLEY, continues to evolve its tactics and techniques by targeting professionals in the technology sector with fake job opportunities. Their malware, known as PyLangGhost RAT, uses Python files to initiate infection chains, compromising systems and exfiltrating sensitive data. The attackers' ability to adapt and evade detection is a testament to their sophistication, making them a significant threat to organizations worldwide.
Technical Mitigations (AI-generated)
* Implement secure coding practices: Review and validate code for security vulnerabilities before deployment, and use static analysis tools to identify issues such as buffer overflows or SQL injection.
* Use secure communication protocols: Protect data in transit with encrypted channels (e.g., SSL/TLS), and avoid public Wi-Fi networks or unencrypted HTTP connections for sensitive communications.
* Monitor and block suspicious activity: Continuously monitor network traffic and system logs for signs of NICKEL ALLEY activity, and implement blocking rules (for example, for known domains or IP addresses associated with the group) to prevent malware delivery.
* Keep software up-to-date: Ensure that all systems and applications run the latest security patches, scan regularly for vulnerabilities, and apply fixes promptly after discovery.
* Use a web application firewall (WAF): Deploy a WAF to protect against common web attacks such as SQL injection or cross-site scripting (XSS), reducing the chance of NICKEL ALLEY launching a successful attack on your systems.
Intelligence Metadata
Actors / Malware / CVEs / Campaigns: Contagious Interview; BeaverTail
Target & Sectors: DPRK; media, government, finance, aerospace, technology
Incident Timeline
February 2025
Threat actors used the publicshare[.]org domain to register and exploit a GitHub repository.
* publicshare[.]org (organisation): In a separate observed attack, the publicshare[.]org domain was both registered and used in a campaign on the same day in August.
* GitHub (organisation): Code repositories used to infect developers' systems. In October, Sophos analysts observed a targeted attack where the threat actors convinced a victim to download (clone) the content of a GitHub repository and execute the code locally using the "npm install" and "npm start" commands.
* Astra Byte Sync GitHub (organisation): Figure 5: Astra Byte Sync GitHub account. The website home page is generic and advertises "tech talent" and managed service solutions (see Figure 6).
late 2025
NICKEL ALLEY used Visual Studio Code tasks to infect job candidates' devices via the ClickFix tactic.
* Visual Studio Code / VS Code (infrastructure): In late 2025, NICKEL ALLEY established code repositories containing Visual Studio Code (VS Code) "tasks".
at least mid-2025
NICKEL ALLEY has used ClickFix to deliver PyLangGhost RAT since at least mid-2025.
* ClickFix (organisation): Figure 1: NICKEL ALLEY victimology. ClickFix leads to PyLangGhost RAT: since at least mid-2025, NICKEL ALLEY has used ClickFix to deliver PyLangGhost RAT.
June 2025
VS Code tasks are a legitimate feature used to assist with automating build scripts or quick code testing and debugging.
* Astra Byte Sync (organisation): Figure 6: Screenshot of Astra Byte Sync website. A June 2025 X post warned of a campaign involving targeted emails promoting job opportunities at the fake Astra Byte Sync company.
* OtterCookie (organisation): The attacker-owned GitHub repositories often contain simple, obfuscated code for downloading BeaverTail or OtterCookie malware.
* VS Code / .vscode / runOptions (infrastructure): Located in the .vscode/tasks.json configuration file, VS Code tasks are a legitimate feature typically used to assist with automating build scripts or quick code testing and debugging. The task is set to run when the configuration file's parent folder (.vscode) is opened in the VS Code application. This run behavior is configured via the runOptions:runOn property. Figure 9: VS Code tasks.json configuration file used by NICKEL ALLEY (truncated for brevity).
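As an added defensive check, not code from the Sophos report or from any project the page describes, the following Python scans the contents of a repository's .vscode/tasks.json for tasks whose runOptions.runOn is set to folderOpen, the run behavior described above. The tasks.json text is a constructed sample in the shape the report describes, not the file from the campaign; VS Code tolerates comments and trailing commas in this file, so the scanner strips them before parsing.

```python
import json
import re

# Constructed sample tasks.json in the shape the report describes (not the campaign's
# file). VS Code accepts comments and trailing commas here, so the scanner strips them.
SAMPLE_TASKS_JSON = r'''{
  // auto-run task (constructed for illustration)
  "version": "2.0.0",
  "tasks": [
    {
      "label": "setup",
      "type": "shell",
      "command": "powershell -c \"Expand-Archive Lib.zip .\"",
      "runOptions": { "runOn": "folderOpen" },
    },
    { "label": "build", "type": "shell", "command": "npm run build" }
  ]
}'''

def strip_jsonc(text: str) -> str:
    """Remove // and /* */ comments outside string literals, then trailing commas."""
    out, i, n = [], 0, len(text)
    while i < n:
        if text[i] == '"':                      # copy string literal verbatim
            j = i + 1
            while j < n and text[j] != '"':
                j += 2 if text[j] == '\\' else 1  # skip escaped characters
            out.append(text[i:j + 1])
            i = j + 1
        elif text.startswith('//', i):          # line comment: drop to end of line
            nl = text.find('\n', i)
            i = n if nl < 0 else nl
        elif text.startswith('/*', i):          # block comment
            end = text.find('*/', i + 2)
            i = n if end < 0 else end + 2
        else:
            out.append(text[i])
            i += 1
    # drop a trailing comma before } or ] (simple regex, adequate for tasks.json)
    return re.sub(r',(\s*[}\]])', r'\1', ''.join(out))

def find_autorun_tasks(tasks_json: str) -> list:
    """Return the tasks VS Code would run as soon as the folder is opened."""
    doc = json.loads(strip_jsonc(tasks_json))
    hits = []
    for task in doc.get("tasks", []):
        # the auto-run behaviour lives in runOptions.runOn, as the report notes
        if (task.get("runOptions") or {}).get("runOn") == "folderOpen":
            hits.append({k: task.get(k) for k in ("label", "type", "command")})
    return hits
```

Run find_autorun_tasks over the tasks.json of a cloned repository before opening it in VS Code; any task it returns will execute on folder open, so its command should be reviewed first.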
* SophosLabs (organisation): Detections and threat indicators. SophosLabs has developed the following detections for this threat: Troj/PySteal-AW, Troj/PyAgent-AS, Troj/PyAgent-AU, Troj/Pysteal-AY, Troj/PyAgent-AP. The threat indicators in Table 1 can be used to detect activity related to this threat.
* IP (organisation): Note that IP addresses can be reallocated.
2026-03-23
The malware uses the Expand-Archive cmdlet to decompress an archive via PowerShell.
* Contagious Interview (threat_actor): Counter Threat Unit™ (CTU) researchers continue to investigate trends in Contagious Interview campaign activity conducted by NICKEL ALLEY, a threat group operating on behalf of the North Korean government.
* LinkedIn (organisation): In targeted attacks, NICKEL ALLEY often creates a fake LinkedIn company page to build credibility and maintains a coordinating GitHub account for malware delivery.
* Expand-Archive (organisation): It then decompresses the archive via the PowerShell Expand-Archive cmdlet.
* VBScript (organisation): Finally, it uses the wscript command to execute a VBScript file that initiates the infection chain.
* Lib.zip (organisation): The VBScript file uses the tar command to decompress an archive (Lib.zip) that contains benign library and support files.
* WScript / Shell (organisation): It then uses the Run method of WScript.Shell to execute a command via cmd.exe: cmd /c csshost.exe nvidia.py (see Figure 3).
* Windows (infrastructure): The binary is renamed to a Windows system filename, and the Python filename often imitates an associated driver file.
* GoLang (organisation): PyLangGhost RAT was preceded by a GoLang-based version known as GoLangGhost RAT.
September 23
The malware staging domain talentacq[.]pro was created on September 23 and observed in an active campaign less than two weeks later.
Intelligence Sources
Sophos News, 2026-03-23: NICKEL ALLEY strategy: Fake it 'til you make it
Incident Version History
Current version, last updated: 2026-04-27T11:31
Comprehensive Tactical Telemetry
Highly Correlated Entities:
* Lib.zip (organisation, identified entity): 18x
* 2025 (timeline, temporal reference): 7x
* Government (industry, targeted sector): 5x
* T1592.002 - Software (tactic, MITRE ATT&CK technique): 3x
* Exfiltration (tactic, cyber operation type): 3x
* Windows (infrastructure, affected product): 3x
Contextual Telemetry (8 metrics):
* Target Region: DPRK
* Attributing Entity: Counter Threat Unit
* APT Group (threat actor): Contagious Interview
* Custom: 404
* Table: 1
* Origin Region: DPRK
* Malware Payload: BeaverTail
* Shows: 9