NICKEL ALLEY Strategy: Fake It ’Til You Make It

    Date: 03/24/2026

    Severity: High

    Summary

    Researchers are tracking ongoing Contagious Interview campaign activity by NICKEL ALLEY, a North Korea–linked threat group. The group targets tech professionals with fake job postings and staged interview processes, and victims are tricked into downloading malware during these recruitment steps. To appear legitimate and to distribute the malware, the attackers create fake LinkedIn profiles and use GitHub repositories. They also use ClickFix-style lures and compromised or look-alike npm packages to broaden their attacks.

    Indicators of Compromise (IOC) List

    Domains/URLs:

    https://github.com/astrasbytesyncs/web3-social-platform

    astrabytesyncs.com

    astrabytesync.com

    https://rgg-vercel.vercel.app/api/data

    https://ake-test.vercel.app/api/data

    https://astrahub.vercel.app/api/data

    https://rgg-test.vercel.app/api/data

    https://astraluck-vercel.vercel.app/api/dat

    talentacq.pro

    publicshare.org

    https://vscode-ext-git.vercel.app

    https://github.com/mishalepo/test-project

    chainlink-api-v3.com

    IP Addresses:

    95.169.180.140

    144.172.93.88

    Hashes:

    MD5: 52f173a760db5d68e52ba1f1ac51c023

    SHA-1: 2151d4d7dc8d6dca7242928a17ea3fb14f58ccef

    SHA-256: 5e307ef3aa9f20d963382700173530cdc455c1523631bbe22ede3710a2a30373

    MD5: e9b9d86a22f9795d42632650a78d57df

    SHA-1: de05ecc9f0136246d0160923108026660eee06e6

    SHA-256: 1b42fc77155bd78b098e0b72440dd72d6154312569e6ba46f1e5dc94b31c6b42

    MD5: a55629dc112ee133ac8dba80549cb0c7

    SHA-1: 0f010280ee2a91a57b0edf8f18c0091ce741d4e7

    SHA-256: 5ee13db6a646a9de00bbeec6030677e412bfeecdca226b1ff035e07927970ce0

    MD5: 1d652e7ab71621c7245bfbf84bacdc3e

    SHA-1: ac26ecf52002d87f3ba89f9e1b0742eed9e75e3d

    SHA-256: 58c1e49c67e5b7bcf10d30e370685d10c2fa263f24b8d099a97005c7a35f1346

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "https://rgg-vercel.vercel.app/api/data" or url like "https://rgg-vercel.vercel.app/api/data" or siteurl like "https://rgg-vercel.vercel.app/api/data"
    or domainname like "astrabytesyncs.com" or url like "astrabytesyncs.com" or siteurl like "astrabytesyncs.com"
    or domainname like "publicshare.org" or url like "publicshare.org" or siteurl like "publicshare.org"
    or domainname like "chainlink-api-v3.com" or url like "chainlink-api-v3.com" or siteurl like "chainlink-api-v3.com"
    or domainname like "https://vscode-ext-git.vercel.app" or url like "https://vscode-ext-git.vercel.app" or siteurl like "https://vscode-ext-git.vercel.app"
    or domainname like "astrabytesync.com" or url like "astrabytesync.com" or siteurl like "astrabytesync.com"
    or domainname like "https://ake-test.vercel.app/api/data" or url like "https://ake-test.vercel.app/api/data" or siteurl like "https://ake-test.vercel.app/api/data"
    or domainname like "https://astrahub.vercel.app/api/data" or url like "https://astrahub.vercel.app/api/data" or siteurl like "https://astrahub.vercel.app/api/data"
    or domainname like "https://rgg-test.vercel.app/api/data" or url like "https://rgg-test.vercel.app/api/data" or siteurl like "https://rgg-test.vercel.app/api/data"
    or domainname like "https://astraluck-vercel.vercel.app/api/dat" or url like "https://astraluck-vercel.vercel.app/api/dat" or siteurl like "https://astraluck-vercel.vercel.app/api/dat"
    or domainname like "talentacq.pro" or url like "talentacq.pro" or siteurl like "talentacq.pro"
    or domainname like "https://github.com/mishalepo/test-project" or url like "https://github.com/mishalepo/test-project" or siteurl like "https://github.com/mishalepo/test-project"

    Detection Query 2:

    dstipaddress IN ("95.169.180.140","144.172.93.88") or srcipaddress IN ("95.169.180.140","144.172.93.88")

    Detection Query 3:

    md5hash IN ("1d652e7ab71621c7245bfbf84bacdc3e","52f173a760db5d68e52ba1f1ac51c023","e9b9d86a22f9795d42632650a78d57df","a55629dc112ee133ac8dba80549cb0c7")

    Detection Query 4:

    sha1hash IN ("2151d4d7dc8d6dca7242928a17ea3fb14f58ccef","de05ecc9f0136246d0160923108026660eee06e6","0f010280ee2a91a57b0edf8f18c0091ce741d4e7","ac26ecf52002d87f3ba89f9e1b0742eed9e75e3d")

    Detection Query 5:

    sha256hash IN ("1b42fc77155bd78b098e0b72440dd72d6154312569e6ba46f1e5dc94b31c6b42","5e307ef3aa9f20d963382700173530cdc455c1523631bbe22ede3710a2a30373","58c1e49c67e5b7bcf10d30e370685d10c2fa263f24b8d099a97005c7a35f1346","5ee13db6a646a9de00bbeec6030677e412bfeecdca226b1ff035e07927970ce0")
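    The five queries above match each indicator as a literal value in a Gurucul TDIR field. For teams that need to sweep exported proxy, DNS or EDR logs outside that platform, the following added example (written for this advisory, not code from Gurucul or Sophos) applies the same indicator set over constructed key=value log lines. It differs from the queries in two ways worth noting: URL indicators are matched on the host name for domain-style fields and as a path-boundary prefix for URL fields (so the `/api/data` indicators still hit when a query string is appended but not when the path continues), and hashes are matched case-insensitively and labelled by digest length. The field names, the log format and the sample events are assumptions; the indicator values are copied from the list above.

```python
from urllib.parse import urlparse

# Indicators copied verbatim from the advisory above, grouped by type.
IOC_DOMAINS = {"astrabytesyncs.com", "astrabytesync.com", "talentacq.pro",
               "publicshare.org", "chainlink-api-v3.com"}
IOC_URLS = {
    "https://github.com/astrasbytesyncs/web3-social-platform",
    "https://rgg-vercel.vercel.app/api/data",
    "https://ake-test.vercel.app/api/data",
    "https://astrahub.vercel.app/api/data",
    "https://rgg-test.vercel.app/api/data",
    "https://astraluck-vercel.vercel.app/api/dat",
    "https://vscode-ext-git.vercel.app",
    "https://github.com/mishalepo/test-project",
}
IOC_IPS = {"95.169.180.140", "144.172.93.88"}
IOC_HASHES = {
    "52f173a760db5d68e52ba1f1ac51c023", "e9b9d86a22f9795d42632650a78d57df",
    "a55629dc112ee133ac8dba80549cb0c7", "1d652e7ab71621c7245bfbf84bacdc3e",
    "2151d4d7dc8d6dca7242928a17ea3fb14f58ccef", "de05ecc9f0136246d0160923108026660eee06e6",
    "0f010280ee2a91a57b0edf8f18c0091ce741d4e7", "ac26ecf52002d87f3ba89f9e1b0742eed9e75e3d",
    "5e307ef3aa9f20d963382700173530cdc455c1523631bbe22ede3710a2a30373",
    "1b42fc77155bd78b098e0b72440dd72d6154312569e6ba46f1e5dc94b31c6b42",
    "5ee13db6a646a9de00bbeec6030677e412bfeecdca226b1ff035e07927970ce0",
    "58c1e49c67e5b7bcf10d30e370685d10c2fa263f24b8d099a97005c7a35f1346",
}
HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}  # label by hex digest length

# Log schema is an assumption: the names that also appear in the Gurucul
# queries (url, siteurl, domainname, srcipaddress, dstipaddress, md5hash,
# sha1hash, sha256hash) are kept; the short aliases are added for export formats.
URL_FIELDS = {"url", "siteurl", "referer"}
HOST_FIELDS = {"domainname", "host", "dsthost"}
IP_FIELDS = {"srcipaddress", "dstipaddress", "src", "dst"}
HASH_FIELDS = {"md5hash", "sha1hash", "sha256hash", "md5", "sha1", "sha256", "hash"}


def parse_kv_line(line):
    """Parse 'key=value' tokens from a space-separated log line (constructed format)."""
    fields = {}
    for token in line.split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key.lower()] = value
    return fields


def url_matches(observed):
    """Return the IOC URL that 'observed' falls under, or None.

    The IOC must be a prefix of scheme://host/path and end at a path boundary,
    so https://x/api/data2 does not match https://x/api/data, while
    https://x/api/data?id=1 and https://x/api/data/extra both do."""
    parts = urlparse(observed)
    normalized = f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path}"
    for ioc in IOC_URLS:
        if normalized == ioc:
            return ioc
        if normalized.startswith(ioc) and normalized[len(ioc)] in "/?#":
            return ioc
    return None


def scan_line(line):
    """Return a list of (field, ioc_type, ioc) hits for one log line."""
    hits = []
    for key, value in parse_kv_line(line).items():
        if key in URL_FIELDS and value not in ("-", ""):
            if "://" not in value:          # proxy logs often omit the scheme
                value = "https://" + value  # assumption: treat as HTTPS for matching
            host = (urlparse(value).hostname or "").lower()
            if host in IOC_DOMAINS:
                hits.append((key, "domain", host))
            ioc = url_matches(value)
            if ioc:
                hits.append((key, "url", ioc))
        elif key in HOST_FIELDS and value.lower() in IOC_DOMAINS:
            hits.append((key, "domain", value.lower()))
        elif key in IP_FIELDS and value in IOC_IPS:
            hits.append((key, "ip", value))
        elif key in HASH_FIELDS and value.lower() in IOC_HASHES:
            hits.append((key, HASH_TYPES.get(len(value), "hash"), value.lower()))
    return hits


def scan_logs(lines):
    """Scan many lines; return {line_index: hits} for lines with at least one hit."""
    return {i: h for i, line in enumerate(lines) if (h := scan_line(line))}


# Constructed sample events, not real telemetry; non-IOC addresses use RFC 1918
# and TEST-NET ranges. Lines 0, 1, 3 and 4 should hit; lines 2 and 5 should not.
SAMPLE_LOGS = [
    "ts=2026-03-24T10:01:00Z src=10.0.0.5 dst=95.169.180.140 dport=443 url=-",
    "ts=2026-03-24T10:02:11Z src=10.0.0.7 dst=198.51.100.20 dport=443 url=https://rgg-vercel.vercel.app/api/data?id=1",
    "ts=2026-03-24T10:03:30Z src=10.0.0.7 dst=198.51.100.20 dport=443 url=https://rgg-vercel.vercel.app/api/data2",
    "ts=2026-03-24T10:05:02Z host=dev-laptop-12 event=file_create sha256=5E307EF3AA9F20D963382700173530CDC455C1523631BBE22EDE3710A2A30373",
    "ts=2026-03-24T10:06:45Z src=10.0.0.9 dst=198.51.100.30 dport=443 url=github.com/mishalepo/test-project/archive/main.zip",
    "ts=2026-03-24T10:07:10Z src=10.0.0.9 dst=198.51.100.40 dport=443 url=https://www.example.com/jobs",
]
```

    Run `scan_logs(SAMPLE_LOGS)` to get the hits keyed by line index. Because the matching is done on the parsed host and path rather than on the raw string, a single indicator such as `https://github.com/mishalepo/test-project` also catches archive and raw-file downloads beneath that repository path, which is the usual shape of the "clone this test project" lure the summary describes.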

    Reference:

    https://www.sophos.com/en-us/blog/nickel-alley-strategy-fake-it-til-you-make-it


    Tags

    GitHub, Information Technology, Malware, Threat Actor, Exploit, ClickFix
