Using my own platform to generate my own intel to publish my own reports. It's a closed loop!
Summary
- DPRK-nexus actor FAMOUS CHOLLIMA uses Google Docs to advertise fake jobs to steal data from developers as well as recruit facilitators for their malicious insider operations
- This post shows hunting tips on urlscan and dochunt (my collection of Google Docs), and highlights several documents I identified attributable to FAMOUS CHOLLIMA.
Key takeaways
Tactical defenders will be interested in the technical steps I used to gather documents, link them together, and watch them over time to gather IOCs as FAMOUS CHOLLIMA edited them with new lures.
Those with a deeper interest in FAMOUS CHOLLIMA's operational procedures will be interested in the longevity of the document lifetimes, suggesting long-lived and perhaps heavily used Google accounts for many parts of their playbook.
Additionally, the reuse of a specific, non-default image between a "proxy interviewee" advert and a Contagious Interview lure provides tangible evidence of asset reuse between the Contagious Interview campaign and the IT Workers campaign.
Context
If you've never read my blog before, shame on you. My latest hobby is tracking FAMOUS CHOLLIMA, a splinter of DPRK's offensive cyber operations.
FAMOUS CHOLLIMA is known for two distinct but thematically similar campaigns:
- IT Worker scheme (aka WageMole): earning salaries as fraudulent insiders
- Contagious Interview (aka DevPopper): a high-pace malware operation targeting developers for monetary gain using infostealing malware to drain cryptocurrency wallets.
My main view into FAMOUS CHOLLIMA's operations is my corpus of npm packages that facilitate the Contagious Interview campaign, but I find every aspect of their work fascinating.
Separate to my npm tracking, in early 2026, I released a collection of extracted metadata from public Google Docs at dochunt.kmsec.uk. It works by extracting Doc metadata from HTML, and leverages urlscan and Common Crawl for the corpus.
North Korea's docs
I have a confession to make. In the intro to my launch post on dochunt and parsing Google Docs, I said I needed a break from DPRK hunting. That was a half-truth. I did want a technical challenge other than analysing JavaScript malware with no end, but the whole trigger for me wanting to mine Docs HTML was North Korea's Contagious Interview.
You see, for some time, I've been watching FAMOUS CHOLLIMA's interview tasks on Google Docs. There are a couple of ways I've found them but my greatest success came from hunting urlscan.
Here's a screenshot from urlscan of a Google Doc that advertises a technical assessment that prospective hires must complete. There are multiple tabs but they all lead to the same link:
The repository it links to has long been taken down, but it would have triggered a multi-stage infection chain leading to infostealing malware like OtterCookie or InvisibleFerret.
Unfortunately, urlscan is unable to "see" the bitbucket.org link in the Google Doc and surface it as a risk factor, which makes automated triage of malicious Google Docs impossible with just urlscan's metadata (which is why I made dochunt!). But urlscan is still a very powerful tool for pivoting!
On urlscan, you can filter for things like page.title (the <title> HTML
content). The page.title attribute for a Google Doc is <document title> - Google Docs,
so simply pivoting on that attribute leads to more job adverts.
Below, I pivot on the above screenshot's doc title to gather two more malicious coding task docs.
Recruiting proxy interviewees
I didn't just find interview tasks for Contagious Interview, I also found strong evidence of recruitment for their IT Workers scheme, specifically recruitment of "proxy interviewees", people who can conduct interviews on a FAMOUS CHOLLIMA operator's behalf.
By pivoting on the hash of an image loaded into a Google Doc, I was able to tie "proxy interviewee" job adverts to the Contagious Interview lures I had been collating:
There are 5 distinct results for hash de7f4a6cc9faa9e8cd165e77963b278f9c377978b1b4a0be58e41b4b1f4a525b.
Four are blockchain developer interview tasks, while the latest is a "Proxy Interviewee" advert. View the side-by-side
image below that demonstrates the visual semblance between the Contagious
Interview lure and the Proxy Interviewee advert:
The banner photo has a limited footprint on the web and it's not a banner that Google Docs offers by default. Selecting this specific image would have been a manual process for the author.
Comment: Given the low prevalence of this image online and the evidence of asset re-use across the other blockchain role adverts, the "Proxy Interviewee" advert was highly likely created from the same template or by the same FAMOUS CHOLLIMA operator.
This was a really neat finding. We know from prior reporting that the same cells conduct Contagious Interview and the IT Worker scheme, but this image re-use gives us a small glimpse into how blurred those lines are at times.
Unfortunately, we're reaching the limit for what we can find on urlscan. If only there was a website that allowed you to freetext-search Google Docs…
Pivoting on dochunt
Up till now, we've found several FAMOUS CHOLLIMA docs on urlscan by pivoting on attributes like the page.title and image resource hashes. Now, I want to demonstrate the utility of dochunt.
Using dochunt's search functionality, we can also find Contagious Interview lures using the document title:
title:"test requirement" - check out the results - all FAMOUS CHOLLIMA!
Moreover, we can also get straight to actionable documents by looking for an
outgoing link. We can switch out searching for a specific title attribute
to hunting for anything containing "blockchain":
links:"bitbucket" AND blockchain - more FAMOUS CHOLLIMA, some noise
Examining outgoing links and full text search on parsed content makes
dochunt a powerful tool for hunting.
Here's a query I used to hunt for proxy interviewee job adverts:
proxy AND interview* AND remote AND compensation - likely FAMOUS CHOLLIMA results mixed in with lots of noise
That was just a short exercise in how to hunt on dochunt.
Edit history
After identifying interesting docs, we can zero in on a document to understand its edit history:
urlscan picked up three revisions with markedly different text in a 20-day
period. urlscan is unable to surface these edits, but dochunt extracts the
revision metadata that suggests active tailoring of the job advert to make it more
enticing to prospective facilitators.
Watching docs over time
dochunt's revision collation shows that, unsurprisingly, FAMOUS CHOLLIMA are not concerned at all with document re-use. By checking in on several docs over time, I was able to watch FAMOUS CHOLLIMA change coding task repositories over the course of days.
I identified 10 documents containing links with lures for Contagious Interview and tracked them over the course of several weeks to generate the following timeline:
| time | id | revision | title | links |
|---|---|---|---|---|
| 2025-02-25 | 1utj…WOKs | 0 | Test Requirement | |
| 2025-10-23 | 1Lmn…xtIg | 0 | Test for Blockchain Dev | |
| 2026-02-04 | 1J1Y…v9YI | 751 | Test Requirement | hxxps[://]bitbucket[.]org/workspace052/testing/src/dev/ |
| 2026-03-01 | 117z…rQ2E | 20 | Betfin Poker - Blockchain Integration Skill Test | hxxps[://]github[.]com/BetFin-ProWorkspace/Betfin-Poker |
| 2026-03-01 | 12ww…G24c | 130 | Test Requirement | hxxps[://]bitbucket[.]org/notion-dex/ultrax, hxxps[://]bitbucket[.]org/web3_space/novax |
| 2026-03-01 | 19x-…fkb8 | 563 | Top Talent Developer | hxxps[://]www[.]loom[.]com/share/5701c37802ee4de78ed57d6d5d526bf8 |
| 2026-03-01 | 1J1Y…v9YI | 773 | Test Requirement | hxxps[://]bitbucket[.]org/workspace1101/testing/src/dev/, hxxps[://]bitbucket[.]org/workspace622/testing/src/dev/ |
| 2026-03-01 | 1Lmn…xtIg | 29 | Test for Blockchain Dev | hxxps[://]bitbucket[.]org/bg86889002000/propchain/src/master/ |
| 2026-03-01 | 1WxU…5lI0 | 950 | Technical Assessment | hxxps[://]bitbucket[.]org/workspace503/real_estate-b_s/src/main/, hxxps[://]drive[.]google[.]com/file/d/1ow5UOpvsXH_9ILKdpwkIekplcSVMm4F3/, hxxps[://]bitbucket[.]org/workspace602/bestcity-v1/src/main/ |
| 2026-03-01 | 1utj…WOKs | 278 | Test Requirement | hxxps[://]bitbucket[.]org/acebrian604/fm_dex/src/main/ |
| 2026-03-04 | 1WxU…5lI0 | 951 | Technical Assessment | hxxps[://]bitbucket[.]org/workspace503/real_estate-b_s/src/main/, hxxps[://]drive[.]google[.]com/file/d/1ow5UOpvsXH_9ILKdpwkIekplcSVMm4F3/, hxxps[://]bitbucket[.]org/bestcity-work609/bestcity-v1/src/main/ |
| 2026-03-06 | 1WxH…12JQ | 12 | Hiring - 0G Labs | hxxps[://]0g[.]ai/, hxxps[://]www[.]landmarkworldwide[.]com/, hxxps[://]www[.]thelivingheart[.]life/ |
| 2026-03-11 | 1J1Y…v9YI | 785 | Test Requirement | hxxps[://]bitbucket[.]org/tech_workspace/testing/src |
| 2026-03-23 | 1WxU…5lI0 | 965 | Technical Assessment | hxxps[://]bitbucket[.]org/workspace503/real_estate-b_s/src/main/, hxxps[://]drive[.]google[.]com/file/d/1ow5UOpvsXH_9ILKdpwkIekplcSVMm4F3/, hxxps[://]bitbucket[.]org/royalcity-work302/royalcity-v1/src/main/ |
| 2026-04-16 | 1rFA…oxwA | 3 | Technical Assessment: Blockchain | hxxps[://]bitbucket[.]org/workspace814/technical-assessment436, http://Web3[.]py |
| 2026-04-20 | 1J1Y…v9YI | 933 | Test Requirement | hxxps[://]bitbucket[.]org/tech_workspace/testing/src/dev/ |
| 2026-04-24 | 1J1Y…v9YI | 938 | Test Requirement | hxxps[://]bitbucket[.]org/dev-space0314/testing/src/dev/ |
| 2026-05-27 | 1SuO…hTPQ | 75 | Technical Assessment: Blockchain | hxxps[://]bitbucket[.]org/workspace401/royal-city497-poc, hxxps[://]loom[.]com/ |
| 2026-05-31 | 1SuO…hTPQ | 77 | Technical Assessment: Blockchain | hxxps[://]bitbucket[.]org/workspace403/royal-city497-poc, hxxps[://]loom[.]com/ |
| 2026-05-31 | 1rFA…oxwA | 68 | Technical Assessment: Blockchain | hxxps[://]bitbucket[.]org/workspace401/technical-assessment496 |
| 2026-06-08 | 1SuO…hTPQ | 79 | Technical Assessment: Blockchain | hxxps[://]bitbucket[.]org/workspace406/royal-city497-poc, hxxps[://]loom[.]com/ |
What's notable about the timeline is the longevity of some of these documents. 1J1Y…v9YI had a lifetime of over a year, having been created in April 2025 and the last observed edit in roughly April 2026.
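
The revision tracking described above, as an added example (not the author's or dochunt's code): it compares the repositories linked from successive revisions of a document so that newly introduced lure repositories stand out as IOCs. The rows are copied from the timeline on this page; the function names and the normalisation of each link to host/workspace/repo are this example's assumptions.

```python
import re
from collections import defaultdict

# Rows copied from the timeline above (links kept defanged as published):
# (date, doc id as truncated on the page, revision, links)
BB = "hxxps[://]bitbucket[.]org/"
LOOM = "hxxps[://]loom[.]com/"
ROWS = [
    ("2026-02-04", "1J1Y…v9YI", 751, [BB + "workspace052/testing/src/dev/"]),
    ("2026-03-01", "1J1Y…v9YI", 773, [BB + "workspace1101/testing/src/dev/",
                                      BB + "workspace622/testing/src/dev/"]),
    ("2026-03-11", "1J1Y…v9YI", 785, [BB + "tech_workspace/testing/src"]),
    ("2026-04-20", "1J1Y…v9YI", 933, [BB + "tech_workspace/testing/src/dev/"]),
    ("2026-04-24", "1J1Y…v9YI", 938, [BB + "dev-space0314/testing/src/dev/"]),
    ("2026-05-27", "1SuO…hTPQ", 75, [BB + "workspace401/royal-city497-poc", LOOM]),
    ("2026-05-31", "1SuO…hTPQ", 77, [BB + "workspace403/royal-city497-poc", LOOM]),
    ("2026-06-08", "1SuO…hTPQ", 79, [BB + "workspace406/royal-city497-poc", LOOM]),
]
# Matches defanged Bitbucket/GitHub repo links and captures host, workspace, repo.
REPO = re.compile(r"hxxps?\[://\](bitbucket|github)\[\.\](?:org|com)/([^/]+)/([^/]+)")

def repo_key(link):
    """(host, workspace, repo) for a defanged repo link, else None (e.g. loom)."""
    m = REPO.match(link)
    return m.groups() if m else None

def ordered(rows):
    """Rows sorted per document by revision number."""
    return sorted(rows, key=lambda r: (r[1], r[2]))

def new_repos_per_revision(rows):
    """Report, per revision, repos not seen in any earlier revision of that doc."""
    seen, out = defaultdict(set), []
    for date, doc, rev, links in ordered(rows):
        keys = {k for k in map(repo_key, links) if k}
        fresh = sorted(keys - seen[doc])
        if fresh:
            out.append((doc, rev, date, fresh))
        seen[doc] |= keys
    return out

def workspace_rotation(rows):
    """Map (doc, repo name) -> workspaces in order of first appearance."""
    rot = defaultdict(list)
    for _date, doc, _rev, links in ordered(rows):
        for _host, workspace, repo in filter(None, map(repo_key, links)):
            if workspace not in rot[(doc, repo)]:
                rot[(doc, repo)].append(workspace)
    return dict(rot)

if __name__ == "__main__":
    for doc, rev, date, fresh in new_repos_per_revision(ROWS):
        print(date, doc, f"rev {rev}", ["/".join(k) for k in fresh])
    print(workspace_rotation(ROWS))
```

Revision 933 produces no new entry because its link resolves to the same workspace and repository as revision 785; only the path suffix differs.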
Below you can click through to view each document's page on dochunt, showing each revision and their contents.
Assessment
FAMOUS CHOLLIMA have abused Google Docs for over a year and it's highly likely they will continue to do so throughout 2026. It is unclear where and how FAMOUS CHOLLIMA are advertising proxy interviewee roles, but the image asset reuse across a poisoned coding task and a proxy interviewee advert contributes to a high confidence attribution of this proxy interview role to FAMOUS CHOLLIMA.