Researchers have uncovered that North Korean threat actors behind the Contagious Interview campaign are increasingly leveraging JSON storage services to host and deploy malicious payloads. These platforms allow attackers to operate covertly while blending in with normal traffic.
Tactics and Techniques
According to NVISO researchers Bart Parys, Stef Collart, and Efstratios Lontzetidis, the actors now use JSON storage platforms such as JSON Keeper, JSONsilo, and npoint.io to stage malware hidden in seemingly legitimate code projects. The campaign targets developers and professionals on platforms like LinkedIn, often under the pretext of conducting a job assessment or collaborative project.
Victims are encouraged to download demo projects from public repositories such as GitHub, GitLab, or Bitbucket. In one observed project, a file named server/config/.config.env contained a Base64-encoded value posing as an API key. In reality, this value points to a JSON storage URL hosting the next-stage malicious payload.
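A defender-side check for the pattern described above, as an added example that is not code from the researchers or the original page: it scans .env-style text for values that Base64-decode to an http(s) URL and marks hosts belonging to the named JSON storage services. The hostnames jsonkeeper.com and jsonsilo.com, the function names, and the sample file contents are assumptions made for illustration.

```python
import base64
import re
from urllib.parse import urlparse

# npoint.io is named on the page; jsonkeeper.com and jsonsilo.com are assumed
# hostnames for the JSON Keeper and JSONsilo services it mentions.
JSON_STORAGE_HOSTS = ("jsonkeeper.com", "jsonsilo.com", "npoint.io")

# KEY=VALUE lines whose value is a run of 16+ Base64 (or URL-safe Base64) characters.
ASSIGNMENT = re.compile(
    r"^\s*(?:export\s+)?(\w+)\s*=\s*[\"']?([A-Za-z0-9+/_-]{16,}={0,2})[\"']?\s*$"
)

def decoded_url_host(value):
    """Return the host if value Base64-decodes to an http(s) URL, else None."""
    value = value.rstrip("=").replace("-", "+").replace("_", "/")
    try:
        raw = base64.b64decode(value + "=" * (-len(value) % 4), validate=True)
        url = urlparse(raw.decode("utf-8").strip())
        host = url.hostname
    except ValueError:  # bad Base64, non-text bytes, or malformed URL
        return None
    return host if url.scheme in ("http", "https") and host else None

def scan_env_text(text, path="<memory>"):
    """Flag config values that hide a URL behind Base64, as a real API key would not."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        match = ASSIGNMENT.match(line)
        host = decoded_url_host(match.group(2)) if match else None
        if host:
            findings.append({
                "path": path, "line": line_no, "key": match.group(1), "host": host,
                # True when the host is one of the JSON storage services above.
                "json_storage": any(host == h or host.endswith("." + h)
                                    for h in JSON_STORAGE_HOSTS),
            })
    return findings

# Constructed sample: a decoy "API key" that is really an encoded URL.
_ENCODED = base64.b64encode(b"https://api.npoint.io/constructed-example").decode()
SAMPLE_ENV = ("# constructed sample, not taken from a real project\nPORT=3000\n"
              "JWT_SECRET=0123456789abcdef0123456789abcdef\nAPI_KEY=" + _ENCODED)

if __name__ == "__main__":
    for finding in scan_env_text(SAMPLE_ENV, "server/config/.config.env"):
        print(finding)
```

Values that decode to a URL on any other host are still reported, with json_storage set to False, since a genuine key has no reason to decode to a URL.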
Malware Used
The payload is a JavaScript malware called BeaverTail, designed to exfiltrate sensitive information. It also deploys a Python backdoor named InvisibleFerret, which operates similarly to its original version documented by Palo Alto Networks in 2023. A notable update is that it fetches additional malicious payloads called TsunamiKit from Pastebin.

Previous reporting by ESET in September 2025 indicated that the campaign has also deployed Tropidoor and AkdoorTea payloads. These toolkits enable system fingerprinting, data exfiltration, and retrieval of additional payloads from hard-coded .onion addresses (currently offline).
Impact
The attackers aim to compromise software developers of interest, stealing sensitive data and even cryptocurrency wallet information. By using legitimate services like JSON Keeper, JSONsilo, and npoint.io, alongside public code repositories, they maintain stealth and avoid detection by blending malicious activity with legitimate traffic.


