The North Korean threat actors behind the Contagious Interview campaign have once again tweaked their tactics by using JSON storage services to stage malicious payloads.
“The threat actors have recently resorted to utilizing JSON storage services like JSON Keeper, JSONsilo, and npoint.io to host and deliver malware from trojanized code projects, with the lure,” NVISO researchers Bart Parys, Stef Collart, and Efstratios Lontzetidis said in a Thursday report.
The campaign essentially involves approaching prospective targets on professional networking sites like LinkedIn, either under the pretext of conducting a job assessment or collaborating on a project, as part of which they are instructed to download a demo project hosted on platforms like GitHub, GitLab, or Bitbucket.
In one such project spotted by NVISO, it has been found that a file named “server/config/.config.env” contains a Base64-encoded value that masquerades as an API key, but, in reality, is a URL to a JSON storage service like JSON Keeper where the next-stage payload is stored in obfuscated format.
The payload is a JavaScript malware known as BeaverTail, which is capable of harvesting sensitive data and dropping a Python backdoor called InvisibleFerret. While the functionality of the backdoor has remained largely unchanged from when it was first documented by Palo Alto Networks in late 2023, one notable change involves fetching an additional payload dubbed TsunamiKit from Pastebin.
It’s worth noting that use of TsunamiKit as part of the Contagious Interview campaign was highlighted by ESET back in September 2025, with the attacks also dropping Tropidoor and AkdoorTea. The toolkit is capable of system fingerprinting, data collection, and fetching more payloads from a hard-coded .onion address that’s currently offline.
“It’s clear that the actors behind Contagious Interview are not lagging behind and are trying to cast a very wide net to compromise any (software) developer that might seem interesting to them, resulting in exfiltration of sensitive data and crypto wallet information,” the researchers concluded.
“The use of legitimate websites such as JSON Keeper, JSON Silo and npoint.io, along with code repositories such as GitLab and GitHub, underlines the actor’s motivation and sustained attempts to operate stealthily and blend in with normal traffic.”
