North Korean threat actors have adopted novel tactics in their ongoing “Contagious Interview” campaign, now leveraging legitimate JSON storage services to host and distribute malicious payloads. This evolution in their methodology highlights a persistent effort to bypass security measures and compromise software developers for sensitive data exfiltration, including cryptocurrency wallet information.
Researchers from NVISO have identified a pattern where these actors approach potential victims on professional networking platforms like LinkedIn. They often pose as recruiters or collaborators, enticing individuals to download seemingly innocuous demo projects from popular code repositories such as GitHub, GitLab, or Bitbucket. Within these trojanized code projects, a new delivery technique has emerged.
Contagious Interview Campaign Evolves with JSON Payload Hosting
The latest iteration of the Contagious Interview campaign uses JSON storage services, including JSON Keeper, JSONsilo, and npoint.io, to stage its malware. Hosting the next stage on established, trusted web services lets the operators hide the retrieval among ordinary HTTPS traffic rather than exposing their own infrastructure.
According to the NVISO report, one observed instance involved a configuration file named “server/config/.config.env.” The file held a Base64-encoded string that looked like an API key but, once decoded, was a URL pointing to a JSON storage service. The next-stage payload was hosted there in obfuscated form. Nothing in the file looks suspicious on a casual read; the indicator only appears when the value is decoded.
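As an added illustration (not code from the NVISO report or from this page), the following Python script applies the check that this detail suggests: it parses a dotenv-style file, Base64-decodes any long key-like value, and flags values that decode to a URL, marking those whose host is on a watchlist of JSON storage services. The sample file content and the URL path are constructed for the example; the watchlist hostnames (jsonkeeper.com, jsonsilo.com, npoint.io) are assumed from the service names on the page and are not indicators from the report.

```python
import base64
import binascii
import re
from urllib.parse import urlparse

# Hostnames assumed from the service names in the article (JSON Keeper,
# JSONsilo, npoint.io); these are assumptions, not indicators from the report.
JSON_STORAGE_DOMAINS = ("jsonkeeper.com", "jsonsilo.com", "npoint.io")

# dotenv-style line: optional "export", KEY=VALUE, value optionally quoted
ENV_LINE = re.compile(r'^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$')
# Standard and URL-safe Base64 alphabets, padding included
B64_CHARS = re.compile(r'^[A-Za-z0-9+/_=-]+$')
MIN_LEN = 16  # shorter values are rarely a hidden URL and mostly produce noise


def parse_env(text):
    """Return (key, value) pairs from dotenv text, skipping comments and blanks."""
    pairs = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = ENV_LINE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]  # strip matching quotes
        pairs.append((key, value))
    return pairs


def try_b64(value):
    """Decode value as Base64 text, or return None if it is not decodable text."""
    if len(value) < MIN_LEN or not B64_CHARS.match(value):
        return None
    # Normalise URL-safe alphabet to standard, then re-pad
    std = value.replace("-", "+").replace("_", "/").rstrip("=")
    if len(std) % 4 == 1:  # no valid Base64 string has this length
        return None
    padded = std + "=" * (-len(std) % 4)
    try:
        raw = base64.b64decode(padded, validate=True)
        text = raw.decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    return text if text.isprintable() else None


def classify(decoded):
    """If decoded text is an http(s) URL, describe it; otherwise return None."""
    s = decoded.strip()
    if not re.match(r"^https?://", s, re.IGNORECASE):
        return None
    host = (urlparse(s).hostname or "").lower()
    on_watchlist = any(host == d or host.endswith("." + d) for d in JSON_STORAGE_DOMAINS)
    return {"url": s, "host": host, "json_storage_host": on_watchlist}


def scan_env(text):
    """Flag env values that are really Base64-encoded URLs."""
    findings = []
    for key, value in parse_env(text):
        decoded = try_b64(value)
        if decoded is None:
            continue
        info = classify(decoded)
        if info:
            findings.append({"key": key, **info})
    return findings


# Constructed sample in the shape of the article's "server/config/.config.env";
# the URL path is a placeholder, not a real indicator.
SAMPLE_ENV = """
PORT=3000
DB_PASSWORD=s3cr3t-but-not-base64
# looks like an API key, decodes to https://api.npoint.io/<placeholder>
API_KEY="aHR0cHM6Ly9hcGkubnBvaW50LmlvLzAxMjM0NTY3ODlhYmNkZWY="
# valid Base64 but decodes to plain text, so it is not flagged
SESSION_SECRET=c29tZS1yYW5kb20tc2VjcmV0LXZhbHVl
"""

if __name__ == "__main__":
    for f in scan_env(SAMPLE_ENV):
        flag = "JSON-storage host" if f["json_storage_host"] else "URL"
        print(f"{f['key']}: decodes to {flag} {f['url']}")
```

Run it against every `.env`-style file in a project you have been asked to try before executing anything in it. A decoded URL is worth a look on its own; a decoded URL on a JSON hosting service, sitting in a value named like an API key, matches the pattern described above and should stop the review there.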
Unpacking the Malware Chain
The initial payload delivered through this method is a JavaScript-based malware known as BeaverTail. This malware is designed to harvest sensitive data directly from compromised systems. Following its execution, BeaverTail is capable of deploying a secondary malicious tool: a Python backdoor identified as InvisibleFerret.
While the core functionality of InvisibleFerret remains consistent with its earlier discovery by Palo Alto Networks in late 2023, a notable addition has been introduced to its operations. The backdoor now retrieves an additional payload, named TsunamiKit, from the Pastebin service. This further complicates the attack chain and expands the threat actor’s capabilities.
Earlier reports by ESET in September 2025 had already noted the use of TsunamiKit within the Contagious Interview campaign. At that time, the attacks were also observed distributing Tropidoor and AkdoorTea. TsunamiKit itself is equipped with features for system fingerprinting, extensive data collection, and the ability to download further malicious components from a hard-coded .onion address, though this particular address is currently offline.
The researchers emphasize that the actors behind the Contagious Interview campaign are actively adapting and expanding their methods. Their objective appears to be casting a wide net, aiming to compromise any software developer deemed valuable. This sustained effort is driven by the motivation to exfiltrate critical data, including sensitive intellectual property and financial information related to cryptocurrency holdings.
The strategic use of legitimate platforms such as JSON Keeper, JSONsilo, and npoint.io, alongside reputable code repositories like GitLab and GitHub, underscores the actors’ commitment to operating stealthily. By blending in with normal network traffic and using trusted services, they aim to minimize detection and maintain prolonged access to victim environments.
Moving forward, continued monitoring of code repositories and cloud storage services for suspicious activity will be crucial. For defenders, the practical checks follow from the chain described here: treat any project supplied during a recruiting conversation as untrusted until it has been reviewed, decode and inspect configuration values before running it, and watch for developer workstations reaching JSON hosting services or Pastebin that the team has no business reason to use. The threat actors are likely to keep refining their obfuscation and to move to new legitimate services as existing ones are blocked, so adaptability and current threat intelligence remain essential.