North Korean Threat Actors Leverage JSON Storage Services for Stealthy Malware Distribution

  • November 15, 2025

Advanced persistent threat actors linked to North Korea have evolved their Contagious Interview campaign by incorporating JSON storage platforms as malware delivery infrastructure. This tactical shift demonstrates the threat group’s continuous adaptation to evade detection while maintaining operational effectiveness.

Campaign Overview

The Contagious Interview operation continues to target software developers through sophisticated social engineering techniques. Recent analysis by NVISO Labs has revealed that attackers now leverage legitimate JSON storage services—including JSON Keeper, JSONsilo, and npoint.io—to host and distribute malicious payloads embedded within seemingly legitimate code repositories.

Attack Methodology

Initial Contact and Lure

Attackers initiate contact with potential victims through professional networking platforms, particularly LinkedIn. The social engineering approach typically follows one of two scenarios:

  • Invitation to participate in a technical skills assessment for a job opportunity
  • Request to collaborate on an open-source development project

Payload Distribution

Targets receive instructions to download demonstration projects hosted on reputable code repositories such as GitHub, GitLab, or Bitbucket. These platforms provide legitimacy to the malicious content and make detection more challenging.

Technical Implementation

Security researchers identified a novel obfuscation technique within the attack chain. Inside the trojanized projects, a configuration file located at server/config/.config.env contains what appears to be a Base64-encoded API key. However, this encoded string actually decodes to a URL pointing to a JSON storage service, where the next-stage payload is hosted in obfuscated form.
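The "API key that is really a Base64 URL" pattern is cheap to check for before anyone runs a downloaded project, and the same check implements the "Inspection" recommendation and the Base64-string indicator listed later in this article. The following scanner is an added example written for this article; it is not NVISO's tooling or anything from the campaign. It walks a checkout, reads every file ending in .env (which includes dotfiles such as .config.env), decodes values that look like Base64 tokens, and reports any that turn out to be URLs. The hostname fragments used to single out JSON storage and paste services (jsonkeeper, jsonsilo, npoint.io, pastebin) are assumptions based on the service names in the report, not indicators taken from it, and the embedded sample file is constructed.

```python
"""Scan .env-style files for Base64 values that decode to URLs (defensive triage)."""
import base64
import binascii
import os
import re
import sys
from urllib.parse import urlparse

# Substrings of hostnames worth flagging. The report names the services
# (JSON Keeper, JSONsilo, npoint.io, Pastebin); the hostname fragments used
# here are assumptions for matching, not indicators taken from the report.
WATCHED_HOST_FRAGMENTS = ("jsonkeeper", "jsonsilo", "npoint.io", "pastebin")

# A value has to look like a reasonably long Base64 token before we bother
# decoding it; short tokens such as "c2hvcnQ=" produce too much noise.
B64_TOKEN = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")

# Constructed sample, not a file from the campaign: an API_KEY that is really
# the Base64 form of a URL (placeholder path on an assumed npoint.io API host).
SAMPLE_ENV = (
    "# constructed sample .config.env\n"
    "PORT=3000\n"
    "DB_USER=demo\n"
    "API_KEY=" + base64.b64encode(b"https://api.npoint.io/example-placeholder").decode() + "\n"
    "SESSION_SECRET=c2hvcnQ=\n"
    "LOG_LEVEL=debug\n"
)


def decode_if_base64(value):
    """Return the decoded text if value is valid Base64 of printable UTF-8, else None."""
    token = value.strip().strip("\"'")
    if not B64_TOKEN.match(token):
        return None
    try:
        raw = base64.b64decode(token, validate=True)
        text = raw.decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def classify_decoded(text):
    """Categorise decoded text: 'watched-host-url', 'url', or None if it is not a URL."""
    parsed = urlparse(text)
    if parsed.scheme not in ("http", "https") or not parsed.netloc:
        return None
    host = parsed.netloc.lower()
    if any(fragment in host for fragment in WATCHED_HOST_FRAGMENTS):
        return "watched-host-url"
    return "url"


def scan_env_text(text, source="<string>"):
    """Return findings for KEY=VALUE lines whose value is Base64 for a URL."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        decoded = decode_if_base64(value)
        if decoded is None:
            continue
        category = classify_decoded(decoded)
        if category is not None:
            findings.append({
                "source": source,
                "line": lineno,
                "key": key.strip(),
                "decoded": decoded,
                "category": category,
            })
    return findings


def scan_tree(root):
    """Walk a project checkout and scan every *.env file, dotfiles like .config.env included."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            if not name.endswith(".env"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    findings.extend(scan_env_text(fh.read(), source=path))
            except OSError:
                continue
    return findings


if __name__ == "__main__":
    # With a path argument, scan that checkout; otherwise scan the constructed sample.
    results = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else scan_env_text(SAMPLE_ENV, "SAMPLE_ENV")
    for f in results:
        print(f"{f['source']}:{f['line']} {f['key']} -> {f['decoded']} [{f['category']}]")
```

Any hit in the "url" category deserves a look, since a genuine API key does not decode to a URL; a "watched-host-url" hit on a freshly downloaded "assessment" project is a strong reason to stop and not run it outside an isolated environment.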

Malware Arsenal

BeaverTail Stealer

The primary payload delivered through this campaign is BeaverTail, a JavaScript-based information stealer designed to:

  • Harvest sensitive system information
  • Exfiltrate credentials and authentication tokens
  • Extract cryptocurrency wallet data
  • Deploy additional malware components

InvisibleFerret Backdoor

BeaverTail subsequently deploys InvisibleFerret, a Python-based backdoor first documented in late 2023. While the core functionality remains consistent with earlier variants, recent versions incorporate enhanced capabilities, including the retrieval of supplementary payloads from Pastebin.

TsunamiKit Framework

The attack chain may include TsunamiKit, a comprehensive post-exploitation toolkit previously documented in September 2025. This framework provides attackers with advanced capabilities:

  • System reconnaissance and fingerprinting
  • Comprehensive data collection
  • Additional payload retrieval from .onion domains
  • Persistent access mechanisms

Notably, security researchers have observed that the command-and-control infrastructure utilizing .onion addresses is currently offline, though the malware maintains functionality through alternative channels.

Infrastructure Abuse

The threat actors strategically abuse legitimate services to obscure malicious activity:

  1. JSON Storage Platforms: JSON Keeper, JSONsilo, and npoint.io serve as payload hosting infrastructure
  2. Code Repositories: GitHub and GitLab host trojanized demonstration projects
  3. Paste Services: Pastebin facilitates secondary payload distribution

This approach enables malicious traffic to blend seamlessly with legitimate network activity, significantly complicating detection efforts.

Threat Actor Motivation

The Contagious Interview campaign demonstrates a systematic effort to compromise software developers and technology professionals. Primary objectives include:

  • Theft of intellectual property and source code
  • Compromise of development infrastructure
  • Exfiltration of cryptocurrency assets
  • Establishment of persistent access to target organizations

The threat group’s willingness to continuously refine tactics and expand target selection suggests sustained operational momentum and sophisticated capabilities.

Detection and Mitigation Recommendations

For Organizations

  1. Code Review Protocols: Implement mandatory security reviews for all externally sourced code, including demonstration projects and assessment materials
  2. Network Monitoring: Deploy monitoring solutions capable of identifying unusual connections to JSON storage services and paste sites from development workstations
  3. User Awareness: Conduct targeted training for developers on recruitment-based social engineering tactics
  4. Endpoint Protection: Ensure comprehensive endpoint detection and response (EDR) coverage on development systems
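The network-monitoring recommendation above can be expressed as a small detection over proxy logs: flag clients in developer address ranges that fetch from the JSON storage and paste services named in this article, and group the hits per client so a workstation that touched more than one of them in quick succession stands out. This is an added example written for this article, not a rule from NVISO or any vendor product. The developer subnet (10.20.0.0/16), the hostname fragments matched for each service, and the log lines themselves are all constructed assumptions.

```python
"""Flag developer-workstation connections to JSON storage and paste hosts in proxy logs."""
import ipaddress
from collections import defaultdict
from urllib.parse import urlparse

# Assumed developer VLAN; replace with the real address ranges of the dev/build estate.
DEV_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]

# Services named in the report mapped to hostname fragments. The fragments are
# assumptions used for matching, not indicators taken from the report.
WATCHED_SERVICES = {
    "JSON Keeper": ("jsonkeeper",),
    "JSONsilo": ("jsonsilo",),
    "npoint.io": ("npoint.io",),
    "Pastebin": ("pastebin.com",),
}

# Constructed proxy log lines (timestamp, client IP, method, URL, status);
# hosts and paths are placeholders, not observed campaign infrastructure.
SAMPLE_LOG = """\
2025-11-15T09:12:01Z 10.20.4.17 GET https://github.com/example-org/demo-project/archive/main.zip 200
2025-11-15T09:12:09Z 10.20.4.17 GET https://api.npoint.io/placeholder-bin 200
2025-11-15T09:12:10Z 10.20.4.17 GET https://pastebin.com/raw/placeholder 200
2025-11-15T09:13:44Z 10.50.1.9 GET https://www.jsonkeeper.com/b/placeholder 200
2025-11-15T09:15:02Z 10.20.7.3 GET https://registry.npmjs.org/express 200
this line is malformed
"""


def parse_line(line):
    """Parse one log line into a dict, or return None for malformed lines."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, client, method, url, status = parts
    try:
        ip = ipaddress.ip_address(client)
    except ValueError:
        return None
    return {"ts": ts, "client": ip, "method": method, "url": url,
            "status": status, "host": urlparse(url).netloc.lower()}


def watched_service(host):
    """Return the report's service name matching the host, or None."""
    for service, fragments in WATCHED_SERVICES.items():
        if any(fragment in host for fragment in fragments):
            return service
    return None


def is_dev_client(ip):
    """True if the client address falls inside one of the developer networks."""
    return any(ip in net for net in DEV_NETWORKS)


def detect(log_text):
    """Return alerts for developer-network clients reaching watched hosts."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        service = watched_service(rec["host"])
        if service is None or not is_dev_client(rec["client"]):
            continue
        alerts.append({"ts": rec["ts"], "client": str(rec["client"]),
                       "service": service, "url": rec["url"]})
    return alerts


def summarize(alerts):
    """Group alerts by client so a host that touched several services stands out."""
    by_client = defaultdict(list)
    for alert in alerts:
        by_client[alert["client"]].append(alert["service"])
    return dict(by_client)


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for alert in found:
        print(f"{alert['ts']} {alert['client']} -> {alert['service']}: {alert['url']}")
    for client, services in summarize(found).items():
        print(f"{client}: {len(services)} watched fetch(es): {', '.join(services)}")
```

On the constructed log, only 10.20.4.17 produces alerts (an npoint.io fetch followed one second later by a Pastebin fetch), which mirrors the staged retrieval this article describes; the jsonkeeper request from 10.50.1.9 is ignored because that address is outside the developer ranges, and a real deployment would tune both the address ranges and the host list to its own environment.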

For Individual Developers

  1. Verification: Independently verify the legitimacy of job opportunities and collaboration requests
  2. Isolation: Execute untrusted code only in isolated virtual environments
  3. Inspection: Carefully examine configuration files and encoded strings within demonstration projects
  4. Caution: Exercise skepticism toward unsolicited technical assessments requiring code execution

Conclusion

The evolution of the Contagious Interview campaign underscores the persistent and adaptive nature of North Korean cyber operations. By leveraging trusted platforms and services, these threat actors have developed an effective methodology for bypassing traditional security controls while maintaining a broad targeting approach across the software development community.

Organizations and individual developers must remain vigilant against recruitment-themed social engineering attacks and implement layered defensive measures to mitigate exposure to this ongoing threat.

Indicators of Compromise (IOCs)

Organizations are encouraged to monitor for:

  • Unusual Base64-encoded strings in configuration files
  • Connections to JSON storage services from development workstations
  • JavaScript files with obfuscation characteristics matching BeaverTail samples
  • Python backdoor components exhibiting InvisibleFerret behavioral patterns

References

  • NVISO Labs Analysis: “Contagious Interview Actors Now Utilize JSON Storage Services for Malware Delivery”
  • ESET Research: Previous documentation of TsunamiKit and AkdoorTea deployment
  • Palo Alto Networks: Initial BeaverTail and InvisibleFerret documentation (2023)
