The North Korean threat actors behind the Contagious Interview campaign have once again tweaked their tactics by using JSON storage services to stage their malicious payloads.
NVISO researchers Bart Parys, Stef Collart, and Efstratios Lontzetidis said in a Thursday report that “attackers have recently been using JSON storage services such as JSON Keeper, JSONsilo, and npoint.io to host and distribute malware from trojanized code projects.”
The campaign essentially approaches potential targets on professional networking sites such as LinkedIn under the pretext of conducting a job evaluation or collaborating on a project, and as part of this, they are instructed to download demo projects hosted on platforms such as GitHub, GitLab, and Bitbucket.
In one such project discovered by NVISO, a file named “server/config/.config.env” contained a Base64-encoded value disguised as an API key, but was actually found to be a URL to a JSON storage service, such as JSON Keeper, where the next stage payload was stored in an obfuscated format.
The payload is a JavaScript malware known as BeaverTail that has the ability to collect sensitive data and drop a Python backdoor called InvisibleFerret. The backdoor’s functionality has remained largely unchanged since it was first documented by Palo Alto Networks in late 2023, but one notable change is that it obtains an additional payload from Pastebin called TsunamiKit.
It is worth noting that the use of TsunamiKit as part of the Contagious Interview campaign was highlighted by ESET in September 2025, and that attack also dropped Tropidoor and AkdoorTea. This toolkit is capable of system fingerprinting, data collection, and fetching additional payloads from hardcoded .onion addresses that are currently offline.
“It is clear that the attackers behind Contagious Interviews are not far behind and are attempting to cast a very wide net to compromise potentially interested (software) developers, resulting in the exposure of sensitive data and cryptocurrency wallet information,” the researchers concluded.
“The use of legitimate websites such as JSON Keeper, JSON Silo, and npoint.io, as well as code repositories such as GitLab and GitHub, highlights the attacker’s motivations and continued attempts to operate covertly and blend in with normal traffic.”
