North Korean “Contagious Interview” Campaign Evolves With New JSON-Based Delivery Techniques
North Korean state-sponsored threat actors continue to adapt their tradecraft, this time by abusing legitimate JSON storage services to deliver malware

CYBER SYRUP
Delivering the sweetest insights on cybersecurity.

North Korean state-sponsored threat actors continue to adapt their tradecraft, this time by abusing legitimate JSON storage services to deliver malware in a renewed wave of the long-running Contagious Interview campaign, according to researchers at NVISO.
Overview of the Campaign
The Contagious Interview operation has historically focused on developers, engineers, and technical professionals. Attackers pose as recruiters or collaborators on platforms such as LinkedIn, initiating conversations that appear to involve job assessments or software project contributions.
Targets are ultimately persuaded to download “demo projects” or sample code hosted on legitimate repositories like GitHub, GitLab, or Bitbucket. These repositories contain hidden or trojanized components designed to deliver malware under the guise of normal development files.
New Delivery Method: JSON Storage Services
NVISO’s latest analysis reveals a key tactical shift: staging malicious payloads on JSON hosting platforms, including JSON Keeper, JSONsilo, and npoint.io. This approach allows attackers to hide their second-stage malware in seemingly benign cloud-based JSON objects to better blend with ordinary developer traffic.
In one identified example, a file named server/config/.config.env contains a Base64-encoded value masquerading as an API key. Instead of containing credentials, the value decodes into a URL pointing to a JSON-based payload.
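A received repository can be checked for this pattern before anything in it is run. The Python below is an added example, not code from NVISO or the original article: it scans env-style text for values that Base64-decode to a URL and marks hosts belonging to the JSON storage services named above. The domains jsonkeeper.com and jsonsilo.com, the function names and the sample data are assumptions.

```python
import base64
import binascii
import re
from urllib.parse import urlparse

# Services named in the article. jsonkeeper.com and jsonsilo.com are assumed
# domains for "JSON Keeper" and "JSONsilo"; npoint.io is named on the page.
JSON_STORAGE_HOSTS = ("jsonkeeper.com", "jsonsilo.com", "npoint.io")
ASSIGNMENT = re.compile(r"^\s*(?:export\s+)?([A-Za-z_]\w*)\s*=\s*(.*)$")
BASE64_VALUE = re.compile(r"^[A-Za-z0-9+/_-]{16,}={0,2}$")

def decode_base64_url(value):
    """Return the http(s) URL a Base64 value decodes to, or None."""
    value = value.strip().strip("'\"")
    if not BASE64_VALUE.match(value):
        return None
    body = value.rstrip("=")
    try:
        raw = base64.urlsafe_b64decode(body + "=" * (-len(body) % 4))
        text = raw.decode("utf-8").strip()
        parsed = urlparse(text)
        if parsed.scheme in ("http", "https") and parsed.hostname:
            return text
    except (binascii.Error, UnicodeDecodeError, ValueError):
        pass
    return None

def scan_env_text(text, path="<memory>"):
    """Flag KEY=VALUE lines whose value is a Base64-encoded URL."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        match = ASSIGNMENT.match(line)
        url = decode_base64_url(match.group(2)) if match else None
        if url is None:
            continue
        host = urlparse(url).hostname
        known = any(host == h or host.endswith("." + h) for h in JSON_STORAGE_HOSTS)
        findings.append({"path": path, "line": lineno, "key": match.group(1),
                         "url": url, "json_storage_host": known})
    return findings

# Constructed sample: the "API key" is a Base64-wrapped placeholder URL.
SAMPLE_URL = "https://api.npoint.io/0000000000placeholder"
SAMPLE_ENV = "\n".join([
    "PORT=3000",
    "SESSION_SECRET=local-dev-only-value-1234",
    "API_KEY=" + base64.b64encode(SAMPLE_URL.encode()).decode(),
])

if __name__ == "__main__":
    for finding in scan_env_text(SAMPLE_ENV, "server/config/.config.env"):
        print(finding)
```

Any finding deserves a manual look, since a genuine API key has no reason to decode to a URL; the `json_storage_host` flag only raises priority for the services this campaign is reported to use.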
This payload delivers BeaverTail, a JavaScript malware designed to:
- Collect sensitive system and browser information
- Steal credentials and crypto wallet data
- Load an additional Python backdoor, InvisibleFerret
Expanding the Malware Toolkit
While InvisibleFerret maintains much of its previously documented functionality, NVISO notes a significant addition: the backdoor now retrieves an extra component named TsunamiKit from Pastebin.
TsunamiKit — previously highlighted by ESET in 2025 — supports:
- System fingerprinting
- Data harvesting
- Fetching additional tools from a hard-coded .onion service (currently inactive)
Other malware families previously observed in the campaign include Tropidoor and AkdoorTea, underscoring the group’s growing modular ecosystem.
Stealth Through Legitimate Infrastructure
The threat actors heavily rely on legitimate services to disguise malicious activity, hosting payloads on trusted platforms and embedding malicious logic inside developer-oriented repositories. This blending strategy increases the likelihood of bypassing both user suspicion and automated security controls.
Conclusion
NVISO’s findings demonstrate that the operators behind the Contagious Interview campaign remain active, creative, and persistent. Their use of JSON storage services, cloud repositories, and familiar developer workflows reflects a deliberate effort to compromise software developers worldwide and steal sensitive data, including cryptocurrency assets.
Organizations and developers should remain vigilant, particularly when engaging with unsolicited recruiters or collaborators and when downloading third-party code repositories or project samples.

