Nov 14, 2025Ravie LakshmananMalware / Menace Intelligence
The North Korean menace actors behind the Contagious Interview marketing campaign have as soon as once more tweaked their techniques through the use of JSON storage providers to stage malicious payloads.
“The menace actors have lately resorted to using JSON storage providers like JSON Keeper, JSONsilo, and npoint.io to host and ship malware from trojanized code tasks, with the lure,” NVISO researchers Bart Parys, Stef Collart, and Efstratios Lontzetidis mentioned in a Thursday report.
The marketing campaign basically entails approaching potential targets on skilled networking websites like LinkedIn, both below the pretext of conducting a job evaluation or collaborating on a challenge, as a part of which they’re instructed to obtain a demo challenge hosted on platforms like GitHub, GitLab, or Bitbucket.
In a single such challenge noticed by NVISO, it has been discovered {that a} file named “server/config/.config.env” comprises a Base64-encoded worth that masquerades as an API key, however, in actuality, is a URL to a JSON storage service like JSON Keeper the place the next-stage payload is saved in obfuscated format.
The payload is a JavaScript malware often known as BeaverTail, which is able to harvesting delicate knowledge and dropping a Python backdoor known as InvisibleFerret. Whereas the performance of the backdoor has remained largely unchanged from when it was first documented by Palo Alto Networks in late 2023, one notable change entails fetching a further payload dubbed TsunamiKit from Pastebin.
It is value noting that use of TsunamiKit as a part of the Contagious Interview marketing campaign was highlighted by ESET again in September 2025, with the assaults additionally dropping Tropidoor and AkdoorTea. The toolkit is able to system fingerprinting, knowledge assortment, and fetching extra payloads from a hard-coded .onion deal with that is at the moment offline.
“It is clear that the actors behind Contagious Interview aren’t lagging behind and are attempting to solid a really extensive web to compromise any (software program) developer that may appear fascinating to them, leading to exfiltration of delicate knowledge and crypto pockets data,” the researchers concluded.
“Using professional web sites resembling JSON Keeper, JSON Silo and npoint.io, together with code repositories resembling GitLab and GitHub, underlines the actor’s motivation and sustained makes an attempt to function stealthily and mix in with regular site visitors.”
