Contagious Interview Campaign Escalates: DPRK Threat Actors Target Developers Using JSON Storage Exploits

Listen to this Post

Featured Image

Introduction

A new investigation by cybersecurity firm NVISO has revealed an alarming escalation in the “Contagious Interview” campaign, a cyber espionage operation linked to North Korea–aligned actors. The campaign continues to specifically target software developers, particularly in cryptocurrency and Web3 industries, using fake job interviews as bait. By exploiting legitimate developer tools and cloud services, attackers have devised a sophisticated method to distribute malware while evading traditional security detection.

Luring Developers with Fake Job Projects

The campaign begins with attackers posing as recruiters on professional networks like LinkedIn, contacting developers with enticing job offers. Victims are encouraged to download “demo” projects from platforms such as GitHub or GitLab, supposedly as part of an interview evaluation. On the surface, these projects appear functional, often representing Web3 applications or real estate platforms built in Node.js.

Hidden within these repositories is a cleverly disguised configuration file, usually located at server/config/.config.env. This file contains a base64-encoded variable masquerading as an API key. When decoded, it points to a URL hosted on JSON storage platforms such as JSON Keeper, JSONsilo, or npoint.io. The JSON content fetched from these services contains obfuscated JavaScript, which the Node.js environment imports and executes as if it were a legitimate library.

BeaverTail Infostealer and Data Theft

The obfuscated script ultimately downloads BeaverTail, an infostealer capable of extracting browser histories, cryptocurrency wallets, keychain files, and other sensitive documents. This malware then deploys additional payloads, initiating the next stage of infection.

Modular Infection via InvisibleFerret and Tsunami

The campaign’s second stage involves InvisibleFerret, a Python-based modular RAT (Remote Access Trojan). NVISO’s analysis shows it now fetches components from Pastebin, with internal modules such as “pow” decoding up to 1,000 Pastebin URLs using a XOR key and verifying them via RSA signatures before executing further downloads.

One downloaded payload, Tsunami, is highly sophisticated: it performs system fingerprinting, disables security tools like Windows Defender, establishes persistence through scheduled tasks, and even integrates a TOR client to communicate with a .onion command-and-control server. Although the TOR server was offline at the time of analysis, the malware’s architecture demonstrates advanced stealth and modularity.

Abuse of Legitimate Infrastructure

NVISO’s findings underscore the attackers’ clever use of legitimate platforms to hide malicious activity. JSON storage services, GitLab repositories, and platforms like Railway were leveraged to distribute malware under the guise of normal developer workflows. The exploited services have been notified and are actively removing malicious content.

Developers are strongly advised to treat any unsolicited code from interviews with extreme caution. Running such code in a sandboxed environment, scrutinizing embedded URLs, and verifying configuration files is critical to prevent infection.

What Undercode Say:

This campaign represents a new level of sophistication in social engineering and supply chain attacks. By targeting developers directly, attackers bypass traditional corporate defenses, exploiting the natural trust developers place in code repositories. The use of legitimate infrastructure—JSON storage services, Git repositories, and cloud platforms—adds another layer of stealth, making detection exceptionally difficult.

The modular nature of InvisibleFerret and Tsunami indicates that these campaigns are not only well-funded but also adaptive. Malware components can be updated or replaced dynamically via Pastebin or other storage services, allowing threat actors to continuously evolve attack techniques without redeploying the entire campaign.

Furthermore, the targeting of cryptocurrency and Web3 developers is strategic. These industries inherently involve sensitive financial and identity data, providing higher-value targets for espionage or direct theft. By masquerading as interview projects, attackers exploit a psychological vector—developers are naturally inclined to evaluate code samples, creating a perfect attack surface.

The campaign also highlights the growing trend of abusing legitimate APIs and developer tools for malicious purposes. Traditional antivirus solutions may not flag obfuscated JavaScript or Python scripts retrieved from trusted platforms, emphasizing the need for behavioral analysis and endpoint monitoring.

Organizationally, companies should enforce policies preventing employees from executing unvetted external code and provide education on recognizing social engineering attacks. The combination of human psychology and technical manipulation in this campaign sets a new benchmark for modern cyber threats.

From an operational perspective, the integration of TOR communication and encryption signatures indicates potential state-sponsored activity, consistent with DPRK-aligned operations. This aligns with previous reports where modular malware and multi-layered obfuscation were central to North Korean campaigns targeting the cryptocurrency sector.

Developers themselves must adopt a “zero trust” approach to code from unknown sources, employing static and dynamic code analysis tools before execution. Similarly, monitoring outbound traffic for suspicious communications can mitigate the later stages of modular malware like Tsunami.

In sum, this campaign exemplifies the convergence of social engineering, supply chain compromise, and advanced malware modularity. It signals an urgent need for both individual developers and organizations to reassess operational security and strengthen defenses against increasingly targeted attacks.

🔍 Fact Checker Results

✅ NVISO reported the campaign targets developers in cryptocurrency and Web3 sectors.
✅ BeaverTail and InvisibleFerret are confirmed malware used in the campaign.
❌ There is no evidence that the TOR server was active at the time of analysis.

📊 Prediction

As the Contagious Interview campaign evolves, we can expect even more sophisticated targeting, potentially expanding to AI and blockchain developers. Malware may increasingly leverage legitimate cloud infrastructure and APIs to evade detection, and threat actors could implement automated, adaptive attacks to harvest higher-value data. Developers and firms that ignore sandboxing and behavioral analysis will remain at high risk. 🔮💻🛡️

🕵️‍📝✔️Let’s dive deep and fact‑check.

References:

Reported By: cyberpress.org
Extra Source Hub (Possible Sources for article):
https://www.quora.com
Wikipedia
OpenAi & Undercode AI

Image Source:

Unsplash
Undercode AI DI v2
Bing

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeNews & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon