Threat Actors Use JSON Storage for Hosting and Delivering Malware via Trojanized Code

A sophisticated campaign attributed to North Korean-aligned threat actors is weaponizing legitimate JSON storage services as an effective vector for deploying advanced malware to software developers worldwide.

The “Contagious Interview” operation demonstrates how threat actors continue to innovate in their abuse of trusted infrastructure to evade security controls and establish persistent system access.

The Contagious Interview campaign has operated continuously since at least 2023, with primary objectives centered on financial gain for the North Korean regime.

The operation explicitly targets software developers across all major operating systems (Windows, Linux, and macOS), with particular emphasis on individuals involved in cryptocurrency and Web3 development projects.

This focus reflects the attackers’ clear motivation to steal digital assets and sensitive credentials from individuals managing valuable accounts and wallets.

Social Engineering as Initial Access

The attack chain begins with meticulously crafted social engineering. Threat actors create fraudulent recruiter profiles on professional networking platforms like LinkedIn, impersonating legitimate hiring professionals or company representatives.

In documented examples, attackers posed as medical directors or other professionals conducting outreach for seemingly legitimate development projects.

After establishing initial rapport through brief correspondence, the fake recruiter sends a “demo project” hosted on legitimate code repositories, such as GitLab, and requests that the target execute interview coding tasks using Node.js.

Link to the ‘demo’ hosted on GitLab.

The technical sophistication emerges in how malware is delivered. Within the demo project’s configuration files, specifically in server/config/.config.env, threat actors embed base64-encoded variables that masquerade as benign API keys.

Upon decoding, these variables reveal URLs pointing to legitimate JSON storage services, including JSON Keeper, JSON Silo, and npoint.io.

These services host heavily obfuscated JavaScript code that is fetched and executed dynamically when the innocent-appearing project runs.

This methodology is deliberately designed to circumvent detection systems. The malicious payload is not present in the repository itself, only a reference to it, so static analysis of the repository alone is insufficient for discovering the threat.

During runtime execution, the obfuscated code appears as normal API traffic, blending seamlessly into legitimate network activity.
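Because the repository carries only a reference to the payload, one practical check is to decode every base64-shaped value in a project's dotenv files and flag those that resolve to URLs. The scanner below is an added example written for this article, not code from the campaign or from the researchers: it assumes dotenv `KEY=value` syntax, uses npoint.io from the article plus jsonkeeper.com and jsonsilo.com as assumed hostnames for JSON Keeper and JSON Silo, and runs over a constructed sample file with placeholder paths.

```python
import base64
import binascii
import re
from urllib.parse import urlparse

# JSON storage hosts the article names. npoint.io is on the page; jsonkeeper.com
# and jsonsilo.com are assumed hostnames for "JSON Keeper"/"JSON Silo" (adjust).
JSON_STORAGE_DOMAINS = {"npoint.io", "jsonkeeper.com", "jsonsilo.com"}
# KEY=value line of a dotenv file; value may be quoted or prefixed with export.
ENV_LINE = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$")

def decode_base64_url(value):
    """Return the http(s) URL hidden in a base64 string, else None."""
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
        value = value[1:-1]  # strip dotenv quoting
    if not re.fullmatch(r"[A-Za-z0-9+/]{12,}={0,2}", value):
        return None  # not base64-shaped
    try:
        text = base64.b64decode(value, validate=True).decode("utf-8").strip()
    except (binascii.Error, UnicodeDecodeError):
        return None  # an ordinary API key or random bytes, not hidden text
    parsed = urlparse(text)
    return text if parsed.scheme in ("http", "https") and parsed.hostname else None

def scan_env(text):
    """Flag each variable whose base64 value decodes to a URL; note if the
    host belongs to one of the JSON storage services above."""
    findings = []
    for line in text.splitlines():
        match = ENV_LINE.match(line)  # comments and blank lines do not match
        if not match:
            continue
        key, url = match.group(1), decode_base64_url(match.group(2))
        if url is None:
            continue
        host = (urlparse(url).hostname or "").lower()
        known = any(host == d or host.endswith("." + d) for d in JSON_STORAGE_DOMAINS)
        findings.append({"key": key, "url": url, "host": host, "json_storage": known})
    return findings

# Constructed sample resembling the server/config/.config.env described above;
# the URLs use PLACEHOLDER paths, not indicators from the real campaign.
SAMPLE_ENV = "\n".join([
    "PORT=3000",
    "DB_PASSWORD=s3cr3t-not-base64",
    "SESSION_SECRET=ABCDEFGHIJKLMNOPQRSTUVWX",  # base64-shaped but not a URL
    "PAYMENT_API_KEY=" + base64.b64encode(b"https://api.npoint.io/PLACEHOLDER").decode(),
    'ANALYTICS_TOKEN="' + base64.b64encode(b"https://www.jsonkeeper.com/b/PLACEHOLDER").decode() + '"',
    "CDN_BASE=" + base64.b64encode(b"https://example.com/cfg").decode(),
])
```

Any decoded URL in a supposed API-key variable deserves review, not only those pointing at the listed services, so the unknown-host finding is reported as well.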

After multiple layers of deobfuscation, the primary payload deploys BeaverTail, an infostealer capable of sophisticated data exfiltration.

BeaverTail enumerates and steals browser profiles, focusing particularly on cryptocurrency wallet extensions such as MetaMask, Phantom, and TronLink.

The malware additionally exfiltrates system information, Word documents, PDF files, screenshots, environment variables, and, on macOS systems, the user’s Keychain database containing sensitive passwords.

BeaverTail subsequently fetches and executes InvisibleFerret, a modular Python-based Remote Access Trojan providing complete system control and persistence capabilities.

Overview of the Contagious Interview malware campaign.

InvisibleFerret incorporates sophisticated obfuscation techniques, utilizing an embedded XOR key for string obfuscation and embedding over 1,000 encoded URLs for continued payload distribution.

Advanced Persistence Mechanisms

The campaign employs a three-component Tsunami framework within InvisibleFerret: the Tsunami Payload adds Windows Defender exceptions and creates scheduled tasks; the Tsunami Injector ensures persistence and installs the required Python packages; and the Tsunami Infector validates the Python installation and, if necessary, silently installs it, using UAC prompts to gain administrative privileges.

The framework implements RSA signature verification for payload integrity, demonstrating mature operational security practices.

Evidence indicates substantial campaign success, with analysis revealing one Pastebin repository used for payload staging receiving over 400 views.

InvisibleFerret’s Pastebin functionality.

Researchers identified multiple additional repositories and infrastructure components through pivoting on discovered indicators. Security teams coordinated with representatives from the abused JSON storage services, who confirmed removal of malicious content and committed to continued monitoring.

The Contagious Interview campaign exemplifies how sophisticated threat actors abuse legitimate, trusted infrastructure to execute targeted attacks while remaining operationally stealthy.

Organizations should implement strict code review processes for all recruitment assessments, verify recruiter legitimacy through official channels, and monitor unusual API requests to JSON storage services as part of comprehensive defense strategies.
