North Korean Hackers Use JSON Services for Stealthy Malware Distribution in Evolving Campaign

In a further evolution of their tradecraft, North Korean threat actors tied to the Contagious Interview campaign have begun using JSON storage services to deliver malicious payloads. The shift illustrates a broader trend toward hosting attack infrastructure on legitimate platforms so that the traffic it generates is indistinguishable from ordinary developer activity.

According to researchers Bart Parys, Stef Collart, and Efstratios Lontzetidis from NVISO, the adversaries are now using JSON storage services such as JSON Keeper, JSONsilo, and npoint.io to host the next-stage payload referenced from trojanized code projects. Because these services are free, widely used, and reachable over plain HTTPS, the tactic makes the operation both stealthier and easier to sustain.

The Mechanics of the Attack

The attack sequence typically initiates with the perpetrators reaching out to potential victims via professional networking platforms like LinkedIn. Posing as recruiters or project collaborators, they entice targets with job assessments or collaborative projects, prompting them to download demonstration projects from repositories like GitHub, GitLab, or Bitbucket.

In one instance observed by NVISO, a file named server/config/.config.env within the downloaded project contained a Base64-encoded string. At a glance the value looked like an API key, but it decoded to a URL pointing at a JSON storage service, in this case JSON Keeper, from which the obfuscated next-stage payload was retrieved. Since the URL only materializes when the string is decoded at runtime, a casual review of the project sees nothing more suspicious than a credential in a configuration file.
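A practitioner handed a project like this would want a way to surface such values before running anything. The script below is an added example, not NVISO's tooling: it scans dotenv-style files for Base64 tokens, decodes them, and flags any that turn out to be http(s) URLs, with an extra marking when the host belongs to one of the JSON storage services named in the report. The hostnames for those services, the file patterns, and the sample .config.env contents are this example's assumptions, and it deliberately never fetches the URLs it finds.

```python
"""Triage helper for cloned "assessment" projects: find dotenv values that are
Base64-encoded URLs, the pattern NVISO observed in server/config/.config.env.

Added example, not NVISO's tooling. The service hostnames below are this
example's assumption about where the named JSON storage services live."""
import base64
import binascii
import fnmatch
import os
import re
from urllib.parse import urlparse

# Assumed hostnames for the services named in the report (JSON Keeper,
# JSONsilo, npoint.io). Extend as needed; a subdomain of any of these matches.
JSON_STORAGE_HOSTS = ("jsonkeeper.com", "jsonsilo.com", "npoint.io")

# dotenv-style filenames worth inspecting inside a downloaded project (assumed).
ENV_FILE_PATTERNS = (".env", ".*.env", "*.env", ".env.*")

# KEY=VALUE with optional `export`, optional quotes, optional trailing comment.
ENV_LINE = re.compile(r'^\s*(?:export\s+)?([A-Za-z_]\w*)\s*=\s*(["\']?)(.*?)\2\s*(?:#.*)?$')
# Standard Base64 alphabet, long enough to be worth decoding.
B64_TOKEN = re.compile(r'^[A-Za-z0-9+/]{16,}={0,2}$')


def decode_base64_text(value: str):
    """Return the UTF-8 text behind a Base64 token, or None if it is not one."""
    token = value.strip()
    if not B64_TOKEN.match(token) or len(token) % 4:
        return None
    try:
        return base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def classify_value(value: str):
    """Classify a dotenv value as 'plain', 'decoded-text', 'url' or
    'json-storage-url'. Returns (kind, hostname); hostname is None without a URL."""
    text = decode_base64_text(value)
    if text is None:
        return "plain", None
    parsed = urlparse(text.strip())
    if parsed.scheme in ("http", "https") and parsed.hostname:
        host = parsed.hostname.lower()
        if any(host == h or host.endswith("." + h) for h in JSON_STORAGE_HOSTS):
            return "json-storage-url", host
        return "url", host
    return "decoded-text", None


def scan_env_text(text: str, path: str = "<inline>"):
    """Return a finding for every dotenv value that hides a URL behind Base64."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = ENV_LINE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(3)
        kind, host = classify_value(value)
        if kind in ("url", "json-storage-url"):
            findings.append({"path": path, "line": lineno, "key": key,
                             "kind": kind, "host": host,
                             "decoded": decode_base64_text(value)})
    return findings


def scan_project(root: str):
    """Walk a cloned project and scan every dotenv-looking file. Only reads
    files; it never contacts the URLs it uncovers."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if any(fnmatch.fnmatch(name, p) for p in ENV_FILE_PATTERNS):
                full = os.path.join(dirpath, name)
                with open(full, encoding="utf-8", errors="replace") as fh:
                    findings.extend(scan_env_text(fh.read(), full))
    return findings


# Constructed sample standing in for server/config/.config.env. STRIPE_KEY is
# Base64 too, but decodes to ordinary text; only API_KEY is a URL in disguise.
SAMPLE_ENV = """\
# service credentials
PORT=3000
STRIPE_KEY="c2stbGl2ZS1kZW1vLWtleS0wMDAx"
API_KEY=aHR0cHM6Ly9qc29ua2VlcGVyLmNvbS9iL0VYQU1QTEU=
SESSION_SECRET=sk_test_51Hzz9notbase64because_underscore
"""

if __name__ == "__main__":
    for f in scan_env_text(SAMPLE_ENV, "server/config/.config.env"):
        print(f"{f['path']}:{f['line']} {f['key']} -> {f['kind']} {f['decoded']}")
```

Run against the sample, the scanner reports only API_KEY, decoded to the JSON Keeper URL. Any value that decodes to a URL is reported regardless of host, since the storage service is interchangeable from the attacker's side; the host allow-list only upgrades the severity. Point scan_project at the root of a downloaded assessment project to cover every dotenv-style file it contains.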

Unveiling the Malware

The concealed payload is BeaverTail, a JavaScript-based information stealer that harvests sensitive data, including cryptocurrency wallet information, and then deploys a Python backdoor known as InvisibleFerret. The core functionality of InvisibleFerret has changed little since Palo Alto Networks first documented it in late 2023; the notable addition is that it now retrieves a further payload, TsunamiKit, from Pastebin.

ESET documented the incorporation of TsunamiKit into the Contagious Interview campaign in September 2025. The toolkit performs system fingerprinting and data collection, and attempts to fetch additional payloads from a hard-coded .onion address that was offline at the time of analysis.

Implications and Conclusions

The strategic use of legitimate JSON storage services and code repositories like GitHub and GitLab underscores the attackers’ commitment to blending malicious activities with normal network traffic, thereby evading detection. This approach not only broadens their reach but also increases the likelihood of compromising software developers, leading to the exfiltration of sensitive data and cryptocurrency wallet information.

The continuous refinement of tactics by the actors behind the Contagious Interview campaign shows how persistent and adaptable this threat remains. Developers should treat unsolicited "assessment" or collaboration projects as untrusted code: run them only in an isolated environment, and review configuration files for encoded values that decode to URLs before executing anything, since an innocuous-looking environment variable may be the first stage of the infection chain.