🔴 HIGH | intel

North Korea ‘Contagious Interview’ uses JSON malware channels

North Korea’s “Contagious Interview” campaign now leverages JSON storage services as covert malware delivery channels to target developers and engineers with job-themed lures. Threat actors posing as recruiters on LinkedIn and similar platforms invite victims to collaborate on technical projects or complete assessments, then direct them to download trojanized repositories from GitHub, GitLab or Bitbucket. Inside these projects, configuration files such as server/config/.config.env contain Base64-encoded values posing as API keys but actually embedding URLs to JSON Keeper, JSONsilo or npoint.io, where obfuscated second-stage payloads are stored. This tradecraft maps to T1566 (Phishing), T1204 (User Execution) and T1105 (Ingress Tool Transfer) as adversaries blend social engineering with developer tooling.

The retrieved payloads often include BeaverTail, a JavaScript infostealer that harvests browser data, credentials and crypto wallet information, and InvisibleFerret, a Python backdoor providing persistence and command execution. Recent analyses show the toolkit has evolved to fetch an additional module dubbed TsunamiKit from Pastebin, supporting system fingerprinting, staged data collection and retrieval of more malware from a Tor .onion service. By staging payloads on legitimate JSON hosting services and popular code platforms, the operators significantly increase their chances of bypassing URL filters and domain reputation systems, while TLS and JSON formats blend into ordinary developer traffic. These techniques align with T1027 (Obfuscated Files or Information) and T1041 (Exfiltration Over C2 Channel) in a campaign designed for stealth and resilience.

From a business perspective, Contagious Interview directly targets organizations that depend on software supply chains, cloud-native applications and internal developer tooling. Compromised developer workstations and CI/CD accounts can quickly lead to source code theft, embedded backdoors in products and downstream supply chain compromise similar to previous high-profile incidents. When stolen credentials or code repositories include customer or payment data, organizations may face GDPR or industry-specific breach notification requirements even if production systems are not immediately ransomed. Defenders should treat unsolicited interview or collaboration invitations that require downloading code as high-risk, especially when they originate from free-mail or newly created domains. Enterprises should implement application allowlisting for development tools, inspect build pipelines for unusual external JSON fetches and monitor for outbound connections to JSON Keeper, JSONsilo, npoint.io and Pastebin in developer segments. Security awareness training for engineers should emphasize campaign-specific lures such as Contagious Interview, while endpoint detection and response tools should be tuned to identify BeaverTail, InvisibleFerret, TsunamiKit and related TTPs in source code and local execution traces.
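The Base64-in-.env staging pattern described above lends itself to a simple pre-execution check: decode every Base64-looking value in a dotenv file and flag any that turns out to be a URL. The scanner below is an added example, not code from the brief or from any analysed repository; the mapping of the named services to the domains jsonkeeper.com, jsonsilo.com, npoint.io and pastebin.com is an assumption, and the sample file is constructed.

```python
import base64
import binascii
import re
from urllib.parse import urlparse

# Services named in the brief; the domain mapping is an assumption, not from the page.
STAGING_HOSTS = {"jsonkeeper.com", "jsonsilo.com", "npoint.io", "pastebin.com"}
# KEY=value lines as found in dotenv-style files (optional `export`, optional quotes).
ENV_LINE = re.compile(r"""^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*["']?([^"'#\s]+)["']?""")
# Base64 alphabet only, and long enough that ports or short tokens are never considered.
B64_VALUE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")


def decode_if_base64(value):
    """Return the UTF-8 text behind a Base64 value, or None if it is not Base64 text."""
    if not B64_VALUE.match(value):
        return None
    try:
        return base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None


def scan_env(text):
    """Flag env values that decode to a URL; mark hosts named in the brief as staging hosts."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = ENV_LINE.match(line)
        decoded = decode_if_base64(m.group(2)) if m else None
        if decoded is None:
            continue
        url = urlparse(decoded.strip())
        if url.scheme not in ("http", "https") or not url.hostname:
            continue  # Base64 but not a URL: an ordinary encoded secret, leave it alone
        host = url.hostname.lower()
        known = any(host == h or host.endswith("." + h) for h in STAGING_HOSTS)
        findings.append({"line": lineno, "key": m.group(1), "url": decoded.strip(),
                         "host": host, "known_staging_host": known})
    return findings


# Constructed sample modelled on the server/config/.config.env pattern described above.
SAMPLE_ENV = "\n".join([
    "# constructed sample, not a real project file",
    "PORT=3000",
    "DB_URL=postgres://app:app@localhost:5432/app",
    "API_KEY=" + base64.b64encode(b"https://npoint.io/docs/PLACEHOLDER_DOC_ID").decode(),
    "SESSION_SECRET=" + base64.b64encode(b"not-a-url-just-an-encoded-secret").decode(),
    "HEALTHCHECK=" + base64.b64encode(b"https://example.com/health").decode(),
])

if __name__ == "__main__":
    for finding in scan_env(SAMPLE_ENV):
        print(finding)
```

Any decoded URL is reported, so a staging host the brief does not list still surfaces for review; the `known_staging_host` flag only raises the priority of the ones it does.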

🎯CORTEX Protocol Intelligence Assessment

Business Impact: The Contagious Interview campaign threatens organizations through their software development workforce, creating a direct path from individual developer compromise to source code theft, CI/CD pipeline abuse and downstream supply chain attacks. Successful intrusions can expose intellectual property, sensitive configuration secrets and customer data, with potential regulatory and contractual penalties when compromised code reaches production.

Technical Context: North Korean operators combine T1566 phishing lures with trojanized repositories and JSON-based payload staging that uses JSON Keeper, JSONsilo, npoint.io and Pastebin as covert C2 and malware delivery points. Their toolset of BeaverTail, InvisibleFerret and TsunamiKit exemplifies T1105, T1027 and T1041, highlighting the need for network monitoring of developer environments, domain controls for code hosting platforms and strict guardrails around third-party project use.

Strategic Intelligence Guidance

  • Apply strict controls on downloading and executing code from unsolicited GitHub, GitLab or Bitbucket projects, especially when delivered via job or recruiter outreach on LinkedIn.
  • Instrument developer networks and proxies to log and alert on outbound traffic to JSON Keeper, JSONsilo, npoint.io and Pastebin, correlating requests with suspicious repositories.
  • Harden CI/CD and developer identities with MFA, FIDO tokens and least privilege access so stolen credentials from BeaverTail or InvisibleFerret cannot easily pivot into production.
  • Incorporate Contagious Interview tradecraft into security awareness and red team exercises focused on engineering staff, validating that detection and response processes cover these TTPs.

Vendors

GitHub, GitLab, Bitbucket, JSON Keeper, JSONsilo, npoint.io

Threats

Contagious Interview, BeaverTail, InvisibleFerret, TsunamiKit

Targets

Software developers, Technology companies, Crypto and financial services