BTC $71,807
2026 Bull Run Is Building Start trading with 5% OFF all fees
Sign Up Now
BTC $71,807
Bull Run 2026 | 5% Off Fees Open your Binance account today
Sign Up

North Korean Hackers Use JSON Services for Malware Delivery

North Korean Threat Group Behind Contagious Interview Campaign Uses JSON Storage Services to Deliver Trojanized Malware Targeting Developers on Professional Networks

  • A North Korean group behind the Contagious Interview campaign now uses JSON storage services to host Malware payloads.
  • The attackers lure targets on professional networks to download trojanized code from legitimate repositories.
  • Malware includes JavaScript BeaverTail and a Python backdoor called InvisibleFerret with updated payload delivery.
  • The campaign also employs additional tools like TsunamiKit for system fingerprinting and data theft.
  • Legitimate platforms help the attackers evade detection by blending malicious traffic with normal activity.

Threat actors from North Korea linked to the Contagious Interview campaign have adopted new tactics in late 2025 by using JSON storage services such as JSON Keeper, JSONsilo, and npoint.io to distribute malware payloads. These changes were detailed by researchers Bart Parys, Stef Collart, and Efstratios Lontzetidis, who noted the group’s use of trojanized code projects as a baiting method detailed here.

- Advertisement -

The attackers approach potential victims on professional networking platforms like LinkedIn, posing as collaborators or recruiters conducting job assessments. Targets are then prompted to download demo projects hosted on popular code-sharing sites such as GitHub, GitLab, or Bitbucket. Within these projects, a file named “server/config/.config.env” often contains a disguised Base64-encoded URL linking to JSON storage services where the following-stage malware is hidden in an obfuscated format.

The primary malware identified is a JavaScript strain called BeaverTail, which steals sensitive information. BeaverTail also deploys a Python backdoor named InvisibleFerret. This backdoor remains mostly unchanged from its initial report by Palo Alto Networks in late 2023, except for its new ability to retrieve an additional payload, TsunamiKit, from Pastebin.

Earlier reports from ESET in September 2025 confirmed Contagious Interview’s use of TsunamiKit alongside other tools like Tropidoor and AkdoorTea. TsunamiKit serves functions such as system fingerprinting, data collection, and downloading further payloads from a hardcoded .onion address, which is currently inactive.

Researchers concluded, “It’s clear that the actors behind Contagious Interview are not lagging behind and are trying to cast a very wide net to compromise any (software) developer that might seem interesting to them, resulting in exfiltration of sensitive data and crypto wallet information.” They also highlighted how the usage of legitimate JSON storage platforms and popular code repositories supports the attackers’ goal of remaining stealthy and blending malicious operations with normal network traffic.

- Advertisement -

✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.

Previous Articles:

- Advertisement -
Ad
Altseason Is Loading. Don't watch from the sidelines.
SOL $90.51
DOGE $0.0963
LINK $9.02
SUI $1.00
5% off fees when you sign up
Start Trading
Ad
Pay Less on Every Trade. For Life.
$10K/mo volume Save $60/yr
$50K/mo volume Save $300/yr
$100K/mo volume Save $600/yr
5% off all trading fees when you sign up
Claim Your Discount

Latest News

AI freelancers could drive $262B in stablecoin payments by 2033

Swyftx projects that $262 billion of the AI-native gig economy's payment volume could be...

LINE NEXT launches global stablecoin platform Unifi

LINE NEXT has launched Unifi, a non-custodial stablecoin platform, now available globally as it...

Saylor’s ‘Orange Dots’ Signal Fails to Clarify Bitcoin Strategy

Strategy founder Michael Saylor posted a cryptic signal on Sunday, prompting analysts to call...

Crypto’s $2T Crash Awaits BlackRock Shock & FOMO

Bitcoin has stabilized near $60,000 after a downturn erased $2 trillion from the crypto...

Cambridge: Ethereum Energy Intensity Low, Overall Use High

Ethereum consumes roughly 7.87 GWh annually, the second-lowest energy intensity per market value among...

Must Read

How to Buy Dedicated Hosting With Crypto

In this article I am going to show you how to buy dedicated hosting with crypto from one of the best European hosting providers...
Ad
Altseason Is Loading. These 4 coins are trending right now.
SOL $92.12
DOGE $0.0950
LINK $9.02
SUI $1.02
5% off spot fees when you sign up
Start Trading