North Korean threat actors in the “Contagious Interview” campaign now use JSON storage services to host and deliver malicious payloads. This signals an evolving strategy by state-sponsored hacking groups to evade detection and maintain persistence.
These seemingly benign services create a covert channel for distributing malware, which makes it harder for traditional security mechanisms to identify and block illicit traffic. The “Contagious Interview” campaign typically involves impersonating job recruiters on professional networking sites like LinkedIn. The operators lure targets into downloading compromised projects, often from platforms such as GitHub, GitLab, or Bitbucket.
These projects contain embedded, Base64-encoded URLs that are disguised as API keys and appear in files like server/config/.config.env. The URLs point to JSON storage services such as JSON Keeper, JSONsilo, and npoint.io, and the payload retrieved from them is often obfuscated. For instance, NVISO found a project where server/config/.config.env contained a Base64-encoded value masquerading as an API key, actually pointing to a JSON storage service for the next-stage payload.
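A reviewer can check an unfamiliar project for this pattern before running it. The following added example (not from NVISO or the original article) scans `.env`-style text for values that Base64-decode to a URL and marks those pointing at a JSON storage host. The function names and sample file contents are constructed, and the hostnames for JSON Keeper and JSONsilo are assumptions.

```python
import base64
import re
from urllib.parse import urlparse

# npoint.io is named in the article; the other two hostnames are assumed
# for JSON Keeper and JSONsilo and should be verified before use.
JSON_STORAGE_HOSTS = {"npoint.io", "jsonkeeper.com", "jsonsilo.com"}

# KEY=VALUE lines whose value is a long run of Base64 alphabet characters.
ASSIGNMENT = re.compile(
    r"^\s*([A-Za-z_]\w*)\s*=\s*[\"']?([A-Za-z0-9+/_-]{16,}={0,2})[\"']?\s*$"
)


def decode_url(value):
    """Return the URL hidden in a Base64 value, or None if there is none."""
    # Accept the URL-safe alphabet and repair stripped padding.
    padded = value.replace("-", "+").replace("_", "/")
    padded += "=" * (-len(padded) % 4)
    try:
        text = base64.b64decode(padded, validate=True).decode("utf-8")
    except ValueError:  # covers bad Base64 and non-UTF-8 bytes
        return None
    return text.strip() if text.startswith(("http://", "https://")) else None


def scan_env(text, path="<memory>"):
    """Return one finding per assignment whose value decodes to a URL."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = ASSIGNMENT.match(line)
        url = decode_url(m.group(2)) if m else None
        if url is None:
            continue
        host = (urlparse(url).hostname or "").lower()
        known = any(host == h or host.endswith("." + h) for h in JSON_STORAGE_HOSTS)
        findings.append({"path": path, "line": lineno, "key": m.group(1),
                         "url": url, "json_storage": known})
    return findings


# Constructed sample of a config file; the URL path is a placeholder.
SAMPLE = "\n".join([
    "PORT=5000",
    "DB_NAME=marketplace_dev",
    "API_KEY=" + base64.b64encode(b"https://api.npoint.io/constructed-example-id").decode(),
    "JWT_SECRET=" + base64.b64encode(b"secret-value-not-a-url").decode(),
])
```

Any decoded URL in a field named like a secret deserves a look, even when `json_storage` is false, since the hosting service can change.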
Researchers Bart Parys, Stef Collart, and Efstratios Lontzetidis from NVISO documented these findings on Thursday, November 13, 2025. The distributed malware includes BeaverTail, a JavaScript-based information stealer, and InvisibleFerret, a Python backdoor. Palo Alto Networks first identified InvisibleFerret in late 2023. Another payload, TsunamiKit, has also been fetched from Pastebin as part of this campaign. These tools allow collecting sensitive data and establishing persistent access to compromised systems.
Using JSON storage services for malware delivery highlights North Korean threat actors’ ongoing adaptation. They constantly refine their attack infrastructure and maintain operational secrecy. This method provides a decentralized and legitimate-appearing infrastructure, complicating threat intelligence and incident response efforts. “The threat actors have recently resorted to utilizing JSON storage services like JSON Keeper, JSONsilo, and npoint.io to host and deliver malware from trojanized code projects, with the lure,” stated NVISO researchers.

