North Korean Contagious Interview Campaign Uses JSON Services for Malware Delivery
North Korean threat actors associated with the Contagious Interview campaign have adopted new tactics by leveraging JSON storage services such as JSON Keeper, JSONsilo, and npoint.io to host and deliver malware. These actors approach software developers, particularly those in cryptocurrency and Web3 sectors, via professional networking platforms like LinkedIn, posing as recruiters or collaborators. Victims are lured into downloading trojanized code projects from platforms like GitHub or GitLab, which contain hidden links to malicious payloads stored in JSON services. The initial payload, often disguised as an API key, leads to the download of JavaScript malware such as BeaverTail, which can harvest sensitive data and deploy additional backdoors like InvisibleFerret.
The campaign's modular approach allows for further payloads, including TsunamiKit, to be fetched from external sources like Pastebin or .onion addresses. The malware toolkit is capable of system fingerprinting, data collection, and persistent access, with some payloads specifically targeting multiple operating systems including Windows, Linux, and macOS. The Contagious Interview campaign remains focused on financial gain for the DPRK regime and demonstrates ongoing evolution in its social engineering and malware delivery techniques, as highlighted by recent research from NVISO and corroborated by other security firms.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Abused JSON storage providers are notified of malicious content
NVISO said it contacted the legitimate JSON storage providers whose services were being abused, and the providers were reportedly working to remove the malicious content.
NVISO documents BeaverTail, InvisibleFerret, and Tsunami chain
NVISO disclosed technical analysis showing the JSON-hosted payload chain leading to a BeaverTail infostealer variant, followed by the InvisibleFerret Python RAT, with an added Tsunami-related component and Pastebin-based stage retrieval. The report also noted broader infrastructure pivots including Railway-hosted payload delivery and published IOCs.
Actors shift to JSON storage services for malware delivery
In a newly observed evolution of the campaign, the threat actors began hiding malware delivery behind legitimate JSON storage services such as JSON Keeper, JSONsilo, and npoint.io, embedding base64-encoded URLs in trojanized demo project files.
Researchers observe new OtterCookie payload delivery techniques
By July 2025, researchers reported that the Lazarus-linked Contagious Interview campaign was using three distinct malware delivery methods to deploy BeaverTail, InvisibleFerret, and OtterCookie. The techniques included eval-based execution after POST requests, fragmented URLs with Vercel-hosted infrastructure, and try/catch abuse that simulated 500 API errors to evade static detection.
Contagious Interview campaign begins targeting developers
North Korea-linked Contagious Interview activity was active by November 2023, using fake recruiter-themed social engineering and trojanized coding tasks to target software developers, especially in cryptocurrency and Web3 roles.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
6 references tracked. Mallory keeps watching after this page renders.
North Korea’s Contagious Interview APT Uses JSON Keeper and GitLab to Deliver BeaverTail Spyware
securityonline.info
Open sourceNorth Korean threat actors use JSON sites to deliver malware via trojanized code
securityaffairs.com
Open sourceNorth Korean Hackers Turn JSON Services into Covert Malware Delivery Channels
thehackernews.com
Open sourceContagious Interview campaign exploits JSON storage for malware deployment
scworld.com
Open sourceContagious Interview Actors Now Utilize JSON Storage Services for Malware Delivery - NVISO Labs
blog.nviso.eu
Open sourceLazarus Group Enhances Malware with New OtterCookie Payload Delivery Technique
cyberpress.org
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
North Korean 'Contagious Interview' Campaign Expands with Malicious npm Packages and OtterCookie Malware
North Korea-linked threat actors have significantly expanded the 'Contagious Interview' campaign, targeting software developers in the crypto and Web3 sectors by uploading 197 new malicious npm packages designed to distribute an updated version of the OtterCookie infostealer. These actors, posing as recruiters on platforms like LinkedIn, use sophisticated social engineering tactics such as fake job interviews and trojanized demo projects to lure victims on Windows, Linux, and macOS. The campaign leverages a full delivery infrastructure, including a threat actor–controlled GitHub account and Vercel-hosted staging sites, to store and deliver malware, with command and control servers used for data theft and remote tasking. The campaign's payloads include the BeaverTail and OtterCookie infostealers and the InvisibleFerret RAT, and the malicious npm packages have been downloaded over 31,000 times, highlighting the scale and persistence of the operation. Technical analysis reveals that the attackers have built a robust malware delivery system, using their GitHub account to host repositories and fetch the latest payloads from Vercel, while maintaining separate C2 infrastructure for exfiltration and tasking. At least five npm packages, including 'tailwind-magic' and its variants, have been directly linked to this campaign. The operation demonstrates the increasing sophistication of North Korean supply chain attacks, with a focus on compromising developers in high-value sectors through open-source ecosystems. Security researchers continue to monitor the evolving tactics and infrastructure associated with this campaign, warning organizations and developers to exercise heightened vigilance when interacting with unsolicited job offers and npm packages.
Apr 9, 2026
North Korean Contagious Interview Campaign Uses Malicious VS Code Projects
North Korea-linked threat actors tied to the long-running **Contagious Interview** operation have been observed using **malicious Microsoft Visual Studio Code (VS Code) projects** as part of fake job-assessment lures, instructing targets to clone repositories from GitHub/GitLab/Bitbucket and open them in VS Code. The technique abuses VS Code `tasks.json` configuration—specifically `"runOn": "folderOpen"`—to trigger execution when a folder is opened, pulling staged payloads from attacker-controlled infrastructure (including Vercel-hosted domains) and ultimately deploying backdoors such as **BeaverTail** and **InvisibleFerret** that enable remote code execution and follow-on control. Recent iterations reportedly add multi-stage droppers embedded in task configuration content and disguised as benign files (e.g., spell-check dictionaries) to improve resilience if network retrieval fails, and include command-and-control behavior that can execute attacker-supplied JavaScript from a remote server (e.g., `ip-regions-check.vercel[.]app`). Separate reporting on North Korean APT trends indicates continued reliance on **fraudulent IT employment schemes** and recruitment-platform abuse to gain access to Western organizations, including long-term social engineering and persistent remote access via legitimate tools (e.g., *AnyDesk*, *Google Remote Desktop*) and VPN/location obfuscation. This broader pattern aligns with the same overarching tradecraft used in developer-targeted “interview” lures: leveraging hiring workflows and developer tooling to establish initial access and persistence while reducing suspicion, particularly in environments with remote-work infrastructure and developer workstations.
Mar 21, 2026
DPRK-Linked Contagious Interview Campaign Stole Crypto via Fake Developer Job Tests
North Korea-linked operators tracked as **HexagonalRodent**, **Contagious Interview**, and overlaps of **Lazarus/Famous Chollima** used fake recruiter outreach on LinkedIn and sham company infrastructure to lure software and Web3 developers into opening malicious coding assessments. Researchers said the campaign delivered malware including **BeaverTail**, **InvisibleFerret**, and **OtterCookie** through backdoored GitHub repositories, rogue npm content, malicious VS Code `tasks.json` execution, and weaponized Git hooks such as `pre-commit` and `post-checkout`. The malware targeted Windows, macOS, and Linux systems, stealing browser credentials, keychains, wallet data, seed phrases, and developer secrets while maintaining persistence and remote access.
Jun 17, 2026