North Korean Hackers Weaponize JSON Services for Malware Distribution

  • Nov 15, 2025

Key Findings


  • North Korean threat actors behind the Contagious Interview campaign have adopted a new tactic of using JSON storage services to host and deliver malware.

  • The campaign involves approaching targets on professional networking sites under the pretext of a job assessment or project collaboration, instructing them to download a demo project hosted on platforms like GitHub, GitLab, or Bitbucket.

  • In one such project, a file named "server/config/.config.env" contains a Base64-encoded value that appears to be an API key but is actually a URL to a JSON storage service where the next-stage payload is stored in obfuscated format.

  • The payload is a JavaScript malware known as BeaverTail, which is capable of harvesting sensitive data and dropping a Python backdoor called InvisibleFerret.

  • The InvisibleFerret backdoor can fetch an additional payload dubbed TsunamiKit from Pastebin, which is capable of system fingerprinting, data collection, and fetching more payloads from a hard-coded .onion address.


Background


The North Korean threat actors behind the Contagious Interview campaign have recently begun using JSON storage services such as JSON Keeper, JSONsilo, and npoint.io to host and deliver malware from trojanized code projects, using a job assessment or project collaboration as the lure.


Modus Operandi


The campaign involves approaching prospective targets on professional networking sites like LinkedIn, either under the pretext of conducting a job assessment or collaborating on a project, as part of which they are instructed to download a demo project hosted on platforms like GitHub, GitLab, or Bitbucket.


Weaponized Projects


In one such project spotted by NVISO researchers, a file named "server/config/.config.env" contains a Base64-encoded value that masquerades as an API key but is in fact a URL to a JSON storage service such as JSON Keeper, where the next-stage payload is stored in obfuscated form.
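The disguised value described above is cheap to check for before a demo project is ever run. The following scanner is an added example, not code from NVISO or the report: it parses `.env`-style files, Base64-decodes values that have the shape of an API key, and flags any that decode to a URL, rating the hit higher when the host resembles one of the JSON storage services named here (the hostname substrings and the sample file are assumptions constructed for the example).

```python
import base64
import binascii
import re
from urllib.parse import urlparse

# Substrings derived from the service names in the report; real hostnames are an
# assumption here, so extend this list from your own threat intelligence.
JSON_STORAGE_HINTS = ("jsonkeeper", "jsonsilo", "npoint")

ENV_LINE = re.compile(r'^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$')
B64_SHAPE = re.compile(r'^[A-Za-z0-9+/]{16,}={0,2}$')  # long enough to pass as a key


def decode_if_base64(value: str):
    """Return decoded text when value is strict Base64 of printable UTF-8, else None."""
    value = value.strip().strip('"\'')
    if not B64_SHAPE.match(value):
        return None
    try:
        text = base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def scan_env(text: str):
    """Return (key, decoded_url, severity) for every value that hides a URL."""
    findings = []
    for line in text.splitlines():
        m = ENV_LINE.match(line)
        if not m:  # blank lines and '#' comments do not match
            continue
        key, value = m.groups()
        decoded = decode_if_base64(value)
        if decoded is None:
            continue
        parsed = urlparse(decoded)
        if parsed.scheme in ("http", "https") and parsed.netloc:
            host = parsed.netloc.lower()
            severity = "high" if any(h in host for h in JSON_STORAGE_HINTS) else "medium"
            findings.append((key, decoded, severity))
    return findings


# Constructed sample resembling server/config/.config.env: one genuine-looking
# secret, one Base64 blob that is just text, and one that hides a storage URL.
HIDDEN_URL = "https://www.jsonkeeper.example/b/PLACEHOLDER"
SAMPLE_ENV = "\n".join([
    "# app settings",
    "DB_PASSWORD=hunter2",
    "TOKEN=Zm9vYmFyYmF6cXV4MTIzNDU2",
    "API_KEY=" + base64.b64encode(HIDDEN_URL.encode()).decode(),
])

if __name__ == "__main__":
    for key, url, sev in scan_env(SAMPLE_ENV):
        print(f"[{sev}] {key} decodes to {url}")
```

Run it against every `.env`, `.config.env` and similar file in a freshly cloned assessment project; a "high" finding is a strong signal that the repository is a trojanized lure rather than a coding test.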


Malware Payloads


The payload is a JavaScript malware known as BeaverTail, which is capable of harvesting sensitive data and dropping a Python backdoor called InvisibleFerret. The InvisibleFerret backdoor can fetch an additional payload dubbed TsunamiKit from Pastebin, which is capable of system fingerprinting, data collection, and fetching more payloads from a hard-coded .onion address.


Attacker Objectives


The researchers concluded that the actors behind Contagious Interview are trying to compromise any (software) developer that might seem interesting to them, resulting in the exfiltration of sensitive data and crypto wallet information. The use of legitimate websites and code repositories underlines the actor's motivation and sustained attempts to operate stealthily and blend in with normal traffic.


Sources


  • https://thehackernews.com/2025/11/north-korean-hackers-turn-json-services.html

  • https://www.facebook.com/thehackernews/posts/-north-korean-hackers-have-a-new-tricktheyre-hiding-malware-inside-fake-api-keys/1222178546613393/

© 2025 by Explain IT Again.