Ethical Hacking News
North Korean threat actors have been using legitimate JSON storage services to deliver malware through trojanized code projects, as part of the Contagious Interview campaign. This development highlights North Korea's ongoing efforts to evade sanctions through sophisticated tactics. By exploiting these services, attackers demonstrate their ability to blend in with normal traffic and target unsuspecting victims. Stay vigilant and keep up-to-date with the latest threat intelligence to protect yourself from such attacks.
North Korea-linked threat actors are exploiting legitimate JSON storage services to deliver malware through trojanized code projects. The Contagious Interview campaign uses social engineering tactics, including fake job interviews and trojanized demo projects, to deliver malware. Avoid running code from unknown repos or "recruiters" during early interviews, and review config files carefully for signs of malware. Legitimate websites like JSON Keeper, JSON Silo, and npoint.io are being used by North Korean actors to host malicious payloads. The Contagious Interview campaign is part of a larger pattern of North Korea's evasion tactics, including RondoDox and IT worker schemes.
North Korea-linked threat actors have been actively exploiting legitimate JSON storage services to deliver malware through trojanized code projects, according to a recent report by NVISO. This development is part of the Contagious Interview campaign, which has been active since November 2023 and targets software developers on Windows, Linux, and macOS.
The Contagious Interview campaign uses social engineering tactics, including fake job interviews and trojanized demo projects, to deliver malware. The attackers focus on developers working in crypto and Web3, targeting them with malicious projects from GitHub-like platforms. Inside these projects, a hidden file contains a Base64 "API key" that points to a JSON storage service hosting the obfuscated next-stage malware payload.
Researchers at NVISO have observed attackers using legitimate JSON storage services to host their malware. By analyzing the indicators, they uncovered more malicious repositories, payloads, and related IPs, including payloads hosted on Railway. The researchers recommend avoiding running code from unknown repos or from "recruiters" during early interviews. If you must, review config files carefully for signs of malware.
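The config-file review recommended above can be partly automated. The Python below is an added example, not code from NVISO or from the article's sources: it decodes long Base64 runs in project files and flags those that resolve to a URL on one of the JSON storage services named here. The hostnames jsonkeeper.com and jsonsilo.com are assumed for JSON Keeper and JSON Silo, and the sample file is constructed.

```python
import base64
import re
from pathlib import Path
from urllib.parse import urlparse

# Assumed hostnames for the services the article names; extend from your own intel.
JSON_STORAGE_HOSTS = ("jsonkeeper.com", "jsonsilo.com", "npoint.io")
B64_RUN = re.compile(r"[A-Za-z0-9+/_-]{16,}={0,2}")  # long Base64/Base64url runs

def decode_candidate(token):
    """Decode a Base64 or Base64url token; return printable ASCII text or None."""
    body = token.rstrip("=").replace("-", "+").replace("_", "/")
    try:
        raw = base64.b64decode(body + "=" * (-len(body) % 4), validate=True)
        text = raw.decode("ascii").strip()
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    return text if text.isprintable() else None

def storage_host(text):
    """Return the JSON storage hostname that text points to as a URL, else None."""
    try:
        host = urlparse(text if "://" in text else "//" + text).hostname or ""
    except ValueError:  # malformed URL, e.g. a broken IPv6 literal
        return None
    return next((h for h in JSON_STORAGE_HOSTS if host == h or host.endswith("." + h)), None)

def scan_text(name, text):
    """Return (file, line number, decoded URL) for each encoded storage-service URL."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for decoded in map(decode_candidate, B64_RUN.findall(line)):
            if decoded and storage_host(decoded):
                hits.append((name, lineno, decoded))
    return hits

def scan_tree(root, max_bytes=1_000_000):
    """Scan every file under root up to max_bytes, dotfiles included."""
    hits = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.stat().st_size <= max_bytes:
            hits += scan_text(str(path), path.read_text(errors="ignore"))
    return hits

# Constructed sample: a .env-style file whose "API key" hides a placeholder URL.
SAMPLE_ENV = "PORT=3000\nAPI_KEY=" + base64.b64encode(b"https://api.npoint.io/sample-id").decode()

if __name__ == "__main__":
    print(scan_text(".env", SAMPLE_ENV))
```

Run `scan_tree` on a freshly cloned project before installing dependencies or executing anything in it. It only covers Base64-encoded URLs on the listed hosts, so an empty result narrows the manual review rather than replacing it.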
The use of legitimate websites such as JSON Keeper, JSON Silo, and npoint.io underlines the actor's motivation and sustained attempts to operate stealthily and blend in with normal traffic. This is a clear indication that the actors behind Contagious Interview are not lagging behind and are trying to cast a very wide net to compromise any (software) developer that might seem interesting to them, resulting in exfiltration of sensitive data and crypto wallet information.
The Contagious Interview campaign is just one example of North Korea's evasion tactics. In recent months, we have seen reports of other campaigns, including RondoDox, which has expanded its botnet by exploiting an XWiki RCE bug left unpatched since February 2025. Additionally, there have been reports of five individuals admitting to helping North Korea evade sanctions through IT worker schemes.
These developments highlight the importance of staying vigilant and keeping up-to-date with the latest threat intelligence. As we continue to see the rise of sophisticated nation-state attacks, it is essential that we prioritize cybersecurity awareness and education for developers and individuals alike.
In conclusion, the Contagious Interview campaign serves as a reminder of North Korea's ongoing efforts to evade sanctions through clever tactics. By exploiting legitimate JSON storage services, these actors demonstrate their ability to blend in with normal traffic and target unsuspecting victims. It is essential that we remain aware of these threats and take steps to protect ourselves from such attacks.
Related Information:
https://www.ethicalhackingnews.com/articles/North-Koreas-Evading-Tactics-Contagious-Interview-Campaign-Exploits-Legitimate-JSON-Storage-Services-ehn.shtml
https://securityaffairs.com/184726/cyber-warfare-2/north-korean-threat-actors-use-json-sites-to-deliver-malware-via-trojanized-code.html
https://thehackernews.com/2025/11/north-korean-hackers-turn-json-services.html
Published: Mon Nov 17 05:46:41 2025 by llama3.2 3B Q4_K_M