Ethical Hacking News

The Rise of Stealthy Malware Delivery Channels: North Korean Hackers Utilize Legitimate Services to Compromise Targets


North Korean hackers have turned legitimate JSON storage services into covert channels for delivering malicious payloads. The Contagious Interview campaign showcases their ability to adapt and compromise targets through stealthy means.

  • The Contagious Interview campaign uses legitimate online services like JSON storage platforms and code repositories to host and deliver malicious payloads.
  • Threat actors approach targets on professional networking sites like LinkedIn, offering them "job assessments" or project collaborations.
  • Malicious demo projects are shared via GitHub, GitLab, or Bitbucket, containing payloads such as JavaScript malware and Python backdoors.
  • The use of legitimate services allows North Korean threat actors to deliver malware with relative ease, using tools like TsunamiKit for system fingerprinting and data collection.
  • The campaign aims to blend in with normal traffic and avoid detection by utilizing stealthy malware delivery channels.



In a recent development that highlights the evolving tactics of North Korean threat actors, researchers at NVISO have documented a novel method of delivering malware to prospective targets. The Contagious Interview campaign, as it has come to be known, leverages legitimate online services such as JSON storage platforms and code repositories to host and deliver malicious payloads.

According to the NVISO report, the threat actors approach potential victims on professional networking sites like LinkedIn, either under the guise of conducting a job assessment or collaborating on a project. As part of this campaign, targets are instructed to download demo projects hosted on platforms such as GitHub, GitLab, or Bitbucket. These demo projects often contain malicious payloads, including the JavaScript malware known as BeaverTail and Python backdoors.

The use of legitimate services by North Korean threat actors is a stark reminder of the sophistication and adaptability of modern cyber threats. By using JSON storage services like JSON Keeper, JSONsilo, and npoint.io, these actors can deliver malware from trojanized code projects with relative ease. Base64-encoded values that masquerade as API keys have also been observed in these projects, giving them a veneer of legitimacy.

One notable aspect of the Contagious Interview campaign is the use of TsunamiKit, a toolkit capable of system fingerprinting, data collection, and fetching additional payloads from a hard-coded .onion address that is currently offline. This tool was previously highlighted by ESET as part of similar attacks in September 2025, which also dropped Tropidoor and AkdoorTea.

The researchers at NVISO conclude that the actors behind Contagious Interview are employing a broad and multifaceted strategy to compromise software developers and exfiltrate sensitive data. By relying on legitimate websites and code repositories, these actors aim to blend in with normal traffic and avoid detection.

The use of stealthy malware delivery channels by North Korean threat actors serves as a warning to organizations and individuals alike. As cyber threats continue to evolve, it is essential that defenders remain vigilant and adaptable.
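A defender-side check for the Base64 "API key" trick described above, added here as an example and not code from NVISO, ESET, or either cited report: it decodes Base64-looking strings in a downloaded demo project and flags any that resolve to a URL on the JSON storage services the article names. The domain forms (jsonkeeper.com, jsonsilo.com, npoint.io), the file suffix list, and the sample config are assumptions constructed for the example.

```python
import base64
import re
from pathlib import Path
from urllib.parse import urlparse

# JSON storage services the article names as abused; the domain forms are assumptions.
WATCHLIST = ("jsonkeeper.com", "jsonsilo.com", "npoint.io")
# A Base64 token long enough to hold a URL (standard alphabet, optional padding).
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")

def decode_if_url(token):
    """Return the decoded text if `token` is valid Base64 for an http(s) URL, else None."""
    try:
        text = base64.b64decode(token, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):  # bad alphabet/padding, or a binary payload
        return None
    return text if text.startswith(("http://", "https://")) else None

def host_on_watchlist(url):
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in WATCHLIST)

def scan_text(source):
    """Return (token, decoded_url) pairs for 'keys' that really hold a watchlisted URL."""
    hits = []
    for m in B64_TOKEN.finditer(source):
        url = decode_if_url(m.group(0))
        if url and host_on_watchlist(url):
            hits.append((m.group(0), url))
    return hits

def scan_tree(root, suffixes=(".js", ".ts", ".json", ".py")):
    """Scan a checked-out demo project; returns {path: hits} for files with findings."""
    findings = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix in suffixes:
            hits = scan_text(path.read_text(errors="ignore"))
            if hits:
                findings[str(path)] = hits
    return findings

# Constructed sample config (not from the campaign): one loader URL hidden among real-looking keys.
HIDDEN_URL = "https://api.npoint.io/0123456789abcdef"
SAMPLE_CONFIG = (
    'module.exports = {\n'
    f'  apiKey: "{base64.b64encode(HIDDEN_URL.encode()).decode()}",\n'
    f'  cdnKey: "{base64.b64encode(b"https://cdn.example.com/v1").decode()}",\n'
    '  analyticsId: "0123456789abcdef0123456789abcdef",\n'
    '};\n'
)
```

Run `scan_tree("path/to/demo-project")` on a checked-out repository before installing or executing it; only the `apiKey` entry in the sample config is reported, since the other two values are a non-watchlisted URL and a plain hex identifier.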



Related Information:

  • https://www.ethicalhackingnews.com/articles/The-Rise-of-Stealthy-Malware-Delivery-Channels-North-Korean-Hackers-Utilize-Legitimate-Services-to-Compromise-Targets-ehn.shtml

  • https://thehackernews.com/2025/11/north-korean-hackers-turn-json-services.html


  • Published: Fri Nov 14 13:07:47 2025 by llama3.2 3B Q4_K_M
© Ethical Hacking News. All rights reserved.