Security researchers at NVISO have identified a significant evolution in the long-running Contagious Interview malware campaign, a threat activity cluster attributed to North Korean (DPRK) operators. According to NVISO, the threat actors have “recently resorted to utilizing JSON storage services like JSON Keeper, JSONsilo, and npoint.io to host and deliver malware from trojanized code projects.”
NVISO describes Contagious Interview as “a campaign aligned with Democratic People’s Republic of Korea (DPRK) actors that has been active since at least 2023, primarily aimed at financial gain to generate revenue for the regime.”
The campaign specifically targets:
- Software engineers
- Blockchain and cryptocurrency developers
- Web3 professionals
- Windows, Linux, and macOS users
The threat actors impersonate recruiters, often using detailed fake personas, to lure victims into running malicious code under the guise of job interview assignments.
NVISO highlights one recent case where a supposed “medical director” contacted a developer about building a “next-generation Realtor Platform.” The report notes that the outreach came from a persona whose behavior should immediately raise suspicion:
“A medical doctor would not send a message typically sent by recruiters, but even if this were the case, surely it would not be for a new Realtor Platform.”

After a short exchange, the victim is instructed to download a project from GitLab, typically involving Node.js tasks, with titles such as:
- Real Estate Rental Platform
- GoldenCity
- A Web3-based “Monopoly” clone
- A decentralized finance ecosystem
But inside the project lies a hidden payload.
The report describes how the malicious code is embedded:
“The file server/config/.config.env contains a base64-encoded variable that is masqueraded as an API key, which is actually a JSON storage service URL hosting obfuscated code.”
Once decoded, the variable reveals a direct JSON Keeper link containing heavily obfuscated JavaScript. This code is dynamically imported into the project and ultimately delivers the BeaverTail infostealer.
After multiple rounds of deobfuscation, NVISO concludes, “The final payload is a variant of BeaverTail.”
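As an added illustration (not code from NVISO's report), the following Python triage helper scans env-style file text for values that look like keys but base64-decode to URLs, which is the disguise described above. The hostnames in `JSON_STORAGE_HOSTS` and the sample file contents are assumptions constructed for this example.

```python
import base64
import re
from urllib.parse import urlparse

# Hostnames assumed for the services named in the report; extend from your own intel.
JSON_STORAGE_HOSTS = ("jsonkeeper.com", "jsonsilo.com", "npoint.io")
# KEY=VALUE lines, optionally prefixed with "export" and optionally quoted.
ENV_LINE = re.compile(r"^\s*(?:export\s+)?([A-Za-z_]\w*)\s*=\s*['\"]?([^'\"#\s]+)")
BASE64_VALUE = re.compile(r"^[A-Za-z0-9+/_-]{16,}={0,2}$")


def decode_base64_url(value):
    """Return the decoded text if value is base64 hiding an http(s) URL, else None."""
    if not BASE64_VALUE.match(value):
        return None
    # Accept the URL-safe alphabet and missing padding before strict decoding.
    normalized = value.rstrip("=").replace("-", "+").replace("_", "/")
    normalized += "=" * (-len(normalized) % 4)
    try:
        text = base64.b64decode(normalized, validate=True).decode("utf-8")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    return text if text.lower().startswith(("http://", "https://")) else None


def scan_env_text(text):
    """Return (line_no, key, url, is_json_storage) for each value hiding a URL."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        match = ENV_LINE.match(line)
        url = decode_base64_url(match.group(2)) if match else None
        if url is None:
            continue
        host = (urlparse(url).hostname or "").lower()
        is_storage = any(host == h or host.endswith("." + h) for h in JSON_STORAGE_HOSTS)
        findings.append((line_no, match.group(1), url, is_storage))
    return findings


# Constructed sample, not from the report: an "API key" that is really an encoded URL.
SAMPLE_ENV = "\n".join([
    "PORT=3000",
    "JWT_SECRET=" + base64.b64encode(b"secret-value-for-local-dev").decode(),
    "API_KEY=" + base64.b64encode(b"https://www.jsonkeeper.com/b/PLACEHOLDER").decode(),
])

if __name__ == "__main__":
    print(scan_env_text(SAMPLE_ENV))
```

Running it over every dotfile and env file in a take-home project before `npm install` or `node` is invoked gives a quick signal; any encoded URL in a "key" field merits review even when the host is not on the list.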
BeaverTail’s capabilities include:
- Harvesting credentials, crypto wallets (MetaMask, Phantom, TronLink)
- Exfiltrating system information
- Stealing documents, PDFs, screenshots, and macOS Keychain data
- Scanning browser profiles and extensions for sensitive data
Once active, BeaverTail fetches the next stage malware: InvisibleFerret, a modular Python RAT. NVISO notes, “BeaverTail fetches and executes the next stage which is InvisibleFerret.”
This RAT includes components named Tsunami Payload, Tsunami Injector, and Tsunami Infector, which:
- Add Windows Defender exclusions
- Install Python packages
- Achieve persistence
- Download further stages from Pastebin
- Even install Python silently if missing from the system
NVISO emphasizes that InvisibleFerret includes a covert mechanism to retrieve encrypted Pastebin content, decode it through a multi-layer XOR/Base64/Hex process, and fetch yet another stage from a remote server.
NVISO states, “The attack chain… uses JSON storage services for payload hosting” and expands into “additional repositories, payloads hosted on JSON storage services and IP addresses,” including misuse of Railway and TOR-hosted command-and-control endpoints.
One observed Pastebin profile tied to the campaign had been viewed over 400 times, indicating meaningful victim engagement.
NVISO concludes that, “The actors behind Contagious Interview are not lagging behind and are trying to cast a very wide net to compromise any (software) developer that might seem interesting to them.”
The report warns that the abuse of legitimate services (JSON Keeper, JSONsilo, npoint.io, GitLab, GitHub, Railway) demonstrates the actor’s focus on stealth and blending into everyday developer workflows.