North Korean cyber espionage continues to evolve, with the latest tactics in the ‘Contagious Interview’ campaign showcasing a pivot to more covert malware distribution channels. According to cybersecurity researchers at NVISO, the campaign now leverages legitimate JSON-based storage services to stage and serve malicious payloads embedded within trojanized development tools—demonstrating both creativity and persistence by the threat actors.
JSON Platforms Used as Malware Delivery Infrastructure
Shift to Web-Based Object Storage Services
Researchers investigating recent incidents attributed to the ‘Contagious Interview’ campaign have observed attackers using seemingly harmless web platforms such as JSON Keeper, JSONsilo, and npoint.io to host malware payloads. These services are typically used by software developers to store and access structured data in the JavaScript Object Notation (JSON) format.
“The approach allows the attackers to hide in plain sight. General-purpose JSON platforms don’t typically draw attention from security filters,” noted NVISO researchers Bart Parys and Stefaan Bureau.
This adaptation lets threat actors bypass traditional filtering mechanisms that rely on domain reputation: a general-purpose, reputable hosting service passes such checks, and the filters do not necessarily inspect the structure of the payload retrieved from it or recognise the service as malware hosting.
New Variants of Trojanized Developer Tools Used as Lures
Targeting Developers Through Familiar Tooling
The campaign continues its focus on social engineering developers and IT professionals, packaging malware inside software repositories posing as legitimate development tools. NVISO reports that recent observed samples mimic code or utilities used within development environments, enticing users to unknowingly download compromised software.
Attackers effectively combine:
- Trusted open-source tools modified with embedded malicious logic
- Social engineering techniques like fake job offers or interview requests
- Payload retrievals mediated through benign-seeming JSON snippets
Once the user executes the trojanized script, it contacts one of the JSON storage endpoints to retrieve the secondary malware stage.
Advantages of a JSON-Based Delivery Mechanism
Detection Evasion and Payload Modularity
The switch to using JSON as a malware distribution vector brings several tactical benefits for threat actors:
- Stealth – JSON payloads blend into legitimate development environments; they appear as harmless configuration or data files
- Modularity – Attackers can update payloads without modifying the initial dropper code; only the content on the JSON hosting site needs replacement
- Low barrier to access – JSON-hosting services rarely implement access restrictions or active file scanning, making them conducive to staging malicious scripts
Such techniques are aligned with advanced persistent threat (APT) behaviors and underline the group’s evolution from traditional phishing and custom command-and-control (C2) servers.
Attribution and Broader Strategic Goals
Link to North Korean State-Sponsored Activities
The ‘Contagious Interview’ campaign has long been associated with North Korean state-backed cyber actors, most notably the groups tracked as Lazarus or Hidden Cobra. These campaigns often pursue multiple objectives:
- Stealing intellectual property
- Gaining footholds in foreign development environments
- Collecting intelligence or credentials for deeper lateral movement
Unlike financially motivated ransomware groups, these operations are marked by methodical reconnaissance and a willingness to repurpose public infrastructure for covert delivery, including GitHub repositories, cloud functions, and now JSON storage platforms.
Defensive Considerations and Mitigation Steps
Threat Detection Must Account for Obscure Data Channels
Because JSON-based delivery vehicles look like ordinary developer traffic to a reputable service, traditional security layers may fail to detect such payload retrievals. Security teams should consider:
- Implementing behavioral analytics to identify unusual script executions or data parsing behavior
- Blocking known JSON storage services where they are not required in the enterprise, or otherwise forwarding logs of access to them for review
- Encouraging development teams to verify the origin and integrity of external tools before execution
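One way to act on the first two recommendations is to correlate outbound requests to JSON-hosting services with the process that made them: a browser reaching such a service is ordinary developer activity, but a script interpreter fetching from it right after a freshly cloned tool was run matches the retrieval pattern described above. The following detection script is an added example, not code from NVISO or from the article; the proxy log lines are constructed, the hostnames other than npoint.io are assumed (JSON Keeper and JSONsilo are named on the page but their hostnames are not), and the path segments are placeholders.

```python
"""Added example: flag fetches from JSON-hosting services by script interpreters.

Reads proxy/EDR log lines (one JSON object per line, constructed for this
example), matches the destination host against a watchlist of JSON-hosting
services, and rates each hit by the originating process.
"""
import json
from dataclasses import dataclass
from urllib.parse import urlparse

# npoint.io is named in the article; the other two hostnames are assumptions
# for the JSON Keeper and JSONsilo services and should be verified locally.
JSON_STORAGE_HOSTS = {"npoint.io", "jsonkeeper.com", "jsonsilo.com"}

# Processes a developer would use to run a trojanized tool or its installer.
SCRIPT_RUNNERS = {"node", "node.exe", "python", "python3", "python.exe",
                  "npm", "npx", "deno", "bun"}


@dataclass
class Finding:
    severity: str   # "high" for script runners, "info" for everything else
    ts: str
    user: str
    process: str
    url: str


def host_in_watchlist(host: str) -> bool:
    """True if host is a watchlisted service or one of its subdomains."""
    host = host.lower().rstrip(".")
    return any(host == w or host.endswith("." + w) for w in JSON_STORAGE_HOSTS)


def analyze_proxy_log(lines):
    """Return one Finding per request to a watchlisted JSON-hosting service."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed record: skip rather than abort the whole run
        url = rec.get("url", "")
        host = urlparse(url).hostname or ""
        if not host_in_watchlist(host):
            continue
        proc = str(rec.get("process", "")).lower()
        severity = "high" if proc in SCRIPT_RUNNERS else "info"
        findings.append(Finding(severity, rec.get("ts", ""), rec.get("user", ""),
                                proc, url))
    return findings


# Constructed sample log: an interactive browser visit (expected, low priority),
# two script-interpreter fetches (the pattern worth alerting on), one ordinary
# npm registry download, and one malformed line.
SAMPLE_LOG = """
{"ts":"2025-11-13T09:14:02Z","user":"dev1","process":"chrome.exe","url":"https://api.npoint.io/PLACEHOLDER1","status":200,"bytes":512}
{"ts":"2025-11-13T09:15:40Z","user":"dev1","process":"node.exe","url":"https://api.npoint.io/PLACEHOLDER1","status":200,"bytes":18211}
{"ts":"2025-11-13T09:16:01Z","user":"dev2","process":"node.exe","url":"https://registry.npmjs.org/lodash","status":200,"bytes":99001}
this line is not JSON and must be skipped
{"ts":"2025-11-13T09:17:22Z","user":"dev3","process":"python3","url":"https://jsonsilo.com/PLACEHOLDER2","status":200,"bytes":7400}
"""

if __name__ == "__main__":
    for f in analyze_proxy_log(SAMPLE_LOG.splitlines()):
        print(f"[{f.severity:4}] {f.ts} {f.user} {f.process} -> {f.url}")
```

The watchlist match is by hostname suffix rather than full URL, since the article's point is that the service, not a specific path, is the reusable staging location; the process-based severity keeps a developer's legitimate browsing of these services from drowning out the interpreter-initiated fetches that correspond to the second-stage retrieval.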
Additionally, threat intelligence sharing plays a vital role in flagging known indicators of compromise (IoCs), since attackers deliberately choose smaller and lesser-known hosting services to delay detection.
Evasion Remains a Core Strategy
The continued development of the ‘Contagious Interview’ campaign illustrates the ingenuity of North Korean cyber actors in their pursuit of long-term espionage goals. The use of JSON-based malware delivery further complicates detection and reveals the blurred lines between legitimate developer ecosystems and malicious activity. Organizations should elevate scrutiny around developer tools and data formats previously considered benign, as threat actors find increasingly unconventional paths to infiltrate systems.