SEOUL / LONDON (IT BOLTWISE) – North Korean hackers have refined their tactics and are now using JSON storage services to spread malware. This new method shows how cleverly they are misusing legitimate platforms for their own purposes.


North Korean hackers behind the so-called Contagious Interview campaign have again adapted their methods by using JSON storage services as platforms to spread malware. These services, including JSON Keeper, JSONsilo, and npoint.io, are used to host and deliver malicious payloads from Trojanized code projects. This strategy shows how cleverly attackers are misusing legitimate platforms for their own purposes.

The campaign approaches potential victims through professional networks such as LinkedIn, often under the guise of a job assessment or project collaboration. Victims are then instructed to download a demo project from platforms such as GitHub, GitLab or Bitbucket. In one project discovered by NVISO, a file named “server/config/.config.env” contained a Base64-encoded value disguised as an API key; in reality it decodes to a URL on a JSON storage service where the next stage of the malware is stored in obfuscated form.
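A defender-side check for the pattern described above, added here as an example and not taken from NVISO's report or the original article: it scans `.env`-style text for values that Base64-decode to an HTTP(S) URL and marks those pointing at JSON storage hosts. The host list and the sample file contents are assumptions constructed for illustration.

```python
import base64
import binascii
import re
from urllib.parse import urlparse

# Assumed hostnames for the services the article names; extend for your environment.
JSON_STORAGE_HOSTS = ("jsonkeeper.com", "jsonsilo.com", "npoint.io")
# KEY=VALUE lines whose value is a long Base64-looking token (optionally quoted).
ASSIGNMENT = re.compile(r"""^\s*([A-Za-z_][\w.]*)\s*=\s*["']?([A-Za-z0-9+/_-]{16,}={0,2})["']?\s*$""")

def decode_candidate(value):
    """Return the decoded text if value is valid Base64 of printable ASCII, else None."""
    padded = value + "=" * (-len(value) % 4)
    try:
        text = base64.b64decode(padded, altchars=b"-_", validate=True).decode("ascii")
    except (binascii.Error, ValueError):
        return None
    return text if text.isprintable() else None

def scan_env_text(text, path="<memory>"):
    """Return one finding per config value that decodes to an http(s) URL."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        match = ASSIGNMENT.match(line)
        if not match:
            continue
        decoded = decode_candidate(match.group(2))
        if not decoded or not decoded.lower().startswith(("http://", "https://")):
            continue
        host = (urlparse(decoded).hostname or "").lower()
        known = any(host == h or host.endswith("." + h) for h in JSON_STORAGE_HOSTS)
        findings.append({"path": path, "line": lineno, "key": match.group(1),
                         "url": decoded, "json_storage": known})
    return findings

# Constructed sample input: the URL is a placeholder, not an indicator from the campaign.
SAMPLE_URL = "https://api.npoint.io/0000000000000000example"
SAMPLE_ENV = "\n".join([
    "PORT=3000",
    "DB_NAME=demo_project_database",
    "API_KEY=" + base64.b64encode(SAMPLE_URL.encode()).decode(),
    "JWT_SECRET=c2VjcmV0LXZhbHVlLW5vdC1hLXVybA==",
])

if __name__ == "__main__":
    for finding in scan_env_text(SAMPLE_ENV, "server/config/.config.env"):
        print(finding)
```

Run it over every dotfile and config file in a project received from an unknown contact before installing dependencies or starting the project; any secret-looking value that decodes to a URL deserves manual review even when the host is not on the list.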

The payload is a JavaScript malware called BeaverTail, which is capable of collecting sensitive data and installing a Python backdoor called InvisibleFerret. Although the functionality of the backdoor has remained largely unchanged since it was documented by Palo Alto Networks in late 2023, there is one notable change: fetching an additional payload called TsunamiKit from Pastebin. This component was already highlighted by ESET in September 2025 as part of the Contagious Interview campaign.

The use of TsunamiKit, along with other tools such as Tropidoor and AkdoorTea, shows the versatility and adaptability of the attackers. These tools can fingerprint systems, collect data and retrieve additional payloads from a .onion address that is currently offline. The attackers appear determined to cast a wide net to compromise developers who may be of interest to them, resulting in the exfiltration of sensitive data and crypto wallet information.

The use of legitimate websites such as JSON Keeper and code repositories such as GitLab and GitHub underscores the attackers’ motivation to operate stealthily and blend in with normal traffic. This tactic poses a significant threat to the security of software developers who may be unaware of the potential risks of such platforms.






North Korean hackers use JSON services as malware channels (Photo: DALL-E, IT BOLTWISE)

Please send any additions and information to the editorial team by email to de-info[at]it-boltwise.de. Since we cannot rule out AI hallucinations, which rarely occur with AI-generated news and content, we ask you to contact us via email and inform us in the event of false statements or misinformation. Please don’t forget to include the article headline in the email: “North Korean hackers use JSON services as malware channels”.
