Gossip Herald

North Korean hackers exploit JSON services for stealthy malware delivery

North Korean hackers are evolving their cyber-espionage tactics once again

By GH Web Desk

North Korean hackers have introduced a new layer of stealth to their long-running Contagious Interview campaign by weaponising JSON-based storage services for malware distribution.

According to a new analysis by NVISO researchers, the threat group is increasingly relying on platforms such as JSON Keeper, JSONsilo, and npoint.io to conceal harmful payloads inside seemingly legitimate code projects.

This shift highlights how North Korean hackers continue refining their social engineering and delivery methods to evade detection.

The operation begins with fraudulent outreach on professional networking sites, where victims are persuaded to download “demo projects” hosted on trusted repositories like GitHub or GitLab.

Hidden inside these projects, investigators found configuration files containing Base64 strings disguised as API keys, strings that actually link to JSON-based payloads.

Once retrieved, the payloads deploy BeaverTail, a JavaScript malware designed to harvest sensitive data and install an additional Python backdoor known as InvisibleFerret.

Researchers noted minor updates to the toolkit, including the retrieval of a new payload called TsunamiKit, previously flagged in 2025.

These components enable system fingerprinting, data exfiltration, and further downloads from offline onion domains.
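For defenders reviewing a "demo project" before running it, the following added example (not code from NVISO or from the campaign) scans configuration text for Base64 values that decode to URLs on the JSON storage services named above. The hostnames for JSON Keeper and JSONsilo, the function names and the sample file are assumptions made for illustration.

```python
import base64
import binascii
import re
from urllib.parse import urlparse

# Hostnames assumed for JSON Keeper and JSONsilo; only npoint.io is spelled out in the article.
WATCHED_HOSTS = ("jsonkeeper.com", "jsonsilo.com", "npoint.io")

# Runs of 16+ Base64 characters (standard or URL-safe alphabet), optional padding.
B64_RUN = re.compile(r"[A-Za-z0-9+/_-]{16,}={0,2}")

def decode_url(token):
    """Return the URL hidden in a Base64 token, or None if it does not decode to one."""
    body = token.rstrip("=").replace("-", "+").replace("_", "/")
    body += "=" * (-len(body) % 4)  # restore padding that may have been stripped
    try:
        text = base64.b64decode(body, validate=True).decode("ascii")
    except (binascii.Error, ValueError):
        return None  # not Base64, or decodes to binary rather than text
    return text.strip() if text.lower().startswith(("http://", "https://")) else None

def is_watched(url):
    """True when the URL's host is one of the watched services or a subdomain of one."""
    try:
        host = (urlparse(url).hostname or "").lower()
    except ValueError:  # malformed authority, e.g. unbalanced IPv6 brackets
        return False
    return any(host == h or host.endswith("." + h) for h in WATCHED_HOSTS)

def scan_text(text):
    """Return (line_number, decoded_url) for each token that decodes to a watched host."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        for match in B64_RUN.finditer(line):
            url = decode_url(match.group())
            if url and is_watched(url):
                findings.append((number, url))
    return findings

def build_sample():
    """Constructed .env-style file: one disguised URL, one ordinary secret."""
    hidden = base64.b64encode(b"https://api.npoint.io/constructed-example-id").decode()
    benign = base64.b64encode(b"constructed-session-secret").decode()
    return f"PORT=3000\nPAYMENT_API_KEY={hidden}\nSESSION_SECRET={benign}\n"

if __name__ == "__main__":
    for number, url in scan_text(build_sample()):
        print(f"line {number}: Base64 value decodes to {url}")
```

A hit is a reason to inspect the project by hand, since a legitimate application may also reference these services.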