{
	"id": "e2d9dfc8-2b28-4576-9cc3-ad2fcb543bfd",
	"created_at": "2026-04-06T00:12:31.061301Z",
	"updated_at": "2026-04-10T03:28:28.769087Z",
	"deleted_at": null,
	"sha1_hash": "e391341491c3a93a178e76eea3fb5b7653a5c9c1",
	"title": "Contagious Interview Actors Now Utilize JSON Storage Services for Malware Delivery",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 5337115,
	"plain_text": "Contagious Interview Actors Now Utilize JSON Storage Services for\r\nMalware Delivery\r\nBy Bart Parys\r\nPublished: 2025-11-13 · Archived: 2026-04-05 20:19:10 UTC\r\nNVISO reports a new development in the Contagious Interview campaign. The threat actors have recently resorted to\r\nutilizing legitimate JSON storage services like JSON Keeper, JSONsilo, and npoint.io to host and deliver malware from\r\ntrojanized code projects, with the lure being a use case or demo project as part of an interview process.\r\nBackground\r\nContagious Interview is a campaign aligned with Democratic People’s Republic of Korea (DPRK) actors that has been\r\nactive since at least 2023, primarily aimed at financial gain to generate revenue for the regime. The campaign targets\r\nsoftware developers across all major operating systems, including Windows, Linux, and macOS, with a particular focus on\r\nthose involved in cryptocurrency and Web3 projects. Initial access is gained through social engineering tactics, such as\r\nClickFix and fake recruiter profiles, delivering trojanized code during staged job interviews. The most common payloads\r\ndeployed by this campaign are the BeaverTail and OtterCookie infostealers, along with the InvisibleFerret modular Remote\r\nAccess Tool (RAT).\r\nAn overview of the campaign discussed in this blog post can be seen in Figure 1:\r\nhttps://blog.nviso.eu/2025/11/13/contagious-interview-actors-now-utilize-json-storage-services-for-malware-delivery/\r\nPage 1 of 15\n\nFigure 1 – Overview of the Contagious Interview malware campaign, illustrating the stages from initial\r\ncontact to malware delivery.\r\nSocial Engineering\r\nThe campaign typically starts with a fake recruiter reaching out to a potential victim on job searching platforms like\r\nLinkedIn. 
In this identified case, someone presenting themselves as a medical director reaches out, as seen in Figure 2:\r\nFigure 2 – “Dr. med Hubert Buschmann” reaching out to potential hires for a next-generation Realtor Platform\r\ndevelopment.\r\nFrom this first message, alarm bells should go off: a medical doctor would not send a message typically sent by recruiters,\r\nbut even if this were the case, surely it would not be for a new Realtor Platform.\r\nAfter a few messages back and forth, the good doctor sends over a demo project hosted on GitLab as shown in the next\r\nfigures.\r\nFigure 3 – Time for the demo project?\r\nFigure 4 – Link to the ‘demo’ hosted on GitLab.\r\nThe target is then expected to run the interview code tasks using Node.js. 
A few examples of such demo projects are shown\r\nin Figures 5 through 8.\r\nFigure 5 – “Real Estate Rental Platform project”.\r\nFigure 6 – Another real estate project, this time named ‘GoldenCity’.\r\nFigure 7 – A Web3 project that’s a twist on the well-known board game, Monopoly.\r\nFigure 8 – A decentralized finance ecosystem.\r\nThe file server/config/.config.env contains a base64-encoded variable masquerading as an API key; it actually decodes to\r\na JSON storage service URL hosting obfuscated code:\r\nFigure 9 – Base64 encoded variable masquerading as an API key in the config file.\r\nFigure 10 – The variable decodes to a JSON Keeper URL.\r\nFigure 11 – Obfuscated JavaScript code hosted on JSON Keeper.\r\nThis code is fetched from JSON Keeper and imported in server/controllers/userController.js:\r\nFigure 12 – Loading the encoded data from config.env via userController.js.\r\nThe JavaScript code hosted on JSON Keeper is heavily obfuscated with techniques such as packing, array and string\r\nobfuscation, and other common techniques such as concatenation.\r\nAfter several layers of deobfuscation, the final payload is a variant of BeaverTail with the same capabilities described in\r\nVeracode’s article:\r\nUsage of Axios as ‘embedded’ HTTP client.\r\nEnumeration and exfiltration of system information.\r\nSearching browser profiles and extension directories for sensitive data (wallets, logs and extensions such 
as\r\nMetaMask, Phantom and TronLink) and trying to exfiltrate them.\r\nSearching for and exfiltrating Word documents, PDF files, screenshots, secret files, files containing environment\r\nvariables, and other sensitive files such as the logged-in user’s Keychain (macOS password database).\r\nBeaverTail fetches and executes the next stage, which is InvisibleFerret:\r\nhxxp[:]//146[.]70[.]253[.]107:1224/pdown (ZIP file with Python)\r\nhxxp[:]//146[.]70[.]253[.]107:1224/client/99/81 (Malicious Python script – InvisibleFerret)\r\nInterestingly, the campaign used here specifically mentions it has been “Updated on 5th of August”. The additional\r\ncomponents are outlined in Figure 1 from the introduction and also described further below.\r\nInvisibleFerret\r\nInvisibleFerret, a modular malware framework written in Python, has been described in several publications, such as the\r\none from Palo Alto. The sample discussed in this blog does not differ significantly from those reports, with the\r\nexception of gathering an additional payload from Pastebin.\r\nA high-level view of this additional Pastebin functionality is shown in Figure 13 below:\r\nFigure 13 – InvisibleFerret’s Pastebin functionality\r\nDo note that this functionality is part of the capability in ‘pow’ as seen in stage 4 of this campaign (refer to Figure 1 for the\r\ncampaign overview). It has 3 main components:\r\n1. Tsunami Payload: Adds exceptions to Windows Defender, creates scheduled tasks, and downloads the next stage\r\nfrom Pastebin.\r\n2. Tsunami Injector: Ensures persistence and installs required Python packages, such as cryptography, and\r\nobfuscates the injector script.\r\n3. Tsunami Infector: Validates if Python is installed on the system. If not, it downloads and installs Python silently,\r\nusing a User Account Control (UAC) prompt to gain administrative privileges. 
This ensures both the payload and\r\ninjector component can be executed.\r\nSince the threat actors have given those names to these components, they are slightly confusing. The component responsible\r\nfor retrieving the next stage from Pastebin sits within ‘Tsunami Payload’. The ‘pow’ script further embeds a hardcoded\r\npublic SSL key that will verify the integrity of the ‘message’ (explained further below). Exactly 1,000 encoded URLs are\r\nembedded in the script, which get converted from hex, decoded with the hardcoded XOR key “!!!HappyPenguin1950!!!”\r\nand finally base64-decoded.\r\nFigure 14 – URL Downloader functionality\r\nA few examples of decoded Pastebin URLs:\r\nPastebin URL | Profile | File\r\nhxxps[://]pastebin[.]com/u/NotingRobe2871_FranzStill8494 | hxxps[://]pastebin[.]com/u/NotingRobe2871 | FranzStill8\r\nhxxps[://]pastebin[.]com/u/ShadowGates1462_PastPhys9067 | hxxps[://]pastebin[.]com/u/ShadowGates1462 | PastPhys9\r\nhxxps[://]pastebin[.]com/u/AmendMinds7934_LoverTumor2853 | hxxps[://]pastebin[.]com/u/AmendMinds7934 | LoverTum\r\nThe list goes on. In this campaign, the first Paste listed in the table,\r\nhxxps[://]pastebin[.]com/u/NotingRobe2871_FranzStill8494, is the one that exists and will therefore go through the\r\ndecoding routine. Interestingly, this paste has been ‘viewed’ over 400 times, which implies the campaign has had a\r\nreasonable amount of success. The content of the paste is hex encoded and can be observed in Figure 15.\r\nFigure 15 – The content of Pastebin, hex decoded.\r\nThe signature (highlighted in blue) is an RSA signature over the ‘message’. 
The malware uses an embedded public key to\r\nverify if the signature matches, and if so, it will perform the decoding of the data contained in ‘message’.\r\nThis message (highlighted in green) in the JSON data will be hex decoded, XORed with the same key as before, base64\r\ndecoded and finally reversed to end up with the next stage downloader URL, which is:\r\nhxxp[://]23[.]254[.]164[.]156/introduction-video. This CyberChef recipe displays the decoding functionality.\r\nAt the time of writing this post, the next stage or ‘introduction-video’ was offline. However, we assess with medium\r\nconfidence that this would be the TsunamiInstaller. Through further hunting, we discovered a binary recently uploaded to\r\nVirusTotal, which incorporates a .NET payload\r\n(9d9a25482e7e40e8e27fdb5a1d87a1c12839226c85d00c6605036bd1f4235b21) with capabilities as seen in Figure 16.\r\nFigure 16 – Tsunami Payload showing key components such as anti-malware and logging.\r\nThis Tsunami ‘payload’ (again a slight misnomer, as it is also an installer/dropper) has multiple capabilities such as\r\nadditional system fingerprinting, data collection, and embedding TOR for downloading additional payloads from a\r\nhardcoded .onion address (offline at the time of writing this blog):\r\nhxxp[://]n34kr3z26f3jzp4ckmwuv5ipqyatumdxhgjgsmucc65jac56khdy5zqd[.]onion.\r\nInfrastructure\r\nThe attack chain discussed in this blog uses JSON storage services for payload hosting. By pivoting on identified indicators,\r\nwe were able to identify many additional repositories, payloads hosted on JSON storage services and IP addresses. This\r\nincludes, for example, the use of Railway to host and serve additional payloads.\r\nWe have listed the identified IOCs at the end of the blog. 
Representatives of the JSON storage services were contacted and\r\nbriefed regarding the abuse and are working on removing all malicious content. We’d like to thank them for their swift\r\nresponse and actions.\r\nConclusion\r\nIt’s clear that the actors behind Contagious Interview are not lagging behind and are trying to cast a very wide net to\r\ncompromise any (software) developer that might seem interesting to them, resulting in exfiltration of sensitive data and\r\ncrypto wallet information.\r\nThe use of legitimate websites such as JSON Keeper, JSON Silo and npoint.io, along with code repositories such as GitLab\r\nand GitHub, underlines the actor’s motivation and sustained attempts to operate stealthily and blend in with normal traffic.\r\nNever run code from an unknown repository or from a ‘recruiter’ as part of any first interview, especially when contact has\r\nbeen recently established. If needed, inspect the configuration files for any signs of malicious activity.\r\nIndicators of Compromise (IOCs)\r\nThe following IOCs list all indicators seen in this campaign, as well as additional indicators uncovered via threat hunting\r\nand other methods.\r\nEmail addresses used to upload the malware to JSON storage services\r\nRepositories hosting malicious code\r\nGitHub account identified making initial commits to other repositories containing malicious code\r\nhxxps[://]github[.]com/carlotalentengine-sketch\r\nJSON Storage URLs\r\nBeaverTail/InvisibleFerret Command \u0026 Control servers\r\nTsunami Indicators\r\nhxxp[://]23[.]254[.]164[.]156/introduction-video\r\nhxxps[://]pastebin[.]com/u/NotingRobe2871_FranzStill8494\r\nhxxp[://]n34kr3z26f3jzp4ckmwuv5ipqyatumdxhgjgsmucc65jac56khdy5zqd[.]onion\r\nAnydesk Command \u0026 Control server\r\n95[.]164[.]17[.]24\r\nAbout the authors\r\nBart Parys\r\nBart is a senior manager at NVISO where he mainly focuses on SOC maturity \u0026 assessments, Threat Intelligence, Incident\r\nResponse and Malware Analysis.\r\nStef Collart\r\nStef Collart is a Threat Hunter \u0026 CTI Analyst within NVISO’s CSIRT, combining information gained from CTI to perform\r\nthreat hunts for various customers.\r\nEfstratios Lontzetidis\r\nEfstratios Lontzetidis is a CTI analyst within NVISO’s CSIRT and is mainly involved in Intelligence Production.\r\nSource: https://blog.nviso.eu/2025/11/13/contagious-interview-actors-now-utilize-json-storage-services-for-malware-delivery/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.nviso.eu/2025/11/13/contagious-interview-actors-now-utilize-json-storage-services-for-malware-delivery/"
	],
	"report_names": [
		"contagious-interview-actors-now-utilize-json-storage-services-for-malware-delivery"
	],
	"threat_actors": [
		{
			"id": "4fc99d9b-9b66-4516-b0db-520fbef049ed",
			"created_at": "2025-10-29T02:00:51.949631Z",
			"updated_at": "2026-04-10T02:00:05.346203Z",
			"deleted_at": null,
			"main_name": "Contagious Interview",
			"aliases": [
				"Contagious Interview",
				"DeceptiveDevelopment",
				"Gwisin Gang",
				"Tenacious Pungsan",
				"DEV#POPPER",
				"PurpleBravo",
				"TAG-121"
			],
			"source_name": "MITRE:Contagious Interview",
			"tools": [
				"InvisibleFerret",
				"BeaverTail",
				"XORIndex Loader",
				"HexEval Loader"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434351,
	"ts_updated_at": 1775791708,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e391341491c3a93a178e76eea3fb5b7653a5c9c1.pdf",
		"text": "https://archive.orkl.eu/e391341491c3a93a178e76eea3fb5b7653a5c9c1.txt",
		"img": "https://archive.orkl.eu/e391341491c3a93a178e76eea3fb5b7653a5c9c1.jpg"
	}
}