North Korea-linked ‘application trap’ evolves: JSON storage used to host malware

A threat campaign linked to North Korean cyber operators has significantly expanded its capabilities by using public JSON storage services as covert malware hosts. Security researchers report that the long-running operation known as Contagious Interview now relies on platforms such as JSON Keeper, JSON Silo and npoint.io to store and distribute malicious code during fake testing scenarios. This marks one of the most technically advanced versions of the campaign, which continues to target developers, blockchain engineers and Web3 professionals around the world.

How the attack works

The attack begins with a persuasive recruitment drive that invites the victim to participate in a skills assessment or coding test. The victim receives a compressed archive or Git repository containing what appears to be legitimate source code. Embedded in the project are configuration values disguised as environment variables or helper scripts. When decoded, these values point to JSON documents hosted on public services. Hidden within those JSON files is JavaScript that serves as the primary malware loader.

Once the victim runs the project within a Node.js environment, the loader fetches and runs the first-stage infostealer, known as BeaverTail. This malware is designed to capture extensive system information, browser data, session data, cryptocurrency wallet data, and high-quality local documents.

The malware also takes system screenshots and checks for installed security tools. After this reconnaissance phase, it deploys a second-stage component called InvisibleFerret, which functions as a modular remote access tool capable of downloading additional payloads, executing commands, and maintaining persistent access across Windows, Linux, and macOS systems.

The level and nature of the threat

Using public JSON storage significantly complicates detection. Security tools often classify the JSON endpoints of popular public services as benign, allowing the attackers to blend their infrastructure into normal developer traffic.

Developers regularly pull JSON-based configuration from such platforms, making the malicious traffic appear completely legitimate. Some of the attack samples include configuration files hidden in nested folders named .config or in server variables, containing base64-encoded strings that decode to the URLs of the JSON-hosted malware loaders. Because these files mimic the structure of real development environments, researchers warn that many victims may never suspect anything unusual.
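The two indicators the article describes (base64-encoded configuration values that decode to URLs on public JSON storage services, and JSON documents whose string values carry embedded JavaScript) are both cheap to check for before running an unknown project. The following scanner is an added example written for this page, not code from the researchers or from any of the services named; the hostnames in WATCHED_HOSTS, the JavaScript marker strings, and the sample .env and JSON content are all constructed assumptions for illustration.

```python
"""Scan a project checkout for the two hosting tricks described above:
(1) base64 tokens in config files that decode to URLs on public JSON
storage services, and (2) JSON documents whose string values look like
JavaScript. Added example; hostnames and samples are assumptions."""
import base64
import binascii
import json
import re
import tempfile
from pathlib import Path
from typing import Optional
from urllib.parse import urlparse

# Assumed hostnames for the services named in the article; tune to your telemetry.
WATCHED_HOSTS = ("jsonkeeper.com", "jsonsilo.com", "npoint.io")
# File types where the campaign hides its lookups: env files, dotfiles, small configs.
CONFIG_SUFFIXES = {".env", ".config", ".json", ".js", ".ts"}
# A run of base64 alphabet long enough to hold a URL, with optional padding.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")
# Heuristic markers of executable JavaScript sitting inside JSON string values.
JS_MARKERS = ("require(", "eval(", "new Function", "child_process", "process.env")


def decode_url(token: str) -> Optional[str]:
    """Return the decoded text if `token` is base64 for an http(s) URL, else None."""
    try:
        text = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    return text if text.startswith(("http://", "https://")) else None


def host_is_watched(url: str) -> bool:
    """True when the URL's host is one of the watched services or a subdomain of one."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in WATCHED_HOSTS)


def scan_text(text: str) -> list:
    """Find base64 tokens in `text` that decode to URLs on watched hosts."""
    hits = []
    for m in B64_RUN.finditer(text):
        url = decode_url(m.group(0))
        if url and host_is_watched(url):
            hits.append((m.group(0), url))
    return hits


def scan_json_for_code(doc: str) -> list:
    """Walk a fetched JSON document and report string values that look like JavaScript."""
    findings = []

    def walk(node, path):
        if isinstance(node, dict):
            for k, v in node.items():
                walk(v, f"{path}.{k}" if path else k)
        elif isinstance(node, list):
            for i, v in enumerate(node):
                walk(v, f"{path}[{i}]")
        elif isinstance(node, str):
            markers = [mk for mk in JS_MARKERS if mk in node]
            if markers:
                findings.append((path, ", ".join(markers)))

    try:
        walk(json.loads(doc), "")
    except json.JSONDecodeError:
        pass  # not JSON at all; nothing to walk
    return findings


def scan_tree(root: Path) -> list:
    """Scan a checkout; returns (relative file, encoded token, decoded URL) triples."""
    results = []
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        if not (p.name.startswith(".env") or p.suffix in CONFIG_SUFFIXES):
            continue
        try:
            text = p.read_text(errors="ignore")
        except OSError:
            continue
        for token, url in scan_text(text):
            results.append((p.relative_to(root).as_posix(), token, url))
    return results


# Constructed sample inputs (not real campaign artefacts).
ENCODED_URL = base64.b64encode(b"https://api.npoint.io/0123456789abcdef").decode()
BENIGN_B64 = base64.b64encode(b"fakesecretvalue12345678").decode()
SAMPLE_ENV = f"NODE_ENV=production\nAPI_BASE={ENCODED_URL}\nSESSION_SECRET={BENIGN_B64}\n"
SAMPLE_JSON = json.dumps({
    "name": "demo-config",
    "data": {"loader": "const cp = require('child_process'); eval(Buffer.from(p, 'base64').toString());"},
    "timeout": 30,
})


def demo() -> list:
    """Write the constructed sample into a temporary checkout and scan it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / ".config").mkdir()
        (root / ".config" / "server.env").write_text(SAMPLE_ENV)
        (root / "package.json").write_text('{"name": "demo", "main": "index.js"}')
        return scan_tree(root)


if __name__ == "__main__":
    for item in demo():
        print("config lookup to watched host:", item)
    for item in scan_json_for_code(SAMPLE_JSON):
        print("JSON value containing code:", item)
```

Run it against a freshly cloned "assessment" repository before executing anything in it. The host list is a watch-list for review, not a block-list: legitimate projects do pull configuration from these services, so a hit means "inspect the decoded URL and what it returns", and the second check tells you whether what it returns is data or code.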

This technique represents an escalation of North Korea’s cyber activity. Historically, operators connected to the DPRK relied on phishing documents, infected installers, or trojanized blockchain tools. Moving to a supply-chain-style approach that rides on developer workflows gives the attackers a more reliable foothold with less exposure. Security researchers note that the threat actors are deliberately targeting individuals with access to digital assets, resource repositories, or infrastructure credentials, suggesting both espionage and financial motives. With crypto theft remaining a major revenue stream for North Korea, this campaign echoes past activity attributed to groups like Lazarus and Kimsuky.

Researchers describe this attack as one of the clearest examples of how modern developer workflows can be weaponized.
