{"id":5833,"date":"2025-11-17T11:51:39","date_gmt":"2025-11-17T11:51:39","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=5833"},"modified":"2025-11-17T11:51:39","modified_gmt":"2025-11-17T11:51:39","slug":"north-koreas-job-test-trap-upgrades-to-json-malware-dropboxes","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=5833","title":{"rendered":"North Korea\u2019s \u2018Job Test\u2019 trap upgrades to JSON malware dropboxes"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>The North Korea-linked Contagious Interview campaign is now luring developers with trojanized coding tasks and pulling obfuscated payloads from public JSON-storage services like JSON Keeper, JSONSilo, and npoint.io.<\/p>\n<p>An NVISO Labs analysis of the campaign shows threat actors sending fake recruiter messages and demo projects that include configuration values pointing to JSON storage URLs. 
Those JSON blobs host heavily obfuscated JavaScript that, once decoded and executed by a Node.js test run, unpacks a BeaverTail infostealer and then stages the <a href=\"https:\/\/www.csoonline.com\/article\/3817394\/macos-ferret-operators-add-a-deceptive-bite-to-their-malware-family.html\">InvisibleFerret<\/a> modular RAT.<\/p>\n<p>\u201cThe JavaScript code hosted on JSON Keeper is heavily obfuscated with techniques such as packing, array and string obfuscation, and other common techniques such as concatenation,\u201d NVISO researchers said in a blog post.<\/p>\n<p>Contagious Interview is a <a href=\"https:\/\/www.csoonline.com\/article\/4009603\/north-koreas-bluenoroff-uses-ai-deepfakes-to-push-mac-malware-in-fake-zoom-calls.html\">long-running campaign<\/a> that targets software developers across Windows, Linux, and macOS\u2013especially those in crypto and Web3\u2013by using social-engineering lures like <a href=\"https:\/\/www.csoonline.com\/article\/3610611\/rising-clickfix-malware-distribution-trick-puts-powershell-it-policies-on-notice.html\">ClickFix<\/a> and fake recruiters to deliver trojanized interview code that ultimately drops BeaverTail and OtterCookie infostealers, along with a modular RAT.<\/p>\n<h2 class=\"wp-block-heading\"><a><\/a>JSON storage services as the new staging ground<\/h2>\n<p>NVISO found and disclosed multiple demo repositories (hosted on GitLab\/GitHub) where a \u201cserver\/config\/.config.env\u201d file contains what looks like an API key but decodes into a JSON Keeper (and similar) URL. The JavaScript fetched from those services is packed and string-obfuscated.<\/p>\n<p>De-obfuscation reveals BeaverTail, which harvests system info, browser wallets\/extensions (MetaMask, Phantom, TronLink), documents, and more, then pulls InvisibleFerret as a next-stage component. 
The actors even embed coded Pastebin and XOR\/base64 layers to evade detection.<\/p>\n<p>The final payload (BeaverTail) showed previously seen capabilities, including \u201cusage of Axioms as embedded HTTP client, enumeration and exfiltration of system information, searching browser profiles and extension directories for sensitive data, and searching for and exfiltrating Word documents, PDF files, screenshots, secret files, files containing environment variables, and other sensitive files such as the logged-in user\u2019s Keychain\u201d.<\/p>\n<h2 class=\"wp-block-heading\"><a><\/a>Developers remain a high-value target<\/h2>\n<p>Researchers <a href=\"https:\/\/blog.nviso.eu\/2025\/11\/13\/contagious-interview-actors-now-utilize-json-storage-services-for-malware-delivery\/\" target=\"_blank\" rel=\"noopener\">highlighted<\/a> that the campaign specifically targets developers involved in crypto and Web3 projects, using realistic-sounding personas and demo applications (real estate, DeFi, game forks) to lower suspicion. The state-linked actors\u2019 shift from direct payload hosting to abusing legitimate JSON storage services suggests that even benign developer-centric platforms are <a href=\"https:\/\/www.csoonline.com\/article\/4081492\/modern-supply-chain-attacks-and-their-real-world-impact.html\">now being weaponized<\/a> to bypass detection and exploit trust in tech workflows.<\/p>\n<p>Because the attack blends legitimate platforms (GitLab\/GitHub, JSON Keeper\/npoint) with obfuscated payloads, defenders must treat code provenance as part of security hygiene. 
Running code in fully isolated sandboxes, auditing any external URLs or keys in config files before executing, and blocking unusual outbound requests to known JSON-storage endpoints and IOCs NVISO listed might help, researchers added.<\/p>\n<p>\u201cNever run code from an unknown repository or from a \u2018recruiter\u2019 as part of any first interview, especially when contact has been recently established,\u201d researchers warned. \u201cIf needed, inspect the configuration files for any signs of malicious activity.\u201d NVISO has flagged a list of email addresses used to upload the malware to JSON services, repositories hosting malicious code, a GitHub account linked to the campaign, JSON storage URLs, and BeaverTail\/InvisibleFerret C2 servers for developers. Additionally, representatives of the JSON storage services were informed of the abuse and are reportedly working on removing all malicious content.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>North Korea-linked Contagious Interview campaign is now luring developers with trojanized coding tasks and pulling obfuscated payloads from public JSON-storage services like JSON Keeper, JSONSilo, and npoint.io. An NVISO Labs analysis of the campaign shows threat actors sending fake recruiter messages and demo projects that include configuration values pointing to JSON storage URLs. 
Those JSON [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":5834,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-5833","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/5833"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=5833"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/5833\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/5834"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=5833"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=5833"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=5833"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}