
North Korea’s ‘Job Test’ trap upgrades to JSON malware dropboxes

Monday 17 November 2025, 12:54, by InfoWorld
The North Korea-linked Contagious Interview campaign is now luring developers with trojanized coding tasks and pulling obfuscated payloads from public JSON-storage services such as JSON Keeper, JSONSilo, and npoint.io.

An NVISO Labs analysis of the campaign shows threat actors sending fake recruiter messages and demo projects that include configuration values pointing to JSON storage URLs. Those JSON blobs host heavily obfuscated JavaScript that, once decoded and executed by a Node.js test run, unpacks a BeaverTail infostealer and then stages the InvisibleFerret modular RAT.

“The JavaScript code hosted on JSON Keeper is heavily obfuscated with techniques such as packing, array and string obfuscation, and other common techniques such as concatenation,” NVISO researchers said in a blog post.

Contagious Interview is a long-running campaign that targets software developers across Windows, Linux, and macOS, especially those working in crypto and Web3, using social-engineering lures such as ClickFix and fake recruiters to deliver trojanized interview code that ultimately drops the BeaverTail and OtterCookie infostealers, along with a modular RAT.

JSON storage services as the new staging ground

NVISO found and disclosed multiple demo repositories (hosted on GitLab/GitHub) in which a “server/config/.config.env” file contains what looks like an API key but decodes into a JSON Keeper (or similar) URL. The JavaScript fetched from those services is packed and string-obfuscated.

De-obfuscation reveals BeaverTail, which harvests system information, browser wallets and extensions (MetaMask, Phantom, TronLink), documents, and more, then pulls InvisibleFerret as a next-stage component. The actors also add encoded Pastebin and XOR/base64 layers to evade detection.

The final payload (BeaverTail) showed previously seen capabilities, including “usage of Axioms as embedded HTTP client, enumeration and exfiltration of system information, searching browser profiles and extension directories for sensitive data, and searching for and exfiltrating Word documents, PDF files, screenshots, secret files, files containing environment variables, and other sensitive files such as the logged-in user’s Keychain”.

Developers remain a high-value target

Researchers highlighted that the campaign specifically targets developers involved in crypto and Web3 projects, using realistic-sounding personas and demo applications (real estate, DeFi, game forks) to lower suspicion. The state-linked actors’ shift from direct payload hosting to abusing legitimate JSON storage services suggests that even benign developer-centric platforms are now being weaponized to bypass detection and exploit trust in tech workflows.

Because the attack blends legitimate platforms (GitLab/GitHub, JSON Keeper/npoint) with obfuscated payloads, defenders must treat code provenance as part of security hygiene. Running code only in fully isolated sandboxes, auditing any external URLs or keys in config files before executing, and blocking unusual outbound requests to known JSON-storage endpoints and the IOCs NVISO listed might help, researchers added.
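The audit step described above, checking config files for keys that are really encoded URLs before anything is executed, can be automated. The following script is an added example written for this article and is not NVISO's tooling or code from the campaign: it parses a `.env`-style file, tries to base64-decode every value, extracts any http(s) URLs from the plain or decoded value, and rates a hit as high severity when the host belongs to one of the JSON storage services named in the article. Only `npoint.io` appears as a domain on the page; the `jsonkeeper.com` and `jsonsilo.com` hostnames, the `api.npoint.io` subdomain and the whole sample file are assumptions constructed for the example.

```python
import base64
import binascii
import re
from urllib.parse import urlparse

# Hosts of the JSON storage services named in the article. Only "npoint.io" is
# given on the page; the other two hostnames are assumptions for this example.
JSON_STORAGE_HOSTS = {"npoint.io", "jsonkeeper.com", "jsonsilo.com"}

URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
# Values that look like standard or URL-safe base64 and are long enough to matter.
B64_RE = re.compile(r"^[A-Za-z0-9+/=_-]{16,}$")

# Constructed sample .env file (not from any real repository). The API_KEY value
# is base64 for "https://api.npoint.io/demo", a placeholder JSON-storage URL.
SAMPLE_ENV = """
# server/config/.config.env  (constructed sample)
PORT=3000
DB_URL=postgres://localhost:5432/demo
API_KEY="aHR0cHM6Ly9hcGkubnBvaW50LmlvL2RlbW8="
PUBLIC_URL=https://example.com/app
"""


def try_base64(value: str):
    """Return decoded printable text if value is base64, otherwise None."""
    candidate = value.strip()
    if not B64_RE.match(candidate):
        return None
    padded = candidate + "=" * (-len(candidate) % 4)  # restore stripped padding
    try:
        if "-" in candidate or "_" in candidate:
            raw = base64.urlsafe_b64decode(padded)
        else:
            raw = base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    return text if text.isprintable() else None


def parse_env(text: str) -> dict:
    """Minimal KEY=value parser: skips blanks and comments, strips quotes."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        entries[key.strip()] = value.strip().strip("'\"")
    return entries


def is_json_storage_host(host: str) -> bool:
    return any(host == h or host.endswith("." + h) for h in JSON_STORAGE_HOSTS)


def audit_config(text: str) -> list:
    """Return findings for every http(s) URL found in a value, plain or base64-decoded."""
    findings = []
    for key, value in parse_env(text).items():
        for encoding, candidate in (("plain", value), ("base64", try_base64(value))):
            if candidate is None:
                continue
            for url in URL_RE.findall(candidate):
                host = (urlparse(url).hostname or "").lower()
                findings.append({
                    "key": key,
                    "encoding": encoding,
                    "url": url,
                    "host": host,
                    # A URL hidden in a key-like value and pointing at a JSON
                    # storage service is the pattern the article describes.
                    "severity": "high" if is_json_storage_host(host) else "review",
                })
    return findings


if __name__ == "__main__":
    for f in audit_config(SAMPLE_ENV):
        print(f"[{f['severity']}] {f['key']} ({f['encoding']}): {f['url']}")
```

Run it against the `.env` and config files of a repository before any `npm test` or `node` invocation; every finding deserves a look, but a "high" one means the project will fetch content from a public JSON store at run time, which is exactly the staging mechanism the article describes.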

“Never run code from an unknown repository or from a ‘recruiter’ as part of any first interview, especially when contact has been recently established,” researchers warned. “If needed, inspect the configuration files for any signs of malicious activity.” NVISO has flagged a list of email addresses used to upload the malware to JSON services, repositories hosting malicious code, a GitHub account linked to the campaign, JSON storage URLs, and BeaverTail/InvisibleFerret C2 servers for developers. Additionally, representatives of the JSON storage services were informed of the abuse and are reportedly working on removing all malicious content.
https://www.infoworld.com/article/4090984/north-koreas-job-test-trap-upgrades-to-json-malware-dropbo...

News copyright owned by their original publishers | Copyright © 2004 - 2025 Zicos / 440Network