North Korea-linked hackers have set up a new trap to lure developers into downloading malware-laced coding tasks, according to recent research. The Contagious Interview campaign uses fake recruiter messages and demo projects that include configuration values pointing to JSON storage URLs. These JSON blobs host heavily obfuscated JavaScript code that, once decoded and executed, unpacks a BeaverTail infostealer and then stages the InvisibleFerret modular RAT.

The New Staging Ground: JSON Storage Services

NVISo researchers found multiple demo repositories hosted on GitLab/Github where a “server/config/.config.env” file contains an API key that decodes into a JSON Keeper (and similar) URL. The JavaScript fetched from these services is packed and string-obfuscated, making it difficult to detect.

The actors use various techniques to evade detection, including embedding coded Pastebin and XOR/base64 layers. Once decoded, the final payload (BeaverTail) shows previously seen capabilities, such as harvesting system info, browser wallets/extensions, documents, and more.

Developers Remain a High-Value Target

The campaign specifically targets developers involved in crypto and Web3 projects, using realistic-sounding personas and demo applications to lower suspicion. The state-linked actors’ shift from direct payload hosting to abusing legitimate JSON storage services suggests that even benign developer-centric platforms are now being weaponized.

This new attack blends legitimate platforms with obfuscated payloads, making it essential for defenders to treat code provenance as part of security hygiene. Running code in fully isolated sandboxes, auditing any external URLs or keys in config files before executing, and blocking unusual outbound requests can help prevent such attacks.

Protecting Your Code

Developers need to be aware of this new threat and take necessary precautions to protect their code. This includes running code in fully isolated sandboxes, auditing any external URLs or keys in config files before executing, and blocking unusual outbound requests. By doing so, developers can prevent the malicious code from unpacking and causing harm to their systems.

The Contagious Interview campaign is a reminder that even legitimate-looking job opportunities can be a trap. Developers should remain vigilant and report any suspicious activity to ensure their security and the security of their projects.

Inspired by

• https://www.infoworld.com/article/4090984/north-koreas-job-test-trap-upgrades-to-json-malware-dropboxes-2.html

Sources

• csoonline.com
• csoonline.com
• csoonline.com
• nviso.eu
• csoonline.com