North Korean Hackers Turn JSON Services into Covert Malware Delivery Channels
The North Korean threat actors behind the Contagious Interview campaign have once again tweaked their tactics by using JSON storage services to stage malicious payloads. "The threat actors have recently resorted to utilizing JSON storage services like JSON Keeper, JSONsilo, and npoint.io to host and deliver malware from trojanized code projects, with the lure," NVISO researchers Bart Parys, Stef
AI Analysis
Technical Summary
The Contagious Interview campaign, attributed to North Korean threat actors, has evolved its malware delivery tactics by abusing legitimate JSON storage services such as JSON Keeper, JSONsilo, and npoint.io. These services host obfuscated malicious payloads, which are reached through trojanized code projects shared on trusted platforms like GitHub, GitLab, and Bitbucket. The attack begins with social engineering on professional networking sites like LinkedIn, where targets are approached under the guise of job assessments or collaborative projects. Victims are instructed to download and run a demo project containing a configuration file (e.g., server/config/.config.env) with a Base64-encoded string masquerading as an API key; decoding it yields a URL on one of the JSON storage services, from which the trojanized project fetches the next-stage payload.

That payload is BeaverTail, a JavaScript-based information stealer. It in turn deploys the InvisibleFerret Python backdoor, which remains consistent with previous versions but now also fetches an additional payload named TsunamiKit from Pastebin. TsunamiKit, previously reported by ESET, performs system fingerprinting and data collection and can retrieve further payloads from a now-offline .onion address. The campaign also involves other malware families such as Tropidoor and AkdoorTea.

By leveraging legitimate web services and popular code repositories, the attackers blend their traffic into normal developer activity, complicating detection and response. The campaign targets software developers globally, aiming to exfiltrate sensitive data and cryptocurrency wallet credentials, highlighting a strategic focus on high-value technical personnel.
Potential Impact
European organizations, particularly those with significant software development operations, face considerable risk from this campaign. The targeting of developers via professional networks and trojanized code repositories can lead to credential theft, intellectual property loss, and unauthorized access to internal systems, since a developer workstation typically holds SSH keys, cloud credentials, and source-control tokens. The exfiltration of sensitive data and crypto wallet information could result in direct financial losses and reputational damage. The use of legitimate JSON storage services and popular code hosting platforms complicates detection, increasing the likelihood of prolonged undetected compromise. Organizations involved in software development, fintech, and blockchain technologies are especially exposed given the campaign's focus on crypto wallets and developer tools. Additionally, the multi-stage payload deployment (BeaverTail, then InvisibleFerret, then TsunamiKit) gives the operators persistent, interactive access to the compromised host, from which lateral movement and broader espionage become possible. The campaign's medium severity reflects the reliance on the victim running the project (moderate ease of exploitation) combined with significant potential impact on confidentiality and integrity.
Mitigation Recommendations
European organizations should implement targeted defenses beyond generic advice. First, enforce strict verification of code sources and dependencies, especially projects received via unsolicited communications on professional networks; an "assessment" that requires running an unknown repository is itself a warning sign. Before executing a downloaded project, inspect its configuration and dotenv files: a long Base64 value labelled as an API key that decodes to a URL, or source code that fetches a remote resource and evaluates it, should stop the review there. Automated scanning for such strings and for unexpected external resource calls can be added to the intake process for third-party code. Never run npm install or npm start for an untrusted project on a workstation holding wallets, SSH keys, or cloud credentials; use a disposable VM or container with no access to those secrets. Monitor network traffic for connections to the JSON storage services and Pastebin used in this campaign, but treat them as alerting rather than blocking signals, since the services are legitimate; the useful correlation is a node or python process on a developer host retrieving content from them. Deploy endpoint detection and response (EDR) capable of surfacing JavaScript stealer behaviour (browser and wallet data access) and the follow-on Python backdoor, including node spawning python and python downloading further payloads. Educate developers and staff about the recruiter and collaboration lures used on platforms like LinkedIn. Regularly audit cryptocurrency wallet access and transactions for signs of compromise, and rotate any credentials present on a host where a trojanized project was run. Finally, work with threat intelligence providers to stay updated on evolving indicators for this campaign.
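The config-file check described above, as an added example written for this page (not NVISO's tooling or anything from the campaign itself): it walks a downloaded project, pulls Base64-looking tokens out of dotenv, JSON and source files, decodes them, and flags any that decode to an http(s) URL, raising the severity when the host belongs to a watchlist. The watchlist hostnames are assumed from the service names in the article, and the sample .config.env content is constructed for the demo (its URL path is made up, not a real indicator).

```python
"""Flag Base64 blobs in a project that decode to URLs (added example, not NVISO's code)."""
import base64
import binascii
import re
import tempfile
from pathlib import Path
from typing import Optional
from urllib.parse import urlparse

# Assumed hostnames for the services named in the article; swap in your own feed.
WATCHLIST_HOSTS = {"jsonkeeper.com", "jsonsilo.com", "npoint.io", "pastebin.com"}

# Dotenv-style configs plus the source types a demo project would ship.
SCAN_SUFFIXES = {".env", ".js", ".mjs", ".cjs", ".ts", ".json", ".py"}

# Base64 alphabet, at least 32 chars: a short URL already encodes to ~40 chars.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{32,}={0,2}")


def decode_b64(token: str) -> Optional[str]:
    """Return decoded, printable UTF-8 text if token is valid Base64, else None."""
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    return text if text.isprintable() else None


def classify_url(text: str) -> Optional[tuple]:
    """Return (host, severity) if text is an http(s) URL, else None."""
    parsed = urlparse(text.strip())
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        return None
    host = parsed.hostname.lower()
    watched = any(host == h or host.endswith("." + h) for h in WATCHLIST_HOSTS)
    return host, ("high" if watched else "medium")


def scan_text(text: str, origin: str) -> list:
    """Find Base64 tokens in text that decode to URLs; origin labels the file."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for match in B64_TOKEN.finditer(line):
            decoded = decode_b64(match.group(0))
            if decoded is None:
                continue
            hit = classify_url(decoded)
            if hit is None:
                continue
            host, severity = hit
            findings.append({"file": origin, "line": line_no, "host": host,
                             "severity": severity, "url": decoded.strip()})
    return findings


def scan_project(root: Path) -> list:
    """Scan every config/source file below root and collect findings."""
    findings = []
    for path in root.rglob("*"):
        # pathlib gives ".env" no suffix but ".config.env" the suffix ".env", so check both.
        if not path.is_file() or (path.suffix not in SCAN_SUFFIXES and not path.name.endswith(".env")):
            continue
        try:
            text = path.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue
        findings.extend(scan_text(text, str(path.relative_to(root))))
    return findings


# Constructed sample mimicking the lure: one "API key" is really a Base64 URL on a
# watchlisted host (path invented for the demo); the JWT secret decodes to plain text
# and must not be flagged.
SAMPLE_ENV = "\n".join([
    "NODE_ENV=development",
    "DB_PASSWORD=correct-horse-battery-staple",
    "API_KEY=" + base64.b64encode(b"https://api.jsonkeeper.com/b/EXAMPLE").decode(),
    "JWT_SECRET=" + base64.b64encode(b"not a url, just a long random secret value!!").decode(),
])


def demo() -> list:
    """Write the sample into a throwaway project tree and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        cfg = Path(tmp) / "server" / "config"
        cfg.mkdir(parents=True)
        (cfg / ".config.env").write_text(SAMPLE_ENV, encoding="utf-8")
        return scan_project(Path(tmp))


if __name__ == "__main__":
    for f in demo():
        print(f"[{f['severity']}] {f['file']}:{f['line']} -> {f['url']} ({f['host']})")
```

The scanner deliberately reports every Base64 token that decodes to a URL, not only those on the watchlist: the services can change between campaigns, and a legitimate API key never needs to be a URL. Review each hit by hand before running the project.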
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Estonia
Technical Details
Article Source: https://thehackernews.com/2025/11/north-korean-hackers-turn-json-services.html (fetched 2025-11-14T23:36:25Z, 986 words)
Threat ID: 6917bcfbed594783724528cc
Added to database: 11/14/2025, 11:36:27 PM
Last enriched: 11/14/2025, 11:36:37 PM
Last updated: 11/16/2025, 4:12:04 AM