Contagious Interview Actors Now Utilize JSON Storage Services for Malware Delivery
Nov. 14, 2025, 1:10 p.m.
Description
The Contagious Interview campaign, linked to North Korean actors, has evolved to use JSON storage services for hosting and delivering malware. This campaign targets software developers, particularly those in cryptocurrency and Web3 projects, across Windows, Linux, and macOS. The attackers use social engineering tactics, including fake recruiter profiles, to deliver trojanized code during staged job interviews. The malware payload includes BeaverTail and OtterCookie infostealers, along with the InvisibleFerret RAT. The attack chain involves multiple stages, from initial contact to malware delivery, utilizing legitimate websites like JSON Keeper and code repositories to operate stealthily. The campaign also incorporates additional components such as the Tsunami Payload, which adds exceptions to Windows Defender and creates scheduled tasks.
Tags
Date
- Created: Nov. 14, 2025, 12:25 p.m.
- Published: Nov. 14, 2025, 12:25 p.m.
- Modified: Nov. 14, 2025, 1:10 p.m.
Indicators
- 9d9a25482e7e40e8e27fdb5a1d87a1c12839226c85d00c6605036bd1f4235b21
- 94.131.97.195
- 88.218.0.78
- 45.61.133.110
- 45.61.150.30
- 45.137.213.30
- 23.227.202.244
- 23.227.202.242
- 23.106.70.154
- 23.106.253.242
- 216.126.229.166
- 146.70.253.107
- 146.70.253.10
- 144.172.97.7
- 144.172.95.226
- 144.172.103.97
- 144.172.100.142
- 107.189.25.109
- 45.76.160.53
- 23.254.164.156
- 172.86.84.38
- 23.106.253.221
- 45.61.150.31
- 45.61.151.71
- 45.43.11.201
- 38.92.47.91
- 38.92.47.151
- 165.140.86.227
- 147.124.197.138
- 66.235.168.232
- 38.92.47.85
- 147.124.197.149
- 86.104.74.51
- 5.253.43.122
- 45.128.52.14
- 185.153.182.241
- 67.203.7.163
- 23.106.253.215
- 95.164.17.24
- 23.106.253.194
- 185.235.241.208
- 172.86.98.240
- 147.124.214.129
- 147.124.212.89
- 147.124.212.146
- 147.124.214.237
- 67.203.7.171
- 66.235.175.109
- 147.124.214.131
- http://www.jsonkeeper.com/b/VBFK7
- http://www.jsonkeeper.com/b/T7Q4V
- http://www.jsonkeeper.com/b/RZATI
- http://www.jsonkeeper.com/b/O2QKK
- http://www.jsonkeeper.com/b/JNGUQ
- http://jsonkeeper.com/b/JV43N
- http://jsonkeeper.com/b/IXHS4
- http://jsonkeeper.com/b/IARGW
- http://jsonkeeper.com/b/GCGEX
- http://jsonkeeper.com/b/GNOX4
- http://jsonkeeper.com/b/FM8D6
- http://jsonkeeper.com/b/E4YPZ
- http://jsonkeeper.com/b/BADWN
- http://jsonkeeper.com/b/8RLOV
- http://jsonkeeper.com/b/86H03
- http://jsonkeeper.com/b/6OCFY
- http://jsonkeeper.com/b/4NAKK
- http://api.npoint.io/f6dd89c1dd59234873cb
- http://api.npoint.io/f4be0f7713a6fcdaac8b
- http://api.npoint.io/e6a6bfb97a294115677d
- http://api.npoint.io/cb0f9d0d03f50a5e1ebe
- http://api.npoint.io/a1dbf5a9d5d0636edf76
- http://api.npoint.io/8df659fd009b5af90d35
- http://api.npoint.io/832d58932fcfb3065bc7
- http://api.npoint.io/62755a9b33836b5a6c28
- http://api.npoint.io/38acf86b6eb42b51b9c2
- http://api.npoint.io/336c17cbc9abf234d423
- http://api.npoint.io/2169940221e8b67d2312
- http://api.npoint.io/148984729e1384cbe212
- http://api.npoint.io/03f98fa639fa37675526
- http://api.jsonsilo.com/public/942acd98-8c8c-47d8-8648-0456b740ef8b
- http://api.jsonsilo.com/public/0048f102-336f-45dd-aef6-3641158a4c5d
- http://23.254.164.156/introduction-video.
- http://23.254.164.156/introduction-video
- n34kr3z26f3jzp4ckmwuv5ipqyatumdxhgjgsmucc65jac56khdy5zqd.onion
Additional Informations
- Technology
- Finance