Contagious Interview Actors Now Utilize JSON Storage Services for…

216.73.217.22

Contagious Interview Actors Now Utilize JSON Storage Services for Malware Delivery

· Published 14/11/2025 12:25 · Modified 14/11/2025 13:10

Essential information

Published: 14/11/2025 12:25
Modified: 14/11/2025 13:10
Tags: 2025-11-14 beavertail cryptocurrency infostealer invisibleferret json storage north korea ottercookie rat social engineering trojanized code tsunami payload web3
Related entities: 84 observables, 1 intrusion sets (apt), 15 techniques (mitre), 4 malware, 2 others

Description

The Contagious Interview campaign, linked to North Korean actors, has evolved to use JSON storage services for hosting and delivering malware. This campaign targets software developers, particularly those in cryptocurrency and Web3 projects, across Windows, Linux, and macOS. The attackers use social engineering tactics, including fake recruiter profiles, to deliver trojanized code during staged job interviews. The malware payload includes BeaverTail and OtterCookie infostealers, along with the InvisibleFerret RAT. The attack chain involves multiple stages, from initial contact to malware delivery, utilizing legitimate websites like JSON Keeper and code repositories to operate stealthily. The campaign also incorporates additional components such as the Tsunami Payload, which adds exceptions to Windows Defender and creates scheduled tasks.

Related entities

94.131.97.195
88.218.0.78
45.61.133.110
45.61.150.30
45.137.213.30
23.227.202.244
23.227.202.242
23.106.70.154
23.106.253.242
216.126.229.166
146.70.253.107
146.70.253.10
144.172.97.7
144.172.95.226
144.172.103.97
144.172.100.142
107.189.25.109
45.76.160.53
23.254.164.156
172.86.84.38
23.106.253.221
45.61.150.31
45.61.151.71
45.43.11.201
38.92.47.91
38.92.47.151
165.140.86.227
147.124.197.138
66.235.168.232
38.92.47.85
147.124.197.149
86.104.74.51
5.253.43.122
45.128.52.14
185.153.182.241
67.203.7.163
23.106.253.215
95.164.17.24
23.106.253.194
185.235.241.208
172.86.98.240
147.124.214.129
147.124.212.89
147.124.212.146
147.124.214.237
67.203.7.171
66.235.175.109
147.124.214.131
http://www.jsonkeeper.com/b/VBFK7
http://www.jsonkeeper.com/b/T7Q4V
http://www.jsonkeeper.com/b/RZATI
http://www.jsonkeeper.com/b/O2QKK
http://www.jsonkeeper.com/b/JNGUQ
http://jsonkeeper.com/b/JV43N
http://jsonkeeper.com/b/IXHS4
http://jsonkeeper.com/b/IARGW
http://jsonkeeper.com/b/GCGEX
http://jsonkeeper.com/b/GNOX4
http://jsonkeeper.com/b/FM8D6
http://jsonkeeper.com/b/E4YPZ
http://jsonkeeper.com/b/BADWN
http://jsonkeeper.com/b/8RLOV
http://jsonkeeper.com/b/86H03
http://jsonkeeper.com/b/6OCFY
http://jsonkeeper.com/b/4NAKK
http://api.npoint.io/f6dd89c1dd59234873cb
http://api.npoint.io/f4be0f7713a6fcdaac8b
http://api.npoint.io/e6a6bfb97a294115677d
http://api.npoint.io/cb0f9d0d03f50a5e1ebe
http://api.npoint.io/a1dbf5a9d5d0636edf76
http://api.npoint.io/8df659fd009b5af90d35
http://api.npoint.io/832d58932fcfb3065bc7
http://api.npoint.io/62755a9b33836b5a6c28
http://api.npoint.io/38acf86b6eb42b51b9c2
http://api.npoint.io/336c17cbc9abf234d423
http://api.npoint.io/2169940221e8b67d2312
http://api.npoint.io/148984729e1384cbe212
http://api.npoint.io/03f98fa639fa37675526
http://api.jsonsilo.com/public/942acd98-8c8c-47d8-8648-0456b740ef8b
http://api.jsonsilo.com/public/0048f102-336f-45dd-aef6-3641158a4c5d
http://23.254.164.156/introduction-video.
http://23.254.164.156/introduction-video
n34kr3z26f3jzp4ckmwuv5ipqyatumdxhgjgsmucc65jac56khdy5zqd.onion
9d9a25482e7e40e8e27fdb5a1d87a1c12839226c85d00c6605036bd1f4235b21