The entire chain of infection hides in plain sight
In the quiet corridors where professional ambition meets digital trust, North Korean operatives have constructed an elaborate illusion — posing as recruiters on LinkedIn to lure software developers into downloading code that carries hidden malware. The campaign, known as Contagious Interview, exploits the very platforms developers rely on daily, turning familiar tools like GitHub and JSON storage services into vectors of compromise. At its heart, this is a story about the weaponization of trust: the trust professionals extend to their networks, their tools, and the routines of their craft.
- North Korean hackers are actively impersonating recruiters on LinkedIn, using the credibility of professional networking to initiate contact with software developers who hold access to sensitive systems and cryptocurrency assets.
- Victims unknowingly download trojanized code repositories where a disguised configuration file silently fetches malware from legitimate JSON storage platforms, making the infection nearly invisible to standard scrutiny.
- The BeaverTail malware harvests credentials and sensitive data before deploying the InvisibleFerret backdoor, which now pulls an additional toolkit — TsunamiKit — capable of system fingerprinting, data collection, and reaching further payloads via Tor.
- Security researchers at NVISO and ESET have documented the campaign's evolution through late 2025, revealing an expanding arsenal that includes additional backdoors like Tropidoor and AkdoorTea.
- The operation's sustained refinement and broad targeting of developers signal a long-term strategic effort, not an isolated incident, with no clear indication the actors intend to slow their pace.
North Korean hackers are running a sophisticated recruitment scam designed to slip malware onto developers' machines by exploiting the platforms they trust most. The operation, tracked as Contagious Interview, begins on LinkedIn, where a fake recruiter offers a job or project collaboration. The target is directed to download a demo codebase from GitHub, GitLab, or Bitbucket — and buried inside is a Base64-encoded string that decodes into a URL pointing to a JSON storage service. That URL delivers the first malware payload.
Researchers at NVISO documented the scheme in a Thursday report, tracing how attackers have evolved their methods to exploit developer trust in legitimate infrastructure. The initial payload, BeaverTail, is a JavaScript malware that steals sensitive information before dropping a second-stage backdoor called InvisibleFerret — a Python tool granting persistent system access. InvisibleFerret has since been updated to fetch an additional toolkit called TsunamiKit from Pastebin, which can fingerprint systems, harvest data, and retrieve further payloads from a hardcoded Tor address.
Security firm ESET documented TsunamiKit's use in Contagious Interview attacks as recently as September 2025, alongside other backdoors including Tropidoor and AkdoorTea. For attackers focused on cryptocurrency theft, developers are high-value targets — they frequently hold access to crypto wallets, API keys, and privileged systems.
What makes the campaign so effective is its camouflage. Every step of the infection chain — the GitHub repository, the configuration file, the JSON API call — resembles normal developer activity. The malware hides in plain sight, relying on the assumption that professionals trust the tools of their trade. Researchers concluded that the actors are casting a wide net with no sign of slowing, and as long as LinkedIn connects recruiters with developers and legitimate services can be quietly repurposed, this attack surface will remain open.
North Korean hackers are running a sophisticated recruitment scam that uses the trappings of legitimate business to slip malware onto developers' machines. The operation, tracked as Contagious Interview, works like this: a recruiter reaches out on LinkedIn with a job offer or project collaboration opportunity. The target is asked to download a demo codebase from GitHub, GitLab, or Bitbucket. Inside that repository, buried in a configuration file, sits a Base64-encoded string that looks like an API key but is actually a URL pointing to a JSON storage service—platforms like JSON Keeper, JSONsilo, or npoint.io. When decoded and accessed, that URL delivers the first piece of malware.
Researchers at NVISO documented the scheme in a Thursday report, describing how the threat actors have evolved their delivery methods to exploit the trust developers place in legitimate code-hosting and data-storage platforms. The initial payload is BeaverTail, a JavaScript malware designed to steal sensitive information from the infected machine. Once BeaverTail establishes itself, it drops a second-stage backdoor called InvisibleFerret, a Python tool that gives attackers persistent access to the system. The backdoor's capabilities have remained largely consistent since it was first identified by Palo Alto Networks in late 2023, but the North Korean operators have added a new wrinkle: InvisibleFerret now fetches an additional toolkit called TsunamiKit from Pastebin.
TsunamiKit is where the operation's ambitions become clear. The toolkit can fingerprint a system, collect data from it, and retrieve further payloads from a hardcoded Tor address. Security firm ESET documented TsunamiKit's use in Contagious Interview attacks as recently as September 2025, noting that the campaign also deployed other backdoors like Tropidoor and AkdoorTea. For attackers focused on stealing cryptocurrency, the toolkit's data-harvesting capabilities make it particularly valuable—developers often have access to crypto wallets, API keys, and other high-value secrets.
What makes this campaign effective is its use of camouflage. By routing malware through JSON storage services and code repositories that developers use every day, the attackers blend their traffic with legitimate activity. A developer downloading a project from GitHub sees nothing unusual. The configuration file looks like standard boilerplate. The JSON storage service appears to be a normal API call. The entire chain of infection hides in plain sight, relying on the assumption that developers trust the platforms they work with.
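The lure described above (a Base64 string in a config file that looks like an API key but decodes to a URL on a JSON storage service) and the camouflage that makes it blend into boilerplate are both things a reviewer can check for mechanically before running a demo repository. The following triage script is an added example, not NVISO's, ESET's or any vendor's tooling: it walks the text files of a downloaded project, pulls out every token that fits the Base64 alphabet, decodes it, and reports the ones that turn out to be http(s) URLs, flagging hosts that match a watchlist. The watchlist fragments (`jsonkeeper`, `jsonsilo`, `npoint`) are assumed from the service names the report gives, and the sample `config.js` plus its `PLACEHOLDER` URL are constructed for this example.

```python
"""Pre-run triage for a downloaded demo repository (added example, not the
report's own code): find Base64 tokens that decode to URLs and flag hosts
on a JSON-storage watchlist."""
import base64
import binascii
import re
from dataclasses import dataclass
from pathlib import Path
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Anything that looks like a secret: 24+ chars of the Base64 alphabet, optional padding.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")

# Hostname fragments for the JSON storage services named in the report
# (JSON Keeper, JSONsilo, npoint.io). Assumed fragments; adjust to what you observe.
JSON_STORE_HINTS = ("jsonkeeper", "jsonsilo", "npoint")


@dataclass
class Finding:
    token: str          # the Base64 token as it appeared in the file
    url: str            # what it decoded to
    host: str           # hostname of that URL, lower-cased
    on_watchlist: bool  # host matches a JSON-storage fragment


def decode_if_url(token: str) -> Optional[str]:
    """Return the decoded URL if `token` is Base64 for an http(s) URL, else None.

    Missing padding is tolerated because hand-pasted keys often drop it; anything
    that is not valid Base64, not UTF-8, or not a URL is treated as a normal secret.
    """
    padded = token + "=" * (-len(token) % 4)
    try:
        text = base64.b64decode(padded, validate=True).decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    return text if re.match(r"^https?://\S+$", text) else None


def scan_text(text: str) -> List[Finding]:
    """Scan one file's contents; return every Base64 token that hides a URL."""
    findings = []
    for match in B64_TOKEN.finditer(text):
        url = decode_if_url(match.group(0))
        if url is None:
            continue
        host = (urlparse(url).hostname or "").lower()
        on_watchlist = any(hint in host for hint in JSON_STORE_HINTS)
        findings.append(Finding(match.group(0), url, host, on_watchlist))
    return findings


def scan_repo(root: str, suffixes=(".js", ".cjs", ".mjs", ".ts", ".json", ".env")) -> Dict[str, List[Finding]]:
    """Walk a checked-out repository and map file path -> findings (empty if none)."""
    results: Dict[str, List[Finding]] = {}
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix not in suffixes:
            continue
        hits = scan_text(path.read_text(encoding="utf-8", errors="ignore"))
        if hits:
            results[str(path)] = hits
    return results


# Constructed sample: a config.js as it might look in a trojanized demo project.
# `apiKey` is Base64 for https://api.npoint.io/PLACEHOLDER (placeholder path made
# up for this example); `analyticsKey` is an ordinary high-entropy string.
SAMPLE_CONFIG = """
module.exports = {
  apiKey: "aHR0cHM6Ly9hcGkubnBvaW50LmlvL1BMQUNFSE9MREVS",
  analyticsKey: "A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6",
  timeout: 3000,
};
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_CONFIG):
        label = "WATCHLIST" if f.on_watchlist else "url"
        print(f"[{label}] {f.token[:12]}... -> {f.url}")
```

Run `scan_repo("path/to/cloned-demo")` on a fresh checkout before installing dependencies or running anything; a "key" that decodes to a URL is worth a look regardless of host, and a watchlist hit is a strong reason to stop and treat the repository as hostile. The check is deliberately narrow (Base64 that decodes to a URL); it will not catch other encodings, so it complements rather than replaces reading the file.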
The researchers concluded that the actors behind Contagious Interview are casting a wide net, targeting any software developer who might have access to valuable systems or assets. The campaign's persistence and evolving tactics suggest this is not a one-off operation but a sustained effort to compromise developers at scale. As long as LinkedIn remains a place where recruiters and developers connect, and as long as legitimate services can be repurposed to host malware, this attack surface will remain open. The North Korean operators have shown they are willing to invest in refining their approach, and there is little reason to expect them to stop.
Notable Quotes
"The actors behind Contagious Interview are not lagging behind and are trying to cast a very wide net to compromise any software developer that might seem interesting to them." — NVISO researchers Bart Parys, Stef Collart, and Efstratios Lontzetidis
"The use of legitimate websites and code repositories underlines the actor's motivation and sustained attempts to operate stealthily and blend in with normal traffic." — NVISO researchers
The Hearth Conversation
Another angle on the story
Why would North Korean hackers focus specifically on developers rather than, say, finance workers or government employees?
Developers are the skeleton key. They have legitimate access to production systems, code repositories, cloud infrastructure, and often cryptocurrency wallets. A compromised developer can move laterally through an entire organization's systems without raising suspicion—they're supposed to be accessing those things.
The JSON storage services—JSON Keeper, JSONsilo, npoint.io—these are real, legitimate platforms?
Yes. That's the whole point. They're services developers actually use. By hosting malware there, the attackers make their traffic look normal. It's like hiding contraband in a shipping container full of legal goods.
Once BeaverTail installs InvisibleFerret, what stops a developer from noticing something is wrong?
The backdoor runs quietly in the background. It doesn't crash the system or consume obvious resources. A developer might notice unusual network traffic or CPU spikes if they're paying close attention, but most people don't monitor their own machines that carefully.
The campaign has been active since at least 2023. Why hasn't it been shut down?
Because it uses legitimate platforms. You can't shut down GitHub or JSON Keeper. You can take down individual malicious repositories or payloads, but the attackers just create new ones. It's a game of whack-a-mole where the moles have infinite resources.
What's the endgame? Are they stealing data, planting backdoors for future use, or both?
Both. Immediate theft—credentials, keys, wallet information—but also persistence. A compromised developer is a long-term asset. They can be reactivated months or years later when the attackers need access to something specific.