Contagious Interview JSON storage delivery campaign targeting software developers
Campaign
Summary
Hide ▲
Show ▼
The Contagious Interview campaign has shifted to using JSON storage services to stage malware, making delivery harder to spot and increasing risk to developer systems. The operation reaches prospective software developers through professional networking sites and lures them into downloading trojanized demo projects. A deceptive config file can point to the next-stage payload, which then drops tools such as BeaverTail and InvisibleFerret. The activity matters because it is designed to steal sensitive data and crypto wallet information while blending into legitimate web traffic.
Related Happenings
Contagious Interview UNK_DeadDrop GitHub phishing campaign
Campaign
H score37
First: 15.06.2026 22:32
Last: 15.06.2026 22:32
Sources 1
About this happening:
The **Contagious Interview** cluster is running the **UNK_DeadDrop** phishing campaign to lure developers with **recruitment** and **code review** themes, reaching **nearly 100 or...
Contagious Interview UNK_DeadDrop GitHub phishing campaign
CampaignAbout this happening: The **Contagious Interview** cluster is running the **UNK_DeadDrop** phishing campaign to lure developers with **recruitment** and **code review** themes, reaching **nearly 100 or...
UNK_DeadDrop developer phishing campaign using fake job and code-review lures
Campaign
H score30
First: 08.06.2026 18:00
Last: 08.06.2026 18:00
Sources 1
About this happening:
A **UNK_DeadDrop** phishing campaign sent **more than 250 emails** to software developers at **almost 100 organizations**, using fake job and code-review lures to steal **cryptocu...
UNK_DeadDrop developer phishing campaign using fake job and code-review lures
CampaignAbout this happening: A **UNK_DeadDrop** phishing campaign sent **more than 250 emails** to software developers at **almost 100 organizations**, using fake job and code-review lures to steal **cryptocu...
CL-CRI-1089 Operation FlutterBridge macOS malvertising campaign
Campaign
H score33
First: 04.06.2026 14:19
Last: 04.06.2026 14:19
Sources 1
About this happening:
A **macOS malvertising campaign** is delivering **FlutterShell** through malicious ads and trojanized apps, expanding browser-hijacking and backdoor risk across **the U.S., Canada...
CL-CRI-1089 Operation FlutterBridge macOS malvertising campaign
CampaignAbout this happening: A **macOS malvertising campaign** is delivering **FlutterShell** through malicious ads and trojanized apps, expanding browser-hijacking and backdoor risk across **the U.S., Canada...
WeedHack Minecraft MaaS campaign expands with malicious JARs and remote access
Malware Activity
H score65
First: 03.06.2026 00:54
Last: 03.06.2026 00:54
Sources 1
About this happening:
**WeedHack** is a **Minecraft-focused malware-as-a-service** operation that has been active since **January 2026** and uses **SEO poisoning** and **YouTube** to push malicious dow...
WeedHack Minecraft MaaS campaign expands with malicious JARs and remote access
Malware ActivityAbout this happening: **WeedHack** is a **Minecraft-focused malware-as-a-service** operation that has been active since **January 2026** and uses **SEO poisoning** and **YouTube** to push malicious dow...
JINX-0164 cryptocurrency recruitment-lure campaign
Campaign
H score39
First: 28.05.2026 10:54
Last: 28.05.2026 10:54
Sources 1
About this happening:
A **JINX-0164** campaign is targeting **cryptocurrency firms** and developers with **LinkedIn recruiter lures**, a fake meeting-and-fix workflow, and **macOS malware** to steal cr...
JINX-0164 cryptocurrency recruitment-lure campaign
CampaignAbout this happening: A **JINX-0164** campaign is targeting **cryptocurrency firms** and developers with **LinkedIn recruiter lures**, a fake meeting-and-fix workflow, and **macOS malware** to steal cr...
Timeline
-
14.11.2025 20:25 3 articles · 7mo ago
Contagious Interview adds JSON storage staging for malware delivery
Technical Analysis UpdateNVISO describes North Korean threat actors behind Contagious Interview as using JSON Keeper, JSONsilo, and npoint.io to host and deliver malware from trojanized developer projects, with a Base64-encoded value in `server/config/.config.env` pointing to an obfuscated next-stage payload that leads to BeaverTail, InvisibleFerret, and TsunamiKit delivery against prospective software developers.
Show sources
- North Korean Hackers Turn JSON Services into Covert Malware Delivery Channels — thehackernews.com — 14.11.2025 20:25
- North Korean Hackers Turn JSON Services into Covert Malware Delivery Channels — thehackernews.com — 14.11.2025 20:25
- New BeaverTail Malware Variant Linked to Lazarus Group — www.infosecurity-magazine.com — 18.12.2025 14:00