Contagious Interview Actors Now Utilize JSON Storage Services for Malware Delivery
2025-11-13 • NVISO
NVISO reports that DPRK-aligned Contagious Interview operators are abusing JSON Keeper, JSONsilo, npoint.io, GitLab, and GitHub to host and deliver malware through trojanized interview demo projects. The activity targets software developers across Windows, Linux, and macOS, with emphasis on cryptocurrency and Web3 roles, using fake recruiter outreach and staged coding tasks as the infection path. A base64-masked configuration value in the project points to JSON-hosted obfuscated code that resolves to BeaverTail, which steals system details, browser profiles, wallet extensions, documents, screenshots, secret files, and macOS Keychain data before fetching InvisibleFerret. The chain also includes Pastebin-based next-stage retrieval, a Tsunami component set for Defender exclusions, scheduled tasks, Python installation, and payload integrity verification, with infrastructure including 146.70.253.107, 23.254.164.156, and an offline .onion address. The use of legitimate JSON storage and code-hosting services helps the actors blend malicious delivery into normal developer workflows.
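A defender-side check for the base64-masked configuration value described above, as an added example that is not taken from the NVISO report: it decodes base64 runs in a project file and flags those that resolve to a URL on a JSON storage service. The hostname list, the `.env` layout, the key names and the sample URLs are assumptions constructed for illustration.

```python
import base64
import re
from urllib.parse import urlparse

# Assumption: public hostnames of the JSON storage services named in the report.
JSON_STORAGE_HOSTS = ("jsonkeeper.com", "jsonsilo.com", "npoint.io")
B64_RUN = re.compile(r"[A-Za-z0-9+/_-]{16,}={0,2}")  # base64 runs that could hide a URL

def decode_candidate(token):
    """Return the decoded text if token is base64 of printable ASCII, else None."""
    token = token.replace("-", "+").replace("_", "/").rstrip("=")
    token += "=" * (-len(token) % 4)
    try:
        text = base64.b64decode(token, validate=True).decode("ascii")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    return text if text.isprintable() else None

def is_json_storage_url(text):
    """True when text is an http(s) URL on one of the listed services."""
    try:
        parsed = urlparse(text.strip())
    except ValueError:  # malformed netloc, e.g. unbalanced brackets
        return False
    host = (parsed.hostname or "").lower()
    return parsed.scheme in ("http", "https") and any(
        host == h or host.endswith("." + h) for h in JSON_STORAGE_HOSTS)

def scan_text(name, content):
    """Return (file, line number, decoded URL) for each masked storage URL."""
    findings = []
    for lineno, line in enumerate(content.splitlines(), 1):
        for match in B64_RUN.finditer(line):
            decoded = decode_candidate(match.group())
            if decoded and is_json_storage_url(decoded):
                findings.append((name, lineno, decoded))
    return findings

def build_sample():
    """Constructed .env content; the URLs and key names are placeholders."""
    enc = lambda s: base64.b64encode(s.encode()).decode()
    return "\n".join([
        "PORT=3000",
        "ANALYTICS_URL=" + enc("https://example.com/collect"),
        "API_KEY=" + enc("https://api.npoint.io/EXAMPLE-ID"),
    ])

if __name__ == "__main__":
    for finding in scan_text(".env", build_sample()):
        print("%s:%d decodes to %s" % finding)
```

Only masked values are reported; a storage-service URL written in plain text needs an ordinary string search instead.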
Indicators of Compromise