TZUTC: -0500
MSGID: 1723.consprcy@1:2320/105 2d81bce8
PID: Synchronet 3.21a-Linux master/123f2d28a Jul 12 2025 GCC 12.2.0
TID: SBBSecho 3.28-Linux master/123f2d28a Jul 12 2025 GCC 12.2.0
BBSID: CAPCITY2
CHRS: ASCII 1
FORMAT: flowed
JSON services hijacked by North Korean hackers to send out malware

Date:
Mon, 17 Nov 2025 15:00:24 +0000

Description:
Lazarus hackers using JSON to hide their tracks and appear legitimate in 
front of their victims.

FULL STORY

North Korean state-sponsored threat actors, part of the infamous Lazarus 
Group , have been seen hosting malware and other malicious code on JSON
storage services. 

Cybersecurity researchers NVISIO flagged they had seen attackers using JSON
Keeper, JSONsilo, and npoint.io in a bid to remain unseen and persistent in
their attacks. 

The attacks seem to be part of the Contagious Interview campaign. In it, the
miscreants would first create fake LinkedIn profiles and reach out to 
software developers either with enticing job offers, or to ask for help on a
coding project. During the back-and-forth, the crooks would ask the victims 
to download a demo project from GitHub, GitLab, or Bitbucket.

Deploying infostealers and backdoors

Now, NVISIO said that in one of the projects, it found a Base64-encoded value
that, even though it looks like an API key, its actually a URL to a JSON
storage service. In the storage, they found BeaverTail - an infostealer
malware and a loader that dropped a Python backdoor named InvisibleFerret, 
and TsunamiKit. 

The latter is a multi-stage malware toolkit written in Python and .NET, that
can serve either as an infostealer, or as a cryptojacker that installs XMRig
on the compromised device and forces it to mine the Monero currency. Some
researchers also said they spotted BeaverTrail deploying Tropidoor and
AkdoorTea. 

"It's clear that the actors behind Contagious Interview are not lagging 
behind and are trying to cast a very wide net to compromise any (software)
developer that might seem interesting to them, resulting in exfiltration of
sensitive data and crypto wallet information," the researchers warned. 

"The use of legitimate websites such as JSON Keeper, JSON Silo, and 
npoint.io, along with code repositories such as GitLab and GitHub, underlines
the actor's motivation and sustained attempts to operate stealthily and blend
in with normal traffic." 

 Via The Hacker News 

======================================================================
Link to news story:
https://www.techradar.com/pro/security/json-services-hijacked-by-north-korean-
hackers-to-send-out-malware

$$
--- SBBSecho 3.28-Linux
 * Origin: capitolcityonline.net * Telnet/SSH:2022/HTTP (1:2320/105)
SEEN-BY: 105/81 106/201 128/187 129/14 305 153/7715 154/110 218/700
SEEN-BY: 226/30 227/114 229/110 206 300 307 317 400 426 428 470 664
SEEN-BY: 229/700 705 266/512 291/111 320/219 322/757 342/200 396/45
SEEN-BY: 460/58 633/280 712/848 902/26 2320/0 105 304 3634/12 5075/35
PATH: 2320/105 229/426