
Just a sample of the Echomail archive

Cooperative anarchy at its finest, still active today. Darkrealms is the Zone 1 Hub.

   CONSPRCY      How big is your tinfoil hat?      2,445 messages   


   Message 1,966 of 2,445   
   Mike Powell to All   
   JSON services hijacked by   
   18 Nov 25 09:18:21   
   
   TZUTC: -0500   
   MSGID: 1723.consprcy@1:2320/105 2d81bce8   
   PID: Synchronet 3.21a-Linux master/123f2d28a Jul 12 2025 GCC 12.2.0   
   TID: SBBSecho 3.28-Linux master/123f2d28a Jul 12 2025 GCC 12.2.0   
   BBSID: CAPCITY2   
   CHRS: ASCII 1   
   FORMAT: flowed   
   JSON services hijacked by North Korean hackers to send out malware   
      
   Date:   
   Mon, 17 Nov 2025 15:00:24 +0000   
      
   Description:   
   Lazarus hackers using JSON to hide their tracks and appear legitimate in    
   front of their victims.   
      
   FULL STORY   
      
   North Korean state-sponsored threat actors, part of the infamous Lazarus
   Group, have been seen hosting malware and other malicious code on JSON
   storage services.
      
   Cybersecurity researchers NVISO flagged they had seen attackers using JSON
   Keeper, JSONsilo, and npoint.io in a bid to remain unseen and persistent in   
   their attacks.    
      
   The attacks seem to be part of the Contagious Interview campaign. In it, the   
   miscreants would first create fake LinkedIn profiles and reach out to    
   software developers either with enticing job offers, or to ask for help on a   
   coding project. During the back-and-forth, the crooks would ask the victims    
   to download a demo project from GitHub, GitLab, or Bitbucket.   
      
   Deploying infostealers and backdoors   
      
   Now, NVISO said that in one of the projects, it found a Base64-encoded value
   that, even though it looks like an API key, it's actually a URL to a JSON
   storage service. In the storage, they found BeaverTail - an infostealer   
   malware and a loader that dropped a Python backdoor named InvisibleFerret,    
   and TsunamiKit.    
      
   The latter is a multi-stage malware toolkit written in Python and .NET, that   
   can serve either as an infostealer, or as a cryptojacker that installs XMRig   
   on the compromised device and forces it to mine the Monero currency. Some   
   researchers also said they spotted BeaverTail deploying Tropidoor and
   AkdoorTea.    
      
   "It's clear that the actors behind Contagious Interview are not lagging    
   behind and are trying to cast a very wide net to compromise any (software)   
   developer that might seem interesting to them, resulting in exfiltration of   
   sensitive data and crypto wallet information," the researchers warned.    
      
   "The use of legitimate websites such as JSON Keeper, JSON Silo, and    
   npoint.io, along with code repositories such as GitLab and GitHub, underlines   
   the actor's motivation and sustained attempts to operate stealthily and blend   
   in with normal traffic."    
      
    Via The Hacker News    
      
   ======================================================================   
   Link to news story:   
   https://www.techradar.com/pro/security/json-services-hijacked-by-north-korean-hackers-to-send-out-malware
      
   $$   
   --- SBBSecho 3.28-Linux   
    * Origin: capitolcityonline.net * Telnet/SSH:2022/HTTP (1:2320/105)   
   SEEN-BY: 105/81 106/201 128/187 129/14 305 153/7715 154/110 218/700   
   SEEN-BY: 226/30 227/114 229/110 206 300 307 317 400 426 428 470 664   
   SEEN-BY: 229/700 705 266/512 291/111 320/219 322/757 342/200 396/45   
   SEEN-BY: 460/58 633/280 712/848 902/26 2320/0 105 304 3634/12 5075/35   
   PATH: 2320/105 229/426   
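
An added example, not part of the original message or the article: a reviewer-side check for the trick described above, where a config value that looks like an API key is really a Base64-encoded URL to a JSON storage service. The hostnames for JSON Keeper and JSONsilo are assumptions (only npoint.io is named in the article), and the sample config is constructed.

```python
import base64
import binascii
import re
from urllib.parse import urlsplit

# npoint.io is named in the article; the other two hostnames are assumed
# for the services it calls JSON Keeper and JSONsilo.
JSON_STORAGE_HOSTS = {"npoint.io", "jsonkeeper.com", "jsonsilo.com"}
# Runs of (standard or URL-safe) Base64 alphabet long enough to hold a URL.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/_-]{16,}={0,2}")


def decode_token(token):
    """Return decoded text if token is Base64 of printable ASCII, else None."""
    body = token.rstrip("=").replace("-", "+").replace("_", "/")
    body += "=" * (-len(body) % 4)  # restore padding that was stripped
    try:
        text = base64.b64decode(body, validate=True).decode("ascii")
    except (binascii.Error, ValueError):
        return None
    return text if text.isprintable() else None


def find_hidden_urls(source):
    """Return (line_no, url, is_json_storage) for Base64 values hiding URLs."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), 1):
        for token in B64_TOKEN.findall(line):
            text = decode_token(token)
            if not text or not text.lower().startswith(("http://", "https://")):
                continue
            host = (urlsplit(text).hostname or "").lower()
            known = any(host == h or host.endswith("." + h)
                        for h in JSON_STORAGE_HOSTS)
            findings.append((line_no, text, known))
    return findings


def _enc(s):
    return base64.b64encode(s.encode()).decode()

# Constructed sample of a demo project's .env file (placeholder URL path).
SAMPLE = "\n".join([
    "PORT=3000",
    "API_KEY=" + _enc("https://api.npoint.io/0000placeholder0000"),
    "SESSION_SECRET=" + _enc("just-a-random-secret-value"),
    "CDN_TOKEN=" + _enc("https://static.example.org/app.js"),
])

if __name__ == "__main__":
    for line_no, url, known in find_hidden_urls(SAMPLE):
        print(line_no, "JSON-STORAGE" if known else "encoded-url", url)
```

Any encoded URL in a "key" field is worth a look before running an unfamiliar project; a hit on a JSON storage host matches the pattern the article describes.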
      


