• JSON services hijacked by

    From Mike Powell@1:2320/105 to All on Tue Nov 18 09:18:21 2025
    JSON services hijacked by North Korean hackers to send out malware

    Date:
    Mon, 17 Nov 2025 15:00:24 +0000

    Description:
    Lazarus hackers using JSON to hide their tracks and appear legitimate in
    front of their victims.

    FULL STORY

    North Korean state-sponsored threat actors, part of the infamous Lazarus
    Group, have been seen hosting malware and other malicious code on JSON
    storage services.

    Cybersecurity researchers at NVISO reported seeing attackers use JSON Keeper, JSONsilo, and npoint.io in a bid to remain unseen and persistent in their attacks.

    The attacks seem to be part of the Contagious Interview campaign. In it, the miscreants would first create fake LinkedIn profiles and reach out to
    software developers either with enticing job offers, or to ask for help on a coding project. During the back-and-forth, the crooks would ask the victims
    to download a demo project from GitHub, GitLab, or Bitbucket.

    Deploying infostealers and backdoors

    Now, NVISO said that in one of the projects it found a Base64-encoded value that looks like an API key but is actually a URL to a JSON storage service. In the storage, they found BeaverTail - an infostealer
    malware and a loader that dropped a Python backdoor named InvisibleFerret,
    and TsunamiKit.

    The latter is a multi-stage malware toolkit written in Python and .NET that can serve either as an infostealer or as a cryptojacker that installs XMRig
    on the compromised device and forces it to mine the Monero currency. Some researchers also said they spotted BeaverTail deploying Tropidoor and AkdoorTea.

    "It's clear that the actors behind Contagious Interview are not lagging
    behind and are trying to cast a very wide net to compromise any (software) developer that might seem interesting to them, resulting in exfiltration of sensitive data and crypto wallet information," the researchers warned.

    "The use of legitimate websites such as JSON Keeper, JSON Silo, and
    npoint.io, along with code repositories such as GitLab and GitHub, underlines the actor's motivation and sustained attempts to operate stealthily and blend in with normal traffic."

    Via The Hacker News

    ======================================================================
    Link to news story: https://www.techradar.com/pro/security/json-services-hijacked-by-north-korean-hackers-to-send-out-malware

    --- SBBSecho 3.28-Linux
    * Origin: capitolcityonline.net * Telnet/SSH:2022/HTTP (1:2320/105)
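
The story above describes a Base64 value that looks like an API key but decodes to a JSON storage URL; a downloaded demo project can be checked for such values before it is run. This is an added example, not code from NVISO or from the original post; the hostnames in WATCHED_HOSTS and the sample .env contents are assumptions constructed for illustration.

```python
import base64
import re
from urllib.parse import urlsplit

# Assumed hostnames for the services named in the story; adjust to your own watch list.
WATCHED_HOSTS = ("jsonkeeper.com", "jsonsilo.com", "npoint.io")
# Runs of (standard or URL-safe) Base64 characters long enough to hold a URL.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/_-]{16,}={0,2}")

# Constructed sample: a demo project's .env whose "API key" is really an encoded URL.
HIDDEN_VALUE = base64.b64encode(b"https://api.npoint.io/constructed-example").decode()
SAMPLE_ENV = f"PORT=3000\nAPI_KEY={HIDDEN_VALUE}\nSESSION_SECRET=4f9d2c7a81b34e6fa0c55d1e7b9a2f60\n"


def decode_token(token):
    """Return the printable ASCII text a Base64 token decodes to, else None."""
    padded = token + "=" * (-len(token) % 4)  # tolerate stripped padding
    try:
        text = base64.b64decode(padded, altchars=b"-_", validate=True).decode("ascii")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    return text if text.isprintable() else None


def find_hidden_urls(text):
    """Return (line_no, url, host_is_watched) for Base64 values that decode to a URL."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for token in B64_TOKEN.findall(line):
            url = decode_token(token)
            if not url or not url.startswith(("http://", "https://")):
                continue
            try:
                host = (urlsplit(url).hostname or "").lower()
            except ValueError:  # malformed authority, e.g. unbalanced IPv6 brackets
                host = ""
            watched = any(host == h or host.endswith("." + h) for h in WATCHED_HOSTS)
            hits.append((line_no, url, watched))
    return hits


if __name__ == "__main__":
    for line_no, url, watched in find_hidden_urls(SAMPLE_ENV):
        label = "WATCHED JSON storage host" if watched else "encoded URL"
        print(f"line {line_no}: {label}: {url}")
```

Any encoded URL in a configuration value deserves a look, so hits on hosts outside the watch list are still returned with the flag set to False.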
