Close Menu
  • Home
  • News
  • Cyber Security
  • Internet of Things
  • Tips and Advice

Subscribe to Updates

Get the latest creative news from FooBar about art, design and business.

What's Hot

CMC Releases Analysis and Guidance for Education Sector After Canvas D

June 26, 2026

DragonForce Hackers Abuse Microsoft Teams Relays to Hide Backdoor.Turn C2 Traffic

June 26, 2026

macOS Flaw Lets Standard Users Disable EDR and MDM

June 26, 2026
Facebook X (Twitter) Instagram
Friday, June 26
Facebook X (Twitter) Instagram Pinterest Vimeo
Cyberwire Daily
  • Home
  • News
  • Cyber Security
  • Internet of Things
  • Tips and Advice
Cyberwire Daily
Home»News»North Korean Hackers Turn JSON Services into Covert Malware Delivery Channels
News

North Korean Hackers Turn JSON Services into Covert Malware Delivery Channels

Team-CWDBy Team-CWDNovember 24, 2025No Comments2 Mins Read
Share Facebook Twitter Pinterest LinkedIn Tumblr Reddit Telegram Email
Share
Facebook Twitter LinkedIn Pinterest Email


The North Korean threat actors behind the Contagious Interview campaign have once again tweaked their tactics by using JSON storage services to stage malicious payloads.

“The threat actors have recently resorted to utilizing JSON storage services like JSON Keeper, JSONsilo, and npoint.io to host and deliver malware from trojanized code projects, with the lure,” NVISO researchers Bart Parys, Stef Collart, and Efstratios Lontzetidis said in a Thursday report.

The campaign essentially involves approaching prospective targets on professional networking sites like LinkedIn, either under the pretext of conducting a job assessment or collaborating on a project, as part of which they are instructed to download a demo project hosted on platforms like GitHub, GitLab, or Bitbucket.

In one such project spotted by NVISO, it has been found that a file named “server/config/.config.env” contains a Base64-encoded value that masquerades as an API key, but, in reality, is a URL to a JSON storage service like JSON Keeper where the next-stage payload is stored in obfuscated format.

The payload is a JavaScript malware known as BeaverTail, which is capable of harvesting sensitive data and dropping a Python backdoor called InvisibleFerret. While the functionality of the backdoor has remained largely unchanged from when it was first documented by Palo Alto Networks in late 2023, one notable change involves fetching an additional payload dubbed TsunamiKit from Pastebin.

It’s worth noting that the use of TsunamiKit as part of the Contagious Interview campaign was highlighted by ESET back in September 2025, with the attacks also dropping Tropidoor and AkdoorTea. The toolkit is capable of system fingerprinting, data collection, and fetching more payloads from a hard-coded .onion address that’s currently offline.

“It’s clear that the actors behind Contagious Interview are not lagging behind and are trying to cast a very wide net to compromise any (software) developer that might seem interesting to them, resulting in exfiltration of sensitive data and crypto wallet information,” the researchers concluded.

“The use of legitimate websites such as JSON Keeper, JSON Silo, and npoint.io, along with code repositories such as GitLab and GitHub, underlines the actor’s motivation and sustained attempts to operate stealthily and blend in with normal traffic.”



Source

computer security cyber attacks cyber news cyber security news cyber security news today cyber security updates cyber updates data breach hacker news hacking news how to hack information security network security ransomware malware software vulnerability the hacker news
Share. Facebook Twitter Pinterest LinkedIn Tumblr Email
Previous ArticleFlaws Expose Risks in Fluent Bit Logging Agent
Next Article Russian-linked Malware Campaign Hides in Blender 3D Files
Team-CWD
  • Website

Related Posts

News

CMC Releases Analysis and Guidance for Education Sector After Canvas D

June 26, 2026
News

DragonForce Hackers Abuse Microsoft Teams Relays to Hide Backdoor.Turn C2 Traffic

June 26, 2026
News

macOS Flaw Lets Standard Users Disable EDR and MDM

June 26, 2026
Add A Comment
Leave A Reply Cancel Reply

Latest News

North Korean Hackers Turn JSON Services into Covert Malware Delivery Channels

November 24, 202522 Views

macOS Stealer Campaign Uses “Cracked” App Lures to Bypass Apple Securi

September 7, 202517 Views

North Korean Hackers Target Crypto Firms with ClickFix and Zoom Lures

April 29, 202610 Views

Why SOC Burnout Can Be Avoided: Practical Steps

November 14, 20259 Views

Cyber M&A Roundup: Cyber Giants Strengthen AI Security Offerings

December 1, 20258 Views
Stay In Touch
  • Facebook
  • YouTube
  • TikTok
  • WhatsApp
  • Twitter
  • Instagram
Most Popular

North Korean Hackers Turn JSON Services into Covert Malware Delivery Channels

November 24, 202522 Views

macOS Stealer Campaign Uses “Cracked” App Lures to Bypass Apple Securi

September 7, 202517 Views

North Korean Hackers Target Crypto Firms with ClickFix and Zoom Lures

April 29, 202610 Views
Our Picks

What if your romantic AI chatbot can’t keep a secret?

November 18, 2025

Here’s how to avoid a ‘second strike’

April 11, 2026

In memoriam: David Harley

November 12, 2025

Subscribe to Updates

Get the latest news from cyberwiredaily.com

Facebook X (Twitter) Instagram Pinterest
  • Home
  • Contact
  • Privacy Policy
  • Terms of Use
  • California Consumer Privacy Act (CCPA)
© 2026 All rights reserved.

Type above and press Enter to search. Press Esc to cancel.