Developers remain a high-value target: Researchers highlighted that the campaign specifically targets developers involved in crypto and Web3 projects, using realistic-sounding personas and demo applications (real estate, DeFi, game forks) to lower suspicion. The state-linked actors’ shift from direct payload hosting to abusing legitimate JSON storage services suggests that even benign developer-centric platforms are now being weaponized to bypass detection and exploit trust in tech workflows.

Because the attack blends legitimate platforms (GitLab/GitHub, JSON Keeper/npoint) with obfuscated payloads, defenders must treat code provenance as part of security hygiene. Running code in fully isolated sandboxes, auditing any external URLs or keys in config files before executing, and blocking unusual outbound requests to known JSON-storage endpoints and IOCs NVISO listed might help, researchers added.

“Never run code from an unknown repository or from a ‘recruiter’ as part of any first interview, especially when contact has been recently established,” researchers warned. “If needed, inspect the configuration files for any signs of malicious activity.”

NVISO has flagged a list of email addresses used to upload the malware to JSON services, repositories hosting malicious code, a GitHub account linked to the campaign, JSON storage URLs, and BeaverTail/InvisibleFerret C2 servers for developers. Additionally, representatives of the JSON storage services were informed of the abuse and are reportedly working on removing all malicious content.
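One way to do the config-file audit recommended above before running an unfamiliar repository, as an added example that is not code from the article or from NVISO: it flags values that point at JSON storage services, including values hidden behind base64. The hostnames, the choice of base64 as the encoding to check, and the sample config are assumptions constructed for illustration.

```python
import base64
import binascii
import re
from urllib.parse import urlparse

# Assumption: hostnames of the JSON storage services the article names
# (JSON Keeper, npoint). Extend with the endpoints from NVISO's IOC list.
JSON_STORAGE_HOSTS = ("jsonkeeper.com", "npoint.io")
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
B64_RE = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")


def flagged(url):
    """True if the URL's host is a listed JSON storage service or a subdomain."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in JSON_STORAGE_HOSTS)


def decode_b64(token):
    """Decode a base64-looking token to text, or return '' if it is not text."""
    try:
        padded = token + "=" * (-len(token) % 4)
        return base64.b64decode(padded, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return ""


def audit_config(text):
    """Return (line_no, encoding, url) for every flagged URL, plain or base64."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        candidates = [("plain", line)]
        candidates += [("base64", decode_b64(t)) for t in B64_RE.findall(line)]
        for encoding, chunk in candidates:
            for url in URL_RE.findall(chunk):
                if flagged(url):
                    findings.append((line_no, encoding, url))
    return findings


# Constructed sample: a .env-style config as it might ship in a "demo" repo.
encoded = base64.b64encode(b"https://jsonkeeper.com/b/EXAMPLE").decode()
SAMPLE_CONFIG = "\n".join([
    "DOCS_URL=https://example.com/docs",
    f"API_KEY={encoded}",
    "PROFILE=https://api.npoint.io/0000placeholder",
])

if __name__ == "__main__":
    print(audit_config(SAMPLE_CONFIG))
```

A clean result only means none of the listed hosts appear in plain or base64 form; it does not replace running the code in an isolated sandbox.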
First seen on csoonline.com
Jump to article: www.csoonline.com/article/4090979/north-koreas-job-test-trap-upgrades-to-json-malware-dropboxes.html

