North Korean APTs Exploit JSON-Based Cloud APIs for Covert Malware Delivery and C2 Operations
- Rescana

Executive Summary
Recent intelligence has revealed that North Korean state-sponsored threat actors are leveraging legitimate JSON-based web services as covert channels for malware delivery and command-and-control (C2) operations. This innovative tactic exploits the ubiquity and trust associated with JSON data formats and cloud-based APIs, enabling adversaries to bypass traditional security controls and evade detection. The campaign demonstrates a significant evolution in the threat landscape, as attackers increasingly weaponize benign internet infrastructure to facilitate advanced persistent threats (APTs). Organizations across sectors, particularly those in critical infrastructure, defense, and technology, must be vigilant against these sophisticated techniques, which blend living-off-the-land tactics with novel abuse of web technologies.
Threat Actor Profile
The primary actors behind this campaign are believed to be affiliated with Lazarus Group and other North Korean APTs such as APT37 and Kimsuky. These groups are well-documented for their cyber-espionage, financial theft, and disruptive operations, often acting on behalf of the Democratic People’s Republic of Korea (DPRK). Their operations are characterized by rapid adaptation to new technologies, use of custom malware, and exploitation of both zero-day and known vulnerabilities. The groups have a history of targeting government agencies, defense contractors, financial institutions, and cryptocurrency exchanges, with a strategic focus on intelligence gathering and revenue generation to support the DPRK regime.
Technical Analysis of Malware/TTPs
The latest campaign leverages JSON-based web services such as GitHub Gist, Pastebin, and legitimate cloud APIs to host and deliver malicious payloads. Attackers encode malware configuration data, C2 instructions, and even full payloads within JSON objects, which are then retrieved by compromised hosts via standard HTTP(S) requests. This approach allows malicious traffic to blend seamlessly with legitimate web service usage, complicating detection by network security appliances.
The initial infection vector often involves spear-phishing emails containing weaponized documents or links. Upon execution, a lightweight loader—typically written in Python, PowerShell, or JavaScript—contacts a remote JSON service to fetch further instructions or payloads. The loader parses the JSON response, which may contain base64-encoded shellcode, URLs for secondary payloads, or dynamic C2 endpoints. In some observed cases, the malware uses steganography to hide malicious code within seemingly innocuous JSON fields.
Persistence is achieved through registry modifications, scheduled tasks, or abuse of legitimate system binaries (LOLBins). The malware exhibits modularity, allowing operators to update C2 infrastructure or payloads in real time by simply modifying the hosted JSON content. Exfiltration of data is performed via encrypted JSON POST requests to attacker-controlled endpoints, further obfuscating malicious activity.
Detection is further hampered by the use of TLS/SSL encryption, domain fronting, and frequent rotation of cloud service accounts. The attackers also employ anti-analysis techniques such as environment checks, sandbox evasion, and delayed execution to thwart automated detection and forensic analysis.
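The technique above turns an ordinary JSON document into a carrier for base64-encoded payloads and next-stage URLs. The following inspector is an added example, not code from the advisory or from any vendor named here: it walks a JSON body (as a proxy, sandbox or DLP hook might) and flags string fields that decode to high-entropy base64 blobs or that embed URLs. The sample documents, the field names and the hostname `gist.example.test` are constructed for the demonstration and are not indicators from the report.

```python
import base64
import json
import math
import re
from urllib.parse import urlparse

# Constructed sample shaped like the config-style JSON the advisory describes:
# a few innocuous keys, one large base64 blob, and a next-stage URL.
# Not a real sample; all values are made up for this example.
SAMPLE_JSON = json.dumps({
    "version": "1.0",
    "theme": "dark",
    "cfg": base64.b64encode(bytes(range(256)) * 4).decode(),   # 1024 uniform bytes -> entropy 8.0
    "next": "https://gist.example.test/raw/stage2.json",       # hypothetical host
    "sleep": 3600,
})

# Constructed benign document for comparison.
BENIGN_JSON = json.dumps({"name": "demo", "items": [1, 2, 3], "note": "hello world"})

# Long runs of the standard base64 alphabet only; short values are ignored.
B64_RE = re.compile(r"^[A-Za-z0-9+/=]{64,}$")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; compressed or encrypted content sits near 8.0."""
    if not data:
        return 0.0
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def walk(obj, path=""):
    """Yield (json-path, leaf value) pairs for every scalar in the document."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield from walk(v, f"{path}.{k}" if path else k)
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            yield from walk(v, f"{path}[{i}]")
    else:
        yield path, obj


def inspect_json(text: str, min_entropy: float = 6.0):
    """Return a list of (path, finding, detail) for suspicious string fields.

    Findings: a base64 field whose decoded bytes exceed min_entropy (likely
    packed/encrypted code or config), or a field carrying an embedded URL
    (a possible next-stage or C2 pointer). Non-JSON input yields no findings.
    """
    findings = []
    try:
        doc = json.loads(text)
    except json.JSONDecodeError:
        return findings
    for path, value in walk(doc):
        if not isinstance(value, str):
            continue
        if B64_RE.match(value):
            try:
                raw = base64.b64decode(value, validate=True)
            except ValueError:          # binascii.Error is a ValueError subclass
                continue
            ent = shannon_entropy(raw)
            if ent >= min_entropy:
                findings.append((path, "high-entropy base64 blob", round(ent, 2)))
        elif value.startswith(("http://", "https://")):
            host = urlparse(value).hostname or ""
            findings.append((path, "embedded url", host))
    return findings


def is_suspicious(text: str) -> bool:
    """True when the document carries at least one high-entropy blob."""
    return any(f[1] == "high-entropy base64 blob" for f in inspect_json(text))


if __name__ == "__main__":
    for label, doc in (("sample", SAMPLE_JSON), ("benign", BENIGN_JSON)):
        print(label, inspect_json(doc), "suspicious" if is_suspicious(doc) else "clean")
```

The entropy threshold is deliberately moderate: base64-wrapped English text decodes to roughly 4 to 5 bits per byte, while compressed or encrypted payloads approach 8, so 6.0 separates the two without flagging ordinary serialized settings. Pair the content finding with the source (a paste or gist raw endpoint) before escalating, since legitimate tooling also ships base64 in JSON.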
Exploitation in the Wild
Multiple incidents have been documented in which organizations across North America, Europe, and Asia have been compromised through this technique. Notably, the attackers have targeted supply chain partners and third-party vendors, exploiting trust relationships to propagate malware laterally. In several cases, security teams initially overlooked the malicious activity due to the use of reputable web services and the absence of traditional indicators of compromise (IOCs) such as known malicious domains or file hashes.
Incident response investigations have revealed that the attackers maintained long-term access to victim environments, using the JSON-based C2 channels to issue commands, deploy additional tools, and exfiltrate sensitive data. The use of cloud-based JSON services enabled rapid reconfiguration of infrastructure, allowing the threat actors to evade takedowns and blacklisting efforts. In some instances, the attackers leveraged compromised developer accounts to host malicious JSON payloads, further complicating attribution and remediation.
Victimology and Targeting
The primary targets of this campaign include defense contractors, government agencies, technology firms, and financial institutions, with a particular emphasis on organizations involved in research and development, critical infrastructure, and cryptocurrency. The attackers demonstrate a high degree of reconnaissance, tailoring spear-phishing lures and malware payloads to specific victims. Secondary targeting has been observed against supply chain partners and service providers, enabling the attackers to pivot into high-value networks.
Geographically, victims have been identified in the United States, South Korea, Japan, and several European countries. The selection of targets aligns with the strategic objectives of the DPRK, including intelligence collection, intellectual property theft, and financial gain. The campaign’s reliance on trusted web services and cloud infrastructure increases the risk of collateral damage, as benign organizations may inadvertently facilitate malicious activity.
Mitigation and Countermeasures
To defend against this evolving threat, organizations should implement a multi-layered security strategy. Network monitoring should be enhanced to detect anomalous outbound connections to JSON-based web services, particularly those not required for business operations. Security teams should deploy advanced endpoint detection and response (EDR) solutions capable of identifying suspicious process behaviors, such as unauthorized script execution and dynamic code loading.
Application whitelisting and strict egress filtering can limit the ability of malware to communicate with external JSON services. Regular auditing of cloud service usage and developer accounts is essential to prevent abuse and detect unauthorized activity. Security awareness training should emphasize the risks associated with spear-phishing and social engineering, as these remain primary infection vectors.
Threat intelligence feeds should be integrated to provide up-to-date indicators related to North Korean APTs, including known C2 infrastructure and TTPs. Incident response plans must be updated to account for the abuse of legitimate web services and the challenges associated with attribution and remediation. Collaboration with cloud service providers can facilitate rapid takedown of malicious content and accounts.
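The network-monitoring and EDR recommendations above come down to two questions: which processes talk to JSON-hosting services, and do they do so on a fixed schedule? The following analyzer is an added example, not code from the advisory or from any vendor named here. It runs two detections over constructed proxy log lines (timestamp, host, process, destination, path): a script interpreter reaching a paste or gist endpoint, and periodic beaconing to one destination with very low timing jitter. The log lines, hostnames, process names and the domain lists are constructed for the demonstration; tune the lists to your own environment.

```python
import statistics
from collections import defaultdict
from datetime import datetime
from typing import List, NamedTuple

# Constructed proxy/EDR log lines, not from the advisory.
# Format: <iso-timestamp> <endpoint> <process> <destination-host> <path>
LOG_LINES = """\
2024-05-01T10:00:00 ws-17 python.exe gist.githubusercontent.com /raw/cfg.json
2024-05-01T10:10:01 ws-17 python.exe gist.githubusercontent.com /raw/cfg.json
2024-05-01T10:20:00 ws-17 python.exe gist.githubusercontent.com /raw/cfg.json
2024-05-01T10:30:02 ws-17 python.exe gist.githubusercontent.com /raw/cfg.json
2024-05-01T10:05:00 ws-22 chrome.exe github.com /org/repo
2024-05-01T10:07:00 ws-22 chrome.exe api.github.com /repos/org/repo/issues
2024-05-01T10:31:00 ws-09 powershell.exe pastebin.com /raw/AbCd1234
2024-05-01T11:00:00 ws-22 git.exe api.github.com /repos/org/repo
""".strip().splitlines()

# Interpreters the advisory names as loader languages, plus common LOLBin script hosts.
SCRIPT_INTERPRETERS = {
    "python.exe", "python3", "pwsh.exe", "powershell.exe",
    "wscript.exe", "cscript.exe", "mshta.exe", "node.exe",
}

# Services that serve raw JSON/text and that the advisory lists as abused (illustrative set).
JSON_HOSTING = {
    "gist.githubusercontent.com", "raw.githubusercontent.com",
    "api.github.com", "pastebin.com",
}


class Event(NamedTuple):
    ts: datetime
    host: str
    process: str
    dest: str
    path: str


class Alert(NamedTuple):
    rule: str
    host: str
    process: str
    dest: str
    detail: str


def parse(line: str) -> Event:
    ts, host, proc, dest, path = line.split(maxsplit=4)
    return Event(datetime.fromisoformat(ts), host, proc.lower(), dest.lower(), path)


def analyze(lines: List[str], min_hits: int = 4, max_cv: float = 0.15) -> List[Alert]:
    """Apply both detections and return alerts in deterministic (sorted) order.

    script_to_json_host: a script interpreter contacted a JSON-hosting service.
    periodic_beacon:     >= min_hits requests from one (host, process, dest) whose
                         inter-request gaps have a coefficient of variation <= max_cv,
                         i.e. a fixed sleep with little jitter.
    """
    groups = defaultdict(list)
    for ev in map(parse, lines):
        groups[(ev.host, ev.process, ev.dest)].append(ev.ts)

    alerts = []
    for (host, proc, dest), stamps in sorted(groups.items()):
        if proc in SCRIPT_INTERPRETERS and dest in JSON_HOSTING:
            alerts.append(Alert("script_to_json_host", host, proc, dest,
                                f"{len(stamps)} request(s)"))
        if len(stamps) >= min_hits:
            stamps.sort()
            gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
            mean = statistics.mean(gaps)
            if mean > 0:
                cv = statistics.stdev(gaps) / mean
                if cv <= max_cv:
                    alerts.append(Alert("periodic_beacon", host, proc, dest,
                                        f"~{mean:.0f}s interval, cv={cv:.3f}"))
    return alerts


if __name__ == "__main__":
    for a in analyze(LOG_LINES):
        print(f"[{a.rule}] {a.host} {a.process} -> {a.dest} ({a.detail})")
```

A browser or `git.exe` talking to `api.github.com` produces nothing, which is the point: the signal is the combination of an interpreter process, a raw-content host and a regular cadence, not the destination alone. In production the same grouping would run over a sliding window, and the JSON_HOSTING set would be replaced by the organization's own list of services not required for business use.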
References
Key references for this advisory include technical analyses from Mandiant, CrowdStrike, and Microsoft Threat Intelligence, as well as public reporting from CISA, Kaspersky, and Recorded Future. Additional insights were drawn from open-source threat intelligence platforms and recent incident response case studies involving Lazarus Group and related North Korean APTs.
About Rescana
Rescana is a leader in third-party risk management (TPRM), providing organizations with a comprehensive platform to assess, monitor, and mitigate cyber risks across their extended supply chain. Our advanced analytics and continuous monitoring capabilities empower security teams to proactively identify emerging threats and safeguard critical assets. For more information or to discuss how we can help strengthen your organization’s cyber resilience, please contact us at ops@rescana.com.