North Korean hackers have adapted their strategies by using JSON storage services to deliver malware, according to a report by NVISO researchers. The campaign, linked to the “Contagious Interview” operation, targets software developers through professional networking sites like LinkedIn, encouraging them to download malicious code disguised as legitimate projects hosted on platforms like GitHub and GitLab. These hackers utilize JSON Keeper and similar services to host malicious payloads, which include a JavaScript malware known as BeaverTail. This malware is designed to harvest sensitive data and deploy a Python backdoor called InvisibleFerret. The researchers emphasize that the use of legitimate websites for malware delivery demonstrates a concerted effort by these actors to operate stealthily while compromising potential targets.
Ransomware activity has reached unprecedented levels, with 85 active ransomware and extortion groups reported in the third quarter of 2025. According to Check Point Research, these groups disclosed 1,590 victims across various leak sites, indicating a decentralized ransomware ecosystem that continues to thrive despite law enforcement efforts. The emergence of 14 new ransomware brands illustrates the rapid reconstitution of affiliates following takedowns of larger operations, while LockBit’s return with version 5.0 suggests a potential shift back toward centralization in the ransomware landscape. The report highlights that as enforcement actions disrupt large groups, smaller, independent operations are becoming more prevalent, complicating the tracking and prediction of ransomware activities for cybersecurity professionals.
Why do we care?
The bad guys are hiding in plain sight. They’re using GitHub, GitLab, JSON stores — the exact same places your developers pull code and config from every single day. That means the old idea of “just block the sketchy stuff” doesn’t work anymore. This is legitimate traffic being weaponized, and unless you understand what normal behavior looks like in your customer environments, you’re going to miss this.
And the ransomware data tells a similar story: we’re not winning. We’re just knocking down the big names, and as soon as that happens, the affiliates scatter, launch their own brands, and keep going. Smaller groups move faster, break patterns, and make intel feeds less useful. LockBit popping back up with 5.0 shows the cycle just repeats.
So MSPs have to stop relying on the idea that big takedowns buy us time. They don’t. The only thing that matters is whether you can spot weird behavior — weird JSON pulls, weird interpreter activity, weird process chains. It’s about what’s happening on the endpoint, not who the ransomware brand is this month.
Clients need to hear that message too. Threats aren’t going down. They’re just getting harder to recognize. The job now is visibility, not wishful thinking.
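As an added example (not from the NVISO or Check Point reports), here is one way to express the "weird JSON pulls, weird process chains" idea as a detection rule: flag an interpreter that pulls from a JSON storage host and then spawns another interpreter. The telemetry records, field names and the one-entry watchlist are constructed assumptions, not a real EDR schema.

```python
import os

INTERPRETERS = {"node", "python", "python3"}
# Assumed watchlist: JSON Keeper is the service named above; add the JSON
# storage hosts that are not part of normal traffic in the environment.
JSON_STORES = {"jsonkeeper.com"}

# Constructed, time-ordered telemetry. Field names are assumptions.
EVENTS = [
    {"type": "proc", "pid": 200, "ppid": 150, "image": "/usr/bin/node"},
    {"type": "net", "pid": 200, "host": "jsonkeeper.com"},
    {"type": "proc", "pid": 210, "ppid": 200, "image": "/usr/bin/python3"},
    # Package install building a native module: node spawns python, no JSON store pull
    {"type": "proc", "pid": 300, "ppid": 150, "image": "/usr/bin/node"},
    {"type": "net", "pid": 300, "host": "registry.npmjs.org"},
    {"type": "proc", "pid": 310, "ppid": 300, "image": "/usr/bin/python3"},
    # Developer fetching a JSON document by hand: not an interpreter
    {"type": "proc", "pid": 400, "ppid": 150, "image": "/usr/bin/curl"},
    {"type": "net", "pid": 400, "host": "www.jsonkeeper.com"},
    # Lookalike host must not match the watchlist
    {"type": "proc", "pid": 500, "ppid": 150, "image": "C:\\Tools\\node.exe"},
    {"type": "net", "pid": 500, "host": "notjsonkeeper.com"},
    {"type": "proc", "pid": 510, "ppid": 500, "image": "C:\\Python\\python.exe"},
]

def base(image):
    """Normalise a process image path to a lowercase name without .exe."""
    name = os.path.basename(image.replace("\\", "/")).lower()
    return name[:-4] if name.endswith(".exe") else name

def is_json_store(host):
    """Match the watchlist domain itself or any subdomain of it."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in JSON_STORES)

def find_suspicious_chains(events):
    """Flag: interpreter pulls from a JSON store, then spawns an interpreter."""
    procs, pulled, findings = {}, {}, []
    for ev in events:
        if ev["type"] == "proc":
            procs[ev["pid"]] = ev
            if ev["ppid"] in pulled and base(ev["image"]) in INTERPRETERS:
                parent = base(procs[ev["ppid"]]["image"])
                findings.append({"parent_pid": ev["ppid"], "child_pid": ev["pid"],
                                 "host": pulled[ev["ppid"]],
                                 "chain": f"{parent} -> {base(ev['image'])}"})
        elif ev["type"] == "net":
            proc = procs.get(ev["pid"])
            if proc and base(proc["image"]) in INTERPRETERS and is_json_store(ev["host"]):
                pulled[ev["pid"]] = ev["host"].lower()
    return findings
```

The rule keys on behavior rather than on a malware family name, so it only stays useful if the watchlist and interpreter set reflect what is normal in each customer environment.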

