{"id":23009,"date":"2025-11-04T08:00:35","date_gmt":"2025-11-04T01:00:35","guid":{"rendered":"https:\/\/fpt-is.com\/en\/?post_type=goc_nhin_so&#038;p=23009"},"modified":"2026-01-20T10:25:03","modified_gmt":"2026-01-20T03:25:03","slug":"a-gateway-for-north-korean-hackers","status":"publish","type":"goc_nhin_so","link":"https:\/\/fpt-is.com\/en\/insights\/a-gateway-for-north-korean-hackers\/","title":{"rendered":"Thought It Was a Work Appointment, Turns Out It Was a Gateway for North Korean Hackers"},"content":{"rendered":"<p><span style=\"font-family: arial, helvetica, sans-serif\">Recently, researchers discovered a sophisticated campaign using\u00a0<strong>Telegram<\/strong>\u00a0to impersonate real employees in target companies and create fake websites resembling\u00a0<strong>Calendly<\/strong>\u00a0and\u00a0<strong>Picktime<\/strong>\u00a0to schedule meetings with victims.<\/span><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif\">This campaign has been attributed to the North Korean cybercrime group\u00a0<strong>Lazarus Group,<\/strong>\u00a0known for cyberattacks targeting finance, espionage, and stealing cryptocurrency.<\/span><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif\" data-rmiz=\"\"><a href=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2025\/10\/Lazarus-malware-1759394551.jpg\"><img decoding=\"async\" class=\"aligncenter size-full wp-image-23001\" src=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2025\/10\/Lazarus-malware-1759394551.jpg\" alt=\"Lazarus Malware 1759394551\" width=\"728\" height=\"380\" srcset=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2025\/10\/Lazarus-malware-1759394551.jpg 728w, https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2025\/10\/Lazarus-malware-1759394551-700x365.jpg 700w\" sizes=\"(max-width: 728px) 100vw, 728px\" \/><\/a><br \/>\n<\/span><\/p>\n<h2 id=\"heading-about-lazarus-group\" class=\"permalink-heading\"><span style=\"font-size: 12pt;font-family: arial, helvetica, sans-serif\"><strong>About Lazarus Group<\/strong><\/span><\/h2>\n<p><span style=\"font-family: arial, helvetica, sans-serif\"><strong>Lazarus Group<\/strong>\u00a0is a notorious hacker group (APT &#8211; Advanced Persistent Threat) believed to be closely linked to the\u00a0<strong>North Korean government<\/strong>. This group has been active since the early 2000s and is known for its\u00a0<strong>cyber espionage, sabotage, financial theft<\/strong>, and large-scale cyberattacks worldwide.<\/span><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif\"><strong>Some Notable Campaigns:<\/strong><\/span><\/p>\n<ul>\n<li><span style=\"font-family: arial, helvetica, sans-serif\"><strong>Sony Pictures Hack (2014):<\/strong>\u00a0Caused leaks of internal data, emails, and unreleased films. It also marked the beginning of Lazarus&#8217;s\u00a0<strong>public sabotage attacks.<\/strong><\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\"><strong>Bangladesh Bank Heist (2016):<\/strong>\u00a0Attacked the central bank of Bangladesh, attempting to transfer\u00a0<strong>nearly 1 billion USD<\/strong>\u00a0through the SWIFT system. Before being discovered, they successfully stole\u00a0<strong>81 million USD.<\/strong><\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\"><strong>WannaCry Ransomware Attack (2017):<\/strong>\u00a0A global ransomware attack that encrypted data and demanded Bitcoin ransom. The campaign caused damage to hundreds of thousands of computers in 150 countries.<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\"><strong>Attacks on Cryptocurrency Exchanges (2017\u2013present):<\/strong>\u00a0Lazarus increasingly focuses on\u00a0<strong>cryptocurrency<\/strong>\u00a0to\u00a0<strong>evade international sanctions.<\/strong>\u00a0The total estimated damage amounts to\u00a0<strong>billions of USD.<\/strong><\/span><\/li>\n<\/ul>\n<h2 id=\"heading-main-impact\" class=\"permalink-heading\"><span style=\"font-size: 12pt;font-family: arial, helvetica, sans-serif\"><strong>Main Impact<\/strong><\/span><\/h2>\n<ul>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">Theft of\u00a0<strong>cryptocurrency wallet keys<\/strong>\u00a0and login credentials.<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\"><strong>Leak of digital assets<\/strong>\u00a0worth tens of millions of USD.<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">Installation of remote access tools (RAT), leading to loss of system control.<\/span><\/li>\n<\/ul>\n<h2 id=\"heading-campaign-details\" class=\"permalink-heading\"><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\"><strong>Campaign Details<\/strong><\/span><\/h2>\n<p><span style=\"font-family: arial, helvetica, sans-serif\" data-rmiz=\"\"><a href=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2025\/10\/attack-overview-1759394633.jpg\"><img decoding=\"async\" class=\"aligncenter size-full wp-image-23002\" src=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2025\/10\/attack-overview-1759394633.jpg\" alt=\"Attack Overview 1759394633\" width=\"768\" height=\"721\" srcset=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2025\/10\/attack-overview-1759394633.jpg 768w, https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2025\/10\/attack-overview-1759394633-700x657.jpg 700w\" sizes=\"(max-width: 768px) 100vw, 768px\" \/><\/a><br \/>\n<\/span><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif\">The hacker group\u00a0<strong>Lazarus Group<\/strong>\u00a0will carry out four main stages in this campaign. Initially, the attackers will conduct phishing through Telegram, where they impersonate employees of a trading company to approach victims. Here, the attacker sets up appointments by leading to fake websites mimicking scheduling services like\u00a0<strong>Calendly<\/strong>\u00a0or\u00a0<strong>Picktime<\/strong>.<\/span><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif\" data-rmiz=\"\"><a href=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2025\/10\/image-1-1759394663.jpg\"><img decoding=\"async\" class=\"aligncenter size-full wp-image-23003\" src=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2025\/10\/image-1-1759394663.jpg\" alt=\"Image 1 1759394663\" width=\"603\" height=\"330\" \/><\/a><br \/>\n<\/span><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif\">After tricking the victim into visiting the fake websites, the attacker will deploy\u00a0<code>perfhloader<\/code>\u00a0using the\u00a0<strong>phantom DLL loading<\/strong>\u00a0technique. Notably, it will automatically start when the user restarts their computer by setting the command:\u00a0<code>\u201csc config sessionenv start=auto\u201c<\/code>.<\/span><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif\" data-rmiz=\"\"><a href=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2025\/10\/sessionenv-perfhloader-overview-1759394685.jpg\"><img decoding=\"async\" class=\"aligncenter size-full wp-image-23004\" src=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2025\/10\/sessionenv-perfhloader-overview-1759394685.jpg\" alt=\"Sessionenv Perfhloader Overview 1759394685\" width=\"800\" height=\"221\" srcset=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2025\/10\/sessionenv-perfhloader-overview-1759394685.jpg 800w, https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2025\/10\/sessionenv-perfhloader-overview-1759394685-700x193.jpg 700w\" sizes=\"(max-width: 800px) 100vw, 800px\" \/><\/a><br \/>\n<\/span><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif\">These loaders are responsible for reading an encrypted file (<code>perfh011.dat<\/code>), decrypting it, and loading the malware into memory. To avoid\u00a0<strong>detection<\/strong>\u00a0or complicate static analysis, the attacker used an XOR code.<\/span><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif\" data-rmiz=\"\"><a href=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2025\/10\/a0433bc5-67ea-4132-8bd2-2371a6bc1c92-1759394705.jpg\"><img decoding=\"async\" class=\"aligncenter size-full wp-image-23005\" src=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2025\/10\/a0433bc5-67ea-4132-8bd2-2371a6bc1c92-1759394705.jpg\" alt=\"A0433bc5 67ea 4132 8bd2 2371a6bc1c92 1759394705\" width=\"732\" height=\"290\" srcset=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2025\/10\/a0433bc5-67ea-4132-8bd2-2371a6bc1c92-1759394705.jpg 732w, https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2025\/10\/a0433bc5-67ea-4132-8bd2-2371a6bc1c92-1759394705-700x277.jpg 700w\" sizes=\"(max-width: 732px) 100vw, 732px\" \/><\/a><br \/>\n<\/span><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif\">After infiltrating and setting up the loader, the hacker group begins deploying\u00a0<strong>PondRAT<\/strong>\u00a0along with additional tools for the campaign.\u00a0<strong>PondRAT<\/strong>\u00a0can be understood as a simple variant of\u00a0<strong>POOLRAT (aka SIMPLESEA)<\/strong>\u00a0\u2013 deployed as a basic RAT to read and write files, launch processes, and execute shellcode.<\/span><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif\">Supplementary tools are also installed at this stage, such as a keylogger, screenshot utility, cookie or Chrome credential stealer,\u00a0<strong>Mimikatz<\/strong>, and proxies like\u00a0<strong>FRPC<\/strong>,\u00a0<strong>MidProxy<\/strong>,\u00a0<strong>Proxy Mini<\/strong>\u00a0to support attacks through hidden networks.<\/span><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif\">Next,\u00a0<strong>ThemeForestRAT<\/strong>\u00a0will be deployed and run entirely in memory (fileless), through the previously established PondRAT. It can execute up to about 20 commands: manage files, list processes, inject shellcode, timestomp, execute commands, check TCP, download files, spawn processes, hibernate\u2026 Additionally, it will continuously communicate with C2 servers.<\/span><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif\" data-rmiz=\"\"><a href=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2025\/10\/comparison-status-codes-c2-1759394727.jpg\"><img decoding=\"async\" class=\"aligncenter size-full wp-image-23006\" src=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2025\/10\/comparison-status-codes-c2-1759394727.jpg\" alt=\"Comparison Status Codes C2 1759394727\" width=\"768\" height=\"125\" srcset=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2025\/10\/comparison-status-codes-c2-1759394727.jpg 768w, https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2025\/10\/comparison-status-codes-c2-1759394727-700x114.jpg 700w\" sizes=\"(max-width: 768px) 100vw, 768px\" \/><\/a><br \/>\n<\/span><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif\" data-rmiz=\"\"><a href=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2025\/10\/4b25f91d-df8b-4e2b-8162-c0ed6da4257d-1759394747.jpg\"><img decoding=\"async\" class=\"aligncenter size-full wp-image-23007\" src=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2025\/10\/4b25f91d-df8b-4e2b-8162-c0ed6da4257d-1759394747.jpg\" alt=\"4b25f91d Df8b 4e2b 8162 C0ed6da4257d 1759394747\" width=\"1596\" height=\"888\" srcset=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2025\/10\/4b25f91d-df8b-4e2b-8162-c0ed6da4257d-1759394747.jpg 1596w, https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2025\/10\/4b25f91d-df8b-4e2b-8162-c0ed6da4257d-1759394747-700x389.jpg 700w\" sizes=\"(max-width: 1596px) 100vw, 1596px\" \/><\/a><br \/>\n<\/span><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif\">In the final stage, after operating with\u00a0<strong>PondRAT and ThemeForestRAT<\/strong>, Lazarus will clean up traces of the previous RATs and deploy\u00a0<strong>RemotePE<\/strong>.\u00a0<strong>RemotePE<\/strong>\u00a0is downloaded from the C2 through\u00a0<strong>RemotePELoader<\/strong>, which is encrypted using\u00a0<strong>Windows DPAPI (Data Protection API)<\/strong>\u00a0and loaded by\u00a0<strong>DPAPILoader<\/strong>. This enhances security and reduces the likelihood of analysis by security experts.<\/span><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif\" data-rmiz=\"\"><a href=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2025\/10\/remotepe-checkin-request-1759394800.jpg\"><img decoding=\"async\" class=\"aligncenter size-full wp-image-23008\" src=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2025\/10\/remotepe-checkin-request-1759394800.jpg\" alt=\"Remotepe Checkin Request 1759394800\" width=\"800\" height=\"259\" srcset=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2025\/10\/remotepe-checkin-request-1759394800.jpg 800w, https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2025\/10\/remotepe-checkin-request-1759394800-700x227.jpg 700w\" sizes=\"(max-width: 800px) 100vw, 800px\" \/><\/a><br \/>\n<\/span><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif\">RemotePE is written in C++ by the attackers, indicating that it is the most sophisticated RAT,\u00a0<strong>used only for high-value targets<\/strong>, with the ability for long-term control and high stealth.<\/span><\/p>\n<h2 id=\"heading-conclusion\" class=\"permalink-heading\"><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\"><strong>Conclusion<\/strong><\/span><\/h2>\n<p><span style=\"font-family: arial, helvetica, sans-serif\">The Lazarus Group&#8217;s attack campaign, observed in 2024 and published on September 2, 2025, demonstrated a\u00a0<strong>multi-layered<\/strong>\u00a0approach\u2014from social engineering, through loaders, to advanced-stage RATs\u2014to deeply infiltrate DeFi financial organizations. The attackers showed the ability to adapt their tactics flexibly depending on the situation and target.<\/span><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif\">This serves as a continued warning about the sophistication that APT groups like Lazarus can deploy in the high-tech and crypto-financial space.<\/span><\/p>\n<h2 id=\"heading-recommendations\" class=\"permalink-heading\"><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\"><strong>Recommendations<\/strong><\/span><\/h2>\n<ol>\n<li><span style=\"font-family: arial, helvetica, sans-serif\"><strong>Enhance Input Security<\/strong><\/span><\/li>\n<\/ol>\n<ul>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">Train employees to recognize phishing techniques on Telegram, LinkedIn, and fake meeting schedules (fake Calendly\/Picktime).<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">Limit sharing of email addresses or personal contact information publicly.<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">Implement an\u00a0<strong>email gateway with sandbox<\/strong>\u00a0to check attachments and links.<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">Alert when employees click on external links.<\/span><\/li>\n<\/ul>\n<ol start=\"2\">\n<li><span style=\"font-family: arial, helvetica, sans-serif\"><strong>Access Management and Monitoring<\/strong><\/span><\/li>\n<\/ol>\n<ul>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">Enable mandatory\u00a0<strong>MFA (2FA)<\/strong>.<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">Remove admin rights from regular users.<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">Apply the principle of\u00a0<strong>Least Privilege Access<\/strong>.<\/span><\/li>\n<\/ul>\n<h2 id=\"heading-ioc\" class=\"permalink-heading\"><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\"><strong>IOC<\/strong><\/span><\/h2>\n<ol>\n<li><span style=\"font-family: arial, helvetica, sans-serif\"><strong>Malicious Domain<\/strong><\/span><\/li>\n<\/ol>\n<ul>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">calendly[.]live<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">picktime[.]live<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">oncehub[.]co<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">go.oncehub[.]co<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">dpkgrepo[.]com<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">pypilibrary[.]com<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">pypistorage[.]com<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">keondigital[.]com<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">arcashop[.]org<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">jdkgradle[.]com<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">latamics[.]org<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">lmaxtrd[.]com<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">paxosfuture[.]com<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">www[.]plexisco[.]com<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">ftxstock[.]com<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">www[.]natefi[.]org<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">nansenpro[.]org<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">aes-secure[.]net<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">azureglobalaccelerator[.]com<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">azuredeploypackages[.]net<\/span><\/li>\n<\/ul>\n<ol start=\"2\">\n<li><span style=\"font-family: arial, helvetica, sans-serif\"><strong>IP Addresss<\/strong><\/span><\/li>\n<\/ol>\n<ul>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">144.172.74[.]120<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">192.52.166[.]253<\/span><\/li>\n<\/ul>\n<h2 id=\"heading-references\" class=\"permalink-heading\"><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\"><strong>References<\/strong><\/span><\/h2>\n<ol>\n<li><span style=\"font-family: arial, helvetica, sans-serif\"><a href=\"https:\/\/thehackernews.com\/2025\/09\/lazarus-group-expands-malware-arsenal.html\" target=\"_blank\" rel=\"noopener nofollow\">Lazarus Group Expands Malware Arsenal With PondRAT, ThemeForestRAT, and RemotePE<\/a><\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\"><a href=\"https:\/\/cybersecuritynews.com\/lazarus-hackers-deploying-three-rats\/\" target=\"_blank\" rel=\"noopener nofollow\">Lazarus Hackers Deploying Three RATs on Compromised Systems Possibly Using 0-Day Vulnerability<\/a><\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\"><a href=\"https:\/\/gbhackers.com\/lazarus-hackers-exploit-0-day\/\" target=\"_blank\" rel=\"noopener nofollow\">Lazarus Hackers Exploit 0-Day to Deploy Three Remote Access Trojans<\/a><\/span><\/li>\n<\/ol>\n<table style=\"border-collapse: collapse;width: 100%\">\n<tbody>\n<tr>\n<td style=\"width: 100%\"><span style=\"font-family: arial, helvetica, sans-serif\"><strong class=\"custom-cursor-default-hover default_cursor_land\">Exclusive article by FPT IS Technology Experts<\/strong> <\/span><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif\"><em>Luu Tuan Anh \u2013 FPT IS Cyber Security Center<\/em><\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n","protected":false},"author":21,"featured_media":23010,"parent":0,"template":"","nang_luc":[790,821],"danh_muc_goc_nhin_so":[789],"dich_vu":[712],"linh_vuc":[],"platform":[],"san_pham":[],"the_goc_nhin_so":[],"class_list":["post-23009","goc_nhin_so","type-goc_nhin_so","status-publish","has-post-thumbnail","hentry","nang_luc-experts-sharing","nang_luc-security","danh_muc_goc_nhin_so-expert-sharing","dich_vu-security"],"acf":[],"_links":{"self":[{"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/goc_nhin_so\/23009","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/goc_nhin_so"}],"about":[{"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/types\/goc_nhin_so"}],"author":[{"embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/users\/21"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/media\/23010"}],"wp:attachment":[{"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/media?parent=23009"}],"wp:term":[{"taxonomy":"nang_luc","embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/nang_luc?post=23009"},{"taxonomy":"danh_muc_goc_nhin_so","embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/danh_muc_goc_nhin_so?post=23009"},{"taxonomy":"dich_vu","embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/dich_vu?post=23009"},{"taxonomy":"linh_vuc","embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/linh_vuc?post=23009"},{"taxonomy":"platform","embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/platform?post=23009"},{"taxonomy":"san_pham","embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/san_pham?post=23009"},{"taxonomy":"the_goc_nhin_so","embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/the_goc_nhin_so?post=23009"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}