Malware activities life not easy since malware detector is common and popular. Even though the malware circumvent the detector but it is hard to bypass the monitor of SOC because of SIEM product. It looks that it limit space for spy or malware to hunt your data. The design weakness of malware is that it requires a static connectivity to C&C. I foresee that the descendants of spyware or malware will deploy similar of smartphone technology relies on HTTP connection (Setting headers in POST request with Java). The spyware or malware make use of this method is able to dynamic connection to destination. Such method benefits to fool the defense mechanism. To be honest, send JSON data from the client side is popular today. It is hard to judge. Hacker more focusing on application design weakness is ongoing trend of cyber security world. Should you be interested of related details, please refer to following url for reference.