Sophos profiles NICKEL TAPESTRY as a North Korea-linked fraudulent IT worker activity set, aligned with names such as DPRK IT Workers, Famous Chollima, Jasper Sleet, Purpledelta, Storm-0287, UNC5267, and Wagemole. The activity comprises multiple clusters …
AhnLab reports that attackers often install proxy tools after compromise to reach infected systems by RDP when the systems sit behind NAT. The Korean-language article cites Ngrok, Plink, and custom proxy tools, including Kimsuky and Andariel cases where o…
AhnLab describes how threat actors use proxy and tunneling tools after compromise to expose RDP access from systems hidden behind NAT. The report highlights Ngrok commands that publish port 3389, Plink SSH tunneling used after Exchange exploitation in a L…
Kimsuky, also known as APT43, APT-Q-2, Velvet Chollima, Black Banshee, Thallium, Sparkling Pisces, etc., has been operating since 2012 and is supported by the North Korean government. Recently, SecAI has detected a series of targeted attacks launched by K…
The excerpt catalogs North Korean IT worker activity as a DPRK revenue-generation and espionage threat tied to entities such as the 313 General Bureau, Pyongyang technology organizations, Yanbian Silverstar, Volasys Silver Star, and Chinyong. It lists nam…
ASEC reports that attackers in 2024 increasingly used Microsoft Management Console (MSC) files as Office document malware declined. One MSC class abuses CVE-2024-43572 in apds.dll, while another uses MMC Console Taskpad entries to run commands from files di…
VulnCheck reviewed CISA's 2023 routinely exploited vulnerabilities list and mapped threat-actor activity against the 15 CVEs. The DPRK-relevant finding is that North Korea's Silent Chollima was associated with exploitation of 9 of the 15 vulnerabilities, …
Microsoft summarized CYBERWARCON research on DPRK operators that steal cryptocurrency, collect intelligence on weapons systems and sanctions policy, and place North Korean IT workers abroad to generate regime revenue. Sapphire Sleet was described as using…
SOCRadar profiles Moonstone Sleet, also tracked as Storm-1789, as a North Korean state-sponsored actor targeting technology, financial, and cryptocurrency organizations for espionage and revenue generation. The report cites fake job offers, project-collab…
Kimsuky is linked to a malicious MSC file disguised as a South Korean National Assembly advisory about North Korea's new suicide drones. The lure opens a Google Docs decoy while command-line logic downloads files from petssecondchance.larcity.dev into Pub…
Sophos profiles NICKEL JUNIPER as a North Korea-linked espionage group, also associated with Konni, Opal Sleet, and OSMIUM. The group targets South Korea and Russia, especially government entities and the cryptocurrency industry, with both intelligence-ga…
This APT group has been associated with other threat actor groups, including Bluenoroff and Andariel, believed to be subgroups or closely aligned with Lazarus. One of their recent campaigns, "Dream Job," specifically targets cryptocurrency-adjacent entiti…
The Microsoft Threat Intelligence Podcast episode features Proofpoint and Microsoft researchers discussing DPRK state-sponsored cyber activity and how it differs from other nation-state operations. The notes frame North Korean operators as technically sop…
South Korea's National Police Agency attributed the 2019 theft of 342,000 Ethereum from a domestic cryptocurrency exchange to North Korea, citing North Korean IP addresses, traced asset flows, North Korean vocabulary found during the investigation, and lo…
SentinelLabs linked several active software-consulting front companies to the DPRK IT worker scheme and to a wider set of organizations being created in China. The report describes websites for Independent Lab LLC, Shenyang Tonywang Technology, Tony WKJ L…