Unit 42 linked Jumpy Pisces, also known as Andariel or PLUTONIUM, to an intrusion that preceded Play ransomware deployment and assessed with moderate confidence that the North Korean state-sponsored group collaborated with Play ransomware operators or act…
ThreatBook reports that Konni targeted South Korean RTP engineering staff and people working on tax and North Korean market analysis from mid-April to early July 2024. The campaign used Korean-themed LNK lures such as meeting materials, tax evasion, and m…
The Coinmonks recap links suspicious GitHub and LinkedIn activity to DPRK IT worker and Contagious Interview tradecraft, starting from the Onder Kayabasi profile and its connections to fake recruiter accounts. The source says Unit 42 assessed similar acti…
SecurityScorecard describes a Famous Chollima job-recruitment lure against one of its developers under the Contagious Interview campaign. The attacker used LinkedIn and crypto-related targeting data to push a Bitbucket coding test, where the repository de…
SecurityScorecard says a North Korean state actor tried to compromise a DevOps engineer through a fake Web3 job approach on LinkedIn. The attacker used a compromised UK LinkedIn account to send the target to a Bitbucket repository for a skills test, where…
Cyvers reported that WazirX's Ethereum Safe multisig wallet was compromised on July 18, 2024, with about $234.9 million in assets moved to a new address funded through Tornado Cash. The attacker swapped tokens including PEPE, GALA, and USDT into ETH, whil…
Hunt identified a suspected North Korean-linked phishing server targeting Naver users from an exposed directory at 158.247.238[.]155/naver on infrastructure hosted in Seoul. The server redirected port 80 traffic to the legitimate Naver site, hosted more t…
NSHC's July 2024 intelligence roundup records four SectorA activity clusters, a set it describes as pursuing both intelligence collection tied to Korean political and diplomatic interests and financially motivated operations worldwide. SectorA01 activity …
NSHC’s August 2024 roundup records six SectorA activity clusters and says they continued intelligence collection tied to Korean government interests while also pursuing financial gain worldwide. SectorA01 used recruiter impersonation and compressed files …
Contagious Interview activity linked in the excerpt to DPRK operators continues to target software developers through recruiter lures on LinkedIn and other hiring platforms, with Web3 and DeFi developers especially exposed because cryptocurrency theft is …
The Chinese thread summarizes reporting from Unchained, CoinDesk, and Taylor Monahan on North Korean workers infiltrating Web3 and cryptocurrency companies through remote developer roles. It cites Sam Kessler’s investigation that named firms including Inj…
HYPR reports an attempted fraudulent hire that aligned with the wider DPRK IT worker threat but also warns that fake-employee schemes are broader than North Korea. The candidate passed early interviews but failed onboarding checks when location data chang…
Kimsuky, also called Black Banshee in the advisory, is described as a North Korean espionage group active since at least 2012 and focused on organizations and individuals in South Korea, Japan, and the United States. The source lists phishing, malware inf…
Lazarus used a fake DeFi tank game, DeTankZone, to target Bitcoin and cryptocurrency users while exploiting the Google Chrome zero-day CVE-2024-4947 from detankzone[.]com. The campaign began around February 2024 and was identified after researchers found …
Datadog Security Research found three malicious npm packages, passports-js, bcrypts-js, and blockscan-api, carrying obfuscated BeaverTail malware and totaling 323 downloads. The packages used namesquatting or backdoored copies of legitimate JavaScript lib…