Okta Threat Intelligence found that DPRK IT-worker operations now affect remote-hiring organizations far beyond U.S. big technology companies. The investigation tracked more than 130 facilitator and worker identities tied to over 6,500 initial job intervi…
2025 (778 reports)
A Korean analysis attributes a Python malware file named config.py to Lazarus activity focused on cryptocurrency theft. The script is designed to collect Chrome and Chromium browser profile data, including cryptocurrency wallet extension storage, cookies,…
Sandfly Security released a detection script for a Linux Loadable Kernel Module rootkit described in a Phrack data dump attributed in the source to a threat actor purportedly from North Korea. The tool checks for hidden kernel modules that disappear from …
PIOLINK links recent APT37 activity to a shared C2 infrastructure used to operate Rustonotto, Chinotto, and FadeStealer against targets connected to North Korea policy, human rights, and South Korean interests. Initial access uses Windows shortcut files a…
The analysis reviews file listings, shell history, browser history and development artifacts from the Phrack “APT Down — The North Korea Files” leak and frames them as Kimsuky/APT43-related material. The evidence shows malware-development and intrusion to…
ESET describes DeceptiveDevelopment as a North Korea-aligned financially motivated group active since at least 2023 and tightly connected to WageMole, the activity cluster associated with North Korean IT workers. Operators pose as recruiters on platforms …
Seedify reported that a DPRK state-affiliated Web3 hacking group gained access to a developer’s private key at about 12:05 UTC and used the access to abuse minting privileges. The attacker modified OFT contract settings and minted unauthorized SFUND token…
A Korean-language analysis attributes a malicious LNK lure to suspected Kimsuky activity targeting a Korea National Defense University security policy professor. The lure impersonated the Military Affairs Office of the Chinese Embassy in South Korea and d…
Trellix uncovered a North Korean IT-worker employment fraud attempt after correlating applicant email addresses from OSINT reporting with telemetry from a major U.S. healthcare provider’s hiring process. The suspected operative used the persona “Kyle Lank…
Barracuda profiles Lazarus Group as a DPRK state-linked cybercrime and espionage ecosystem operating under the Reconnaissance General Bureau rather than a single monolithic actor. The article distinguishes major clusters including TEMP.Hermit, Kimsuky/APT…
Logpresso attributes a late-July 2025 campaign to Kimsuky that used compressed archives with sex-offender and tax-notice themes to deliver deceptive Windows shortcut files. When opened, the LNK chain runs mshta.exe to retrieve HTA and log files, shows a d…
The leaked “APT Down - The North Korea Files” material exposed a Deepin workstation dump and VPS data containing malware source code, attack tools, exfiltrated material, and phishing infrastructure tied by the authors to activity against South Korea. ENKI…
AhnLab tracks Larva-25004 as a Kimsuky-linked operation active since at least August 2023 against South Korean public enterprises, defense industry organizations, research institutes, and at least one job seeker of unknown nationality. The group uses spea…
ENKI’s Korean analysis of the “APT Down - The North Korea Files” leak examines the actor’s VMware workstation and VPS dumps, which contained malware source code, attack tools, stolen data, logs, and phishing infrastructure. The leaked rootkit code matched…
Andrew MacPherson’s LABScon 25 talk examines large-scale cryptocurrency crime affecting decentralized finance, including attacks against browser-based wallet interactions, smart contracts, and crypto applications. The excerpt highlights major attack patte…