KuCoin links recent fake-recruiter phishing against cryptocurrency-sector personnel to Lazarus Group/APT38, with lures delivered through LinkedIn, Telegram, and X. Non-technical victims are pushed through a fake interview site that claims a missing camera…
The research identifies suspected DPRK IT worker activity across GitHub, code-sharing sites, freelancing platforms, forums, personal portfolio pages, and resume-hosting services. It frames the activity as part of North Korean remote-job fraud, with worker…
Qianxin attributes a recent ClickFix campaign to Lazarus, tracked internally as APT-Q-1, based on overlap with prior Lazarus reporting and deployment of BeaverTail and InvisibleFerret. The campaign uses fake recruiting and interview sites to persuade vict…
OFAC sanctioned Russian national Vitaliy Sergeyevich Andreyev for allegedly facilitating payments to Chinyong Information Technology Cooperation Company, a previously sanctioned DPRK-linked organization employing North Korean IT workers in Russia and Laos…
Anthropic reports that North Korean operatives misused Claude to support fraudulent remote-employment schemes targeting US Fortune 500 technology companies. The activity involved creating convincing false identities, completing technical and coding assess…
OFAC sanctioned a DPRK-linked fraudulent IT worker network that Chainalysis connects to cryptocurrency-enabled revenue generation for North Korea's WMD and ballistic missile programs. The designation names Vitaliy Sergeyevich Andreyev, Kim Ung Sun, Shenya…
OFAC sanctioned Vitaliy Sergeyevich Andreyev, Kim Ung Sun, Shenyang Geumpungri Network Technology, and Korea Sinjin Trading Corporation for roles in a DPRK IT worker revenue scheme. The Treasury release says DPRK IT workers use fraudulent documents, stole…
Japan, the United States, and South Korea warned that North Korean IT workers are continuing to earn overseas revenue for DPRK weapons programs while expanding malicious cyber activity. The statement says these workers hide their identities and locations …
GolangGhost is presented as a cross-platform remote access trojan associated with North Korea's Lazarus-linked Famous Chollima activity against cryptocurrency and blockchain job seekers. The infection chain uses fake recruitment sites and bogus video inte…
AppleJeus is identified as a North Korean state-sponsored group attributed to the Reconnaissance General Bureau and associated with the broader Lazarus Group umbrella. The entry says the group focuses on generating and laundering revenue for the DPRK gove…
Chollima Group links the DeTankZone/Moonstone Sleet ecosystem to a broader cluster of DPRK IT workers it calls BABYLONGROUP, centered on web3 and blockchain development. The investigation says the supposedly legitimate predecessor DefiTankLand was likely …
The YouTube transcript describes OSINT researchers discussing North Korean compromises of South Korean government and media servers, with VPN weaknesses presented as a common intrusion cause. The discussion ties the activity to Kimsuky tradecraft, includi…
A leaked operational dump attributed in the source to North Korea’s Kimsuky exposed virtual machine images, VPS data, phishing kits, rootkits, credentials, browser history, and operator infrastructure. The material shows phishing activity against South Ko…
AhnLab’s July 2025 APT trend report highlights multiple North Korea-linked intrusion patterns, including Kimsuky ClickFix activity against South Korean diplomacy, security, international politics, defense, portal, research, and expert targets. The Kimsuky…
S2W TALON analyzed leaked material distributed with Phrack’s “APT Down: The North Korea Files” and found evidence of operations against Korean government entities and domestic companies, including webmail-related source code, Ministry of Foreign Affairs-r…