NSHC’s July 2025 threat actor roundup says SectorA was active against the software supply chain and developer ecosystem. The SectorA section describes typosquatted npm packages that deliver a malicious loader, collect system details, credentials, and cryp…
Sandfly analyzes a leaked Linux loadable kernel module rootkit from a suspected North Korean hacking-group data dump, noting that the broader Phrack material includes activity against South Korea and Taiwan with some overlap to Kimsuky tactics. The 2025 r…
DRATzarus, also tracked as ThreatNeedle, is described as a Lazarus Group remote access trojan used since at least mid-2020 against defense and aerospace organizations. The excerpt says delivery commonly relies on targeted spear-phishing with COVID-19 or f…
AhnLab observed July 2025 domestic APT activity in South Korea dominated by spear-phishing, with LNK-file delivery making up the largest share and watering-hole activity also noted. The LNK chains used embedded PowerShell to extract CAB files and decoy do…
A compromised DPRK IT worker device exposed a five-person operation managing more than 30 fraudulent identities to obtain developer jobs through purchased Upwork and LinkedIn accounts, government IDs, phone numbers, AI subscriptions, rented computers, VPN…
CYFIRMA profiles Lazarus Group as a North Korean state-sponsored threat actor active since at least 2009, combining espionage, political objectives, and financially motivated cybercrime. The excerpt lists a broad alias set including Hidden Cobra, APT38, A…
SlowMist analyzed a Web3 interview lure in which a self-proclaimed Ukrainian team asked a target to clone the EvaCodes-Community/UltraX GitHub repository. The project replaced a previously removed malicious dependency, [email protected], with [email protected]…
A Korean malware analysis attributes a malicious HWP document named “250615_Grain Sales Office Operations Status.hwp” to APT37/Reaper and describes it as RokRAT-themed activity. The lure content concerns grain sales and distribution in Pyongyang, indicati…
Seongsu Park’s DEF CON material examines how North Korean cyber operations have evolved from broad umbrella labels into multiple specialized clusters with overlapping tools, infrastructure, and mission sets. The slides describe Lazarus-linked history, Kim…
Leaked material attributed in the excerpt to Kimsuky shows recent phishing against South Korea's Defense Counterintelligence Command, with auth logs containing dcc.mil.kr users and other Korean services including spo.go.kr, korea.kr, Daum, Kakao, and Nave…
A Bybit hack case study attributes a $1.46 billion cryptocurrency theft to North Korea’s Lazarus Group and uses it to explain modern crypto laundering workflows. The excerpt describes two intrusion paths: malicious JavaScript injected into a third-party w…
North Korean fake-interview operations are described as delivery paths for BeaverTail, InvisibleFerret, OtterCookie, and ChaoticCapybara. The presentation analyzes those malware families, reverse-engineers their techniques, and modifies samples to expose …
The DEF CON material uses the February 2025 Bybit theft as a case study for tracing large-scale cryptocurrency laundering after a manipulated transaction changed the Safe wallet execution path and enabled attacker-controlled transfers. It describes rapid …
Moonlock links North Korean fake IT worker operations to the growth of macOS stealer malware used to obtain identities, credentials, and crypto-related data. The report says stolen personal information helps DPRK operatives pose as legitimate job applican…
A Stardust Chollima adversary simulation recreates the 2018 compromise of Chilean interbank network Redbanc, where PowerRatankba was delivered through a fake job-application lure. The attack chain centers on social engineering over LinkedIn/Skype, a GUI d…