Genians identifies a new RoKRAT variant used by APT37 and delivered in South Korea through a compressed archive containing an unusually large malicious LNK file. The shortcut masquerades as a national intelligence and counterintelligence manuscript and em…
Genians analyzes an APT37 RoKRAT campaign in Korea that used oversized LNK files, malicious HWP/OLE content, DLL side-loading, and JPEG steganography to load payloads. One infection chain hides a decoy HWP document, batch script, PowerShell command, and s…
The excerpt presents an adversary simulation modeled on Famous Chollima activity against job seekers and software developers, relying on public reporting about North Korean campaigns targeting job hunters. The attack chain begins with fake online intervie…
KISA warns that SGA Solutions' discontinued TrustPKI Enterprise product contains a vulnerability caused by insufficient verification. The advisory instructs organizations and users to remove the product immediately if it is installed on PCs because the pr…
Google's H2 2025 Cloud Threat Horizons material flags North Korea among state-sponsored actors advancing social engineering tactics in the cloud threat landscape. The excerpt also highlights abuse of trusted cloud storage services for malware delivery and…
BBC reporting based on a rare interview with a defector describes North Korean IT workers using fake or borrowed identities to obtain remote jobs at Western companies. Jin-su said teams abroad in China, Russia, Africa, and elsewhere targeted US and Europe…
A Seoul ADEX 2025-themed LNK is assessed as suspected APT37 activity and likely RoKRAT. The shortcut poses as a PDF for an international UAV and defense exhibition, runs PowerShell through Pester.bat, shows a decoy document, and retrieves staged component…
Veracode identified twelve malicious npm packages tied to a persistent North Korean crypto-stealing campaign that targets developers through interview-style exercises. The packages used typosquatting and cloned legitimate-looking content, then executed ob…
DomainTools details a DPRK remote IT worker ecosystem coordinated around Reconnaissance General Bureau activity, including Andariel-linked Song Kum Hyok and facilitators who helped North Korean workers pose as legitimate remote hires. The scheme uses stol…
Sonatype reports that the North Korea-backed Lazarus Group is abusing open source package ecosystems as part of a strategic software supply-chain campaign. In the first half of 2025, Sonatype’s automated detection identified 234 unique malware packages in…
Plainbit and South Korea's NCSC analyze spear-phishing infrastructure used by suspected North Korea-backed groups in the first half of 2025. The report separates delivery infrastructure from credential-collection and storage infrastructure, noting that at…
The Lazarus Group’s Contagious Interview campaign is described as evolving its payload delivery for BeaverTail, InvisibleFerret, and OtterCookie across multiple malicious projects. The analyzed code uses external requests, URL-splitting, Vercel-hosted lur…
The Korean analysis attributes an electronic tax invoice-themed malware campaign to Kimsuky, using a disguised Windows shortcut named like a PDF invoice to execute hidden PowerShell. The LNK contains Base64-encoded script logic that writes and runs main.p…
Aryaka Threat Research Labs attributes the activity to Kimsuky, also tracked as APT43, Thallium, and Velvet Chollima, and frames it as North Korean cyber-espionage supporting geopolitical, military, and economic intelligence collection. The campaign targe…
Flashpoint details DPRK remote IT worker operations in which North Korean operatives pose as freelance developers, IT staff, and contractors to gain trusted access inside organizations worldwide. The activity relies on long-lived fake personas, “parallel …