Bitso describes the final installment in its Chollima interview series, centered on a suspected North Korean applicant who posed as “Lucas Gabriel,” claimed to be a Senior Full Stack Engineer from Córdoba, refused to turn on a camera, could not speak Spanish, and…
2025
778 reports
Infostealer logs associated with the Trevor Greer persona provide additional context for suspected DPRK IT worker activity, while the source cautions that the data does not directly connect the persona to the Bybit incident and may be over a year old. The…
Sysdig analyzed EtherRAT, a Node.js implant recovered from a compromised Next.js application shortly after disclosure of CVE-2025-55182 in React Server Components. The malware uses an Ethereum smart contract to resolve command-and-control infrastructure, …
ENKI analyzed recent DOCSWAP Android variants that used phishing websites, QR-code redirection, notification prompts, and delivery-themed decoys to lure mobile users into installing malicious APKs. The report attributes the activity to Kimsuky based on sh…
ENKI analyzed newer DOCSWAP Android malware samples distributed through phishing pages that used delivery-service themes, mobile-only redirects, QR codes, and APK installation prompts to push victims onto smartphones. The malicious SecDelivery.apk decrypt…
The archived thread describes DPRK-linked social-engineering activity that begins with compromised Telegram accounts and uses prior chat history to make fake meeting requests appear legitimate. Victims are steered through Calendly-style scheduling and fak…
The excerpt analyzes a North Korean IT-worker cell targeting Japan's B2B and B2G outsourcing markets while physically operating from China and presenting itself as Japanese or U.S.-based freelancers. Evidence from RedLine Stealer logs exposed fake identit…
Hudson Rock links a Yemeni disinformation operator's RedLine Stealer infection to later Lazarus Group use of the same compromised news infrastructure. The infected Windows machine exposed WordPress and cPanel credentials for domains such as alnagm-press.c…
360 researchers attribute a malicious archive campaign to APT-C-26/Lazarus, reporting exploitation of WinRAR path traversal CVE-2025-8088 through a file named Pharos.rar. The archive is disguised as a Pharos Automation Bot project and abuses NTFS Alternat…
AhnLab's November 2025 domestic APT monitoring found spearphishing remained the main delivery path against South Korean targets, with malicious attachments or links used to trigger payload execution. The observed cases included LNK files carrying PowerShe…
AhnLab's November 2025 APT trend reporting describes continued evolution by suspected North Korea-backed actors, including Lazarus, Famous Chollima, Kimsuky, and a Konni-linked cluster associated with Kimsuky or TA-RedAnt. Lazarus activity is described us…
The Japanese blog examines infostealer logs tied to [email protected] and pivots from saved credentials on that machine to other infected systems and accounts that may be connected to a possible Lazarus-related operator. The excerpt describes comp…
Flashpoint describes how an infostealer infection on a North Korean operator's own machine exposed operational details behind fake personas, remote IT work, and Web3 targeting. The Trevor Greer persona is tied in the excerpt to Contagious Interview activi…
Sysdig recovered EtherRAT from a compromised Next.js application two days after disclosure of CVE-2025-55182, showing that exploitation of the React Server Components flaw is being used for more than cryptominers and credential theft. The implant uses a four-stage chain that starts with a base64…
The article reconstructs a possible physical fiber topology for North Korea by combining aviation slides, historical reports, Kwangmyong references, railway and road imagery, and latency observations. It highlights known or reported fiber links from Russi…