NSHC’s May 2025 threat-actor roundup notes SectorA activity against macOS and Windows systems, with a particular focus on cryptocurrency targets. The SectorA section describes fake recruitment lures using LinkedIn, GitHub, and interview sites to deliver m…
A U.S. Justice Department indictment charges four North Korean nationals with posing as remote IT workers, gaining developer roles at blockchain-related companies, and stealing more than $900,000 in virtual currency. The alleged scheme used stolen or frau…
Microsoft tracks North Korean remote IT worker activity as Jasper Sleet and says the operation has evolved since 2024 through wider use of AI, fraudulent identities, and remote-access tooling. The workers seek software, web development, and administrator …
The Justice Department announced coordinated U.S. actions against DPRK remote IT worker revenue schemes, including two indictments, one arrest, searches of 29 suspected laptop farms across 16 states, and seizures of 29 financial accounts and 21 fraudulent…
The excerpt describes an incident-response exercise for a high-severity alert labeled SOC337, “Lazarus Phishing Campaign Detected (APT38).” The alert involved an allowed email from [email protected] to [email protected] with the subject “Invitat…
A blockchain investigation links recent exploits against Matt Furie and ChainSaw NFT projects and Favrr to a cluster of suspected DPRK IT workers who may have been hired as developers. The ChainSaw-related activity involved transferring contract ownership…
TraderTraitor is described as a DPRK-nexus actor linked to North Korea's Reconnaissance General Bureau and focused on revenue generation through cryptocurrency theft. The excerpt highlights attacks against AWS environments, cryptocurrency firms, and adjace…
APT37/Reaper is linked in the source to a malicious LNK file disguised as a fundraising campaign for a North Korean defector organization, using the health situation of a Free North Korea Radio representative as the lure. The LNK searches for a specific o…
Bitso’s Quetzal Team describes an attempted DPRK IT worker infiltration in which a suspicious applicant using a Mexican identity moved through engineering interviews before being rejected. The team links the activity to “Famous Chollima” style wage-mole o…
Greg Sinclair of Google Cloud Security’s FLARE team discusses reverse-engineering work behind identifying, naming, and attributing North Korean cyber activity associated with Lazarus Group. The episode emphasizes binary-similarity analysis as a method for…
The video description presents North Korean IT workers as using fake identities, polished resumes, professional headshots, and deceptive video-call setups to obtain remote technology jobs. It says thousands of workers have targeted companies in the United…
Socket attributes a continuing North Korean Contagious Interview supply-chain campaign to 35 malicious npm packages published across 24 accounts, including six packages that remained live and had more than 4,000 downloads. The packages target developers a…
The archived thread describes North Korean phishers hijacking a known contact’s account and using the existing relationship to re-engage a target after an earlier in-person meeting. The attackers sent Zoom-themed links that appeared to be legitimate subdo…
Ketman analyzes DPRK IT worker activity across GitHub, Telegram, freelance job boards, open-source communities, and Web3 projects, where actors build fabricated developer personas to obtain work and evade sanctions controls. The investigation centers on t…
Dark Atlas frames Bluenoroff, also known as APT38, as a financially motivated North Korean Lazarus subgroup linked to the Reconnaissance General Bureau and focused on banks, SWIFT endpoints, casinos, ATMs, and cryptocurrency platforms. The hunt starts fro…