Famous Chollima, described as a North Korean-aligned actor, deployed the Python-based PylangGhost RAT against cryptocurrency and blockchain professionals, primarily in India. The campaign used fake recruiter personas and counterfeit job-application sites …
2025 (778 reports)
The Korean write-up attributes a tax-themed malware lure to Kimsuky and assesses that it was likely intended for email delivery to victims. The archive contained decoy HWP tax documents and a key HWP-themed LNK file that ran obfuscated PowerShell, searche…
NSHC's April 2025 SectorA reporting describes social-engineering operations against cryptocurrency, defense technology, engineering, and broader technology targets. The group used fake recruitment processes, technical tests, fake GitHub projects, BitBucke…
Field Effect investigated a compromise at a Canadian online gambling provider that it says may be associated with BlueNoroff, a financially motivated North Korean Lazarus subgroup. The victim joined a cryptocurrency-related Zoom meeting with an impersonat…
Validin pivots from Huntress-reported BlueNoroff infrastructure tied to a targeted Web3 intrusion that used Telegram and a fake Zoom extension to compromise a cryptocurrency organization. The investigation starts with support[.]us05web-zoom[.]biz, which o…
NSHC's March 2025 SectorA section reports five North Korea-relevant clusters active across South Korea, Taiwan, the Netherlands, Israel, Norway, India, Hong Kong, the United Kingdom, and the United States. SectorA01 is described as stealing $1.5 billion i…
ENKI describes a Kimsuky-linked spearphishing operation that abused GitHub and Dropbox as malware delivery and collection infrastructure. The malware used hardcoded GitHub Personal Access Tokens with repo scope to access private repositories, download RTF…
ENKI links a GitHub-based spearphishing infrastructure cluster to the DPRK-nexus actor Kimsuky through XenoRAT C2 analysis and attacker repository evidence. The campaign targeted South Korean individuals with decoys such as law-firm debt notices, powers o…
The archived thread describes exposed backend code and credentials for a malware delivery operation attributed in the text to generic North Korean threat actors, explicitly not Lazarus. The backend emailed operators when victims interacted with the malwar…
BitoPro says forensic findings from its May 9, 2025 cryptocurrency theft showed no internal personnel involvement and that the tradecraft resembled incidents attributed to North Korea’s Lazarus Group. The attackers socially engineered a cloud operations e…
The Korean analysis examines a phishing email suspected to be linked to Kimsuky that impersonates Naver’s electronic document service and a Korean National Police Agency notice. The message was sent from [email protected] through 89.221.237.155 in Mosc…
Ketman identifies a suspected DPRK IT worker-related GitHub account, AhegaoXXX, with privileged control over the Keeper-Wallet organization tied to Waves Protocol. After nearly two years of inactivity, the account pushed dependency updates, could create r…
Huntress attributes a macOS intrusion against a cryptocurrency foundation employee to TA444/BlueNoroff, a DPRK subgroup also tracked as Sapphire Sleet, COPERNICIUM, STARDUST CHOLLIMA, or CageyChameleon. The attacker used Telegram contact, Calendly and Goo…
Cisco Talos identified PylangGhost, a Python-based Windows RAT used exclusively by the North Korean-aligned Famous Chollima actor, also known as Wagemole. The campaign targets workers with cryptocurrency and blockchain experience through fake recruiter wo…
QiAnXin attributes recent Endoor samples to Kimsuky, tracked internally as APT-Q-2, and notes the group’s historical focus on South Korean defense, education, energy, government, healthcare, and think-tank targets. The Go-based backdoor appears in both DL…