ESET's Q4 2024-Q1 2025 APT activity report notes several North Korea-aligned operations with a strong financial motive. DeceptiveDevelopment expanded targeting across cryptocurrency, blockchain, and finance by using fake job listings, ClickFix techniques,…
Kimsuky is tied to an attack using a malicious SCR file disguised as Korean machinery-research work-plan and completion documents. The sample reportedly carried a CJ OliveNetworks digital signature issued by Sectigo, which CJ OliveNetworks revoked after t…
The report analyzes Lazarus malware disguised as an IP Messenger installer using the filename of a legitimate IPMsg setup package. The malicious installer decrypts and filelessly loads embedded DLL components, then runs a legitimate installer from the use…
Rekt analyzes the May 9, 2025 LNDFi theft as a $1.18 million drain enabled by Pool Admin control over modified Aave-style token contracts. The article notes ZachXBT's DPRK claim but focuses on the on-chain mechanics: a deployer granted Pool Admin rights, …
AhnLab's April 2025 APT trend report summarizes multiple regional threat activities, including North Korean groups exploiting South Korean software ecosystems. It describes Konni spear-phishing campaigns impersonating Korean government agencies and delive…
AhnLab's April 2025 APT trend report highlights two DPRK-relevant campaigns. Konni used spear phishing that impersonated the Korean National Police Agency and National Human Rights Commission, first encouraging replies and then delivering LNK and AutoIT-b…
LND attributed its May 9, 2025 breach to a developer it unknowingly hired who later proved to be an undercover DPRK IT worker. The attacker gained access to administrative keys and drained about $1.27 million through unauthorized transactions, prompting L…
Alyac reports a backdoor distributed with a valid certificate from a well-known Korean company, likely to reduce user suspicion and evade detection. The malware is an SCR executable disguised with a PDF-like icon and extracts a decoy PDF to the user's tem…
CYFIRMA profiles Group123 as a North Korean state-sponsored espionage group active since at least 2012 and tracked as APT37, Reaper, ScarCruft, and related aliases. The report describes targeting in South Korea, Japan, Vietnam, the Middle East, and other …
DTEX characterizes North Korea’s cyber program as a broad ecosystem combining espionage, system intrusions, cryptocurrency theft, fraud, and covert IT-worker activity rather than a set of neatly separated APT groups. The report says DPRK IT workers are em…
WIRED reports that DTEX and allied researchers exposed a large cluster of North Korean IT worker activity, including personas tracked as Naoki Murano and Jenson Collins. The workers allegedly operated from Laos before relocation to Russia, used false deve…
The report covers additional Contagious Interview activity in which North Korean threat actors expanded BeaverTail distribution beyond npm and GitHub to Bitbucket. Malicious npm packages were used to target software developers, sometimes through fake job-…
Strider describes North Korean IT workers using false or stolen identities to obtain freelance and remote developer roles at U.S. and other Western companies. The report links the activity to a state-directed revenue scheme that can expose employers to da…
Elliptic identifies Xinbi Guarantee as a Chinese-language Telegram marketplace that has processed at least $8.4 billion in USDT while selling money laundering services, stolen personal data, technology, and other services to fraud operators. The DPRK-rele…
In February 2025, TA406 began targeting government entities in Ukraine, delivering both credential harvesting and malware in its phishing campaigns. These credential harvesting campaigns took place prior to the attempted malware deployments and targeted s…