Minh Phuong Ngoc Vong was sentenced for helping foreign IT workers pose as U.S. citizens and obtain remote software-development jobs at more than a dozen U.S. companies. Court documents say Vong allowed a conspirator known as John Doe, based in Shenyang, …
2025
778 reports
ANY.RUN, BCA LTD, and NorthScan documented a Famous Chollima operation attributed to Lazarus that sought to place North Korean remote IT workers into American financial and crypto/Web3 companies. The operators relied on social engineering rather than adva…
A macOS campaign described as consistent with DPRK recruitment and crypto-targeting activity used a fake “Microsoft Teams Update” AppleScript loader named Microsoft Teams Update.scpt. The script was branded as a Microsoft Teams Live SDK update and opened …
Trusted security software in South Korea evolved from mandatory ActiveX controls for banking and e-government into non-ActiveX plugins and centralized management systems. The excerpt links this trusted endpoint ecosystem to repeated abuse, including Dark …
NSHC's November 2025 threat actor intelligence report summarizes activity from 82 observed groups between 21 October and 20 November 2025, with SectorA among the most active tracked clusters. The SectorA section describes targeting of technology, defense,…
Hudson Rock analyzed a LummaC2 infostealer log from a machine it identifies as the malware development rig of a high-level North Korean threat actor. The stolen credentials included [email protected], which Silent Push linked to registration of bybit-ass…
BlueNorroff's GhostCall operation targeted technology executives and venture capitalists on macOS by using Telegram-style investment lures and fake Zoom meetings that pushed victims to run a malicious update script. The script downloaded a ZIP payload and…
OpenSourceMalware reports a Contagious Interview campaign, linked in the text to North Korean (DPRK) activity, that targets software engineers through recruiter and freelance-work lures, including victims connected to cryptocurrency work. Instead of the more …
The researcher attributes DredSoftLabs to WageMole, a DPRK state-sponsored remote-employment operation that uses fake identities, social engineering, job platforms, and stolen personal data to pursue Western remote work. A GitHub search pivot on an encode…
ESRC observed KimJongRAT, a RAT associated in the source with the Kimsuky threat cluster, being distributed through phishing email carrying a tax-notice-themed ZIP file. The archive contains an LNK disguised as a PDF; when opened, it decodes a Base64 URL,…
Socket tracks North Korea’s Contagious Interview operation expanding its npm supply-chain activity with at least 197 additional malicious packages and more than 31,000 downloads, targeting blockchain and Web3 developers through fake interviews and test as…
Jamf Threat Labs analyzes a recent FlexibleFerret macOS variant attributed to DPRK-aligned operators and tied to Contagious Interview fake recruitment lures. Victims are led through fake hiring assessment sites such as evaluza[.]com and proficiencycert[.]…
NSHC ThreatRecon analyzes SectorA01, identified as Lazarus, using malware disguised as cryptocurrency transaction software in activity observed in May 2025. The lure abuses Deriv branding to persuade cryptocurrency-related targets to install a fake Window…
MSMT’s findings, summarized by SlowMist, state that the DPRK used cyber operations, cryptocurrency theft, overseas IT workers, front companies, and intermediaries to evade UN sanctions and raise funds for weapons programs. The excerpt says DPRK-linked cry…
Bitdefender identifies a sudden ransomware spike in South Korea, where Qilin claimed 25 victims in one month and concentrated almost entirely on financial services, especially asset management firms. The Korean Leaks campaign involved 33 total victims, 28…