A Kimsuky-attributed LNK impersonates the United States Studies Centre and a Track 1.5 Australia-Korea-Japan dialogue on future-oriented cooperation. The shortcut locates PowerShell, finds a same-size LNK, extracts and opens an embedded PDF decoy, then XO…
778 reports
A GitHub contributor using the alias cool-develope contributed to Cosmos Core Stack repositories between summer 2022 and November 2024 while affiliated with a DPRK IT operation. The activity affected cosmos-sdk, iavl, and cosmos-db under a legacy third-pa…
A Konni-attributed campaign used a malicious LNK disguised as a Korean VAT payment notice form with an HWP-style filename and icon. The LNK runs obfuscated PowerShell, searches for the embedded shortcut by size, extracts XOR-encoded payload data, expands …
TRM Labs links eXch to laundering flows tied to Lazarus Group's February 2025 Bybit theft, in which North Korean state-linked actors stole about USD 1.5 billion in Ethereum. The exchange removed public-facing infrastructure around its announced shutdown b…
Kraken identified a North Korea-linked applicant during an engineering hiring process after the candidate joined calls under inconsistent names, appeared coached, and matched an email address shared by industry partners. Kraken's Red Team tied the applica…
Wired describes North Korea's remote IT worker scheme through cases involving startup hiring attempts and US-based laptop-farm facilitators. DPRK workers used false or stolen identities, noisy video interviews, VPNs, AI assistance, and salary-focused appl…
Elliptic reports that about USD 200 million of the USD 1.46 billion stolen from Bybit in February 2025 was routed through eXch, a no-KYC crypto exchange service. The source says eXch had already processed proceeds from other North Korean exploits and broa…
Nisos assessed DPRK IT worker tradecraft from 2022 through 2025, focusing on fabricated developer personas used for freelance and remote employment. The observed personas evolved from cartoon or stock images to AI-manipulated profile photos, portfolio web…
Broadcom described a multi-stage malware campaign potentially linked to the North Korean Konni APT group that targeted entities primarily in South Korea. The intrusion began with a ZIP archive containing a disguised LNK shortcut that launched obfuscated P…
Google Threat Intelligence Group counted 75 zero-day vulnerabilities exploited in the wild in 2024 and noted a continued shift toward enterprise-focused products, especially security and networking technologies. Within attributed exploitation, GTIG says N…
Censys' briefing page centers on BeaverTail malware and North Korea's covert IT worker program. The listed topics include BeaverTail theft of cryptocurrency wallets and credentials, new command and control infrastructure, attacker communications, npm supp…
S2W profiles Lazarus as a North Korean state-backed APT linked to the Reconnaissance General Bureau and active since around 2009 under aliases including BlueNoroff, Andariel, Hidden Cobra, ZINC, and Diamond Sleet. The excerpt says Lazarus targets global o…
SentinelOne says DPRK-affiliated IT workers have repeatedly tried to obtain remote jobs at the company, including roles tied to SentinelLabs intelligence engineering. Its team tracked about 360 fake personas and more than 1,000 applications linked to DPRK…
NSFOCUS' March 2025 APT briefing includes several DPRK-relevant observations within a broader monthly threat roundup. For East Asia, it notes Konni as one of the more active groups and describes APT37 using Korean military magazine-themed phishing files, …
The archived post ties BlockNovas and related Contagious Interview activity to Russian TransTelecom IP infrastructure previously highlighted in Trend Micro's reporting. The author says the relevant public IPs sit in ranges assigned to InvestStroyTrest, a …