HiSolutions linked a fall 2024 cryptocurrency theft against a software developer environment to the North Korea linked Contagious Interview campaign. Initial access chained a malicious BeaverTail loader from a private GitHub repository through api.npoint.…
2025: 778 reports
The article describes THORChain as a major laundering venue after the February 2025 Bybit theft, with nearly $1.2 billion in stolen funds allegedly routed through the protocol. It ties the activity to TraderTraitor, a DPRK APT associated with the Bybit h…
Okta Threat Intelligence found that DPRK IT worker facilitators use generative AI services throughout remote job fraud operations. The observed services help manage many personas and communications accounts, translate and summarize messages, generate or c…
Silent Push attributes a Contagious Interview campaign to DPRK aligned operators using three fake cryptocurrency consulting companies: BlockNovas, Angeloper Agency and SoftGlide. The campaign uses job interview lures, GitHub and freelancer or recruitment …
Lazarus targeted at least six South Korean organizations in software, IT, finance, semiconductor manufacturing, and telecommunications through Operation SyncHole, combining watering-hole delivery with exploitation of South Korea-specific security software…
Google's M-Trends 2025 is a broad incident-response trends report, but its DPRK-relevant sections flag North Korean citizens working as remote IT contractors under false identities to generate revenue for national interests. The report also notes increase…
The Korean analysis attributes a proposal-themed LNK sample to North Korea's Konni group and provides MD5, SHA-1, and SHA-256 hashes for the malware. The shortcut launches cmd.exe to find PowerShell, locate a specially sized .lnk carrier, XOR-decode embed…
The excerpt outlines a hunting method for identifying suspected North Korean IT worker accounts on GitHub by pivoting from an Upwork-account marketplace post to a Telegram handle and then to an active GitHub profile. The example centers on the handle athe…
Huntabil.IT describes an April 2025 incident response case that exposed a likely North Korea directed campaign against Web3 and crypto organizations. The operators impersonated a trusted Telegram contact, pushed the target through Calendly to a fake Zoom …
Trend Micro links Void Dokkaebi, also tracked as Famous Chollima, to North Korea aligned cybercrime activity routed through Russian IP ranges assigned around Khasan and Khabarovsk. The infrastructure is hidden behind VPN, proxy, VPS and RDP layers and is …
Unit 42's ransomware trend report highlights North Korean participation in ransomware ecosystems as one of several changes in early 2025 extortion activity. It says Jumpy Pisces, a North Korean state-sponsored group associated with the Korean People's Arm…
This report provides a comparative analysis of ransomware use by groups linked to four states: Russia, China, North Korea, and Iran. The evolution of North Korean activity reflects a focus on strategic and tactical financial gain. Iranian actor…
ASEC reports malicious LNK files distributed to Korean users under notice-themed names such as local tax bill and sex-offender information PDFs. Execution downloads and runs an HTA from attacker infrastructure, which contains a ZIP archive and bait PDF; t…
AhnLab reports that Kimsuky has continued distributing PebbleDash, a backdoor previously associated with Lazarus/Hidden Cobra, against individual targets through spear-phishing emails carrying disguised LNK shortcut files. The infection chain uses the LNK…
A suspicious ZIP archive delivered a Korean-named LNK file disguised as a PDF proposal, and the source assesses its TTPs as similar to prior operations linked to DPRK's Konni group. The infection chain uses a double-extension LNK with a PDF icon to run ob…