Ketman links multiple suspicious GitHub and Web3 freelance personas to DPRK IT worker activity on open source and pay-for-PR platforms, with OnlyDust payments observed for accounts including 0xExp-po, bestselection18, and aidenwong812/cryptogru812. The in…
778 reports
AhnLab's March 2025 APT trend report states that North Korean APT groups were especially active during the month, using email, community-board postings, malicious documents, fake job interviews, and ClickFix-style techniques. The report describes Kimsuky …
NSHC’s February 2025 intelligence report identified multiple SectorA activity clusters using recruiter impersonation, phishing, malicious documents, and shortcut-file malware in campaigns spanning South Korea, Japan, the United States, Europe, and other r…
South Korea's National Police Agency reported that emails sent in December 2024 impersonating the release of a Defense Counterintelligence Command martial-law document were determined to be North Korean activity. Investigators said the broader campaign se…
The Justice Department said Minh Phuong Ngoc Vong pleaded guilty to wire-fraud conspiracy for letting China-based conspirators use his identity, employment access, and employer-issued laptops to perform remote software-development work for U.S. companies.…
The source discusses cooperation patterns among state-backed intrusion groups and focuses on North Korean operators' use of Windows LNK shortcut malware for initial access. It highlights how LNK file structure, embedded environment artifacts, and repeated…
The FBI attributed the nearly $1.5 billion Bybit cryptocurrency theft to TraderTraitor, a North Korean hacking group also tracked as Jade Sleet, Slow Pisces, and UNC4899. The group is described as a Lazarus-linked, cryptocurrency-focused actor that target…
Slow Pisces, also known as Jade Sleet, TraderTraitor, or PUKCHONG, is described as a North Korean state-sponsored group targeting cryptocurrency developers through recruiter impersonation on LinkedIn. The campaign sent job descriptions and coding challeng…
The Medium analysis examines a Windows 64-bit sample named 875b0cbad25e04a255b13f86ba361b58453b6f3c5cc11aca2db573c656e64e24.exe that the author treats as potentially linked to Lazarus/APT38 based partly on sandbox labels and observed behavior. Static find…
AhnLab attributes Larva-24005 to activity associated with Kimsuky, describing intrusions against software, energy, and financial targets in South Korea and broader infrastructure spanning multiple countries. The report cites RDP exposure and BlueKeep CVE-…
Our analysis reveals that the #NorthKorean #Lazarus group is behind the attack, based on #blockchain analysis of behavioral patterns of the stolen funds. On March 21, 2025, @ZOTH protocol’s wallet was compromised and the attacker withdrew over $8.5 million in…
CyberBlade Security expands on Cisco Talos research into MoonPeak, a XenoRAT adaptation, by mapping infrastructure tied to Kimsuky and broader DPRK cyber activity. The excerpt describes shared hosting patterns, reused codebases, response-hash pivots, and …
Bitso’s Quetzal team describes a highly targeted North Korean Chollima/Lazarus social-engineering attempt against fintech and crypto personnel. A fake recruiter using the name “Wilton Santos” asked the researcher to patch a DApp repository, but the appare…