Qi An Xin reports suspected Kimsuky, tracked internally as APT-Q-2, targeting Korean organizations in sectors including defense, education, energy, government, healthcare, and think tanks. The observed malware set includes a Go dropper, DLL backdoors, and…
Zoth's April 2025 incident report says attackers used social engineering against a service provider to gain access to the Zoth deployer wallet and perform an unauthorized contract upgrade against the ZeUSD platform. The malicious upgrade used upgradeToAnd…
A Konni-linked Windows shortcut sample named ECRM.M.M.hwp.lnk uses mshta.exe to build and run an obfuscated PowerShell command. The script searches for an LNK file of exactly 0x17cb bytes, falls back to the user's TEMP subdirectories if needed, skips the …
A developer analyzed a crypto job scam in which an impersonated recruiter pushed a technical assessment that required downloading and running a code repository. Review of the dependencies found a suspicious Go package, github.com/TedCollin/uniroute/v2, co…
Veracode describes a renewed North Korean npm malware campaign that targets developers with malicious packages disguised as logging, validation, React, or utility libraries. The packages appear designed for social-engineering workflows in which a target r…
Fortune reports that North Korean IT workers have obtained jobs at major companies by posing as US or other Western developers with stolen or fake identities. The article cites estimates that the scheme has generated hundreds of millions of dollars annual…
Springtail, also identified as Kimsuky, targeted South Korean government entities with government-themed malspam using topics such as tax matters and policy around sex offenders. The campaign delivered malicious LNK attachments that downloaded and execute…
Ketman follows up on Nisos reporting about North Korean IT worker GitHub accounts and identifies additional connected personas with unusual Russian military imagery. Two linked accounts used Kinzhal hypersonic-missile related avatars traced to Russian for…
Rekt News describes the alleged exposure of the Nick Franklin persona as part of a North Korea-linked social-engineering network targeting Web3 security researchers and protocols. The article says Anton Bukev's warning about a malicious macOS app led inve…
Socket identifies 11 additional malicious npm packages tied to North Korea’s Contagious Interview operation and Lazarus-linked infrastructure, expanding earlier BeaverTail activity with new RAT loader behavior. The packages impersonated developer utilitie…
Seqrite Labs links two South Korea-focused campaigns to Kimsuky, also known as Black Banshee, using government-themed PDF/LNK lures sent by email to government entities, local offices, and residential recipients. The infection chain begins with a maliciou…
SpyCloud used infostealer malware logs and identity matching to investigate fraudulent DPRK remote IT worker activity, estimating that roughly 10% of Fortune 500 companies have interacted with or potentially hired such workers. The schemes involve North K…
Rewterz summarizes active indicators tied to the North Korea-linked Konni APT, a cyber-espionage group active since at least 2014. The source describes Konni RAT delivery through phishing messages or emails, with weaponized files leading to implants that …
AhnLab links a recruitment-themed phishing case to BeaverTail malware and a car.dll downloader shared through a Bitbucket project. The files included tailwind.config.js as BeaverTail and downloader DLLs such as car.dll and img_layer_generate.dll, with Kor…
AhnLab analyzes a recruitment-themed phishing case distributing BeaverTail and Tropidoor-related malware through project files shared as a Bitbucket link. The archive describes a JavaScript BeaverTail component, downloader DLLs such as car.dll, and behavi…