The video examines a newly observed DPRK Contagious Interview lure targeting job seekers, primarily in the cryptocurrency sector. The lure uses a related Swift application and leads victims to download a ZIP archive containing a Golang backdoor. The autho…
A DPRK Contagious Interview macOS lure used an “Algorand Hiring Assessment” theme to push a ClickFix-style prompt that told victims to update FFmpeg macOS drivers. The prompt led to execution of a script from /var/tmp that selected an ARM or Intel release…
ENKI attributes an active KimJongRAT-related campaign to Kimsuky, with phishing emails impersonating South Korean public institutions such as the Ministry of Gender Equality and Family and the National Tax Service. The infection chain uses PHPMailer-deliv…
ENKI describes Kimsuky activity around KimJongRAT variants using phishing emails that impersonate South Korean public institutions, including the Ministry of Gender Equality and Family and the National Tax Service. The attack chain uses PHPMailer-delivere…
JFrog found a two-part npm cryptocurrency stealer that paired a benign-looking Ethereum address validation package with a malicious transitive dependency. The visible package exported ordinary address-checking functions, but dynamically imported aes-core-…
The excerpt attributes EPOINT-AES to North Korean state-sponsored activity and describes a multi-stage Windows malware framework recovered from compromised systems. Its attack chain starts with a DLL executed through rundll32, decrypts AES-protected shell…
Validin tracks a DPRK-linked Contagious Interview variant that uses a polished fake hiring platform at lenvny[.]com to target job seekers, including software developers, AI researchers, cryptocurrency professionals, and other technical candidates. The ope…
The Chinese-language article summarizes claims that Kimsuky and Lazarus operate with complementary roles, with Kimsuky focused on intelligence collection and Lazarus focused on cryptocurrency theft. It describes a reported Korean blockchain-company compro…
Orange Cyberdefense investigated an August 2025 intrusion against an Asian subsidiary of a large European manufacturing organization and assessed that it aligned with Operation DreamJob and UNC2970 with medium confidence. Initial access used a targeted Wh…
North Korean IT workers are described as a covert extension of state-sponsored cyber operations, posing as freelance developers and contractors inside legitimate companies. The excerpt says they are often paid in cryptocurrency and generate revenue for No…
Gen researchers identified a possible operational overlap between Russia-aligned Gamaredon and North Korea's Lazarus through shared use of IP address 144.172.112.106. The server was first blocked as part of Gamaredon command-and-control tracking and, four…
BSides Pyongyang 2025 features multiple talks centered on DPRK cyber activity, including cryptocurrency theft, laundering, IT worker schemes, counterintelligence, and malware analysis. The excerpt describes North Korea as a prolific cryptocurrency threat …
Chollima Group uses the MSMT sanctions report to reframe its prior research on DPRK IT worker networks, especially activity tied to Tanzania, Guinea, Nigeria, and other African locations. The article links the Tanzania-based Bells Inter Trading cluster an…
ScoringMathTea is analyzed as a C++ RAT attributed in the text to Lazarus and tied to ESET’s Gotta Fly instance of Operation DreamJob targeting UAV-related know-how from companies supporting Ukraine. The sample is a DLL that starts from DllMain, creates a…