ICIJ traced blockchain flows showing that major cryptocurrency exchanges continued receiving funds connected to organized crime, scam operations, and sanctioned or high-risk actors after prior compliance actions. The DPRK-relevant evidence says reporters …
Famous Chollima operators used stolen professional identities, fake resumes, and live AI face filters to impersonate software-engineering candidates during remote hiring. The campaign targeted crypto, Web3, finance, HR consulting, software publishers, and…
AhnLab’s October 2025 South Korea APT trend report says spear phishing remained the dominant initial-access method, with JSE-based attacks increasing and accounting for the largest share that month. The DPRK-relevant material includes LNK lures using Nort…
AhnLab’s October 2025 South Korea APT trend report shows spear phishing as the dominant observed intrusion type, with increased use of JSE files and multiple LNK-based delivery chains. The DPRK-relevant examples include lures about North Korean nuclear po…
Wav3 expands KVM-over-IP detection guidance for investigations involving DPRK and fraudulent IT workers while explicitly stating that the reviewed devices are not confirmed as DPRK-used. The article moves beyond USB artifacts to HDMI, display configuratio…
The Justice Department announced guilty pleas and forfeiture actions targeting DPRK revenue-generation schemes involving remote IT worker fraud and APT38 virtual currency theft. Facilitators in the United States and Ukraine allegedly helped overseas North…
StealthMole revisited identifiers associated with Park Jin Hyok and Lazarus/APT38 by correlating old disclosure data with dark-web, credential, wallet, domain, and IP intelligence. The investigation began with an OFAC-sanctioned Ronin Bridge exploit walle…
Oleksandr Didenko pleaded guilty to wire fraud conspiracy and aggravated identity theft for operating Upworksell.com, a service that sold or rented stolen and borrowed U.S. identities to overseas IT workers including North Koreans. The scheme enabled IT w…
Ransom-ISAC analyzed a cryptocurrency and data theft attempt delivered through a malicious private GitHub repository impersonating the legitimate node-react-e-commerce project. The repository used obfuscated JavaScript in tailwind.config.js and a multi-bl…
NVISO reports that DPRK-aligned Contagious Interview operators are abusing JSON Keeper, JSONsilo, npoint.io, GitLab, and GitHub to host and deliver malware through trojanized interview demo projects. The activity targets software developers across Windows…
The excerpt analyzes a PowerShell loader named shell.ps1 recovered from North Korean APT infrastructure and linked in the text to Kimsuky/APT43. The script uses multi-layer base64 encoding to dynamically compile C# with P/Invoke access to Windows APIs suc…
AhnLab's October 2025 APT trends report highlights North Korea-linked activity involving cryptocurrency theft, credential collection, reconnaissance, and remote-control operations. The DPRK-focused sections describe Famous Chollima campaigns against softw…
Quetzal describes a suspected North Korean applicant using the name Jesús Sebastián and claiming to be from Barranquilla, Colombia during an interview. The account showed signs of routed connectivity across Asia and Europe and remote access activity via A…
OFAC sanctioned eight individuals and two entities accused of helping North Korea raise and move funds through cybercrime, fraudulent IT labor, digital asset theft, and sanctions evasion. SlowMist highlights Ryujong Credit Bank and Korea Mangyongdae Compu…
The article walks through reversing a RokRAT loader sample used in a Malops challenge focused on APT37 activity. The analysis identifies the sample MD5, entry point, a single-byte XOR key of 0x29 used to decrypt embedded shellcode, and use of VirtualAlloc…