NSHC’s September 2025 threat actor intelligence notes SectorA activity centered on social engineering and malware against cryptocurrency, retail, national intelligence, and academic targets. The DPRK-relevant section describes BeaverTail and InvisibleFerr…
778 reports
Lab52 analyzed August 2025 Lazarus DreamJob artifacts and found a modular loader set it calls DreamLoaders, including a trojanized TightVNC client, Webservices.dll, radcui.dll, HideFirstLetter.dll, and TSVIPSrv.dll. The campaign aimed to get administrator…
Famous Chollima is described as merging BeaverTail and OtterCookie capabilities in Contagious Interview operations that lure job seekers into installing trojanized software. In the Sri Lanka incident, a user cloned a Bitbucket repository for a Web3 chess …
Trellix’s October 2025 CyberThreat Report describes a Q2–Q3 2025 threat landscape shaped by rising detections, advanced threats, AI-powered malware, supply-chain exploitation, and attacks on developed economies and critical infrastructure. The excerpt hig…
ESET attributes a new wave of Operation DreamJob activity to North Korea-aligned Lazarus with high confidence, citing fake job-offer social engineering, trojanized open-source projects, DLL side-loading, and the ScoringMathTea RAT. The observed intrusions…
The ISCTürkiye 2025 paper presents an Advanced Variational Autoencoder framework for classifying Ethereum wallets associated with Lazarus-linked activity. The model uses 116 behavioral indicators covering graph topology, temporal dynamics, transaction flo…
The archived thread reviews a DPRK-focused crypto report and argues that several incident attributions in the report were too broad or conflated. It says Swissborg/Kiln was not DPRK-linked, Zoth was not TraderTraitor, BTC Turk 2024 was not DPRK while BTC …
The Multilateral Sanctions Monitoring Team reports that DPRK cyber operations and fraudulent IT worker schemes remain connected to UN-designated entities, including the Reconnaissance General Bureau. The activity described includes cryptocurrency theft, c…
Researchers describe a likely targeted DPRK campaign that begins with a compiled AppleScript disguised as a .docx file named like an OTC collaboration proposal, suggesting a cryptocurrency-related lure. The initial script performs macOS checks for CPU, OS…
Lazarus Group used fake recruiter outreach on LinkedIn and other job platforms to lure developers into running malicious coding-assessment projects. The infection chain hid an obfuscated JavaScript loader and infostealer inside repositories copied from pu…
A DPRK-linked recruiter lure targeted Web3 developers through LinkedIn messages, a Notion assignment, and a public GitLab project that executed a multi-stage Node.js implant when cloned and run locally. The loader fetched attacker-controlled JavaScript fr…
Ransom-ISAC and Bridewell examined infrastructure from a suspected DPRK-linked cryptocurrency and data theft attempt that began with a weaponized private GitHub repository and used blockchain-based command-and-control. The intrusion involved a Python drop…
A fake LinkedIn recruiter persona for DLMind steered developers toward a private GitHub assessment, AI-Healthcare, whose startup path fetched a staged JavaScript payload from loopsoft[.]tech:6168/defy/v8. The BeaverTail-style chain is described as a cross…
AhnLab’s September 2025 APT roundup highlights multiple North Korea-linked operations against South Korean defense, cryptocurrency, retail, and North Korea-focused research communities. Kimsuky used spear-phishing with MSC files disguised as Word document…
Contagious Interview is described as a North Korea-aligned threat group active since 2023 that conducts cyberespionage and financially motivated operations, including cryptocurrency and credential theft. The group targets Windows, Linux, and macOS users, …