Picus profiles Lazarus Group, also known as APT38 or Hidden Cobra, as a North Korea-linked threat group active since at least 2009 across espionage, sabotage, and financial theft operations. The overview ties the group to major activity including the Sony…
778 reports
South Korea’s National Intelligence Service reported unauthorized access to Onnara and related public-sector administrative systems after obtaining advance intelligence about compromises affecting government and private organizations. The attacker appears…
Microsoft frames the 2025 cyber defense landscape as a period of accelerating speed, scale, and sophistication driven by digital transformation and AI. The excerpt highlights hybrid ransomware and phishing, cybercrime-as-a-service, and the expanding role …
Google Threat Intelligence Group observed DPRK actor UNC5342 adopting EtherHiding in the Contagious Interview social engineering campaign to deliver malware and support cryptocurrency theft. The campaign targets developers, especially in cryptocurrency an…
Cisco Talos linked a new intrusion to Famous Chollima, a DPRK-aligned subgroup of Lazarus that uses fake hiring activity to compromise job seekers and steal credentials and cryptocurrency. A system in a Sri Lanka-headquartered organization was likely infe…
The provided markdown excerpt for Bluenoroff's Clues does not contain readable CTI analysis beyond the title and source URL. The body appears to be binary export data beginning with a ZIP-style PK header and embedded media/file content rather than extract…
NTT analyzed OtterCandy, a Node.js RAT and information stealer used by WaterPlum Cluster B, also described as the BlockNovas cluster, in ClickFake Interview activity linked in the source to North Korea. The cluster previously used shared WaterPlum tooling…
NTT analyzed OtterCandy, a Node.js RAT and information stealer used by WaterPlum Cluster B, commonly referred to as the BlockNovas cluster, in the ClickFake Interview campaign. The group is described as associated with North Korea and has used WaterPlum t…
AhnLab's September 2025 domestic APT monitoring found that spear phishing was the dominant intrusion method against South Korean targets, with LNK-based delivery accounting for the largest share of observed cases. One LNK cluster used embedded PowerShell …
A Korean malware analysis attributes a malicious shortcut file themed as an undeclared funding-source explanation notice to Kimsuky activity against South Korean users. The LNK launches obfuscated PowerShell that searches for a 35,265-byte shortcut, extra…
Logpresso attributes a September 2025 Lazarus campaign to malware disguised as Nvidia updates, arm64-fixer, and mac_camera.driver for Windows and macOS systems. Victims are prompted to install Node.js and run main.js, which contacts C2 infrastructure, dow…
CYFIRMA links the weakening of UN sanctions monitoring after the April 2024 termination of the DPRK Panel of Experts to continued North Korean cyber-enabled sanctions evasion. The report says North Korean actors stole about $1.34 billion across 47 cryptoc…
Socket tracks North Korea’s Contagious Interview operation as a weekly, wave-based abuse of npm, identifying more than 338 malicious packages with over 50,000 downloads and 25 still live at publication time. The campaign uses fake recruiter personas, Link…
KELA links a large North Korean remote-worker operation to fake identities used to obtain freelance and full-time roles across technology, cryptocurrency, transportation, critical infrastructure, architecture, and industrial design. The workers rely on st…
38 North examines how DPRK IT workers obtain remote jobs under fabricated or stolen identities to generate revenue and create insider-risk exposure for global employers. The report describes facilitators who supply false documents, procure laptops, run la…