Logpresso analyzed 1,045,645 infostealer telemetry records collected since 2024 against 1,879 known DPRK remote IT worker account patterns to study fraudulent remote employment operations. The research correlated email accounts, IP addresses, hardware IDs…
Google Cloud’s H1 2026 Threat Horizons report includes a DPRK-relevant case where North Korean actors used living-off-the-cloud techniques after social engineering created a personal-to-corporate access path. The actors bypassed traditional network perime…
OpenSourceMalware attributes the PolinRider campaign to DPRK activity and says the actor implanted obfuscated JavaScript payloads in 675 public GitHub repositories across 352 owners by March 8, 2026. The injected code was appended after legitimate content…
OpenSourceMalware reports that DPRK threat actors compromised four Neutralinojs GitHub organization repositories in a 132-second automated burst on March 2, 2026. The attacker used the alphagamer7 account to force-push backdated malicious commits, spoof m…
Microsoft Threat Intelligence reports that North Korean clusters including Jasper Sleet, Coral Sleet, Sapphire Sleet, and Emerald Sleet are using AI as an operational accelerator across reconnaissance, persona building, infrastructure setup, and social en…
A fake LinkedIn recruiter posing as a 0G Labs representative targeted a crypto/Web3 CEO with a technical assessment that required cloning a Bitbucket repository and opening it in VS Code or Cursor. The repository hid three independent execution paths: a V…
eSentire TRU observed DEV#POPPER on an Energy, Utilities, and Waste customer machine in February 2026 and attributes the activity with high confidence to a North Korean state-sponsored APT based on shared TTPs with related campaigns. The intrusion began w…
Quetzal Team analyzes a Famous Chollima campaign that targets cryptocurrency-themed job or training lures with ClickFix-style social engineering. The infection chain starts with a faux LinkedIn invite to a crypto training site, then a fake webcam driver i…
Cloudflare's 2026 threat report describes a shift toward high-trust exploitation, where adversaries favor stolen tokens, legitimate cloud services, SaaS integrations, and automation over bespoke exploits. The DPRK-relevant sections highlight North Korea's…
RUSI assesses the UK-Republic of Korea Strategic Cyber Partnership as a vehicle for improving joint cyber resilience, deterrence, information sharing, and technology cooperation. The paper recommends expanding government, academic, research, and commercia…
Moonlock Lab tracks a campaign targeting cryptocurrency and Web3 professionals through LinkedIn outreach, fabricated venture capital firms, and fake Zoom or Google Meet links. The attack flow uses recruiter or investor personas tied to fronts such as Soli…
Hudson Rock analyzes a suspected DPRK IT worker machine infected with LummaC2, using the stolen telemetry to expose an Indonesian proxy node tied to fake IT-worker and fraud activity. The investigation began with Funnull CDN credentials in the log, then f…
Ctrl-Alt-Intel observed suspected DPRK-linked intrusions against cryptocurrency organizations, including staking platforms, exchange software providers, and exchange cloud tenants. The activity combined React2Shell scanning and exploitation with separate …
Know Your Adversary describes APT37 activity tracked as Squid Werewolf using the RESTLEAF implant with abuse of Zoho WorkDrive, a legitimate cloud file-management and collaboration platform. The excerpt focuses on proactive hunting for communications to w…
Red Asgard examined an active Lazarus Group operator VPS tied to the Contagious Interview campaign, which targets cryptocurrency and Web3 developers through fake job interviews, fabricated company identities, and malicious repositories. The Windows Server…