Okta Threat Intelligence examines DPRK IT-worker fraud through two tracked personas drawn from a larger dataset of more than 130 actors and 6,500 interviews across 500 companies. The examples show actors using free webmail accounts, job and coding platfor…
2026
387 reports
Google Threat Intelligence describes a cryptocurrency-sector intrusion attributed to UNC1069, a financially motivated actor suspected with high confidence to have a North Korea nexus. The operation began through a compromised Telegram account, a Calendly …
CrowdStrike’s tracking separates Labyrinth Chollima activity into core Labyrinth Chollima for espionage and the Golden Chollima and Pressure Chollima clusters for cryptocurrency theft, with shared origins in Kordll, Hawup, and related tooling. Golden Chol…
ScarCruft is reported shifting recent ROKRAT delivery from its earlier LNK-based chain to Hangul HWP documents carrying OLE-embedded droppers, loaders, or downloaders. The cases described use DLL side-loading, hardcoded payload retrieval, steganographic s…
APT-C-28, also tracked as ScarCruft or Konni, is reported targeting cryptocurrency and Web3 job or investment contexts with spear-phishing ZIP archives containing LNK files disguised as PDFs. The LNK launches obfuscated CMD, PowerShell, and dynamically co…
NSHC observed SectorA activity targeting developers, financial institutions, government agencies, and human rights organizations through compromised repositories, spear phishing, malicious LNK files, and social-engineering lures impersonating recruiters o…
Step Finance lost roughly 261,854 to 261,932 SOL after compromised executive devices enabled an attacker to transfer stake authorization and withdraw treasury funds. The article frames the incident as likely social engineering or phishing-driven key compr…
Unit 42 reports that North Korean actors continued Contagious Interview activity into December 2025, using fake recruiter personas against people seeking crypto and technology jobs. The campaign lures targets to attacker-created GitHub repositories during…
The analyzed Kimsuky-linked JSE file acts as a multi-stage Windows script dropper that embeds a twice-base64-decoded PE executable and writes it to disk for execution. The script abuses Windows Script Host components including FileSystemObject, ADODB Stre…
S2W reports that ScarCruft is using a newer HWP OLE-based delivery chain to distribute ROKRAT, moving beyond earlier LNK, BAT, and shellcode-heavy infection paths. The observed cases use malicious DLLs such as mpr.dll, credui.dll, and version.dll, likely …
Red Asgard's follow-up investigation into the Contagious Interview campaign found that the suspected C2 infrastructure was operational rather than a honeypot, exposing 241,764 stolen credentials from 857 victims across 90 countries. The victim set centere…
Step Finance’s January 2026 treasury breach drained roughly $27 million after attackers obtained wallet-level control over treasury and fee accounts. The attack sequence involved transferring Solana stake authorization, unstaking about 261,854 SOL, withdr…
Red Asgard’s Contagious Interview follow-up identifies OtterCookie as a second malware family operating alongside BeaverTail/InvisibleFerret in the same campaign infrastructure. The payload from tetrismic.vercel.app used C2 172.86.105.40:5918 and supporte…
The 2025 global APT review describes a broader rise in state-sponsored cyber activity across government, defense, technology, finance, education, and research targets. Its DPRK-relevant sections cite APT-C-26, identified as Lazarus, in fake interview oper…
Daylight Security investigated a macOS intrusion attributed in the source to BlueNoroff, a financially motivated subgroup of North Korea’s Lazarus Group, and aligned it with the GhostCall campaign pattern. The attacker began with a Telegram business-prosp…