Microsoft attributes a macOS intrusion chain to Sapphire Sleet, a North Korean state actor focused on cryptocurrency, finance, venture capital, and blockchain targets. The campaign uses recruiter-style social engineering to make victims run a fake “Zoom S…
A malicious npm package named js-logger-pack evolved from harmless probes into a full multi-platform infostealer and later a HuggingFace-hosted binary dropper. Weaponized versions installed a Linux SSH backdoor, exfiltrated Telegram Desktop sessions, stol…
The Justice Department said Kejia Wang and Zhenxing Wang were sentenced for helping North Korean remote IT workers pose as U.S. residents and obtain jobs at more than 100 U.S. companies. The scheme used stolen identities of at least 80 U.S. persons, shell…
The thread explains why the author assessed the “Taro Aikuchi” applicant as a suspected DPRK fraudulent IT worker rather than a legitimate Japanese candidate. Evidence included fresh and inconsistent online identities, two-word-plus-number Gmail and Teleg…
Zerion says a team member’s device was compromised in an AI-enabled social engineering attack linked to a DPRK threat actor. The attacker gained access to logged-in sessions, credentials, and private keys for internal company hot wallets, leading to about…
Kimsuky is reported to have evolved its malicious LNK delivery by disguising shortcut files as HWP documents and adding XML, VBS, PowerShell, BAT, ZIP, and Python stages before final malware execution. Recent samples create a hidden C:\windirr directory, …
Cisco Talos reports that North Korean cyber operations in 2025 relied heavily on social engineering and insider access for both financial theft and espionage. The North Korea section highlights Contagious Interview activity by Famous Chollima, where fake …
Validin links UNC1069, overlapping with Bluenoroff, to fake meeting operations against cryptocurrency and Web3 professionals for financially motivated theft. Operators use fraudulent venture-capital personas, LinkedIn and Telegram outreach, Calendly-style…
Drift Protocol lost about $285 million after an attacker used pre-signed Solana durable-nonce transactions to take over a 2-of-5 Squads V4 multisig with no timelock. The attacker gained admin control, created fake CVT spot markets with manipulated oracles…
Bitso describes renewed Famous Chollima activity against crypto and financial organizations, including a suspicious job applicant encounter and a macOS malware kit the researchers call Mach-O Man. The infection chain starts with hijacked Telegram accounts…
Open Source Malware reports that the DPRK-linked PolinRider supply-chain campaign expanded from 675 to 1,951 confirmed compromised GitHub repositories across 1,047 owners in five weeks. The campaign injects obfuscated JavaScript into developer configurati…
APT37 used Facebook accounts presenting locations in Pyongyang and Pyongsong to identify targets, build trust through friend requests and Messenger conversations, and move victims toward Telegram delivery. The lure claimed encrypted military-weapons PDF d…
Four public GitHub repositories contained the same obfuscated stage-0 JavaScript loader appended after otherwise legitimate framework or build-tool configuration exports. The loader family is aligned with publicly reported XCTDH and DEV#POPPER activity, w…
Breakglass analyzed a live Kimsuky C2 tied to a CHM-based intrusion chain after a MalwareBazaar submission exposed check.nid-log[.]com serving multiple payload stages. The chain uses hh.exe, PowerShell, certutil, and wscript to decode and execute VBScript…