SEAL attributed 164 blocked domains observed from February to April 2026 to DPRK-nexus UNC1069, also described as BlueNoroff, in campaigns targeting cryptocurrency and Web3 users. The actor conducts patient social engineering over Telegram, LinkedIn, and …
The Korean conference talk by a Zscaler APT researcher focuses on why North Korean cyber attribution is difficult and why analysts should not begin with a fixed actor assumption. The speaker warns that IP addresses, VPNs, reused infrastructure, planted fa…
The Korean KCTI presentation explains how analysts can use OSINT to move beyond lists of Gmail addresses associated with DPRK IT workers and infer who controls or actively uses them. The speaker describes classifying roughly 320 Gmail accounts from a larg…
eSentire reports that two malicious Axios npm versions, 1.14.1 and 0.30.4, were published through a compromised maintainer account and remained live for about three hours. The tampered packages added a malicious dependency that ran a postinstall payload, …
A suspected Kimsuky phishing operation used a Korean Army K-ICTC themed lure to target military, defense, diplomacy, and related research audiences. The victim-facing archive contained a convincing invitation PDF and a PDF-disguised LNK shortcut that down…
A cluster of malicious npm packages published between April 6 and April 9, 2026 delivered OtterCookie variants, described as a credential-theft and backdoor toolchain attributed to North Korean threat actors. The campaign used a two-layer supply-chain pat…
Socket identifies a new cluster in North Korea’s Contagious Interview operation that published malicious packages across npm, PyPI, Go Modules, crates.io, and Packagist. The packages impersonated developer tools while hiding loaders inside ordinary-lookin…
An investigation into the Mentonex GitHub organization found an active npm backdoor chain, fake developer personas, and facilitator-recruitment activity that the author says maps closely to documented DPRK tradecraft. The malicious chain used logkitx, log…
Jason Reaves links NodeJS stealer and backdoor infrastructure to activity resembling DPRK developer-targeting campaigns that use fake interviews or attacker-supplied code repositories. The excerpt shows an npm package, npm-doc-builder, executing a postins…
Zscaler ThreatLabZ frames North Korean cyber attribution as increasingly difficult because Lazarus and Kimsuky have evolved into umbrella structures with specialized sub-clusters, shared tooling, and overlapping infrastructure. The material traces Lazarus…
A compromise of the Axios npm package introduced malicious versions 1.14.1 and 0.30.4 that added a covert dependency and executed a postinstall payload when developers or CI/CD systems installed the package. The excerpt attributes the activity to UNC1069,…
Breakglass Intelligence found an exposed phishing backend at arnptec[.]com after investigating a Vercel-hosted Naver credential-harvesting page, curly-spoon-sigma[.]vercel[.]app. Directory listing revealed ten operator directories, nine campaign themes, r…
Drift describes an April 2026 compromise that followed months of relationship-building by personas posing as a quantitative trading firm seeking protocol integration. The attackers allegedly engaged Drift contributors at conferences, created a Telegram gr…
Resecurity describes a malicious npm supply-chain campaign in which plain-crypto-js was embedded as a dependency in compromised Axios versions and executed through npm's postinstall lifecycle hook. The Node.js dropper used layered obfuscation, including s…
A malicious npm account, gemini-check, published gemini-ai-checker as a fake Google Gemini token verifier and used related packages express-flowlimit and chai-extensions-extras that shared the same Vercel staging infrastructure. The package assembled a re…