NICKEL ALLEY is described as a North Korean government-linked threat group focused on espionage and surveillance. The group targets technology-sector professionals by advertising fake job opportunities and moving victims through a fraudulent interview pro…
The U.S. Attorney's Office for the Southern District of Georgia said Alexander Paul Travis, Jason Salazar, and Audricus Phagnasay were sentenced after pleading guilty to a wire-fraud conspiracy that enabled overseas IT workers to use U.S. identities for r…
Cyble says Bitrefill attributed a March 1, 2026 intrusion to actors linked to Lazarus Group, citing malware similarities, reused IP addresses, email patterns, and blockchain tracing. The attackers allegedly entered through a compromised employee laptop, u…
A 1ns0mn1h4ck talk describes an operation that infiltrated a cell of North Korean IT workers seeking remote employment for the DPRK. The speakers say the cell targeted Latin American financial and cryptocurrency sectors and attribute the activity to Famou…
AhnLab observed February 2026 APT activity targeting South Korea, with spear phishing as the dominant delivery method and LNK files the most common attachment type. One LNK chain contacted an external URL through PowerShell, copied curl.exe under another …
Flare Research and IBM X-Force describe North Korean IT worker operations that use false personas, freelance platforms, and full-time remote roles to generate revenue for the DPRK state and sometimes enable espionage, theft, extortion, or cryptocurrency t…
Bitrefill says a March 1, 2026 intrusion showed similarities to past DPRK Lazarus/Bluenoroff attacks on cryptocurrency companies, citing modus operandi, malware, on-chain tracing, and reused IP and email addresses. Initial access came from a compromised e…
Breakglass analyzed two samples from a Hungarian incident as evidence that Lazarus Group operated as a Medusa ransomware-as-a-service affiliate rather than only deploying DPRK-built ransomware. The TSMSISrv.dll loader is attributed to Lazarus-linked trade…
SpiderLabs describes a North Korea-linked remote IT worker attempt in which an organization hired a suspected operative who was detected and terminated within ten days. Cybereason XDR first flagged anomalous Entra ID activity when the new hire logged in f…
IIJ analyzed malware delivered by an LNK file uploaded from Korea and found extensive overlap with a Kimsuky campaign previously reported by AhnLab ASEC. When opened, the LNK extracted XOR-decoded components into C:\PerfLog, deployed www.ps1 and 17.vbs, a…
kmsec.uk reports that Contagious Trader targets cryptocurrency users through malicious GitHub trading bot repositories and npm packages themed around Polymarket, Kalshi, Solana, Raydium, copy trading, and related market activity. The author attributes the…
ANY.RUN promoted an expert panel on 2026 enterprise security risks that included research into a real-world Lazarus Group infiltration case. The preserved source text frames the discussion around AI-driven phishing, modern attacks that blend into business…
NTT Security Japan analyzed StoatWaffle, a newly adopted Node.js malware used by WaterPlum, which the article describes as a North Korea-related group operating the Contagious Interview campaign. The attack uses a blockchain-themed decoy repository whose …
NTT Security Japan analyzed StoatWaffle, a newly observed Node.js malware used by WaterPlum Team 8 in the North Korea-linked Contagious Interview campaign. The attack uses a blockchain-themed malicious VSCode repository whose tasks.json runs on folder ope…
SectorA activity in February 2026 centered on fake recruitment lures against software developers in cryptocurrency, finance, and IT, using trusted platforms such as Vercel, npm, and PyPI to distribute malware. NSHC associated the activity with BeaverTail,…