A Node.js stage-one dropper attributed in the excerpt to Lazarus Group's TraderTraitor sub-cluster uses Solana transaction memos as a dead-drop resolver for rotating C2 infrastructure. The malware queries a specific Solana wallet through the public mainne…
387 reports
Nisos identified a suspected DPRK IT worker applying for a remote Lead AI Architect role by combining pre-employment OSINT with targeted interview questions. The applicant allegedly used stolen personally identifiable information, a newly created Gmail ac…
Genians Security Center analyzed a Konni APT campaign that used North Korea-themed spear-phishing to gain initial access. The lure impersonated a notice appointing the recipient as a North Korean human-rights lecturer and delivered an archive containing a…
Genians Security Center links the activity to the Konni APT group and describes a spear-phishing campaign that used a North Korean human-rights lecturer appointment lure to gain initial access. Victims were induced to run a malicious LNK file that launche…
KMSEC found two npm packages published by jaime9008 distributing an obfuscated loader for PylangGhost, a RAT the excerpt says Cisco Talos attributed to FAMOUS CHOLLIMA. Malicious versions of react-refresh-update and @jaime9008/math-service used runtime.js…
Kimsuky is reported deploying a five-stage GrimResource loader that begins with a Microsoft Management Console .msc file and ends with roughly 1MB of x86 shellcode executed in memory. The plugin.msc sample embeds an XSL Transform payload in the MMC XML St…
Two samples submitted by the same Hungarian incident responder are presented as linking Lazarus Group to Medusa ransomware activity: gaze.exe, a Medusa encryptor, and TSMSISrv.dll, a Lazarus-detected DLL sideloading loader. The ransomware's XOR-decoded co…
Chainalysis reported that OFAC sanctioned six individuals and two entities tied to DPRK IT worker fraud schemes that generated nearly $800 million in 2024 for North Korea’s weapons programs. The schemes used fraudulent documents, stolen identities, and fa…
OFAC sanctioned six individuals and two entities involved in DPRK government-orchestrated IT worker schemes that defrauded U.S. businesses and generated revenue for North Korea’s WMD programs, including nearly $800 million in 2024. The workers used fraudu…
Microsoft observed Contagious Interview using fake developer recruitment workflows to compromise software developers at enterprise solution providers and media and communications firms. The campaign persuaded victims to clone or execute malicious npm pack…
AhnLab’s February 2026 APT trends report highlighted North Korea-linked activity involving Lazarus, BlueNoroff, UNC1069, and TA-RedAnt/APT37 alongside other global APT operations. The Lazarus section said the group used Medusa ransomware against U.S. heal…
Cyble profiles WageMole as a North Korean state-sponsored group that gains access to Western organizations by placing operatives into remote jobs under fabricated identities. The activity is tied to Operation Contagious Interview, where stolen personal da…
An email sent from a North Korean @star-co.net.kp address exposed how DPRK software developers market domestically built products to overseas commercial partners, distinct from the better-known fraudulent IT worker hiring schemes. The headers showed origi…
SerapHim analyzes the StegaBin wave of the Contagious Interview supply-chain campaign, attributing it to Famous Chollima under the Lazarus Group umbrella with high confidence. The wave used 26 typosquatted npm packages across separate accounts to target s…
Abstract Security tracks continued Contagious Interview abuse of VS Code and Cursor automated tasks to deploy WeaselStore malware, including the Windows PylangGhost and macOS GolangGhost variants. The Windows chain uses a PowerShell script posing as an NV…