PolySwarm describes a targeted intrusion against a cryptocurrency-sector FinTech entity attributed to UNC1069, a financially motivated threat actor assessed to have a North Korea nexus. The operation began with social engineering through a compromised Tel…
The episode page highlights a discussion of GitLab's research into North Korea's Contagious Interview operation and fake IT-worker activity. The DPRK-related segment centers on malware tradecraft, developer targeting, MetaMask wallet tampering, and the bu…
AhnLab's January 2026 domestic APT trends report says spear phishing dominated observed attacks against Korean targets, with LNK files representing the largest share of activity. One LNK chain runs PowerShell to reach external URLs, copies curl.exe under …
GitLab reports that North Korean nation-state actors used GitLab.com in 2025 for Contagious Interview malware distribution and related fake IT-worker operations. The activity targeted software developers, especially in cryptocurrency, finance, real estate…
The U.S. Attorney's Office reported that Oleksandr Didenko was sentenced to 60 months for helping North Korean IT workers obtain fraudulent remote employment using stolen U.S. identities. Court documents say Didenko operated Upworksell.com, managed as man…
KMSEC documents two accidental operational-security exposures linked to FAMOUS CHOLLIMA npm activity. Several malicious packages published between July and September 2025 included an `ordinary.txt` JavaScript source file that appears to have been a refere…
Recent Contagious Interview activity attributed in the source to North Korean threat actors targets cryptocurrency, Web3, and AI professionals through fake technical assessments and trojanized NPM packages. The updated first-stage JavaScript has been redu…
A FAMOUS CHOLLIMA operator accidentally included a Windows LNK file in multiple malicious npm packages published between May and June 2025. The shortcut metadata points to a VMware-based development setup with a shared host path under \\vmware-host\Shared…
Google Threat Intelligence Group observed government-backed actors, including DPRK-linked threat actors, using large language models in late 2025 to support technical research, targeting, reconnaissance, and phishing-lure development. The report says thes…
The article links DPRK hiring-market abuse to Contagious Interview activity aimed at job seekers, developers, and IT workers affected by layoffs and economic pressure. It describes fake interview assessments and malicious Visual Studio Code workspaces whe…
AhnLab’s January 2026 APT trend report highlights several DPRK-linked activities affecting developer, Web3, public-sector, activist, and supply-chain targets. Lazarus is reported to have replaced blocked Pastebin infrastructure with Polygon NFT contracts …
Group-IB’s 2026 trends material frames supply-chain compromise as a dominant cybercrime pattern in which attackers abuse trusted vendors, SaaS platforms, open-source projects, managed service providers, and identity integrations. In the threat-actor secti…
Rekt describes DPRK fake IT-worker and recruiter operations that weaponize both sides of the employment pipeline against Western companies, crypto firms, and job seekers. In the insider-worker scheme, North Korean operatives use stolen identities, fabrica…
Bybit lost more than $1.5 billion after attackers deceived multisig signers into approving a malicious change to the exchange’s ETH cold wallet logic. QuillAudits says the attack relied on social engineering and likely malware on signer devices, with a fa…
ReversingLabs identifies graphalgo, a Lazarus Group fake-recruiter campaign active from May 2025 that targets JavaScript and Python developers with cryptocurrency-themed interview tasks. The operators used social platforms, Reddit and Facebook job posts, …