CrowdStrike reassesses LABYRINTH CHOLLIMA as having evolved into three specialized DPRK-nexus adversaries: GOLDEN CHOLLIMA, PRESSURE CHOLLIMA, and a narrower core LABYRINTH CHOLLIMA espionage group. GOLDEN CHOLLIMA focuses on sustained cryptocurrency and …
OpenSourceMalware identified a Lazarus Group variation of the Contagious Interview campaign that targets software engineers through fake recruiter outreach and GitHub coding assessments. The attack abuses VS Code task automation with runOn: folderOpen to …
TRM estimates that illicit cryptocurrency wallets received USD 158 billion in 2025, a 145% increase from 2024 and the highest level observed in five years, even as illicit activity fell slightly as a share of total attributed on-chain volume. The largest …
A Ricochet Chollima adversary simulation recreates Operation ToyBox Story, a March 2025 spear-phishing campaign against activists focused on North Korea. The lure impersonated a South Korea-based North Korea expert and used a Hangul-themed message about N…
The Medium post presents an adversary simulation of Silent Chollima activity based on details attributed to Volexity reporting. The simulated campaign targets organizations and users in North America, Asia, and Europe through spear-phishing emails that em…
Public reconnaissance of North Korean mail infrastructure found reachable Postfix SMTP services for star-co.net.kp and silibank.net.kp on typical mail ports. The Star-CO servers presented a self-managed certificate issued by a North Korean StarJV Certific…
OpenSourceMalware reported an ongoing campaign in which at least 21 small open-source maintainers had repositories modified with malicious .vscode/tasks.json files over 72 hours. The actor is listed as unknown, but the task files are described as closely …
A freelance code-review lure on LinkedIn led to a trojanized GitLab real-estate application that hid malware inside an otherwise functional React, Express, MongoDB, and SendGrid project. The infection chain abused npm lifecycle behavior by making `postins…
Red Asgard links a new Contagious Interview sample to Lazarus Group and reports a shift from Pastebin dead drops to Polygon NFT contracts used as a blockchain-based dead drop resolver. The campaign impersonated the real cryptocurrency betting company Betf…
LAC analyzed a Konni campaign linked to North Korean activity in which Japanese financial institutions were targeted through spear-phishing and malicious archive delivery. The intrusion chain used email links to WordPress-hosted ZIP files, malicious LNK e…
Konni, described as a North Korea-related APT actor active since at least 2014, used a May 2025 spear-phishing campaign against organizations associated with Japanese financial interests to deploy a new AutoIt-based RAT named GSRAT. The infection chain us…
Check Point Research associates an ongoing phishing campaign with KONNI, a North Korean-linked actor historically focused on South Korea but now observed targeting software developers and engineering teams with blockchain and crypto-themed lures. The infe…
WithSecure attributed a breach of a European public/legal-sector customer to Andariel with high confidence, citing TigerRAT use, command-execution patterns, infrastructure links, and overlaps with prior Andariel activity. The intrusion appeared focused on…
IIJ observed a malicious LNK file likely used against Korean users that executed MoonPeak, a XenoRAT variant attributed in the source to DPRK-linked activity. The lure opened a Korean investment-themed decoy PDF while hidden PowerShell checked for analysi…
A suspicious developer coding test used VS Code task definitions to pipe OS-specific commands from Vercel-hosted endpoints into shell or cmd, creating a likely script-execution risk for job applicants. Repository history showed several infrastructure vari…