The write-up documents a developer recruitment scam presented as DPRK-linked activity under DEV#POPPER, Contagious Interview, and the XCTDH technique. A Discord persona posing as a hiring lead for a React developer role approached targets in developer and…
Logpresso's 2025 review links North Korea-related activity across Lazarus, Kimsuky, APT37, and Konni to a common pattern of user execution, staged loaders, scheduled or registry-based persistence, repeated C2 polling, data theft, and remote command execut…
Plainbit presents a research project on profiling attackers through structural data embedded in malicious Windows shortcut files rather than relying only on changeable IoCs. The work focuses on the recent rise of malicious LNK-based attacks, explains how …
CYFIRMA profiles Kimsuky as a North Korea-linked APT active since at least 2012 and aligned with strategic intelligence collection priorities associated with the Reconnaissance General Bureau. The group is described as targeting South Korean and U.S.-base…
AhnLab's December 2025 domestic APT trend report says spear phishing dominated observed attacks against South Korean targets, with LNK files accounting for the largest share that month. One LNK-based pattern executed malicious PowerShell from compressed a…
Security Alliance analyzes a malicious Bitbucket repository tied to the DPRK Contagious Interview campaign that targets developers through fake recruiting and partnership lures. The repository can execute malware when opened as a trusted VS Code workspace…
Red Asgard maps active Lazarus Group infrastructure discovered while vetting a cryptocurrency Upwork project containing Contagious Interview-style malware. The repository used VS Code auto-execution, a malicious npm dependency, and backend Function.constr…
Silent Push describes the DPRK remote worker program as an insider-risk and revenue-generation operation that uses stolen identities, remote hiring, and deceptive network paths to enter Western companies. The report separates long-term infiltrators, who m…
The FBI FLASH warns that North Korean Kimsuky actors used malicious QR codes in 2025 spearphishing against NGOs, think tanks, academia, government entities, and foreign policy experts focused on North Korea. The quishing emails impersonated foreign adviso…
Kudelski Security links mail-dump material, Hudson Rock stealer logs, and public research to DPRK fake IT worker infrastructure and internal coordination. The excerpt maps Russian public IP ranges, a Hong Kong proxy pivot, and a private 192.168.91.x netwo…
The excerpt alleges North Korean government and military involvement in scams targeting Americans, but it provides only a YouTube description and timestamps rather than a technical intrusion report. It says anonymous sources provided evidence and material…
Objective-See’s 2025 macOS malware review shows information stealers as the dominant new macOS malware class, with victims’ cookies, passwords, certificates, cryptocurrency wallets, SSH keys, and related sensitive data as primary collection targets. The e…