Microsoft takes court action against fourth nation-state cybercrime group
2019-12-30 • Microsoft
Microsoft described legal and technical action against Thallium, a North Korea-linked threat group that used a network of domains to support credential theft and malware operations. A U.S. court order enabled Microsoft to take control of 50 domains used by the group, disrupting active attack infrastructure. The report says Thallium targeted government employees, think tanks, university staff, human-rights and peace organizations, and nuclear proliferation specialists, mostly in the United States, Japan, and South Korea. The activity relied on spear phishing, account compromise, and malware such as BabyShark and KimJongRAT for persistence and data theft.