Flashpoint details DPRK remote IT worker operations in which North Korean operatives pose as freelance developers, IT staff, and contractors to gain trusted access inside organizations worldwide. The activity relies on long-lived fake personas, “parallel …
« Reports in 2025 »
779 reports
WOO X suffered a $14 million breach after a targeted phishing attack compromised a team member’s device and exposed access to the development environment. The attacker used that access to reach hot-wallet-related systems and coordinate withdrawals across …
TraderTraitor is presented as a North Korean financially motivated activity cluster focused on stealing cryptocurrency and other digital assets from blockchain and cloud-connected organizations. The excerpt ties the cluster to Lazarus Group, APT38, BlueNo…
InvisibleFerret is described as a Python-based backdoor used by Lazarus Group or Famous Chollima in Contagious Interview operations against developers, cryptocurrency workers, finance targets, and other technology professionals. The infection chain relies…
CSIS describes how North Korea uses third countries including China, Russia and Southeast Asian states to support cyber operations, cryptocurrency theft, sanctions evasion and intelligence collection. The report says DPRK operators route activity through …
A Korean analysis examines a suspected Kimsuky-linked Excel malware sample disguised as a bonus calculation spreadsheet. The workbook uses macros to read a download URL from Sheet1 cell A10001, escape command characters, and invoke curl through cmd.exe to…
Christina Marie Chapman was sentenced to 102 months in prison for helping North Korean IT workers obtain remote jobs at more than 300 U.S. companies, generating over $17 million for Chapman and the DPRK. The scheme used stolen, borrowed, and false U.S. id…
OFAC sanctioned Korea Sobaeksu Trading Company and Kim Se Un, Jo Kyong Hun, and Myong Chol Min for supporting DPRK sanctions evasion and revenue generation, including fraudulent IT worker activity. The release says Sobaeksu operates as a front company for…
The source maps suspected North Korean IT-worker GitHub accounts and aliases around the codezs17 cluster. It links Cryptogru, formerly aidenwong812 and alternatively Donald-romeo-1100, to initial commits, then describes codez17 replacing references to cry…
The FBI warns that North Korean IT workers continue targeting U.S. businesses to obtain fraudulent employment, access company networks, and generate revenue for the DPRK in violation of U.S. and U.N. sanctions. The activity relies on identity obfuscation …
ASEC identified RokRAT distribution through malicious Hangul Word Processor documents rather than the malware's more typical LNK-based delivery chain. A North Korea grain-store-themed lure embedded ShellRunas.exe and credui.dll as OLE objects, which the H…
WhoisXML API examined a BlueNoroff attack in which victims received a Calendly-themed meeting invite over Telegram that redirected them from an expected Google Meet flow to an actor-controlled fake Zoom domain. The infection chain triggered a malicious Ap…
Validin describes upgrades to its host-response history and artifact collection, then uses the Bybit heist attributed by the FBI to North Korea's Lazarus Group as TraderTraitor to demonstrate retrospective infrastructure hunting. By searching over eight m…
A Wall Street Journal excerpt says the FBI believes thousands of North Koreans have infiltrated American technology companies by using assumed U.S. identities to win remote jobs. The fragment frames the activity as a workforce fraud problem for U.S. firms…
Rekt attributes the CoinDCX incident to attackers who allegedly prepared the theft over several days, funding activity with 1 ETH from Tornado Cash before routing through FixedFloat, Polygon, deBridge and Solana. The article describes a July 18 drain of a…