North Korean operators are linked to Gaslight, a Rust-based macOS stealer and backdoor analyzed by SentinelOne and covered by Moonlock. The malware collects browser data, Terminal command histories, installed-application and process lists, system profile …
« Reports in 2026
414 reports
Attackers conducted a record 207 crypto hacks in H1 2026, but total losses fell to USD 972 million from USD 2.3 billion in H1 2025. TRM attributes about USD 643 million, or 66% of all stolen funds, to North Korea-linked activity, driven mainly by April at…
Socket reports that PolinRider, a supply-chain campaign linked to North Korean threat actors in the Contagious Interview / Famous Chollima cluster, has expanded beyond npm into Packagist, Go modules, and a Chrome extension. The research identifies 162 mal…
S2W TALON analyzes laundering infrastructure used in North Korea-linked cryptocurrency theft operations, citing Ronin Bridge, Horizon Bridge, Atomic Wallet, DMM Bitcoin, and Bybit as cases tied by public reporting to Lazarus, TraderTraitor, and related ac…
Kudelski Security tracked a DPRK-linked Contagious Interview operation in which actors posed as recruiters on LinkedIn, WhatsApp, Discord, and CodeMentor to pressure developers into running trojanized interview projects. A fake GitHub repository impersona…
JFrog identified a Lazarus-linked npm supply-chain campaign that hid malicious code in Rollup-themed lookalike packages and SVG utility second stages. The packages fetched a JSONKeeper payload, decrypted a remote stage from 216.126.236.244, and launched N…
Kimsuky-linked malware masqueraded as a Korea Institute for Military Affairs monthly military and security publication, using a document-like LNK file to start a staged infection chain. Hauri observed Dropbox and GitHub being abused to host and deliver VB…
Kimsuky used a Korean-language CHM lure about North Korean food-crisis and right-to-food material to launch hidden PowerShell, decode a VBScript bootstrap, and retrieve staged payloads from DynV6-hosted infrastructure. The retrieved VBScript profiled the …
AhnLab observed May 2026 South Korea-focused APT activity dominated by spear phishing, especially malicious LNK attachments and some CHM files. The attack chains used PowerShell, CMD, XML, JS, VBScript, BAT files, AutoIt, HTA, Python, and legitimate Windo…
AhnLab observed May 2026 domestic APT activity in South Korea dominated by spear-phishing delivery, especially malicious LNK files and some CHM-based attacks. The infection chains used PowerShell, curl, HTA, VBS, BAT, XML, JS, AutoIt, Python, DLL side-loa…
BBC Korea obtained computer recordings and internal messenger logs that show how North Korean IT workers are managed as part of an organized fake-employment operation rather than as isolated freelancers. The material and expert review describe layered rol…
OpenSourceMalware highlights Lazarus Group software supply chain techniques including malicious-version “sandwiching,” reuse of Aptos/Tron/BSC blockchain infrastructure for mutable C2, and embedded campaign-tracking strings in payloads. The episode cites …
IIJ-SECT observed a May 2026 Kimsuky-linked KimJongRAT campaign that redirected targets from emailed shortened links to malicious GitHub Releases ZIP files containing LNK payloads. The infection chain used mshta, obfuscated VBScript, Google Drive-hosted e…
Moonlock Lab identified a macOS cross-platform RAT masquerading as MicrosoftSystem64, with a JavaScript payload bundled inside a Mach-O binary through `__NODE_SEA_BLOB`. The malware provides full surveillance and remote-control capabilities, including ada…
North Korean APT activity in Q2 2026 combined cryptocurrency theft, supply-chain compromise, cloud-focused intrusions, and strategic espionage. Lazarus targeted cryptocurrency exchanges, DeFi platforms, software vendors, defense contractors, and technolog…