SlowMist’s mid-year 2026 blockchain security and AML report names Lazarus Group as a North Korean state-sponsored actor that remained active in cryptocurrency attacks. The DPRK-focused section says Lazarus used supply chain compromise, social engineering,…
« Reports in 2026
416 reports
Financial Security Institute's DeepChain report analyzes cross-chain digital-asset security through Lazarus-linked bridge incidents and laundering patterns. It says North Korean Lazarus-linked or suspected activity accounts for about 63% of reviewed cross…
North Korean operators are linked to Gaslight, a Rust-based macOS stealer and backdoor analyzed by SentinelOne and covered by Moonlock. The malware collects browser data, Terminal command histories, installed-application and process lists, system profile …
Attackers conducted a record 207 crypto hacks in H1 2026, but total losses fell to USD 972 million from USD 2.3 billion in H1 2025. TRM attributes about USD 643 million, or 66% of all stolen funds, to North Korea-linked activity, driven mainly by April at…
Socket reports that PolinRider, a supply-chain campaign linked to North Korean threat actors in the Contagious Interview / Famous Chollima cluster, has expanded beyond npm into Packagist, Go modules, and a Chrome extension. The research identifies 162 mal…
S2W TALON analyzes laundering infrastructure used in North Korea-linked cryptocurrency theft operations, citing Ronin Bridge, Horizon Bridge, Atomic Wallet, DMM Bitcoin, and Bybit as cases tied by public reporting to Lazarus, TraderTraitor, and related ac…
Kudelski Security tracked a DPRK-linked Contagious Interview operation in which actors posed as recruiters on LinkedIn, WhatsApp, Discord, and CodeMentor to pressure developers into running trojanized interview projects. A fake GitHub repository impersona…
JFrog identified a Lazarus-linked npm supply-chain campaign that hid malicious code in Rollup-themed lookalike packages and SVG utility second stages. The packages fetched a JSONKeeper payload, decrypted a remote stage from 216.126.236.244, and launched N…
Kimsuky-linked malware masqueraded as a Korea Institute for Military Affairs monthly military and security publication, using a document-like LNK file to start a staged infection chain. Hauri observed Dropbox and GitHub being abused to host and deliver VB…
Kimsuky used a Korean-language CHM lure about North Korean food-crisis and right-to-food material to launch hidden PowerShell, decode a VBScript bootstrap, and retrieve staged payloads from DynV6-hosted infrastructure. The retrieved VBScript profiled the …
AhnLab observed May 2026 South Korea-focused APT activity dominated by spear phishing, especially malicious LNK attachments and some CHM files. The attack chains used PowerShell, CMD, XML, JS, VBScript, BAT files, AutoIt, HTA, Python, and legitimate Windo…
AhnLab observed May 2026 domestic APT activity in South Korea dominated by spear-phishing delivery, especially malicious LNK files and some CHM-based attacks. The infection chains used PowerShell, curl, HTA, VBS, BAT, XML, JS, AutoIt, Python, DLL side-loa…
BBC Korea obtained computer recordings and internal messenger logs that show how North Korean IT workers are managed as part of an organized fake-employment operation rather than as isolated freelancers. The material and expert review describe layered rol…
OpenSourceMalware highlights Lazarus Group software supply chain techniques including malicious-version “sandwiching,” reuse of Aptos/Tron/BSC blockchain infrastructure for mutable C2, and embedded campaign-tracking strings in payloads. The episode cites …
IIJ-SECT observed a May 2026 Kimsuky-linked KimJongRAT campaign that redirected targets from emailed shortened links to malicious GitHub Releases ZIP files containing LNK payloads. The infection chain used mshta, obfuscated VBScript, Google Drive-hosted e…