The Justice Department said Kejia Wang and Zhenxing Wang were sentenced for helping North Korean remote IT workers pose as U.S. residents and obtain jobs at more than 100 U.S. companies. The scheme used stolen identities of at least 80 U.S. persons, shell…
« Reports in 2026
416 reports
The thread explains why the author assessed the “Taro Aikuchi” applicant as a suspected DPRK fraudulent IT worker rather than a legitimate Japanese candidate. Evidence included fresh and inconsistent online identities, two-word-plus-number Gmail and Teleg…
Zerion says a team member’s device was compromised in an AI-enabled social engineering attack linked to a DPRK threat actor. The attacker gained access to logged-in sessions, credentials, and private keys for internal company hot wallets, leading to about…
Kimsuky is reported to have evolved its malicious LNK delivery by disguising shortcut files as HWP documents and adding XML, VBS, PowerShell, BAT, ZIP, and Python stages before final malware execution. Recent samples create a hidden C:\windirr directory, …
Cisco Talos reports that North Korean cyber operations in 2025 relied heavily on social engineering and insider access for both financial theft and espionage. The North Korea section highlights Contagious Interview activity by Famous Chollima, where fake …
Validin links UNC1069, overlapping with Bluenoroff, to fake meeting operations against cryptocurrency and Web3 professionals for financially motivated theft. Operators use fraudulent venture-capital personas, LinkedIn and Telegram outreach, Calendly-style…
Drift Protocol lost about $285 million after an attacker used pre-signed Solana durable-nonce transactions to take over a 2-of-5 Squads V4 multisig with no timelock. The attacker gained admin control, created fake CVT spot markets with manipulated oracles…
Bitso describes renewed Famous Chollima activity against crypto and financial organizations, including a suspicious job applicant encounter and a macOS malware kit the researchers call Mach-O Man. The infection chain starts with hijacked Telegram accounts…
Open Source Malware reports that the DPRK-linked PolinRider supply-chain campaign expanded from 675 to 1,951 confirmed compromised GitHub repositories across 1,047 owners in five weeks. The campaign injects obfuscated JavaScript into developer configurati…
APT37 used Facebook accounts presenting locations in Pyongyang and Pyongsong to identify targets, build trust through friend requests and Messenger conversations, and move victims toward Telegram delivery. The lure claimed encrypted military-weapons PDF d…
APT37 used Facebook accounts presenting locations in Pyongyang and Pyongsong to identify targets, build trust through friend requests and Messenger conversations, and move victims toward Telegram delivery. The lure claimed encrypted military-weapons PDF d…
Four public GitHub repositories contained the same obfuscated stage-0 JavaScript loader appended after otherwise legitimate framework or build-tool configuration exports. The loader family is aligned with publicly reported XCTDH and DEV#POPPER activity, w…
Breakglass analyzed a live Kimsuky C2 tied to a CHM-based intrusion chain after a MalwareBazaar submission exposed check.nid-log[.]com serving multiple payload stages. The chain uses hh.exe, PowerShell, certutil, and wscript to decode and execute VBScript…
OpenSourceMalware attributes PolinRider to a DPRK-linked actor connected to Lazarus activity, Contagious Interview, and TasksJacker, with confirmed infections across 1,951 public GitHub repositories and 1,047 owners as of April 11, 2026. The campaign appe…
North Korea-linked UNC1069 expanded Contagious Interview supply-chain activity across npm, PyPI, Go, Rust, and PHP, with Socket tracking more than 1,700 malicious packages tied to the operation. The same broader activity included a separate Axios maintain…