North Korean IT-worker operators used stolen identities from Bosnia and Serbia to create freelance profiles on platforms such as Guru and GoLance, seeking work with Western companies while hiding their true origin. The activity is tied in an MSMT sanction…
« Reports in 2026
416 reports
APT37 used Microsoft-themed spear phishing to deliver a ZIP archive containing a malicious LNK file that launched a PowerShell and batch-based infection chain. The chain installed an official embedded Python runtime, executed compiled Python bytecode disg…
APT37-linked operators used Microsoft account security-themed spear phishing against Korean users to deliver NarwhalRAT through a ZIP-contained malicious LNK, obfuscated BAT scripts, copied curl execution, and a Python embedded runtime. The malware chain …
Quantstamp attributed the June 8 $H token compromise to tooling and methods characteristic of DPRK hackers. The attacker used stolen director keys to upgrade an Ethereum contract, move about 141.18 million $H, seize a BSC ProxyAdmin contract, and mint new…
DEVIL MARLBORO, also called MARLBORO Group, advertised an alleged 419 GB intelligence package tied to North Korea, Kimsuky, and Lazarus Group, claiming it contains offensive tool source code, vulnerabilities, backdoor and rootkit components, digital certi…
A malicious PR against Egonex-AI/Understand-Anything hid an obfuscated loader inside `homepage/astro.config.mjs`, causing `astro build`, `astro dev`, or `astro preview` to execute the payload on developer and CI systems. The loader restored `require` in a…
The episode describes infrastructure positioned to proxy Google services as part of the identity layer around a DPRK-linked developer compromise campaign. The source is careful about scope: it does not claim Google, a certificate authority, or the deliver…
A phishing email impersonating Bithumb led Humanity Protocol director Chong Yee Wai to download a malicious attachment from an attacker-controlled host, after which a Hancom-signed loader and remote-access tooling gave the attacker control of his Windows …
Google Docs lures tied to FAMOUS CHOLLIMA show how the DPRK-nexus actor advertises fake jobs, targets developers with malicious interview tasks, and recruits proxy interview facilitators. The research pivots on Google Docs titles, resource hashes, outgoin…
Humanity’s H token was attacked from 2026-06-08 to 2026-06-09 through coordinated compromises on Ethereum and BSC. An admin hot wallet private key theft moved 6,045,060 H, while three stolen Ethereum Safe owner keys let the attacker seize the Bridge Proxy…
Kimsuky-linked spear phishing targeted a South Korean company's information-security staff by impersonating a customer asking about a suspected personal-data leak. The attacker built trust through multiple emails, then delivered malicious LNK files disgui…
CrowdStrike observed DPRK-linked FAMOUS CHOLLIMA, LABYRINTH CHOLLIMA, and STARDUST CHOLLIMA targeting the technology sector during the April 2025-March 2026 reporting period. FAMOUS CHOLLIMA accounted for 47% of state-sponsored hands-on-keyboard operation…
OpenSourceMalware reports that Lazarus Group remained a high-confidence DPRK supply-chain threat in early 2026, with cryptocurrency theft-focused activity across npm, PyPI, Go, Cargo, and Packagist ecosystems. The Contagious Interview campaign continued t…
North Korean fraudulent IT workers are using stolen identities, AI-generated or altered personas, and domestic laptop farms to obtain remote IT and engineering roles, then access corporate systems from abroad through KVM or remote management tooling. Once…
Proofpoint observed UNK_DeadDrop, a very likely North Korea-aligned developer phishing cluster, sending more than 250 emails to targets at nearly 100 organizations in April and May 2026, especially across cryptocurrency, finance, technology, education, an…