ESET observed multiple North Korea-aligned groups targeting developers, cryptocurrency interests, strategic industries, and ethnic Korean communities from October 2025 through March 2026. Andariel deployed TigerRAT and attempted Rook ransomware against a …
« Reports in 2026
416 reports
Wiz identified JINX-0164, a previously unreported financially motivated actor targeting cryptocurrency organizations and developers through LinkedIn recruitment/business lures, fake conferencing pages, and malicious macOS “fix” scripts. The actor deploys …
ENKI Whitehat identified Kimsuky malware delivery activity through April 2026 against South Korean military and enterprise-related targets. The campaigns used tailored lures, including fake domestic security software installation pages and a fake Webex me…
ENKI Whitehat reported Kimsuky malware delivery cases targeting South Korean military and corporate environments through April 2026. The actor used fake security software installation pages and a Webex-themed lure based on a legitimate meeting schedule, w…
AhnLab observed malicious LNK files distributed as secure email from a well-known Korean card company, with a flow similar to earlier Kimsuky password-file lure activity but with changed initial commands. The LNK launches PowerShell and `mshta` to run an …
Proofpoint observed DPRK-aligned TA406, also known as Opal Sleet, chaining CVE-2026-21509 and CVE-2026-21510 in March and April 2026 email campaigns. The campaigns used visa-processing and diplomatic-initiative lures with RTF attachments that triggered Mi…
Hauri identified a new KimjongRAT variant related to malware previously disguised as a tax notice. The variant preserves earlier information-stealing behavior but expands collection to Telegram and Discord data, indicating broader targeting of user commun…
NK Internet observed 175.45.176.97 in the DPRK IP range returning a 302 redirect to recoshield.com between May 14 and May 17, 2026, with headers showing Apache on Rocky Linux and PHP. Further probing exposed a captive portal-style framework that checked G…
AhnLab observed April 2026 APT activity against South Korean targets, with most infections beginning through spear-phishing emails that used spoofed senders, malicious attachments, and malicious links. The activity relied heavily on LNK files, PowerShell,…
A fake Pulsynk recruiting email targeted a smart-contract security developer with instructions to clone a GitLab repository and open it in VS Code or Cursor. The repository abused a `.vscode/tasks.json` folder-open task to install a malicious VS Code exte…
Fox-IT analyzed a Lazarus subgroup toolset used against financial and cryptocurrency organizations, overlapping with activity linked to AppleJeus, Citrine Sleet, UNC4736, and Gleaming Pisces. The intrusion chain uses DPAPILoader to decrypt victim-bound pa…
Chainalysis tracks how OFAC has increasingly added cryptocurrency identifiers to sanctions designations, with several DPRK-linked cases showing how wallets, exchanges, bridges, DeFi services, and mixers support sanctions evasion. The DPRK-relevant section…
Red Asgard frames Lazarus-attributed fake coding interviews as an execution path into developer workstations rather than a traditional external exploit. The lure asks a developer to clone and run an interview repository on a machine that may already hold …
Red Asgard identifies five trojanized browser extensions tied to a Lazarus/Contagious Interview extension layer, masquerading as Bitwarden, Phantom, TronLink, Trust Wallet, and a Brave/MetaMask-themed wallet. The extensions resolve their command-and-contr…
SANS ISC analyzes an obfuscated Node.js stealer uploaded as `extracted-decoded.js`, with a heavily obfuscated execution wrapper but plain-text embedded payload modules. The malware targets Windows through WSL, macOS, and Linux, stealing Chromium-family br…