Trend Micro reports that Void Dokkaebi, also known as Famous Chollima, has migrated InvisibleFerret from readable Python scripts into Cython-compiled `.pyd` modules on Windows and `.so` modules on macOS. The campaign remains focused on software developers…
« Reports in 2026
416 reports
OpenSourceMalware discussed three malicious npm packages tied to the actor behind the March Axios compromise, saying they had quietly harvested developer credentials since early April. The DPRK-linked activity was framed as supporting parallel Contagious …
AhnLab's April 2026 financial-sector review links WGear RCE exploitation to DPRK-relevant activity, noting that Andariel has repeatedly abused the vulnerability. In observed cases, the WGear process launched mshta to retrieve external HTML, download and e…
The episode covers an eleven-hour forensic window into a live adversary server tied to a Lazarus-attributed fake interview campaign. Researchers preserved a contested Windows machine while two password changes were occurring, exposing the operator workben…
EndPoint, formerly known as Midnight, is a Babuk-derived ransomware family that targets Windows, ESXi, and NAS environments and uses double extortion through encryption and data-leak threats. The malware supports argument-controlled encryption scope, dele…
OX Security identified a malicious npm package, terminal-logger-utils, with keylogger, infostealer, and RAT behavior and linked the activity to previously documented North Korean supply-chain campaigns. The package is triggered through a postinstall hook …
Krypt3ia assesses that North Korean cyber operations have shifted from separate espionage, financial theft, and disruptive tracks into an interconnected access-generation ecosystem. The report links fraudulent remote IT-worker schemes, developer-targeting…
Bitso described another suspected North Korean Chollima job applicant who attempted to interview for an engineering role under the claimed identity of Camilo Andrés Pantoja from Colombia. During the call, a Canary Token link exposed that the applicant con…
OpenSourceMalware found three malicious npm packages linked to the March 2026 Axios compromise through the shared XOR key OrDeR_7077, while using separate C2 infrastructure at 18.208.244.120:9999. The packages redeem-onchain-sdk, nicegui, and period-newli…
Attackers are sharpening established methods rather than abandoning them, using offensive tooling, infostealers, ransomware affiliates, social engineering, and trusted-platform abuse with greater speed and resilience. Bridewell highlights adversary infras…
A DPRK-linked TraderTraitor/UNC4899 actor stole 116,500 rsETH, worth about $292 million, from the KelpDAO rsETH bridge on April 18, 2026. The intrusion began with social engineering against a LayerZero Labs developer on March 6, enabling session-key theft…
DPRK-linked Contagious Interview activity is targeting cryptocurrency developers and blockchain companies through fake job interviews, poisoned GitHub repositories, and malicious npm packages. The report describes a multi-stage infection chain that abuses…
Red Asgard identifies OtterCookie as a separate JavaScript and Node.js RAT operating alongside BeaverTail and InvisibleFerret in Lazarus-linked Contagious Interview activity. Unlike BeaverTail’s stored-data theft model, OtterCookie uses Socket.IO over Eng…
Logpresso analyzed four Kimsuky spear-phishing campaigns from early 2026 that used tailored lures against recruiters, business contacts, healthcare and insurance entities, cryptocurrency users and developers, defense-related personnel, and graduate-progra…
The episode examines the operator side of a Lazarus-attributed fake interview credential pipeline. The collection system reportedly captured material from operator workstations as well as targets, exposing social-engineering workflow, persona infrastructu…