Kimsuky has expanded its PebbleDash and AppleSeed-related operations with newly documented tooling, including the Rust-based HelloDoor backdoor, httpMalice, MemLoad/httpTroy, AppleSeed, HappyDoor, VSCode Remote Tunneling, and DWAgent. The campaigns use sp…
« Reports in 2026
416 reports
Krypt3ia assesses that enterprise AI systems are becoming high-value operational infrastructure because they ingest sensitive data, connect to internal workflows, and increasingly act with delegated authority. The North Korea-focused section argues that D…
CrowdStrike reports that DPRK-nexus actors drove a 51% year-over-year increase in digital asset theft in 2025, stealing a reported $2.02 billion across the financial sector. PRESSURE CHOLLIMA allegedly conducted the largest reported financial theft, takin…
Hybrid Analysis identified a VELVET CHOLLIMA-assessed infostealer operation distributing a signed Windows MSI that masquerades as the Tralert FX cryptocurrency trading application. The installer exposed live credentials and GitLab access tokens, revealing…
OpenSourceMalware shows how malicious packages and repositories abuse legitimate developer automation so payloads can run during `npm install` or when a repository is opened in VS Code. The DPRK-relevant section notes Lazarus-linked Contagious Interview a…
Kimsuky, also tracked as APT-C-55 and BabyShark, is described as an espionage-focused actor that targets government, diplomatic, think tank, media, and academic organizations tied to the Korean Peninsula and other regions. The observed campaign begins wit…
APT45 used AI at scale to recursively analyze CVEs and validate proof-of-concept exploits, showing DPRK-linked interest in AI-augmented vulnerability research and exploit development. GTIG also observed PRC and DPRK-associated clusters using persona-drive…
Arkham describes Lazarus Group as a North Korean state-sponsored hacking unit under the Reconnaissance General Bureau with a long record of major cyber operations, including Operation Troy, Sony Pictures, WannaCry, bank thefts, and cryptocurrency exchange…
A recruiter attributed to North Korea offered $300 per month for a US citizen, or $150 for an EU citizen, to create an Upwork account for his use. The pitch included follow-on compensation of 15% of monthly income after four months, with payment offered i…
An attacker attributed by LayerZero to the DPRK drained about $292 million in rsETH from KelpDAO's LayerZero-powered OFT bridge on April 18, 2026. The excerpt says the attacker compromised Unichain RPC infrastructure used by LayerZero Labs' Gasolina DVN s…
A suspected DPRK IT worker allegedly gained employment at THORSwap and submitted eight pull requests to the official swapkit/SwapKit repository between July and September 2024, with at least three merged. The merged PRs changed wallet integration code for…
Genians links this campaign to suspected APT37 activity, describing spearphishing emails that deliver ZIP archives containing malicious LNK files. The lures include airline e-tickets, North Korea research event invitations, and impersonation of defense or…
Genians links this campaign to suspected APT37 activity using spear-phishing emails that deliver ZIP archives containing malicious LNK files. The lures included airline e-ticket confirmations, North Korea research event invitations, and impersonation of d…
LayerZero said the Lazarus Group attacked internal RPCs used by the LayerZero Labs DVN and poisoned their source of truth while an external RPC provider was simultaneously DDoS’d. The protocol itself was described as unaffected, but the incident impacted …
Lazarus Group's Contagious Interview / TaskJacker activity has shifted part of its persistence chain into Git hooks while still using VS Code `task.json` loaders. The episode says observed variants use concatenated Git commands to create `pre-commit` and …