All news with #lazarus group tag

Five Plead Guilty to Enabling DPRK Remote IT and Hacks

🔒 Five individuals have pleaded guilty to serving as facilitators for North Korean cyber operations, the US Department of Justice said. They used false or stolen identities and hosted employer laptops in US residences to create the appearance of domestic remote IT workers, aiding APT38-linked efforts. The DoJ said the activity impacted more than 136 US organizations, generated over $2.2m for Pyongyang and compromised the identities of 18 US residents, and authorities seized $15m in Tether tied to related heists.

BlueNoroff Returns with GhostCall and GhostHire Campaigns

🚨 BlueNoroff, a North Korea–linked subgroup of the Lazarus Group, has reemerged with two focused campaigns—GhostCall and GhostHire—targeting executives, Web3 developers and blockchain professionals. Operators use social engineering on Telegram and LinkedIn to stage fake investor meetings and recruiter coding tests, then deliver multi-stage, cross-platform malware. Samples were found written in Go, Rust, Nim and AppleScript and deploy implants such as DownTroy, CosmicDoor and Rootroy to harvest crypto keys, credentials and project assets.

Lazarus Targets European Drone Makers in Espionage

📡 ESET researchers have uncovered a new Lazarus Group espionage campaign targeting European defense contractors, with a focus on companies involved in unmanned aerial vehicle (UAV) development since March 2025. The attackers used spear-phishing with fake job offers and trojanized open-source tools such as WinMerge and Notepad++ to deliver loaders and the custom RAT ScoringMathTea. The intrusion chain relied on DLL side-loading, reflective loading, and process injection to maintain persistence and exfiltrate design and supply-chain data. ESET has published IoCs and MITRE ATT&CK mappings to help defenders respond.

North Korean Hackers Target European Defense Firms

🛡️ European defense and aerospace firms are being targeted in a renewed Operation Dream Job campaign attributed to North Korean-linked Lazarus actors, ESET reports. Active since March 2025, attackers use social-engineering job lures and trojanized documents to deploy ScoringMathTea and MISTPEN-like downloaders such as BinMergeLoader that abuse Microsoft Graph API. The goal is theft of proprietary UAV manufacturing know‑how and related intellectual property.

Lazarus Group's Operation DreamJob Hits EU Drone Firms

🛡️ ESET attributes a March 2025 wave of cyber-espionage against three European defense firms to the North Korea-aligned Lazarus Group, describing it as a renewed phase of Operation DreamJob. Targets tied to UAV development were lured with convincing fake job offers that delivered trojanized PDF readers and chained loaders. The primary payload, ScoringMathTea, is a remote access Trojan that provides attackers full control, and researchers found malicious components disguised as legitimate open-source tools.

Lazarus Operation DreamJob Targets European Defense

🔍 North Korean-linked Lazarus actors ran an Operation DreamJob campaign in late March that targeted three European defense companies involved in UAV technology. Using fake recruitment lures, victims were tricked into installing trojanized open-source applications and plugins which loaded malicious payloads via DLL sideloading. Final-stage malware included the ScoringMathTea RAT, while an alternate chain used the BinMergeLoader (MISTPEN) to abuse Microsoft Graph API tokens. ESET published extensive IoCs to aid detection.

North Korea-Linked Actors Target Cyber Threat Intel

🔍 Cybersecurity firm SentinelLabs and internet intelligence company Validin uncovered a coordinated effort by a North Korea-aligned cluster, tracked as Contagious Interview, to exploit CTI platforms between March and June 2025. The actors repeatedly created accounts on Validin’s portal, reused Gmail addresses tied to prior operations and registered new domains after takedowns. Investigators observed team-based coordination, probable Slack use, and operational slip-ups that exposed logs and directory structures. The probe also identified ContagiousDrop malware delivery applications that harvested details from more than 230 mostly cryptocurrency-sector victims, underscoring the campaign’s revenue-driven motive and the need for vigilance from job seekers and infrastructure providers.

Lazarus Group Expands Cross-Platform RATs Against DeFi

🔍 Researchers link a social engineering campaign to the North Korea–linked Lazarus Group that distributed three cross-platform RATs — PondRAT, ThemeForestRAT, and RemotePE — against a decentralized finance (DeFi) organization. Fox-IT observed the actors impersonating an employee on Telegram and using fake Calendly/Picktime pages to arrange meetings and gain a foothold via a loader named PerfhLoader. The intrusion delivered multiple tools (screenshotter, keylogger, credential stealers, Mimikatz, proxy programs) and saw an operational progression from the primitive PondRAT to the in-memory ThemeForestRAT, culminating in the more advanced RemotePE for high-value access.