CISO Brief

All news with #lazarus group tag

28 articles · page 2 of 2

BlueNoroff (Lazarus) GhostCall and GhostHire Campaigns

🛡️ A Kaspersky GReAT analysis describes two BlueNoroff campaigns—GhostCall and GhostHire—linked to the Lazarus threat actor and focused on the cryptocurrency sector. GhostCall targets executives, often on macOS, using investor-themed social engineering and fake meeting portals that prompt malicious updates and downloads. GhostHire lures blockchain developers with job offers and Telegram bots that point to GitHub test tasks or archived files with tight deadlines; performing the tasks leads to infection. The campaigns share a common management infrastructure and multiple infection chains; technical details and indicators of compromise are published on Securelist.

Lazarus Targets European Drone Makers in Espionage

📡 ESET researchers have uncovered a new Lazarus Group espionage campaign targeting European defense contractors, with a focus on companies involved in unmanned aerial vehicle (UAV) development since March 2025. The attackers used spear-phishing with fake job offers and trojanized open-source tools such as WinMerge and Notepad++ to deliver loaders and the custom RAT ScoringMathTea. The intrusion chain relied on DLL side-loading, reflective loading, and process injection to maintain persistence and exfiltrate design and supply-chain data. ESET has published IoCs and MITRE ATT&CK mappings to help defenders respond.

North Korean Hackers Target European Defense Firms

🛡️ European defense and aerospace firms are being targeted in a renewed Operation Dream Job campaign attributed to North Korean-linked Lazarus actors, ESET reports. Active since March 2025, attackers use social-engineering job lures and trojanized documents to deploy ScoringMathTea and MISTPEN-like downloaders such as BinMergeLoader that abuse Microsoft Graph API. The goal is theft of proprietary UAV manufacturing know‑how and related intellectual property.

Lazarus Group's Operation DreamJob Hits EU Drone Firms

🛡️ ESET attributes a March 2025 wave of cyber-espionage against three European defense firms to the North Korea-aligned Lazarus Group, describing it as a renewed phase of Operation DreamJob. Targets tied to UAV development were lured with convincing fake job offers that delivered trojanized PDF readers and chained loaders. The primary payload, ScoringMathTea, is a remote access Trojan that gives the attackers full control of the host, and researchers found malicious components disguised as legitimate open-source tools.

Lazarus Operation DreamJob Targets European Defense

🔍 North Korean-linked Lazarus actors ran an Operation DreamJob campaign in late March 2025 that targeted three European defense companies involved in UAV technology. Victims lured with fake recruitment offers were tricked into installing trojanized open-source applications and plugins, which loaded malicious payloads via DLL sideloading. Final-stage malware included the ScoringMathTea RAT, while an alternate chain used BinMergeLoader (a MISTPEN variant) that abuses Microsoft Graph API tokens for command and control. ESET published extensive IoCs to aid detection.

Lazarus Targets UAV Sector with Operation DreamJob

🛩️ ESET researchers observed a renewed Operation DreamJob campaign that targeted European defense and UAV-related companies and has been linked to the North Korea-aligned Lazarus group. Attackers used social-engineering lures and trojanized open-source projects on GitHub to deliver loaders and the ScoringMathTea RAT. Techniques included DLL side-loading, reflective in-memory loading and encrypted C2 channels. The apparent objective was theft of proprietary UAV designs and manufacturing know-how.

Lazarus Group Expands Cross-Platform RATs Against DeFi

🔍 Researchers link a social engineering campaign to the North Korea–linked Lazarus Group that distributed three cross-platform RATs — PondRAT, ThemeForestRAT, and RemotePE — against a decentralized finance (DeFi) organization. Fox-IT observed the actors impersonating an employee on Telegram and using fake Calendly/Picktime pages to arrange meetings and gain a foothold via a loader named PerfhLoader. The intrusion delivered multiple tools (screenshotter, keylogger, credential stealers, Mimikatz, proxy programs) and saw an operational progression from the primitive PondRAT to the in-memory ThemeForestRAT, culminating in the more advanced RemotePE for high-value access.

ScarCruft Deploys RokRAT in 'HanKook Phantom' Campaign

🚨 Seqrite Labs has uncovered a spear-phishing campaign named Operation HanKook Phantom attributed to North Korea–linked ScarCruft (APT37). The attacks use ZIP attachments containing malicious Windows LNK shortcuts that masquerade as PDFs and drop a RokRAT backdoor while displaying decoy documents. RokRAT can collect system information, execute commands, enumerate files, capture screenshots, and download further payloads, exfiltrating data via cloud services such as Dropbox, Google Cloud, pCloud, and Yandex Cloud. A second observed variant leverages fileless PowerShell and obfuscated batch scripts to deploy additional droppers and conceal network traffic as browser file uploads.
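The LNK-masquerading-as-PDF lure described above lends itself to a simple mail-gateway or triage check. The following is an added example, not code from Seqrite's report or from this page: it opens a ZIP attachment, identifies entries by the Shell Link header (HeaderSize 0x4C followed by the LNK CLSID, per MS-SHLLINK) rather than by file extension, and flags shortcuts whose names claim to be documents, lack a .lnk suffix, or carry an embedded command line (the HasArguments flag). The sample archive and its minimal LNK entries are constructed inline so the script runs offline.

```python
import io
import struct
import zipfile
from pathlib import PurePosixPath

# Shell Link header per MS-SHLLINK: HeaderSize (0x4C, little-endian) followed by
# LinkCLSID 00021401-0000-0000-C000-000000000046 in its on-disk byte order.
LNK_HEADER_SIZE = 0x4C
LNK_MAGIC = struct.pack("<I", LNK_HEADER_SIZE) + bytes.fromhex(
    "0114020000000000c000000000000046"
)
# LinkFlags bit HasArguments (0x20): the shortcut carries a command line.
HAS_ARGUMENTS = 0x00000020

# Extensions a lure would use to look like a harmless document (assumed list).
DOC_EXTENSIONS = {".pdf", ".doc", ".docx", ".hwp", ".xls", ".xlsx", ".txt"}


def is_shell_link(data: bytes) -> bool:
    """Identify an LNK by its header, not by its file name."""
    return data[:20] == LNK_MAGIC


def link_flags(data: bytes) -> int:
    """LinkFlags is the DWORD at offset 20; a truncated header counts as 0."""
    return struct.unpack_from("<I", data, 20)[0] if len(data) >= 24 else 0


def scan_zip_for_lnk_decoys(zip_bytes: bytes) -> list:
    """Return one finding per LNK inside the archive, marking the decoys."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info.filename)
            if not is_shell_link(data):
                continue
            suffixes = [s.lower() for s in PurePosixPath(info.filename).suffixes]
            reasons = ["shell-link header"]
            # Explorer hides a trailing .lnk even when other extensions are shown,
            # so "Invitation.pdf.lnk" is displayed to the victim as "Invitation.pdf".
            if any(s in DOC_EXTENSIONS for s in suffixes):
                reasons.append("name claims to be a document")
            if suffixes[-1:] != [".lnk"]:
                reasons.append("LNK content without .lnk extension")
            if link_flags(data) & HAS_ARGUMENTS:
                reasons.append("HasArguments set (embedded command line)")
            findings.append({
                "name": info.filename,
                "suspicious": len(reasons) > 1,
                "reasons": reasons,
            })
    return findings


def build_fake_lnk(flags: int) -> bytes:
    """Constructed minimal LNK: valid 76-byte header, zero-filled body."""
    header = LNK_MAGIC + struct.pack("<I", flags)
    return header.ljust(LNK_HEADER_SIZE, b"\x00")


def build_sample_zip() -> bytes:
    """Constructed attachment: one decoy LNK, one PDF stub, one plain shortcut."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invitation.pdf.lnk", build_fake_lnk(HAS_ARGUMENTS))
        zf.writestr("Schedule.pdf", b"%PDF-1.7\n% constructed placeholder\n")
        zf.writestr("shortcut.lnk", build_fake_lnk(0))
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_zip_for_lnk_decoys(build_sample_zip()):
        verdict = "SUSPICIOUS" if finding["suspicious"] else "ok"
        print(f"{verdict:10} {finding['name']}: {', '.join(finding['reasons'])}")
```

Matching on the 20-byte header rather than the extension is the point: a renamed or extension-less shortcut is still a shortcut. The HasArguments check is a cheap second signal, since a shortcut that merely opens a document rarely needs a command line, whereas the lures described here invoke an interpreter with arguments.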