< ciso brief />

All news with #north korea nexus tag

93 articles

US Nationals Jailed for Facilitating North Korean IT Scam

🔒 Two US nationals were sentenced after admitting they helped operate a scheme that placed North Korean remote IT workers into roles at more than 100 US organisations, including several Fortune 500 firms. Court filings say Kejia Wang (42) and Zhenxing Wang (39) used the stolen identities of at least 80 Americans, received laptops at their US addresses, provided remote access to DPRK-based operators and set up shell companies to launder payments to DPRK. They received prison terms of 108 and 92 months respectively after pleading guilty to conspiracy charges including wire fraud and money laundering; Zhenxing Wang also pleaded guilty to conspiracy to commit identity theft.

Sapphire Sleet macOS Intrusion via Social Engineering

⚠️ Microsoft Threat Intelligence describes a macOS campaign by the North Korea‑linked actor Sapphire Sleet that relies on social engineering instead of software exploits. The actor impersonated a legitimate update and lured victims to open a compiled AppleScript (.scpt) in Script Editor, then used cascading curl | osascript stages to deploy Mach‑O backdoors, harvest credentials, and exfiltrate cryptocurrency and personal data. Apple and Microsoft deployed protections and detections; defenders should block unsigned .scpt files and monitor curl/osascript chains.

U.S. Nationals Sent to Prison for Assisting DPRK IT Hires

🔒 Two U.S. nationals were sentenced to prison for facilitating a scheme that placed North Korean IT workers as faux U.S. employees at more than 100 American companies, including Fortune 500 firms. Between 2021 and October 2024 the pair generated over $5 million for DPRK-linked operations and caused roughly $3 million in corporate losses by using the stolen identities of more than 80 U.S. citizens. They set up shell companies, fake websites, bank accounts, and even hosted company-issued laptops in U.S. homes to mask the remote workers' true locations.

APT37 Uses Facebook Social Engineering to Spread RokRAT

🔒 North Korea–linked APT37 has been observed using Facebook friend requests and Messenger to build trust with targets before moving conversations to Telegram and distributing a ZIP archive containing a trojanized Wondershare PDFelement. The tampered installer executes encrypted shellcode that contacts a compromised legitimate site, japanroom[.]com, to fetch a seemingly benign JPG which stages the RokRAT payload. The malware then leverages Zoho WorkDrive for command-and-control, enabling screenshots, remote command execution via cmd.exe, host reconnaissance, and evasion of security products.

N. Korea-linked Campaign Pushes 1,700 Malicious Packages

🔒 Socket Security researchers say the North Korea-linked campaign known as Contagious Interview has published more than 1,700 malicious packages across npm, PyPI, Go, Rust and Packagist. The packages impersonate legitimate developer tooling and act as loaders that fetch platform-specific malware with infostealer and RAT capabilities. A Windows variant delivered through license-utils-kit behaves as a full implant, enabling command execution, keystroke logging, browser and wallet theft, file exfiltration and remote access via AnyDesk.

Drift $280M Crypto Heist Tied to Six-Month In-Person Plot

🔒 Drift Protocol says a coordinated, six-month operation led to a $280M+ theft after attackers built "a functioning operational presence" inside the platform and engaged contributors in person and via Telegram. The attackers reportedly hijacked Security Council administrative powers and drained assets in about 12 minutes. Drift suspects two contributors were compromised via a malicious code repository (possible VSCode/Cursor exploit) and a fake TestFlight wallet app. Blockchain firms attribute the campaign to UNC4736, linked to North Korea.

DPRK-Linked Hackers Use GitHub as C2 in LNK Attacks

🔒 Fortinet FortiGuard Labs reports DPRK-linked actors using GitHub as command-and-control infrastructure in multi-stage LNK-based phishing attacks targeting South Korea. Obfuscated Windows shortcut files drop a decoy PDF and a silent PowerShell script that performs anti-analysis checks, extracts a VBScript, and creates persistence via a scheduled task running every 30 minutes. The script profiles hosts, exfiltrates the data to a GitHub repo under an account such as 'motoralis' with a hard-coded token, and retrieves additional modules or commands from files in the repository to maintain control.

Weekly Recap: Axios Supply-Chain, Chrome Zero-Day, and More

⚡ This week’s incidents include a supply-chain compromise of the popular Axios npm package by actors attributed to North Korea (UNC1069) and an actively exploited Chrome zero-day (CVE-2026-5281) in the Dawn/WebGPU component. Other notable events include active exploitation of Fortinet FortiClient EMS, a TrueConf update-integrity bypass, and an accidental large code leak from Anthropic’s Claude development. Organizations should treat developer tooling, CI/CD, and dependencies as part of the attack surface and apply patches and integrity checks promptly.

DPRK-linked campaign uses LNK files and GitHub C2 channels

🛡️ Fortinet reports a DPRK-linked espionage campaign leveraging weaponized Windows shortcut (.LNK) files and GitHub repositories as command-and-control channels to target South Korean organizations. The attackers rely on multi-stage PowerShell scripts, progressively embedding decoding functions and encoded payloads inside LNK arguments to evade detection. This approach reflects a living-off-the-land strategy that abuses native Windows utilities and legitimate services.

Drift $285M Solana Heist Linked to DPRK UNC4736 Campaign

🔍 Drift says the April 1, 2026 Solana exploit that stole $285 million was a months-long, targeted social-engineering operation attributed with medium confidence to DPRK-linked UNC4736. Attackers cultivated in-person trust at crypto conferences and via Telegram, seeded funds, and shared repositories and tools that embedded malicious code. Investigators suspect a weaponized Visual Studio Code project and an Apple TestFlight wallet were used to compromise contributors, and Drift is working with law enforcement and forensic partners to remediate.

Axios npm compromise used fake Teams update to hijack

⚠️ The maintainers of Axios report a targeted social engineering attack that allowed threat actors to publish malicious npm releases (1.14.1 and 0.30.4) which added a dependency, plain-crypto-js, that deployed a remote access trojan across macOS, Windows, and Linux. The tainted packages were available for roughly three hours before removal; any systems that installed them should be treated as compromised and have credentials and keys rotated. Google links the operation to North Korea‑aligned UNC1069, while researchers say the same playbook targeted multiple high‑impact Node.js maintainers. Axios maintainers have wiped affected hosts, reset credentials, and are adding safeguards to reduce future supply chain risk.

UNC1069 Social Engineering Compromises Axios npm Package

🔒 The maintainer of Axios confirmed a supply chain compromise caused by a targeted social engineering campaign attributed to North Korean actors tracked as UNC1069. Attackers impersonated a legitimate company's founder, lured the maintainer into a branded Slack workspace and a fraudulent Teams call, then deployed a RAT to steal npm credentials. Two malicious releases (1.14.1 and 0.30.4) carried the WAVESHAPER.V2 implant.

Drift Loses $285M in Solana Attack via Durable Nonces

🔐 Drift confirmed that attackers drained about $285 million from its Solana-based decentralized exchange on April 1, 2026, using pre-signed transactions tied to durable nonce accounts. The company says no smart-contract vulnerability or compromised seed phrases were involved; attackers instead obtained multisig approvals through sophisticated social engineering and pre-signed authorizations. Threat intelligence firms TRM Labs and Elliptic report on-chain indicators linking the heist to DPRK-associated actors, noting use of Tornado Cash, cross-chain bridging and rapid laundering. Drift is coordinating with security vendors, bridges, exchanges and law enforcement to trace and attempt to freeze funds.

Drift Loses $280M as North Korean Hackers Seize Council

🔒 Drift Protocol lost at least $280 million after an attacker seized administrative control of its Security Council and drained protocol funds. Blockchain intelligence firms Elliptic and TRM Labs linked the operation to North Korean actors, citing on-chain tradecraft such as Tornado Cash use, CarbonVote timing, cross-chain bridging, and rapid laundering. Drift says no smart contract bugs or seed phrases were compromised; core functions are frozen while investigations continue.

DPRK-Linked LNK Campaigns Leveraging GitHub for C2

🔒 FortiGuard Labs identified a multi-stage campaign using malicious LNK shortcut files that target Microsoft Windows users in South Korea. The attacker embeds decoding routines inside LNK arguments to drop a decoy PDF while executing hidden PowerShell payloads. Those scripts perform anti-analysis checks, establish persistence via Scheduled Tasks and VBScript, and use GitHub API calls as a covert C2 and exfiltration channel. Fortinet signatures detect these components and block the activity.

Google Links UNC1069 to Trojanized Axios npm Package

🛡️ Google's Threat Intelligence Group has attributed a supply chain compromise of the popular Axios npm package to a suspected North Korean cluster tracked as UNC1069. Attackers seized a maintainer npm account and pushed trojanized releases (1.14.1 and 0.30.4) that added a malicious dependency, plain-crypto-js. That dependency used a postinstall hook to deploy an obfuscated dropper (SILKBELL) which fetched OS-specific payloads and ultimately installed the WAVESHAPER.V2 backdoor. Organizations should audit dependency trees, search node_modules for plain-crypto-js, isolate affected hosts, block the C2 domain sfrclak[.]com, and rotate credentials.

UK Sanctions Xinbi Marketplace Linked to Asian Scam Centers

🚫 The UK’s Foreign, Commonwealth and Development Office has sanctioned Xinbi, a Chinese-language marketplace accused of selling stolen personal data and satellite internet equipment to Southeast Asian scam networks and assisting North Korean actors with cryptocurrency laundering. Chainalysis links Xinbi to over $19.9 billion in transactions from 2021–2025. The measures also target #8 Park and operator Legend Innovation Co, aiming to sever Xinbi from legitimate crypto services and disrupt payments to scam centers.

North Korean Actors Use VS Code Auto-Run for StoatWaffle

🛡️ The North Korean-linked group Contagious Interview (aka WaterPlum) is abusing Visual Studio Code auto-run tasks to distribute a Node.js-based malware family called StoatWaffle. Malicious projects use tasks.json with runOn: folderOpen to automatically fetch and install Node.js, then execute a downloader that chains to next-stage modules. StoatWaffle includes a browser credential stealer and a RAT capable of file operations, command execution, and data exfiltration.

Behavioral XDR, Threat Intel Nab North Korean Fake Hire

🔎 Behavioral analytics and threat intelligence combined to identify a suspected North Korea-linked fake IT worker within 10 days of hire. LevelBlue SpiderLabs and Cybereason XDR flagged geolocation anomalies, unmanaged device access, and use of Astrill VPN, triggering a high-severity alert and timely account revocation. Organizations should enforce Entra ID Conditional Access, manage endpoints, and maintain software baselines to detect such insider threats.

OFAC Sanctions DPRK IT Worker Network Funding WMDs

🚨 The U.S. Department of the Treasury's Office of Foreign Assets Control has sanctioned six individuals and two entities tied to a DPRK-run IT worker scheme that secured remote jobs, stole data, and funneled salaries back to North Korea to finance weapons programs. The operation—tracked as Coral Sleet/Jasper Sleet (also called PurpleDelta/Wagemole)—used stolen identities, fabricated personas, VPN services, and AI-enabled tools to conceal origins, launder funds, and deploy malware or extort victims. OFAC named Amnokgang Technology Development Company and several facilitators, currency converters, and account enablers; security firms and Microsoft warn the campaign leverages Astrill VPN, AI faceswaps, agentic LLM misuse, and offshore operations to maintain persistent, low-cost access.