< ciso
brief />
Tag Banner

All news with #north korea nexus tag

114 articles

North Korean campaign publishes malicious packages

🛡️ Researchers observed North Korea–linked actors behind the Contagious Interview campaign publish 108 unique malicious packages and extensions across npm, Packagist, Go, and Chrome under an operation dubbed PolinRider. The releases include obfuscated JavaScript loaders that append code to common project config files and leverage VS Code task auto-run behavior to execute payloads. Attackers appear to acquire or retain registry and maintainer access via repository compromises, domain takeovers, or malicious dependencies. The campaign has been active since at least 2023 and continues to deliver RATs and stealers through multi-stage blockchain-backed payload delivery.
read more →

macOS 'Gaslight' malware targets AI analysis tools

🛡️ Researchers uncovered a macOS malware family named macOS.Gaslight that embeds fabricated error messages and debugging data inside a Rust binary to mislead AI-assisted analysis tools. The 3.5 KB payload contains 38 fake system messages — including memory dumps, token-expiration warnings, and build errors — designed to appear as legitimate developer logs. SentinelOne attributes the sample with high confidence to a North Korean-linked actor and notes the strings aim to prompt-inject LLM pipelines, causing them to abort or distrust their session. The malware retains standard backdoor and data-stealing capabilities alongside the deceptive messaging tactic.
read more →

Gaslight macOS implant uses AI prompt injection

🛡️ A new Rust-based macOS implant named Gaslight embeds a prompt-injection payload aimed at misleading AI-assisted analysis tools into aborting or refusing to analyze the sample. SentinelOne attributes the tool with high confidence to North Korea–aligned actors and notes its Telegram-based C2 implements an interactive shell with commands like shell, upload, and kill. The implant uses a LaunchAgent for persistence and includes a Base64-encoded Python stealer that harvests browser data, Terminal histories, Keychain contents, and system profiles before compressing and exfiltrating via Telegram.
read more →

macOS Gaslight backdoor uses prompt injection tactics

🛡️ SentinelLabs uncovered a North Korea-linked macOS backdoor, tracked as macOS.Gaslight, that embeds 38 fabricated system messages to manipulate AI-assisted malware triage. The Rust implant carries an infostealer and interactive backdoor that exfiltrates browser data, terminal histories and the macOS login keychain, using Telegram Bot API with certificate pinning for command and control. Researchers noted novel tradecraft including runtime staging of a standalone Python interpreter and self-scrubbing of the Telegram bot token from logs. SentinelLabs warned analysts to treat sample contents as adversarial input and to isolate hostile content from LLM-based tools.
read more →

North Korean Supply Chain Attack Hits Mastra Packages

🔐 Microsoft attributed a large-scale npm supply chain attack on the open-source Mastra TypeScript project to North Korea’s Sapphire Sleet group. The threat actor abused a compromised npm maintainer account to publish poisoned packages that disabled TLS verification and contacted attacker C2 servers to deploy cross-platform malware. The payload sought cryptocurrency wallet extensions and performed system reconnaissance, posing a significant risk to developers and downstream users. Microsoft advised auditing dependencies, checking for the malicious easy-day-js package and pinning known-good package versions.
read more →

ScarCruft uses fake Microsoft alerts to deploy NarwhalRAT

🛡️ Genians Security Center observed North Korea–linked ScarCruft (APT37) sending spear-phishing emails impersonating Microsoft Account security alerts to trick victims into opening ZIP attachments. The archive contains a malicious LNK that triggers a multi-stage chain: batch scripts download a legitimate Python executable, a CAT file, and install NarwhalRAT. Persistence is achieved via scheduled tasks that launch an in-memory payload, enabling keystroke logging, screenshots, audio capture, file exfiltration, and remote command execution.
read more →

ESET APT Activity Report Q4 2025–Q1 2026

📄 ESET summarizes notable APT activity observed between October 2025 and March 2026, highlighting China-, Iran-, North Korea-, and Russia-aligned operations alongside unattributed clusters. The report illustrates geopolitical drivers behind campaigns, describes new tooling and supply-chain compromises such as a trojanized axios package, and notes destructive incidents impacting critical infrastructure. ESET confirms protections by its products and notes the report reflects a subset of its Threat Intelligence.
read more →

AI-Enabled Sanctions Evasion Raises Governance Risks

🛡️ New RUSI research warns that adversaries, notably North Korea and Iran, are moving from AI-assisted to AI-enabled sanctions evasion and proliferation financing. The report highlights AI’s ability to mass-produce fraudulent documents, automate shell-company administration, and analyze blockchain flows to evade detection. Experts urge enterprises to adopt behavior-based analytics, defensive AI, stronger identity verification and updated training to counter these evolving threats.
read more →

Developer Workstations: The New High‑Value Beachhead

🔐 Three separate April reports describe unrelated threat actors independently targeting developer machines as the preferred initial-access vector. The incidents include a North Korean campaign that trojanized packages across five ecosystems, a Zig-compiled native binary that infects IDEs, and a cascading compromise chaining developer tools into credential theft. Together they illustrate how developer workstations function as credential stores, pipeline controllers and trust anchors, and why traditional endpoint controls are insufficient. Organizations must improve visibility, isolate build environments, enforce stricter controls on IDE extensions and package installs, and assign clear ownership for this distinct attack surface.
read more →

Americans Sentenced for Running Laptop Farms for DPRK

🔒 Two U.S. nationals, Matthew Isaac Knoot and Erick Ntekereze Prince, were each sentenced to 18 months in prison for operating laptop farms that enabled North Korean IT workers to fraudulently obtain remote employment at nearly 70 U.S. companies. Authorities say the defendants used stolen identities and remote desktop software to mask foreign workers as U.S.-based employees, resulting in substantial payroll fraud and remediation costs. Courts imposed prison terms, forfeitures, and restitution as part of a broader federal effort to disrupt North Korea's illicit revenue operations.
read more →

Supply-Chain Attacks Target AI Coding Agents in Registries

⚠️ ReversingLabs researchers describe an ongoing supply‑chain campaign called PromptMink that manipulates AI coding agents into installing malicious dependencies. Attackers publish bait packages with persuasive READMEs and LLM‑optimized documentation on registries like NPM and PyPI to increase discovery by autonomous agents and developers. The operation, attributed to North Korea’s Famous Chollima, paired legitimate‑looking SDKs with second‑layer packages carrying infostealers, later evolving to compiled Rust add‑ons, SEAs, SSH backdoors, and project exfiltration.
read more →

North Korean APT Trojanizes Yanbian Gaming Platform

🔎 A North Korea-aligned espionage group has trojanized Windows and Android clients on a regional Yanbian gaming site, according to ESET. The campaign, attributed to ScarCruft (APT37), delivered an Android port of the BirdCall backdoor (internally named zhuagou) and a trojanized mono.dll on Windows to deploy RokRAT and BirdCall. The malware harvests contacts, SMS, files, screenshots and audio, and routes command-and-control through cloud storage accounts.
read more →

ScarCruft Supply-Chain Delivers BirdCall to Android, Windows

⚠️ ESET reports that the North Korea‑aligned threat group ScarCruft compromised the sqgame[.]net gaming platform in a targeted supply‑chain operation to deploy the BirdCall backdoor to Android and Windows users. The compromise, active since late 2024, trojanized Android APKs for two games and delivered a malicious Windows update DLL that used RokRAT as a loader. BirdCall — an evolution of RokRAT — harvests contacts, SMS, call logs, media, screenshots, keystrokes and ambient audio, and leverages legitimate cloud services for command‑and‑control.
read more →

ScarCruft Delivers BirdCall Android Spyware via Game Site

📱 ESET researchers report that North Korean-linked APT37 (ScarCruft) developed an Android variant of the BirdCall backdoor and distributed it through trojanized APKs on the sqgame.net game platform. The Android implant, first seen around October 2024 and produced in at least seven variants, collects contacts, call logs, SMS, device identifiers, location and system metrics, takes periodic screenshots, records audio during evening hours, and exfiltrates targeted files to a C2. The campaign focused on users in the Yanbian region and underscores ScarCruft’s continued use of supply-chain tactics; users are advised to download apps only from official marketplaces and trusted publishers.
read more →

ScarCruft Supply-Chain Compromise Targets Yanbian Gamers

🕵️ ESET researchers uncovered a supply‑chain attack by North Korea‑aligned APT ScarCruft that trojanized a Yanbian‑focused gaming platform. The operation used a malicious Windows update to deploy RokRAT and ultimately the sophisticated BirdCall backdoor, while repackaged Android APKs contained a newly identified Android port of BirdCall. The backdoor harvests files, contacts, screenshots and ambient audio for targeted espionage.
read more →

DPRK Supply-Chain Campaign Uses AI-Inserted npm Malware

🛡️ Researchers identified an AI-assisted supply-chain campaign that injected malicious code into npm packages — notably @validate-sdk/v2 — after a dependency was introduced by Anthropic's Claude Opus LLM. ReversingLabs named the operation PromptMink and attributed it to DPRK-aligned actor Famous Chollima (aka Shifty Corsair). The tainted packages siphon crypto credentials and secrets through layered transitive dependencies and have evolved into multi-platform RATs and information stealers.
read more →

AI-Assisted Malicious npm Dependency Steals Crypto

🔍 Researchers at ReversingLabs uncovered a malicious npm dependency, @validate-sdk/v2, that exfiltrated secrets and enabled attackers to access cryptocurrency wallets after being added to an autonomous trading agent in February 2026. The commit is reported to have been co-authored by Claude Opus, and attribution points to the North Korean state-sponsored group Famous Chollima. The campaign, tracked as PromptMink, used a two-layer package strategy—public-facing Web3 utilities to attract users while secondary dependencies delivered evolving malware that scanned environment files, collected system information, compressed project data, and installed SSH keys for persistence across Linux and Windows environments.
read more →

ThreatsDay: $290M KelpDAO Heist and Supply Chain Surge

🔔 LayerZero-linked infrastructure poisoning likely enabled a North Korean-linked group (TraderTraitor/TraderTraiter) to steal $290M from KelpDAO by compromising RPC nodes and exploiting a quorum while a DDoS distracted a third node, prompting an Arbitrum Security Council freeze. At the same time, active RCE attacks, malicious npm packages delivering credential stealers and SSH backdoors, and indirect AI prompt injection payloads are accelerating breaches. The bulletin also flags covert browser access by desktop AI apps, a surge in commodified malware, SIM-farm services, and persistent exploitation of long-known weaknesses; the practical remedies remain patch early, verify dependencies, and restrict implicit trust.
read more →

Detecting Cloud Identity Infiltration via Fake Hires

🔍 Microsoft observed North Korea-aligned actors posing as legitimate hires—using stolen or fabricated identities and generative AI—to gain trusted access to corporate SaaS. They target external career sites and Workday Recruiting APIs (hrrecruiting/*) to submit convincing applications, complete onboarding, then use legitimate accounts to access Teams, SharePoint, OneDrive, and Exchange Online. Defenders should correlate multi-source telemetry, enable Microsoft Defender for Cloud Apps connectors, and monitor behavioral anomalies in candidates and new hires.
read more →

North Korea-Linked Lazarus Suspected in $290M KelpDAO Heist

🔒 State-backed North Korean actors are the primary suspects in a roughly $293m theft from KelpDAO, which paused operations after detecting suspicious cross-chain activity involving rsETH. Attackers exploited LayerZero verifier infrastructure by poisoning downstream RPCs, swapping op-geth binaries and executing an RPC‑spoofing attack to forge a cross-chain message. They routed stolen funds through Tornado Cash, while Arbitrum's Security Council has frozen about 30,766 ETH (~$71m). LayerZero contends KelpDAO ran a single-DVN configuration against best practices; KelpDAO blames LayerZero's infrastructure.
read more →