
All news with #north korea nexus tag

108 articles · page 2 of 6

Drift $280M Crypto Heist Tied to Six-Month In-Person Plot

🔒 Drift Protocol says a coordinated, six-month operation led to a $280M+ theft after attackers built "a functioning operational presence" inside the platform and engaged contributors in person and via Telegram. The attackers reportedly hijacked Security Council administrative powers and drained assets in about 12 minutes. Drift suspects two contributors were compromised via a malicious code repository (possible VSCode/Cursor exploit) and a fake TestFlight wallet app. Blockchain firms attribute the campaign to UNC4736, linked to North Korea.

DPRK-Linked Hackers Use GitHub as C2 in LNK Attacks

🔒 Fortinet FortiGuard Labs reports DPRK-linked actors using GitHub as command-and-control infrastructure in multi-stage LNK-based phishing attacks targeting South Korea. Obfuscated Windows shortcut files drop a decoy PDF and a silent PowerShell script that performs anti-analysis checks, extracts a VBScript, and creates persistence via a scheduled task running every 30 minutes. The script profiles hosts, exfiltrates the data to a GitHub repo under an account such as 'motoralis' with a hard-coded token, and retrieves additional modules or commands from files in the repository to maintain control.

Weekly Recap: Axios Supply-Chain, Chrome Zero-Day, and More

⚡ This week’s incidents include a supply-chain compromise of the popular Axios npm package by actors attributed to North Korea (UNC1069) and an actively exploited Chrome zero-day (CVE-2026-5281) in the Dawn/WebGPU component. Other notable events include active exploitation of Fortinet FortiClient EMS, a TrueConf update-integrity bypass, and an accidental large code leak from Anthropic’s Claude development. Organizations should treat developer tooling, CI/CD, and dependencies as part of the attack surface and apply patches and integrity checks promptly.

DPRK-linked campaign uses LNK files and GitHub C2 channels

🛡️ Fortinet reports a DPRK-linked espionage campaign leveraging weaponized Windows shortcut (.LNK) files and GitHub repositories as command-and-control channels to target South Korean organizations. The attackers rely on multi-stage PowerShell scripts, progressively embedding decoding functions and encoded payloads inside LNK arguments to evade detection. This approach reflects a living-off-the-land strategy that abuses native Windows utilities and legitimate services.

Drift $285M Solana Heist Linked to DPRK UNC4736 Campaign

🔍 Drift says the April 1, 2026 Solana exploit that stole $285 million was a months-long, targeted social-engineering operation attributed with medium confidence to DPRK-linked UNC4736. Attackers cultivated in-person trust at crypto conferences and via Telegram, seeded funds, and shared repositories and tools that embedded malicious code. Investigators suspect a weaponized Visual Studio Code project and an Apple TestFlight wallet were used to compromise contributors, and Drift is working with law enforcement and forensic partners to remediate.

Axios npm compromise used fake Teams update to hijack

⚠️ The maintainers of Axios report a targeted social engineering attack that allowed threat actors to publish malicious npm releases (1.14.1 and 0.30.4) which added a dependency, plain-crypto-js, that deployed a remote access trojan across macOS, Windows, and Linux. The tainted packages were available for roughly three hours before removal; any systems that installed them should be treated as compromised and have credentials and keys rotated. Google links the operation to North Korea-aligned UNC1069, while researchers say the same playbook targeted multiple high-impact Node.js maintainers. Axios maintainers have wiped affected hosts, reset credentials, and are adding safeguards to reduce future supply chain risk.

UNC1069 Social Engineering Compromises Axios npm Package

🔒 The maintainer of Axios confirmed a supply chain compromise caused by a targeted social engineering campaign attributed to North Korean actors tracked as UNC1069. Attackers impersonated a legitimate company's founder, lured the maintainer into a branded Slack workspace and a fraudulent Teams call, then deployed a RAT to steal npm credentials. Two malicious releases (1.14.1 and 0.30.4) carried the WAVESHAPER.V2 implant.

Drift Loses $285M in Solana Attack via Durable Nonces

🔐 Drift confirmed that attackers drained about $285 million from its Solana-based decentralized exchange on April 1, 2026, using pre-signed transactions tied to durable nonce accounts. The company says no smart-contract vulnerability or compromised seed phrases were involved; attackers instead obtained multisig approvals through sophisticated social engineering and pre-signed authorizations. Threat intelligence firms TRM Labs and Elliptic report on-chain indicators linking the heist to DPRK-associated actors, noting use of Tornado Cash, cross-chain bridging and rapid laundering. Drift is coordinating with security vendors, bridges, exchanges and law enforcement to trace and attempt to freeze funds.

Drift Loses $280M as North Korean Hackers Seize Council

🔒 Drift Protocol lost at least $280 million after an attacker seized administrative control of its Security Council and drained protocol funds. Blockchain intelligence firms Elliptic and TRM Labs linked the operation to North Korean actors, citing on-chain tradecraft such as Tornado Cash use, CarbonVote timing, cross-chain bridging, and rapid laundering. Drift says no smart contract bugs or seed phrases were compromised; core functions are frozen while investigations continue.

DPRK-Linked LNK Campaigns Leveraging GitHub for C2

🔒 FortiGuard Labs identified a multi-stage campaign using malicious LNK shortcut files that target Microsoft Windows users in South Korea. The attacker embeds decoding routines inside LNK arguments to drop a decoy PDF while executing hidden PowerShell payloads. Those scripts perform anti-analysis checks, establish persistence via Scheduled Tasks and VBScript, and use GitHub API calls as a covert C2 and exfiltration channel. Fortinet signatures detect these components and block the activity.

Google Links UNC1069 to Trojanized Axios npm Package

🛡️ Google's Threat Intelligence Group has attributed a supply chain compromise of the popular Axios npm package to a suspected North Korean cluster tracked as UNC1069. Attackers seized a maintainer npm account and pushed trojanized releases (1.14.1 and 0.30.4) that added a malicious dependency, plain-crypto-js. That dependency used a postinstall hook to deploy an obfuscated dropper (SILKBELL) which fetched OS-specific payloads and ultimately installed the WAVESHAPER.V2 backdoor. Organizations should audit dependency trees, search node_modules for plain-crypto-js, isolate affected hosts, block the C2 domain sfrclak[.]com, and rotate credentials.

UK Sanctions Xinbi Marketplace Linked to Asian Scam Centers

🚫 The UK’s Foreign, Commonwealth and Development Office has sanctioned Xinbi, a Chinese-language marketplace accused of selling stolen personal data and satellite internet equipment to Southeast Asian scam networks and assisting North Korean actors with cryptocurrency laundering. Chainalysis links Xinbi to over $19.9 billion in transactions from 2021–2025. The measures also target #8 Park and operator Legend Innovation Co, aiming to sever Xinbi from legitimate crypto services and disrupt payments to scam centers.

North Korean Actors Use VS Code Auto-Run for StoatWaffle

🛡️ The North Korean-linked group Contagious Interview (aka WaterPlum) is abusing Visual Studio Code auto-run tasks to distribute a Node.js-based malware family called StoatWaffle. Malicious projects use tasks.json with runOn: folderOpen to automatically fetch and install Node.js, then execute a downloader that chains to next-stage modules. StoatWaffle includes a browser credential stealer and a RAT capable of file operations, command execution, and data exfiltration.

Behavioral XDR, Threat Intel Nab North Korean Fake Hire

🔎 Behavioral analytics and threat intelligence combined to identify a suspected North Korea-linked fake IT worker within 10 days of hire. LevelBlue SpiderLabs and Cybereason XDR flagged geolocation anomalies, unmanaged device access, and use of Astrill VPN, triggering a high-severity alert and timely account revocation. Organizations should enforce Entra ID Conditional Access, manage endpoints, and maintain software baselines to detect such insider threats.

OFAC Sanctions DPRK IT Worker Network Funding WMDs

🚨 The U.S. Department of the Treasury's Office of Foreign Assets Control has sanctioned six individuals and two entities tied to a DPRK-run IT worker scheme that secured remote jobs, stole data, and funneled salaries back to North Korea to finance weapons programs. The operation—tracked as Coral Sleet/Jasper Sleet (also called PurpleDelta/Wagemole)—used stolen identities, fabricated personas, VPN services, and AI-enabled tools to conceal origins, launder funds, and deploy malware or extort victims. OFAC named Amnokgang Technology Development Company and several facilitators, currency converters, and account enablers; security firms and Microsoft warn the campaign leverages Astrill VPN, AI faceswaps, agentic LLM misuse, and offshore operations to maintain persistent, low-cost access.

North Korean Fake IT Worker Tradecraft Revealed 2026

🔍 GitLab research outlines a North Korean campaign that impersonated recruiters in the 'Contagious Interview' scheme and resulted in the banning of 131 attributed accounts. Many GitLab projects served as obfuscated loaders for malware such as BeaverTail and Ottercookie, with payloads hosted outside repositories. Operators used consumer VPNs, VPSs and laptop farms and shifted to invite-only projects, NPM dependency abuse, sandbox detection and AI-generated personas to scale fake IT worker and freelance scams.

UNC4899 Cloud Campaign Exploits AirDrop to Steal Crypto

🔒 Google links the North Korean actor UNC4899 to a 2025 cloud compromise that leveraged personal-to-corporate file transfers (AirDrop) and malicious code embedded in a shared archive. Attackers pivoted from a compromised developer device into Google Cloud, abused CI/CD and Kubernetes workflows, and manipulated Cloud SQL to extract funds. The campaign employed living-off-the-cloud techniques and persisted by injecting commands into deployment configurations. Recommended mitigations include phishing-resistant MFA, strict secrets management, and restricting P2P file sharing on corporate endpoints.

North Korean StegaBin: 26 Malicious npm Packages Exposed

🔍 Researchers disclosed a new StegaBin iteration of the Contagious Interview campaign in which North Korean actors uploaded 26 malicious packages to the npm registry. The packages masqueraded as developer tools and used text steganography in Pastebin essays to encode Vercel-based C2 addresses, ultimately delivering a credential stealer and a cross-platform RAT. Install-time scripts fetch multi-stage components that enable persistence, credential harvesting, and exfiltration.

APT37 Deploys Ruby Jumper to Bridge Air-Gapped Networks

🛡️ Zscaler researchers uncovered a toolkit named Ruby Jumper used by North Korea–linked APT37 to bridge internet-connected and air-gapped systems via removable drives. The campaign begins with a malicious LNK that launches a PowerShell script, a decoy document, and the RESTLEAF implant, which fetches encrypted shellcode via Zoho WorkDrive and loads the Ruby-based loader SNAKEDROPPER. The threat persists by installing a Ruby runtime masked as usbspeed.exe and weaponizes USB media to relay commands and exfiltrate data.

ScarCruft Campaign Uses Zoho WorkDrive and USB Implants

🔒 In December 2025, Zscaler ThreatLabz exposed the Ruby Jumper campaign linking North Korea's ScarCruft to a novel multi-stage intrusion that abuses cloud storage and removable media. The attack begins with a malicious LNK that launches PowerShell to extract an embedded decoy document and multiple payloads, including the in-memory loader RESTLEAF. RESTLEAF uniquely leverages Zoho WorkDrive for C2 to fetch shellcode and stage follow-on components, while SNAKEDROPPER, THUMBSBD, and VIRUSTASK enable persistence, surveillance, and propagation to air-gapped systems via USB.