
All news with #north korea nexus tag

93 articles · page 2 of 5

North Korean Fake IT Worker Tradecraft Revealed 2026

🔍 GitLab research outlines a North Korean campaign that impersonated recruiters in the 'Contagious Interview' scheme and resulted in the banning of 131 attributed accounts. Many GitLab projects served as obfuscated loaders for malware such as BeaverTail and Ottercookie, with payloads hosted outside repositories. Operators used consumer VPNs, VPSs and laptop farms and shifted to invite-only projects, NPM dependency abuse, sandbox detection and AI-generated personas to scale fake IT worker and freelance scams.

UNC4899 Cloud Campaign Exploits AirDrop to Steal Crypto

🔒 Google links the North Korean actor UNC4899 to a 2025 cloud compromise that leveraged personal-to-corporate file transfers (AirDrop) and malicious code embedded in a shared archive. Attackers pivoted from a compromised developer device into Google Cloud, abused CI/CD and Kubernetes workflows, and manipulated Cloud SQL to extract funds. The campaign employed living-off-the-cloud techniques and persisted by injecting commands into deployment configurations. Recommended mitigations include phishing-resistant MFA, strict secrets management, and restricting P2P file sharing on corporate endpoints.

North Korean StegaBin: 26 Malicious npm Packages Exposed

🔍 Researchers disclosed a new StegaBin iteration of the Contagious Interview campaign in which North Korean actors uploaded 26 malicious packages to the npm registry. The packages masqueraded as developer tools and used text steganography in Pastebin essays to encode Vercel-based C2 addresses, ultimately delivering a credential stealer and a cross-platform RAT. Install-time scripts fetch multi-stage components that enable persistence, credential harvesting, and exfiltration.

APT37 Deploys Ruby Jumper to Bridge Air-Gapped Networks

🛡️ Zscaler researchers uncovered a toolkit named Ruby Jumper used by North Korea–linked APT37 to bridge internet-connected and air-gapped systems via removable drives. The campaign begins with a malicious LNK that launches a PowerShell script, a decoy document, and the RESTLEAF implant, which fetches encrypted shellcode via Zoho WorkDrive and loads the Ruby-based loader SNAKEDROPPER. The threat persists by installing a Ruby runtime masked as usbspeed.exe and weaponizes USB media to relay commands and exfiltrate data.

ScarCruft Campaign Uses Zoho WorkDrive and USB Implants

🔒 In December 2025, Zscaler ThreatLabz exposed the Ruby Jumper campaign linking North Korea's ScarCruft to a novel multi-stage intrusion that abuses cloud storage and removable media. The attack begins with a malicious LNK that launches PowerShell to extract an embedded decoy document and multiple payloads, including the in-memory loader RESTLEAF. RESTLEAF uniquely leverages Zoho WorkDrive for C2 to fetch shellcode and stage follow-on components, while SNAKEDROPPER, THUMBSBD, and VIRUSTASK enable persistence, surveillance, and propagation to air-gapped systems via USB.

North Korean Phishing Targets Programming Job Seekers

⚠️ Researchers report a new phishing campaign in which North Korean hackers pose as company recruiters and lure developer job candidates with seemingly legitimate coding challenges. When victims run the supplied code, it installs malware on their machines, creating a direct avenue for compromise. ReversingLabs analyzed the samples and BleepingComputer provided additional reporting. Candidates and employers should be cautious about running unvetted code and verify recruiter identities.

Ukrainian Sentenced for Aiding North Korean IT Impostors

🔒 A Ukrainian man was sentenced to five years in prison after admitting he helped North Korean IT workers infiltrate US companies using stolen identities. He pleaded guilty in November 2025 to aggravated identity theft and conspiracy to commit fraud and agreed to forfeit over $1.4 million in cash and cryptocurrency. Authorities say he sold hundreds of stolen identities and provided proxy accounts and laptop farms to disguise foreign workers as US-based.

Lazarus Group Uses Medusa Ransomware in Middle East Attack

🔒 Broadcom's Symantec and Carbon Black Threat Hunter Team reports the North Korea-linked Lazarus Group used Medusa ransomware in an attack against an unnamed Middle East entity and mounted an unsuccessful attempt against a U.S. healthcare organization. Medusa is a RaaS launched by Spearwing in 2023 and has been tied to hundreds of incidents. Analysts say this reflects a tactical shift toward off-the-shelf ransomware and affiliate operations, with the campaign leveraging tools such as RP_Proxy, Mimikatz, Comebacker, InfoHook, BLINDINGCAN, and ChromeStealer.

Lazarus-linked Medusa Ransomware Hits U.S. Healthcare

🔒 Symantec says a North Korean Lazarus subgroup is using Medusa ransomware to extort U.S. healthcare organizations, marking the first public linkage between Lazarus and Medusa. The attacks combine commodity utilities with custom tools — Comebacker, Blindingcan, ChromeStealer, Infohook, Mimikatz and RP_Proxy — and have hit multiple healthcare and non-profit victims. Symantec published IoCs and warns demands can reach $15 million.

Ukrainian Sentenced for Aiding North Korea IT Fraud

🛡️ A 29-year-old Ukrainian national was sentenced to five years in U.S. prison after pleading guilty to charges tied to a scheme that sold stolen U.S. identities to overseas IT workers, enabling them to secure jobs at roughly 40 American companies and funnel wages back to North Korea. Prosecutors say he operated Upworksell.com, managed hundreds of proxy identities and U.S.-based laptop farms, and was ordered to pay $46,547.28, serve 12 months of supervised release, and forfeit more than $1.4 million.

Ukrainian Sentenced to 5 Years for Aiding North Korean IT

⚖️ Oleksandr Didenko, a 39-year-old Ukrainian, was sentenced to 60 months in prison and 12 months of supervised release after pleading guilty to aggravated identity theft and wire fraud conspiracy for selling stolen U.S. identities to foreign IT workers. Using the seized platform UpWorkSell, he provided at least 871 proxy identities and accounts that helped applicants secure positions with roughly 40 U.S. companies and supported multiple "laptop farms" that masked device locations. Authorities also seized more than $1.4 million in cash and cryptocurrency tied to the scheme.

Fake recruiter campaign hides RAT in dev coding tests

⚠️ A new variant of a fake recruiter campaign attributed to North Korean actors is targeting JavaScript and Python developers with cryptocurrency-themed coding tasks. Attackers publish seemingly legitimate job projects and embed malicious dependencies on npm and PyPI that install a remote access trojan reported as Graphalgo. The operation is modular and resilient, with 192 malicious packages identified and tactics such as delayed activation and token-protected command channels. Affected developers are advised to rotate tokens and passwords and to reinstall compromised systems.

Google: State-Backed Hackers Use Gemini for Recon Support

⚠️ Google’s Threat Intelligence Group (GTIG) says the North Korea-linked actor UNC2970 and other state-aligned groups abused Gemini for target profiling, reconnaissance, and campaign planning. GTIG found use cases ranging from synthesizing OSINT and crafting tailored phishing personas to automating vulnerability analysis and debugging exploit code. Researchers identified malware such as HONESTCUE, which queries Gemini’s API to generate C# stage-two loaders compiled in memory, and an AI-built phishing kit called COINBAIT. Google also reported and mitigated large-scale model extraction activity aimed at replicating Gemini’s behavior.

Lazarus Group plants malicious packages in npm and PyPI

🔴 ReversingLabs attributes a coordinated supply-chain campaign, codenamed graphalgo, to the North Korea–linked Lazarus Group, active since May 2025. Attackers set up a fake recruiting front (Veltrix Capital), staged GitHub coding assessments in Python and JavaScript, and published dozens of malicious dependencies to npm and PyPI to infect candidates. One npm package, bigmathutils, accrued over 10,000 downloads before a malicious update; the payload delivers a token-based RAT that performs reconnaissance and file operations. Researchers also disclosed separate npm threats — duer-js (Bada Stealer) and the extortionist XPACK ATTACK — and urge auditing dependencies and verifying package provenance.

Google: Hackers Abusing Gemini AI Across All Attack Stages

🛡️ Google Threat Intelligence Group warns state-backed actors are abusing Gemini across the full attack lifecycle, from reconnaissance and phishing-lure generation to C2 development and data exfiltration. Groups linked to China, Iran, North Korea, and Russia used the model for target profiling, code generation, translation, vulnerability testing, and troubleshooting. Google says it has disabled abusive accounts and implemented targeted classifier defenses to make misuse harder.

North Korean Hackers Use Deepfake Meetings to Target Crypto

🛡️ Mandiant attributes a targeted campaign to North Korean financially motivated group UNC1069, which combines social engineering, deepfake video and macOS malware to steal cryptocurrency and credentials. The attackers hijacked a cryptocurrency executive’s Telegram account to build trust, then sent a calendar invite to a faux Zoom meeting hosted on attacker infrastructure. During the call a purported deepfake of the executive appeared and a ClickFix ruse persuaded victims to run commands, enabling deployment of backdoors and information-stealers.

North Korean actors use ClickFix and macOS backdoors

🔐 UNC1069-linked actors used a ClickFix-style social engineering chain to compromise a macOS user at a cryptocurrency/DeFi company. Attackers hijacked a Telegram account, staged a fake Zoom meeting (reportedly using AI-generated video), and instructed the victim to paste curl | zsh commands into Terminal. The resulting infection deployed a multi-stage macOS toolkit—WAVESHAPER, HYPERCALL, HIDDENCALL, DEEPBREATH, and CHROMEPUSH—enabling remote access and data theft. Mandiant provided IOCs and YARA rules to aid detection.

North Korea-Linked UNC1069 Uses AI Lures on Crypto

🛡️ UNC1069, a North Korea-linked threat actor, has used AI-generated video lures and compromised Telegram accounts to target cryptocurrency firms and personnel. According to Google Mandiant, attackers staged fake Zoom meetings via Calendly invites and delivered a ClickFix-style troubleshooting vector that dropped multiple payloads on Windows and macOS. The intrusion employed at least seven malware families — including WAVESHAPER, HYPERCALL, HIDDENCALL, DEEPBREATH, CHROMEPUSH and SILENCELIFT — to harvest credentials, browser data and session tokens to facilitate financial theft.

North Korean Hackers Use macOS Malware to Target Crypto

🔒 North Korean-linked UNC1069 ran tailored campaigns using AI-generated deepfake video and a ClickFix-style pretext to deliver macOS and Windows malware against cryptocurrency targets. During a Mandiant response to a fintech compromise, attackers used a compromised Telegram account and a spoofed Calendly/Zoom meeting to coerce the victim into executing troubleshooting commands that launched AppleScript and malicious Mach-O binaries. Mandiant identified seven distinct macOS families—WAVESHAPER, HYPERCALL, HIDDENCALL, SILENCELIFT, DEEPBREATH, SUGARLOADER, and CHROMEPUSH—deployed to steal credentials, browser and Telegram data, and to enable future social-engineering operations.

DPRK Operatives Use Real LinkedIn Identities to Apply

🔍 DPRK-linked IT operatives are escalating a long-running fraud by applying to remote positions using genuine LinkedIn profiles they impersonate, often including verified workplace emails and identity badges. Security Alliance and other researchers warn this helps attackers bypass basic vetting and gain administrative access to sensitive codebases. Parallel social engineering