All news with #north korea nexus tag

108 articles · page 3 of 6

North Korean Phishing Targets Programming Job Seekers

⚠️ Researchers report a new phishing campaign in which North Korean hackers pose as company recruiters and lure developer job candidates with seemingly legitimate coding challenges. When victims run the supplied code, it installs malware on their machines, creating a direct avenue for compromise. ReversingLabs analyzed the samples and BleepingComputer provided additional reporting. Candidates and employers should be cautious about running unvetted code and verify recruiter identities.

Ukrainian Sentenced for Aiding North Korean IT Impostors

🔒 A Ukrainian man was sentenced to five years in prison after admitting he helped North Korean IT workers infiltrate US companies using stolen identities. He pleaded guilty in November 2025 to aggravated identity theft and conspiracy to commit fraud and agreed to forfeit over $1.4 million in cash and cryptocurrency. Authorities say he sold hundreds of stolen identities and provided proxy accounts and laptop farms to disguise foreign workers as US-based.

Lazarus Group Uses Medusa Ransomware in Middle East Attack

🔒 Broadcom's Symantec and Carbon Black Threat Hunter Team reports the North Korea-linked Lazarus Group used Medusa ransomware in an attack against an unnamed Middle East entity and mounted an unsuccessful attempt against a U.S. healthcare organization. Medusa is a RaaS launched by Spearwing in 2023 and has been tied to hundreds of incidents. Analysts say this reflects a tactical shift toward off-the-shelf ransomware and affiliate operations, with the campaign leveraging tools such as RP_Proxy, Mimikatz, Comebacker, InfoHook, BLINDINGCAN, and ChromeStealer.

Lazarus-linked Medusa Ransomware Hits U.S. Healthcare

🔒 Symantec says a North Korean Lazarus subgroup is using Medusa ransomware to extort U.S. healthcare organizations, marking the first public linkage between Lazarus and Medusa. The attacks combine commodity utilities with custom tools — Comebacker, Blindingcan, ChromeStealer, Infohook, Mimikatz and RP_Proxy — and have hit multiple healthcare and non-profit victims. Symantec published IoCs and warns demands can reach $15 million.

Ukrainian Sentenced for Aiding North Korea IT Fraud

🛡️ A 29-year-old Ukrainian national was sentenced to five years in U.S. prison after pleading guilty to charges tied to a scheme that sold stolen U.S. identities to overseas IT workers, enabling them to secure jobs at roughly 40 American companies and funnel wages back to North Korea. Prosecutors say he operated Upworksell.com, managed hundreds of proxy identities and U.S.-based laptop farms, and was ordered to pay $46,547.28, serve 12 months of supervised release, and forfeit more than $1.4 million.

Ukrainian Sentenced to 5 Years for Aiding North Korean IT

⚖️ Oleksandr Didenko, a 39-year-old Ukrainian, was sentenced to 60 months in prison and 12 months of supervised release after pleading guilty to aggravated identity theft and wire fraud conspiracy for selling stolen U.S. identities to foreign IT workers. Using the seized platform UpWorkSell, he provided at least 871 proxy identities and accounts that helped applicants secure positions with roughly 40 U.S. companies and supported multiple "laptop farms" that masked device locations. Authorities also seized more than $1.4 million in cash and cryptocurrency tied to the scheme.

Fake recruiter campaign hides RAT in dev coding tests

⚠️ A new variant of a fake recruiter campaign attributed to North Korean actors is targeting JavaScript and Python developers with cryptocurrency-themed coding tasks. Attackers publish seemingly legitimate job projects and embed malicious dependencies on npm and PyPI that install a remote access trojan reported as Graphalgo. The operation is modular and resilient, with 192 malicious packages identified and tactics such as delayed activation and token-protected command channels. Affected developers are advised to rotate tokens and passwords and to reinstall compromised systems.

Google: State-Backed Hackers Use Gemini for Recon Support

⚠️ Google’s Threat Intelligence Group (GTIG) says the North Korea-linked actor UNC2970 and other state-aligned groups abused Gemini for target profiling, reconnaissance, and campaign planning. GTIG found use cases ranging from synthesizing OSINT and crafting tailored phishing personas to automating vulnerability analysis and debugging exploit code. Researchers identified malware such as HONESTCUE, which queries Gemini’s API to generate C# stage-two loaders compiled in memory, and an AI-built phishing kit called COINBAIT. Google also reported and mitigated large-scale model extraction activity aimed at replicating Gemini’s behavior.

Lazarus Group plants malicious packages in npm and PyPI

🔴 ReversingLabs attributes a coordinated supply-chain campaign, codenamed graphalgo, to the North Korea–linked Lazarus Group, active since May 2025. Attackers set up a fake recruiting front (Veltrix Capital), staged GitHub coding assessments in Python and JavaScript, and published dozens of malicious dependencies to npm and PyPI to infect candidates. One npm package, bigmathutils, accrued over 10,000 downloads before a malicious update; the payload delivers a token-based RAT that performs reconnaissance and file operations. Researchers also disclosed separate npm threats — duer-js (Bada Stealer) and the extortionist XPACK ATTACK — and urge auditing dependencies and verifying package provenance.

Google: Hackers Abusing Gemini AI Across All Attack Stages

🛡️ Google Threat Intelligence Group warns state-backed actors are abusing Gemini across the full attack lifecycle, from reconnaissance and phishing-lure generation to C2 development and data exfiltration. Groups linked to China, Iran, North Korea, and Russia used the model for target profiling, code generation, translation, vulnerability testing, and troubleshooting. Google says it has disabled abusive accounts and implemented targeted classifier defenses to make misuse harder.

North Korean Hackers Use Deepfake Meetings to Target Crypto

🛡️ Mandiant attributes a targeted campaign to North Korean financially motivated group UNC1069, which combines social engineering, deepfake video and macOS malware to steal cryptocurrency and credentials. The attackers hijacked a cryptocurrency executive’s Telegram account to build trust, then sent a calendar invite to a faux Zoom meeting hosted on attacker infrastructure. During the call a purported deepfake of the executive appeared and a ClickFix ruse persuaded victims to run commands, enabling deployment of backdoors and information-stealers.

North Korean actors use ClickFix and macOS backdoors

🔐 UNC1069-linked actors used a ClickFix-style social engineering chain to compromise a macOS user at a cryptocurrency/DeFi company. Attackers hijacked a Telegram account, staged a fake Zoom meeting (reportedly using AI-generated video), and instructed the victim to paste curl | zsh commands into Terminal. The resulting infection deployed a multi-stage macOS toolkit—WAVESHAPER, HYPERCALL, HIDDENCALL, DEEPBREATH, and CHROMEPUSH—enabling remote access and data theft. Mandiant provided IOCs and YARA rules to aid detection.

North Korea-Linked UNC1069 Uses AI Lures on Crypto

🛡️ UNC1069, a North Korea-linked threat actor, has used AI-generated video lures and compromised Telegram accounts to target cryptocurrency firms and personnel. According to Google Mandiant, attackers staged fake Zoom meetings via Calendly invites and delivered a ClickFix-style troubleshooting vector that dropped multiple payloads on Windows and macOS. The intrusion employed at least seven malware families — including WAVESHAPER, HYPERCALL, HIDDENCALL, DEEPBREATH, CHROMEPUSH and SILENCELIFT — to harvest credentials, browser data and session tokens to facilitate financial theft.

North Korean Hackers Use macOS Malware to Target Crypto

🔒 North Korean-linked UNC1069 ran tailored campaigns using AI-generated deepfake video and a ClickFix-style pretext to deliver macOS and Windows malware against cryptocurrency targets. During a Mandiant response to a fintech compromise, attackers used a compromised Telegram account and a spoofed Calendly/Zoom meeting to coerce the victim into executing troubleshooting commands that launched AppleScript and malicious Mach-O binaries. Mandiant identified seven distinct macOS families—WAVESHAPER, HYPERCALL, HIDDENCALL, SILENCELIFT, DEEPBREATH, SUGARLOADER, and CHROMEPUSH—deployed to steal credentials, browser and Telegram data, and to enable future social-engineering operations.

DPRK Operatives Use Real LinkedIn Identities to Apply

🔍 DPRK-linked IT operatives are escalating a long-running fraud by applying to remote positions using genuine LinkedIn profiles they impersonate, often including verified workplace emails and identity badges. Security Alliance and other researchers warn this helps attackers bypass basic vetting and gain administrative access to sensitive codebases. Parallel social engineering

Labyrinth Chollima Splits into Three North Korean Groups

🛡️ CrowdStrike reports that the long-running North Korean-linked operator Labyrinth Chollima has fragmented into three distinct teams: Labyrinth Chollima, Golden Chollima and Pressure Chollima. All three trace their roots to the legacy KorDLL framework but now employ separate evolved frameworks (Hoplight, Jeus, MataNet/TwoPence) and divergent toolsets. CrowdStrike assesses with high confidence that Labyrinth remains focused on espionage while Golden and Pressure have largely shifted to cryptocurrency-targeted activity, though shared code and infrastructure indicate ongoing centralized coordination.

Labyrinth Chollima Splits into Three Specialized Adversaries

🔍 CrowdStrike details that LABYRINTH CHOLLIMA has diverged into three distinct DPRK-linked adversaries — GOLDEN CHOLLIMA, PRESSURE CHOLLIMA, and a narrowed espionage-focused LABYRINTH CHOLLIMA. Each subgroup maintains dedicated malware families and targeting priorities: GOLDEN and PRESSURE focus on cryptocurrency and fintech thefts while core LABYRINTH targets industrial, defense, and logistics sectors. Despite operational separation, shared tools and infrastructure point to centralized coordination within the DPRK cyber ecosystem.

KONNI's AI-Enhanced Malware Targets Software Developers

🐞 Check Point Research is tracking an active phishing campaign by KONNI, a North Korea–linked actor that has shifted from geopolitical targets to software developers and engineering teams. The campaign specifically targets blockchain and cryptocurrency projects and uses lures crafted to resemble legitimate project documentation. Attackers deliver malicious attachments and payloads intended to compromise developer credentials and infrastructure, and the activity displays expanded geographic reach and sophisticated social-engineering techniques.

North Korean 'PurpleBravo' Campaign Targets 3,136 IPs Globally

🔍 Recorded Future's Insikt Group attributes to a widespread North Korean campaign, dubbed PurpleBravo, the targeting of 3,136 individual IP addresses via fraudulent job interviews that prompted candidates to run malicious code. The activity, observed from August 2024 to September 2025, affected 20 organizations across AI, crypto, finance, IT services, marketing, and software development in Europe, South Asia, the Middle East, and Central America. Security firms including Jamf Threat Labs reported abuse of VS Code projects, malicious GitHub repos and fake LinkedIn personas to deliver malware such as BeaverTail and a Go-based backdoor, increasing supply-chain and corporate-device risks.

Contagious Interview: VS Code Used as Attack Vector

⚠️ Threat actors tied to DPRK-backed Contagious Interview are weaponizing Visual Studio Code project configurations to execute malicious payloads when developers open and trust cloned repositories. Jamf Threat Labs observed attackers embedding commands in tasks.json that spawn shell processes to fetch and run obfuscated JavaScript via Node.js, establishing a persistent backdoor that can survive closing the IDE. Users should vet unfamiliar repos, inspect task and package files, and avoid running npm install without review.