CISO Brief

All news with #north korea nexus tag

93 articles · page 3 of 5

Labyrinth Chollima Splits into Three North Korean Groups

🛡️ CrowdStrike reports that the long-running North Korean-linked operator Labyrinth Chollima has fragmented into three distinct teams: Labyrinth Chollima, Golden Chollima and Pressure Chollima. All three trace their roots to the legacy KorDLL framework but now employ separate evolved frameworks (Hoplight, Jeus, MataNet/TwoPence) and divergent toolsets. CrowdStrike assesses with high confidence that Labyrinth remains focused on espionage while Golden and Pressure have largely shifted to cryptocurrency-targeted activity, though shared code and infrastructure indicate ongoing centralized coordination.

Labyrinth Chollima Splits into Three Specialized Adversaries

🔍 CrowdStrike details that LABYRINTH CHOLLIMA has diverged into three distinct DPRK-linked adversaries — GOLDEN CHOLLIMA, PRESSURE CHOLLIMA, and a narrowed espionage-focused LABYRINTH CHOLLIMA. Each subgroup maintains dedicated malware families and targeting priorities: GOLDEN and PRESSURE focus on cryptocurrency and fintech thefts while core LABYRINTH targets industrial, defense, and logistics sectors. Despite operational separation, shared tools and infrastructure point to centralized coordination within the DPRK cyber ecosystem.

KONNI's AI-Enhanced Malware Targets Software Developers

🐞 Check Point Research is tracking an active phishing campaign by KONNI, a North Korea–linked actor that has shifted from geopolitical targets to software developers and engineering teams. The campaign specifically targets blockchain and cryptocurrency projects and uses lures crafted to resemble legitimate project documentation. Attackers deliver malicious attachments and payloads intended to compromise developer credentials and infrastructure, and the activity displays expanded geographic reach and sophisticated social-engineering techniques.

North Korean 'PurpleBravo' Campaign Targets 3,136 IPs Globally

🔍 Recorded Future's Insikt Group attributes to a widespread North Korean campaign, dubbed PurpleBravo, the targeting of 3,136 individual IP addresses via fraudulent job interviews that prompted candidates to run malicious code. The activity, observed from August 2024 to September 2025, affected 20 organizations across AI, crypto, finance, IT services, marketing, and software development in Europe, South Asia, the Middle East, and Central America. Security firms including Jamf Threat Labs reported abuse of VS Code projects, malicious GitHub repos and fake LinkedIn personas to deliver malware such as BeaverTail and a Go-based backdoor, increasing supply-chain and corporate-device risks.

Contagious Interview: VS Code Used as Attack Vector

⚠️ Threat actors tied to DPRK-backed Contagious Interview are weaponizing Visual Studio Code project configurations to execute malicious payloads when developers open and trust cloned repositories. Jamf Threat Labs observed attackers embedding commands in tasks.json that spawn shell processes to fetch and run obfuscated JavaScript via Node.js, establishing a persistent backdoor that can survive closing the IDE. Users should vet unfamiliar repos, inspect task and package files, and avoid running npm install without review.

DPRK-linked Actors Abuse VS Code Tasks to Deliver Backdoor

🚨 Jamf Threat Labs and other researchers observed DPRK-linked actors using malicious Visual Studio Code project repositories to deliver a multi-stage backdoor enabling remote code execution. The campaign abuses VS Code task configuration files (runOn: folderOpen) to fetch obfuscated JavaScript from Vercel and deploy implants named BeaverTail and InvisibleFerret. Targets are lured to clone and open repository-based job assessments, and on macOS the chain uses nohup/curl to run Node.js payloads that persist beyond the IDE.

FBI Warns of North Korean QR Code Phishing (Quishing)

🔒 The FBI has issued an alert about ongoing North Korean QR code phishing campaigns conducted by the Kimsuky APT, which targeted think tanks, academic institutions and government entities in May–June 2025. Attackers embedded QR codes in spear-phishing emails to redirect victims to mobile-optimized credential-harvesting pages, evading typical email security controls. The FBI recommends heightened user training, deployment of mobile device management, phishing-resistant MFA, and enhanced logging and monitoring to detect and mitigate these quishing attacks.

FBI: North Korean Hackers Employ Malicious QR Codes

🚨 The FBI warns that North Korean state-sponsored actors, tracked as Kimsuky, have embedded malicious QR codes in targeted spear-phishing (quishing) campaigns observed in May–June 2025. Attackers spoofed advisors, embassy staff, and think-tank employees to trick recipients into scanning QR codes that redirect mobile devices to attacker-controlled infrastructure or fake login pages. Because scans take victims off enterprise-managed machines to unmanaged phones outside EDR and network inspection, adversaries can harvest session tokens, replay credentials to bypass MFA, establish persistence, and launch secondary spear-phishing from compromised mailboxes.

FBI Warns: Kimsuky Uses QR Codes to Phish U.S. Organizations

🔒 The FBI warns that North Korean state-sponsored group Kimsuky is using malicious QR codes in spearphishing campaigns targeting U.S. organizations involved in North Korea policy, research, and analysis. These quishing campaigns route victims to attacker-controlled sites that fingerprint devices and serve fake Microsoft 365, Okta, Google, or VPN login pages to steal credentials and session tokens. Because they require mobile interaction and can originate from compromised inboxes, the attacks can bypass email security and enable MFA-resistant cloud account hijacking; the FBI urges training, QR verification, mobile device management, strong MFA, and immediate reporting.

Amazon Blocks 1,800+ Job Applications Tied to North Korea

🛡️ Amazon's chief security officer Stephen Schmidt says the company has blocked more than 1,800 job applications since April 2024 that are suspected to originate from North Korean agents, with linked submissions increasing roughly 27% per quarter in 2025. Amazon combines AI-based analysis with manual review—searching for links to at-risk institutions, application anomalies, and geographic inconsistencies—and verifies identities via background checks, references, and structured interviews. Recurring trends include increasingly sophisticated identity theft, hijacked LinkedIn profiles, fake U.S. educational credentials, and the use of "laptop farms" to simulate local presence; even phone numbers formatted with a country code of "1" can be a red flag. Amazon says the purpose appears to be securing remote employment to funnel income to North Korea's weapons program and urges industry peers to tighten identity verification and report suspicious activity to authorities such as the FBI.

North Korea Steals Over $2bn in Crypto During 2025

🚨 Chainalysis reports North Korea's crypto thefts surged in 2025, exceeding $2bn and pushing the regime's cumulative haul to over $6.7bn. The firm says DPRK actors accounted for 60% of funds stolen this year, with the Bybit breach alone yielding an unprecedented $1.5bn; attackers are increasingly embedding IT workers inside exchanges and custodians to gain privileged access. They favor Chinese-language services, cross-chain bridges and mixers for laundering, while personal wallet thefts tripled in incidents but fell in average value to $713m overall.

Obfuscated BeaverTail Variant Linked to Lazarus Operations

🛡️ Darktrace links a newly observed, heavily obfuscated BeaverTail JavaScript variant to DPRK-associated Lazarus clusters, targeting cryptocurrency traders, developers and retail staff. The cross-platform loader and stealer harvests host details and retrieves follow-on payloads, with recent samples using layered Base64 and XOR encoding. Delivery has expanded via trojanized npm packages, fake interview platforms and command-injection lures.

DPRK Hackers Responsible for $2.02B Crypto Theft in 2025

💰 Threat actors linked to North Korea stole at least $2.02 billion in cryptocurrency during 2025, a 51% increase year-over-year that made DPRK actors the leading source of global crypto theft. Chainalysis attributes much of the total to a February compromise of Bybit, estimated at $1.5 billion and linked to the cluster TraderTraitor. The report details systematic laundering across DeFi, mixers, bridges and OTC services, and an expanded use of IT infiltration schemes such as Wagemole to gain privileged access and facilitate high-impact thefts.

Imposter for Hire: Fake Employees Gaining Access Now

🔍 Microsoft Incident Response details a real-world intrusion where operatives posed as legitimate remote hires to gain trusted access. Attackers used low-cost PiKVM hardware to create persistent, out-of-band control of employer-issued workstations and bypassed normal EDR and onboarding controls. DART used telemetry from Microsoft Entra ID, Microsoft Defender, and bespoke forensic tools to trace activity to the North Korean group Jasper Sleet, contain the compromise, and restore affected systems. The report emphasizes strengthening vetting, enforcing least privilege, and monitoring for unauthorized IT devices.

North Korea-linked Actors Use React2Shell to Deploy EtherRAT

🛡️ Threat actors tied to North Korea have been observed exploiting the critical React Server Components vulnerability (React2Shell, CVE-2025-55182) to deliver a new remote access trojan named EtherRAT. The implant downloads a Node.js runtime, decrypts and spawns a JavaScript payload, and resolves command-and-control via Ethereum smart contracts using a multi-endpoint consensus method. EtherRAT persists on Linux with five distinct mechanisms and supports self-updating obfuscated payloads, enabling long-term stealthy access and making remediation difficult.

React2Shell Exploits Deploy EtherRAT, Linked to DPRK

🔐 Security researchers at Sysdig report new campaigns exploiting React2Shell (CVE-2025-55182), resulting in a novel implant that delivers EtherRAT and demonstrates advanced persistence and evasion. The exploit targets React v19 and many related frameworks, using a base64 shell command to fetch a downloader that installs Node.js, decrypts an obfuscated JavaScript dropper, and executes a blockchain-based C2-capable payload. Sysdig observed tooling overlaps with North Korea-associated campaigns, though firm attribution remains unconfirmed.

North Korean Hackers Exploit React2Shell to Deploy EtherRAT

🔒 Researchers at Sysdig uncovered a new malware implant, EtherRAT, delivered via exploitation of the React2Shell deserialization flaw in Next.js just days after the vulnerability disclosure. The implant bundles a full Node.js runtime, uses an encrypted loader, and employs Ethereum smart contracts for resilient C2 while supporting five Linux persistence mechanisms. Operators can self-update the payload and execute arbitrary JavaScript, complicating detection and response.

Researchers Expose Lazarus APT Remote-Worker Scheme Live

🔍 A joint investigation by Mauro Eldritch (BCA LTD), NorthScan, and ANY.RUN captured operators from North Korea's Lazarus Group Famous Chollima working through a network of remote IT contractors. Analysts used long-running sandbox VMs that mimicked real developer laptops to observe live activity without alerting the intruders, recording credential collection, AI-assisted interview tooling, OTP handling, and persistent access via Google Remote Desktop. The study found identity and workstation takeover — not traditional malware — as the primary intrusion method, underscoring significant risks in remote hiring and contractor vetting.

North Korea Recruits Engineers to Rent Identities for Fraud

🔍 Security researchers revealed a North Korean scheme in which Lazarus-linked Famous Chollima recruits developers to rent out their identities and act as frontmen for remote jobs, enabling espionage and illicit fundraising. The actors spam GitHub and other platforms, use AI-assisted tools and deepfake techniques, and request identity data and remote access to engineers' machines. Analysts deployed a sandboxed ANY.RUN honeypot and observed use of AnyDesk, Astrill VPN, OTP extensions, and AI interview assistants to conceal origin and streamline infiltration.

North Korean Actors Push 197 Malicious npm Packages in Campaign

🛡️ North Korean threat actors tied to the Contagious Interview campaign have uploaded 197 malicious npm packages designed to deliver a variant of OtterCookie that incorporates features of BeaverTail. Socket reports the packages have been downloaded over 31,000 times and include loader names such as bcryptjs-node, cross-sessions, json-oauth and tailwind-magic. The payload evades sandboxes and virtual machines, profiles hosts, fetches a cross-platform binary via a hard-coded Vercel URL, opens a C2 remote shell, and can steal clipboard contents, keystrokes, screenshots, browser credentials, documents and cryptocurrency seed phrases.