North Korea | Breaking Cybersecurity News | The Hacker News

Multiple threat activity clusters with ties to North Korea (aka Democratic People's Republic of Korea or DPRK) have been linked to attacks targeting organizations and individuals in the Web3 and cryptocurrency space. "The focus on Web3 and cryptocurrency appears to be primarily financially motivated due to the heavy sanctions that have been placed on North Korea," Google-owned Mandiant said in its M-Trends report for 2025 shared with The Hacker News. "These activities aim to generate financial gains, reportedly funding North Korea's weapons of mass destruction (WMD) program and other strategic assets." The cybersecurity firm said DPRK-nexus threat actors have developed custom tools written in a variety of languages such as Golang, C++, and Rust, and are capable of infecting Windows, Linux, and macOS operating systems. At least three threat activity clusters it tracks as UNC1069, UNC4899, and UNC5342 have been found to target members of the cryptocurren...

Cybersecurity researchers have flagged a new malicious campaign related to the North Korean state-sponsored threat actor known as Kimsuky that exploits a now-patched vulnerability impacting Microsoft Remote Desktop Services to gain initial access. The activity has been named Larva-24005 by the AhnLab Security Intelligence Center (ASEC). "In some systems, initial access was gained through exploiting the RDP vulnerability (BlueKeep, CVE-2019-0708)," the South Korean cybersecurity company said . "While an RDP vulnerability scanner was found in the compromised system, there is no evidence of its actual use." CVE-2019-0708 (CVSS score: 9.8) is a critical wormable bug in Remote Desktop Services that could enable remote code execution, allowing unauthenticated attackers to install arbitrary programs, access data, and even create new accounts with full user rights. However, in order for an adversary to exploit the flaw, they would need to send a specially crafted...

Intro: Why hack in when you can log in? SaaS applications are the backbone of modern organizations, powering productivity and operational efficiency. But every new app introduces critical security risks through app integrations and multiple users, creating easy access points for threat actors. As a result, SaaS breaches have increased, and according to a May 2024 XM Cyber report, identity and credential misconfigurations caused 80% of security exposures. Subtle signs of a compromise get lost in the noise, and then multi-stage attacks unfold undetected due to siloed solutions. Think of an account takeover in Entra ID, then privilege escalation in GitHub, along with data exfiltration from Slack. Each seems unrelated when viewed in isolation, but in a connected timeline of events, it's a dangerous breach. Wing Security's SaaS platform is a multi-layered solution that combines posture management with real-time identity threat detection and response. This allows organizations to get a ...

The North Korea-linked threat actor assessed to be behind the massive Bybit hack in February 2025 has been linked to a malicious campaign that targets developers to deliver new stealer malware under the guise of a coding assignment. The activity has been attributed by Palo Alto Networks Unit 42 to a hacking group it tracks as Slow Pisces , which is also known as Jade Sleet, PUKCHONG, TraderTraitor, and UNC4899. "Slow Pisces engaged with cryptocurrency developers on LinkedIn, posing as potential employers and sending malware disguised as coding challenges," security researcher Prashil Pattni said . "These challenges require developers to run a compromised project, infecting their systems using malware we have named RN Loader and RN Stealer." Slow Pisces has a history of targeting developers, typically in the cryptocurrency sector, by approaching them on LinkedIn as part of a supposed job opportunity and enticing them into opening a PDF document that details the ...

Safe{Wallet} has revealed that the cybersecurity incident that led to the Bybit $1.5 billion crypto heist is a "highly sophisticated, state-sponsored attack," stating the North Korean threat actors behind the hack took steps to erase traces of the malicious activity in an effort to hamper investigation efforts. The multi-signature (multisig) platform , which has roped in Google Cloud Mandiant to perform a forensic investigation, said the attack is the work of a hacking group dubbed TraderTraitor , which is also known as Jade Sleet, PUKCHONG, and UNC4899 . "The attack involved the compromise of a Safe{Wallet} developer's laptop ('Developer1') and the hijacking of AWS session tokens to bypass multi-factor authentication ('MFA') controls," it said . "This developer was one of the very few personnel that had higher access in order to perform their duties." Further analysis has determined that the threat actors broke into the developer...

The U.S. Federal Bureau of Investigation (FBI) formally linked the record-breaking $1.5 billion Bybit hack to North Korean threat actors, as the company's CEO Ben Zhou declared a "war against Lazarus." The agency said the Democratic People's Republic of Korea (North Korea) was responsible for the theft of the virtual assets from the cryptocurrency exchange, attributing it to a specific cluster it tracks as TraderTraitor, which is also referred to as Jade Sleet, Slow Pisces, and UNC4899. "TraderTraitor actors are proceeding rapidly and have converted some of the stolen assets to Bitcoin and other virtual assets dispersed across thousands of addresses on multiple blockchains," the FBI said . "It is expected these assets will be further laundered and eventually converted to fiat currency." It's worth noting that the TraderTraitor cluster was previously implicated by Japanese and U.S. authorities in the theft of cryptocurrency worth $308 mil...

Cryptocurrency exchange Bybit on Friday revealed that a "sophisticated" attack led to the theft of over $1.5 billion worth of cryptocurrency from one of its Ethereum cold (offline) wallets, making it the largest ever single crypto heist in history. "The incident occurred when our ETH multisig cold wallet executed a transfer to our warm wallet. Unfortunately, this transaction was manipulated through a sophisticated attack that masked the signing interface, displaying the correct address while altering the underlying smart contract logic," Bybit said in a post on X. "As a result, the attacker was able to gain control of the affected ETH cold wallet and transfer its holdings to an unidentified address." In a separate statement posted on the social media platform, Bybit's CEO Ben Zhou emphasized that all other cold wallets are secure. The company further said it has reported the case to the appropriate authorities. While there is no official conf...

Freelance software developers are the target of an ongoing campaign that leverages job interview-themed lures to deliver cross-platform malware families known as BeaverTail and InvisibleFerret. The activity, linked to North Korea, has been codenamed DeceptiveDevelopment, which overlaps with clusters tracked under the names Contagious Interview (aka CL-STA-0240 ), DEV#POPPER, Famous Chollima, PurpleBravo, and Tenacious Pungsan. The campaign has been ongoing since at least late 2023. "DeceptiveDevelopment targets freelance software developers through spear-phishing on job-hunting and freelancing sites, aiming to steal cryptocurrency wallets and login information from browsers and password managers," cybersecurity company ESET said in a report shared with The Hacker News. In November 2024, ESET confirmed to The Hacker News the overlaps between DeceptiveDevelopment and Contagious Interview, classifying it as a new Lazarus Group activity that operates with an aim to conduc...

The North Korean threat actor known as the Lazarus Group has been linked to a previously undocumented JavaScript implant named Marstech1 as part of limited targeted attacks against developers. The active operation has been dubbed Marstech Mayhem by SecurityScorecard, with the malware delivered by means of an open-source repository hosted on GitHub that's associated with a profile named "SuccessFriend." The profile, active since July 2024, is no longer accessible on the code hosting platform. The implant is designed to collect system information, and can be embedded within websites and NPM packages, posing a supply chain risk. Evidence shows that the malware first emerged in late December 2024. The attack has amassed 233 confirmed victims across the U.S., Europe, and Asia. "The profile mentioned web dev skills and learning blockchain which is in alignment to the interests of Lazarus," SecurityScorecard said . "The threat actor was committing both pre-o...

The North Korea-linked threat actor known as Kimsuky has been observed using a new tactic that involves deceiving targets into running PowerShell as an administrator and then instructing them to paste and run malicious code provided by them. "To execute this tactic, the threat actor masquerades as a South Korean government official and over time builds rapport with a target before sending a spear-phishing email with an [sic] PDF attachment," the Microsoft Threat Intelligence team said in a series of posts shared on X. To read the purported PDF document, victims are persuaded to click a URL containing a list of steps to register their Windows system. The registration link urges them to launch PowerShell as an administrator and copy/paste the displayed code snippet into the terminal, and execute it. Should the victim follow through, the malicious code downloads and installs a browser-based remote desktop tool, along with a certificate file with a hardcoded PIN from a rem...

The North Korea-linked nation-state hacking group known as Kimsuky has been observed conducting spear-phishing attacks to deliver an information stealer malware named forceCopy, according to new findings from the AhnLab Security Intelligence Center (ASEC). The attacks commence with phishing emails containing a Windows shortcut (LNK) file that's disguised as a Microsoft Office or PDF document. Opening this attachment triggers the execution of PowerShell or mshta.exe, a legitimate Microsoft binary designed to run HTML Application (HTA) files, that are responsible for downloading and running next-stage payloads from an external source. The South Korean cybersecurity company said the attacks culminated in the deployment of a known trojan dubbed PEBBLEDASH and a custom version of an open-source Remote Desktop utility named RDP Wrapper . Also delivered as part of the attacks is a proxy malware that allows the threat actors to establish persistent communications with an external ...

The North Korean threat actors behind the Contagious Interview campaign have been observed delivering a collection of Apple macOS malware strains dubbed FERRET as part of a supposed job interview process. "Targets are typically asked to communicate with an interviewer through a link that throws an error message and a request to install or update some required piece of software such as VCam or CameraAccess for virtual meetings," SentinelOne researchers Phil Stokes and Tom Hegel said in a new report. Contagious Interview, first uncovered in late 2023, is a persistent effort undertaken by the hacking crew to deliver malware to prospective targets through bogus npm packages and native apps masquerading as videoconferencing software. It's also tracked as DeceptiveDevelopment and DEV#POPPER. These attack chains are designed to drop a JavaScript-based malware known as BeaverTail, which, besides harvesting sensitive data from web browsers and crypto wallets, is capable of d...

The North Korean threat actor known as the Lazarus Group has been observed leveraging a "web-based administrative platform" to oversee its command-and-control (C2) infrastructure, giving the adversary the ability to centrally supervise all aspects of their campaigns. "Each C2 server hosted a web-based administrative platform, built with a React application and a Node.js API," SecurityScorecard's STRIKE team said in a new report shared with The Hacker News. "This administrative layer was consistent across all the C2 servers analyzed, even as the attackers varied their payloads and obfuscation techniques to evade detection." The hidden framework has been described as a comprehensive system and a hub that allows attackers to organize and manage exfiltrated data, maintain oversight of their compromised hosts, and handle payload delivery. The web-based admin panel has been identified in connection with a supply chain attack campaign dubbed Operation ...

The U.S. Treasury Department's Office of Foreign Assets Control (OFAC) sanctioned two individuals and four entities for their alleged involvement in illicit revenue generation schemes for the Democratic People's Republic of Korea (DPRK) by dispatching IT workers around the world to obtain employment and draw a steady source of income for the regime in violation of international sanctions. "These IT workers obfuscate their identities and locations to fraudulently obtain freelance employment contracts from clients around the world for IT projects, such as software and mobile application development," the Treasury Department said . "The DPRK government withholds up to 90% of the wages earned by these overseas workers, thereby generating annual revenues of hundreds of millions of dollars for the Kim regime's weapons programs to include weapons of mass destruction (WMD) and ballistic missile programs." The action represents the latest salvo in the U.S. g...

Cybersecurity researchers have identified infrastructure links between the North Korean threat actors behind the fraudulent IT worker schemes and a 2016 crowdfunding scam. The new evidence suggests that Pyongyang-based threamoret groups may have pulled off illicit money-making scams that predate the use of IT workers, SecureWorks Counter Threat Unit (CTU) said in a report shared with The Hacker News. The IT worker fraud scheme , which came to light in late 2023, involves North Korean actors infiltrating companies in the West and other parts of the world by surreptitiously seeking employment under fake identities to generate revenue for the sanctions-hit nation. It's also tracked under the names Famous Chollima, Nickel Tapestry, UNC5267, and Wagemole. The IT personnel, per South Korea's Ministry of Foreign Affairs (MoFA), have been assessed to be part of the 313th General Bureau, an organization under the Munitions Industry Department of the Workers' Party of Korea. ...

North Korean threat actors behind the ongoing Contagious Interview campaign have been observed dropping a new JavaScript malware called OtterCookie . Contagious Interview (aka DeceptiveDevelopment ) refers to a persistent attack campaign that employs social engineering lures, with the hacking crew often posing as recruiters to trick individuals looking for potential job opportunities into downloading malware under the guise of an interview process. This involves distributing malware-laced videoconferencing apps or npm packages either hosted on GitHub or the official package registry, paving the way for the deployment of malware such as BeaverTail and InvisibleFerret. Palo Alto Networks Unit 42, which first exposed the activity in November 2023, is tracking the cluster under the moniker CL-STA-0240. It's also referred to as Famous Chollima and Tenacious Pungsan. In September 2024, Singaporean cybersecurity company Group-IB documented the first major revision to the attack c...