
North Korean hackers | Breaking Cybersecurity News | The Hacker News

Andariel Hackers Target South Korean Institutes with New Dora RAT Malware

Jun 03, 2024 Malware / Cyber Attack
The North Korea-linked threat actor known as Andariel has been observed using a new Golang-based backdoor called Dora RAT in its attacks targeting educational institutes, manufacturing firms, and construction businesses in South Korea. "Keylogger, Infostealer, and proxy tools on top of the backdoor were utilized for the attacks," the AhnLab Security Intelligence Center (ASEC) said in a report published last week. "The threat actor probably used these malware strains to control and steal data from the infected systems." The attacks are characterized by the use of a vulnerable Apache Tomcat server to distribute the malware, the South Korean cybersecurity firm added, noting the system in question ran the 2013 version of Apache Tomcat, making it susceptible to several vulnerabilities. Andariel, also known by the names Nickel Hyatt, Onyx Sleet, and Silent Chollima, is an advanced persistent threat (APT) group that operates on behalf of North Korea's strategic
Microsoft Uncovers 'Moonstone Sleet' — New North Korean Hacker Group

May 29, 2024 Cyber Espionage / Malware
A never-before-seen North Korean threat actor codenamed Moonstone Sleet has been attributed as behind cyber attacks targeting individuals and organizations in the software and information technology, education, and defense industrial base sectors with ransomware and bespoke malware previously associated with the infamous Lazarus Group. "Moonstone Sleet is observed to set up fake companies and job opportunities to engage with potential targets, employ trojanized versions of legitimate tools, create a malicious game, and deliver a new custom ransomware," the Microsoft Threat Intelligence team said in a new analysis. It also characterized the threat actor as using a combination of tried-and-true techniques used by other North Korean threat actors and unique attack methodologies to meet its strategic objectives. The adversary, hitherto tracked by Redmond under the emerging cluster moniker Storm-1789, is assessed to be a state-aligned group that originally exhibited strong t
NSA, FBI Alert on N. Korean Hackers Spoofing Emails from Trusted Sources

May 03, 2024 Email Security / Malware
The U.S. government on Thursday published a new cybersecurity advisory warning of North Korean threat actors' attempts to send emails in a manner that makes them appear like they are from legitimate and trusted parties. The joint bulletin was published by the National Security Agency (NSA), the Federal Bureau of Investigation (FBI), and the Department of State. "The DPRK [Democratic People's Republic of Korea] leverages these spear-phishing campaigns to collect intelligence on geopolitical events, adversary foreign policy strategies, and any information affecting DPRK interests by gaining illicit access to targets' private documents, research, and communications," the NSA said. The technique specifically concerns exploiting improperly configured DNS Domain-based Message Authentication, Reporting, and Conformance (DMARC) record policies to conceal social engineering attempts. In doing so, the threat actors can send spoofed emails as if they are from a legit
Cybersecurity CPEs: Unraveling the What, Why & How

Jun 10, 2024 Cybersecurity / Exposure Management
Staying Sharp: Cybersecurity CPEs Explained Perhaps even more so than in other professional domains, cybersecurity professionals constantly face new threats. To ensure you stay on top of your game, many certification programs require earning Continuing Professional Education (CPE) credits. CPEs are essentially units of measurement used to quantify the time and effort professionals spend on maintaining and enhancing skills and knowledge in the field of cybersecurity, and they act as points that demonstrate a commitment to staying current. CPEs are best understood in terms of other professions: just like medical, legal and even CPA certifications require continuing education to stay up-to-date on advancements and industry changes, cybersecurity professionals need CPEs to stay informed about the latest hacking tactics and defense strategies. CPE credits are crucial for maintaining certifications issued by various cybersecurity credentialing organizations, such as (ISC)², ISACA, and C
eScan Antivirus Update Mechanism Exploited to Spread Backdoors and Miners

Apr 24, 2024 Cryptocurrency / Threat Intelligence
A new malware campaign has been exploiting the updating mechanism of the eScan antivirus software to distribute backdoors and cryptocurrency miners like XMRig through a long-standing threat codenamed GuptiMiner targeting large corporate networks. Cybersecurity firm Avast said the activity is the work of a threat actor with possible connections to a North Korean hacking group dubbed Kimsuky, which is also known as Black Banshee, Emerald Sleet, and TA427. "GuptiMiner is a highly sophisticated threat that uses an interesting infection chain along with a couple of techniques that include performing DNS requests to the attacker's DNS servers, performing sideloading, extracting payloads from innocent-looking images, signing its payloads with a custom trusted root anchor certification authority, among others," Avast said. The intricate and elaborate infection chain, at its core, leverages a security shortcoming in the update mechanism of Indian antivirus vendor eScan to
Microsoft Warns: North Korean Hackers Turn to AI-Fueled Cyber Espionage

Apr 22, 2024 Cryptocurrency / Artificial Intelligence
Microsoft has revealed that North Korea-linked state-sponsored cyber actors have begun to use artificial intelligence (AI) to make their operations more effective and efficient. "They are learning to use tools powered by AI large language models (LLM) to make their operations more efficient and effective," the tech giant said in its latest report on East Asia hacking groups. The company specifically highlighted a group named Emerald Sleet (aka Kimsuky or TA427), which has been observed using LLMs to bolster spear-phishing efforts aimed at Korean Peninsula experts. The adversary is also said to have relied on the latest advancements in AI to research vulnerabilities and conduct reconnaissance on organizations and experts focused on North Korea, joining hacking crews from China, who have turned to AI-generated content for influence operations. It further employed LLMs to troubleshoot technical issues, conduct basic scripting tasks, and draft content for spear-phishi
Russian Government Software Backdoored to Deploy Konni RAT Malware

Feb 22, 2024 Malware / Cyber Espionage
An installer for a tool likely used by the Russian Consular Department of the Ministry of Foreign Affairs (MID) has been backdoored to deliver a remote access trojan called Konni RAT (aka UpDog). The findings come from German cybersecurity company DCSO, which linked the activity as originating from the Democratic People's Republic of Korea (DPRK)-nexus actors targeting Russia. The Konni (aka Opal Sleet, Osmium, or TA406) activity cluster has an established pattern of deploying Konni RAT against Russian entities, with the threat actor also linked to attacks directed against MID at least since October 2021. In November 2023, Fortinet FortiGuard Labs revealed the use of Russian-language Microsoft Word documents to deliver malware capable of harvesting sensitive information from compromised Windows hosts. DCSO said the packaging of Konni RAT within software installers is a technique previously adopted by the group in October 2023, when it was found to leverage a backd
Kimsuky's New Golang Stealer 'Troll' and 'GoBear' Backdoor Target South Korea

Feb 08, 2024 Cyber Espionage / Malware
The North Korea-linked nation-state actor known as Kimsuky is suspected of using a previously undocumented Golang-based information stealer called Troll Stealer. The malware steals "SSH, FileZilla, C drive files/directories, browsers, system information, [and] screen captures" from infected systems, South Korean cybersecurity company S2W said in a new technical report. Troll Stealer's links to Kimsuky stem from its similarities to known malware families, such as AppleSeed and AlphaSeed malware that have been attributed to the group. Kimsuky, also tracked under the names APT43, ARCHIPELAGO, Black Banshee, Emerald Sleet (previously Thallium), Nickel Kimball, and Velvet Chollima, is well known for its propensity to steal sensitive, confidential information in offensive cyber operations. In late November 2023, the threat actors were sanctioned by the U.S. Treasury Department's Office of Foreign Assets Control (OFAC) for gathering intelligence to further North
North Korean Hackers Weaponize Research Lures to Deliver RokRAT Backdoor

Jan 22, 2024 Cyber Attack / Hacking
Media organizations and high-profile experts in North Korean affairs have been at the receiving end of a new campaign orchestrated by a threat actor known as ScarCruft in December 2023. "ScarCruft has been experimenting with new infection chains, including the use of a technical threat research report as a decoy, likely targeting consumers of threat intelligence like cybersecurity professionals," SentinelOne researchers Aleksandar Milenkoski and Tom Hegel said in a report shared with The Hacker News. The North Korea-linked adversary, also known by the name APT37, InkySquid, RedEyes, Ricochet Chollima, and Ruby Sleet, is assessed to be part of the Ministry of State Security (MSS), placing it apart from Lazarus Group and Kimsuky, which are elements within the Reconnaissance General Bureau (RGB). The group is known for its targeting of governments and defectors, leveraging spear-phishing lures to deliver RokRAT and other backdoors with the ultimate goal of cove
North Korea's Cyber Heist: DPRK Hackers Stole $600 Million in Cryptocurrency in 2023

Jan 08, 2024 Cryptocurrency / Financial Crime
Threat actors affiliated with the Democratic People's Republic of Korea (also known as North Korea) have plundered at least $600 million in cryptocurrency in 2023. The DPRK "was responsible for almost a third of all funds stolen in crypto attacks last year, despite a 30% reduction from the USD 850 million haul in 2022," blockchain analytics firm TRM Labs said last week. "Hacks perpetrated by the DPRK were on average ten times as damaging as those not linked to North Korea." There are indications that additional breaches targeting the crypto sector towards the end of 2023 could push this figure higher to around $700 million. The targeting of cryptocurrency companies is not new for North Korean state-sponsored actors, who have stolen about $3 billion since 2017. These financially motivated attacks are seen as a crucial revenue-generation mechanism for the sanctions-hit nation, funding its weapons of mass destruction (WMD) and ballistic missile program
SpectralBlur: New macOS Backdoor Threat from North Korean Hackers

Jan 05, 2024 Endpoint Security / Malware
Cybersecurity researchers have discovered a new Apple macOS backdoor called SpectralBlur that overlaps with a known malware family that has been attributed to North Korean threat actors. "SpectralBlur is a moderately capable backdoor that can upload/download files, run a shell, update its configuration, delete files, hibernate, or sleep, based on commands issued from the [command-and-control server]," security researcher Greg Lesnewich said. The malware shares similarities with KANDYKORN (aka SockRacket), an advanced implant that functions as a remote access trojan capable of taking control of a compromised host. It's worth noting that the KANDYKORN activity also intersects with another campaign orchestrated by the Lazarus sub-group known as BlueNoroff (aka TA444) which culminates in the deployment of a backdoor referred to as RustBucket and a late-stage payload dubbed ObjCShellz. In recent months, the threat actor has been observed combining disparate pieces of t
U.S. Treasury Sanctions North Korean Kimsuky Hackers and 8 Foreign-Based Agents

Dec 01, 2023 Cyber Espionage / Cryptocurrency
The U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) on Thursday sanctioned the North Korea-linked adversarial collective known as Kimsuky as well as eight foreign-based agents who are alleged to have facilitated sanctions evasion. The agents, the Treasury said, helped in "revenue generation and missile-related technology procurement that support the DPRK's weapons of mass destruction (WMD) programs." The sanctions against Kimsuky, which have been levied for gathering intelligence to support the regime's strategic objectives, come more than four years after the OFAC imposed similar measures against the Lazarus Group and its offshoots Andariel and BlueNoroff in September 2019. The actions are in response to North Korea's launch of a military reconnaissance satellite late last month, the Treasury added. They also arrive a day after a virtual currency mixer service called Sinbad was sanctioned for processing stolen as
N. Korean Hackers 'Mixing' macOS Malware Tactics to Evade Detection

Nov 28, 2023 Malware / Cyber Espionage
The North Korean threat actors behind macOS malware strains such as RustBucket and KANDYKORN have been observed "mixing and matching" different elements of the two disparate attack chains, leveraging RustBucket droppers to deliver KANDYKORN. The findings come from cybersecurity firm SentinelOne, which also tied a third macOS-specific malware called ObjCShellz to the RustBucket campaign. RustBucket refers to an activity cluster linked to the Lazarus Group in which a backdoored version of a PDF reader app, dubbed SwiftLoader, is used as a conduit to load a next-stage malware written in Rust upon viewing a specially crafted lure document. The KANDYKORN campaign, on the other hand, refers to a malicious cyber operation in which blockchain engineers of an unnamed crypto exchange platform were targeted via Discord to initiate a sophisticated multi-stage attack sequence that led to the deployment of the eponymous full-featured memory resident remote access trojan. The t
N. Korean Hackers Distribute Trojanized CyberLink Software in Supply Chain Attack

Nov 23, 2023 Software Supply Chain Attack
A North Korean state-sponsored threat actor tracked as Diamond Sleet is distributing a trojanized version of a legitimate application developed by a Taiwanese multimedia software developer called CyberLink to target downstream customers via a supply chain attack. "This malicious file is a legitimate CyberLink application installer that has been modified to include malicious code that downloads, decrypts, and loads a second-stage payload," the Microsoft Threat Intelligence team said in an analysis on Wednesday. The poisoned file, the tech giant said, is hosted on the update infrastructure owned by the company while also including checks to limit the time window for execution and bypass detection by security products. The campaign is estimated to have impacted over 100 devices across Japan, Taiwan, Canada, and the U.S. Suspicious activity associated with the modified CyberLink installer file was observed as early as October 20, 2023. The links to North Korea stem from
North Korean Hackers Pose as Job Recruiters and Seekers in Malware Campaigns

Nov 22, 2023 Cyber Espionage / Social Engineering
North Korean threat actors have been linked to two campaigns in which they masquerade as both job recruiters and seekers to distribute malware and obtain unauthorized employment with organizations based in the U.S. and other parts of the world. The activity clusters have been codenamed Contagious Interview and Wagemole, respectively, by Palo Alto Networks Unit 42. While the first set of attacks aims to "infect software developers with malware through a fictitious job interview," the latter is designed for financial gain and espionage. "The first campaign's objective is likely cryptocurrency theft and using compromised targets as a staging environment for additional attacks," the cybersecurity company said. The fraudulent job-seeking activity, on the other hand, involves the use of a GitHub repository to host resumes with forged identities that impersonate individuals of various nationalities. The Contagious Interview attacks pave the way for two hitherto undocumented cross-plat
North Korean Hackers Exploit Zero-Day Bug to Target Cybersecurity Researchers

Sep 08, 2023 Zero Day / Cyber Attack
Threat actors associated with North Korea are continuing to target the cybersecurity community using a zero-day bug in an unspecified software over the past several weeks to infiltrate their machines. The findings come from Google's Threat Analysis Group (TAG), which found the adversary setting up fake accounts on social media platforms like X (formerly Twitter) and Mastodon to forge relationships with potential targets and build trust. "In one case, they carried on a months-long conversation, attempting to collaborate with a security researcher on topics of mutual interest," security researchers Clement Lecigne and Maddie Stone said. "After initial contact via X, they moved to an encrypted messaging app such as Signal, WhatsApp, or Wire." The social engineering exercise ultimately paved the way for a malicious file containing at least one zero-day in a popular software package. The vulnerability is currently in the process of being fixed. The payload, for its part, perf