north_korean_apts
North Korean APT activity referenced in the content includes exploitation of the React2Shell vulnerability (CVE-2025-55182) in Next.js/React Server Components and the use of common "living off the land" tooling for post-compromise operations. North Korean APTs are specifically noted as using React2Shell to deploy EtherRAT for espionage. Separately, North Korean APTs are described as using SSH-based tradecraft similar to that of other major actors: abusing the legitimate PuTTY suite (the plink.exe command-line client and the pscp.exe file-transfer tool) for stealthy lateral movement, tunnelling, and data exfiltration in Windows environments. A durable forensic trace is the PuTTY host-key cache at HKCU\Software\SimonTatham\PuTTY\SshHostKeys: every SSH server the user has accepted a host key for is recorded there, so the key is an inventory of SSH destinations even after sessions end. It is a per-user key, so on a multi-user host or an offline NTUSER.DAT hive it must be checked under each user's SID (HKU\<SID>\Software\SimonTatham\PuTTY\SshHostKeys), not only the current user.

The content also describes a North Korean operator persona, "Trevor Greer", exposed after the actor's own machine was infected with information-stealing malware, revealing operational security failures and a broader ecosystem of fake identities and front companies. This persona is linked to the "Contagious Interview" campaign targeting Web3 developers via fake LinkedIn recruiter profiles, and to activity around the February 2025 ByBit cryptocurrency exchange compromise, a theft of roughly $1.5B in cryptocurrency attributed to North Korean actors.

Artifacts tied to this persona include trevorgreer9312@gmail[.]com (used to register Bybit-assessment[.]com) and domains associated with the ByBit operation such as getstockprice[.]com. The actor is described as using AI tools (ChatGPT, Quillbot) to support phishing and social engineering, engaging in fake employment and remote IT worker schemes via platforms such as Upwork and Freelancer under aliases (e.g., "Kenneth Debolt", "Fabian Klein"), creating sham crypto entities (e.g., Block Bounce / blockbounce.xyz), and using legitimate services (e.g., the Willo video interview platform) for reconnaissance and potential cloning of phishing infrastructure.
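The SshHostKeys cache described above is worth turning into a triage artifact rather than just a registry path. The following is an added example written for this page, not code from Mallory or from any of the cited reporting: it parses a `.reg` export of the PuTTY host-key cache (collected with the real `reg export` command, e.g. `reg export "HKCU\Software\SimonTatham\PuTTY\SshHostKeys" putty.reg`, or the same path under `HKU\<SID>` for other users) into a list of SSH destinations, rebuilds the OpenSSH `SHA256:` fingerprint for `rsa2` entries so they can be matched against the destination's own host key or against known infrastructure, and flags destinations outside an allowlist. The sample export, the SID, the hosts and the hex key material are constructed for the example; PuTTY's real value-name format `<keytype>@<port>:<host>` and its `0x<e>,0x<n>` encoding for `rsa2` keys are the only parts taken from PuTTY itself.

```python
"""Triage a .reg export of HKCU\\Software\\SimonTatham\\PuTTY\\SshHostKeys.

PuTTY records one value per SSH server whose host key the user accepted:
  value name:  <keytype>@<port>:<host>     e.g. rsa2@22:203.0.113.10
  value data:  for rsa2, "0x<exponent>,0x<modulus>" in hex
Note that reg.exe writes exports as UTF-16 with a BOM; decode before parsing.
"""
import base64
import hashlib
import re
from dataclasses import dataclass
from typing import List, Optional, Set

SSH_HOST_KEYS_PATH = r'\Software\SimonTatham\PuTTY\SshHostKeys'
VALUE_NAME_RE = re.compile(r'^(?P<alg>[^@]+)@(?P<port>\d+):(?P<host>.+)$')
# "name"="data" lines in a .reg file; backslashes and quotes are escaped with '\'.
REG_LINE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"="(?P<data>(?:[^"\\]|\\.)*)"$')


@dataclass
class HostKeyEntry:
    hive: str          # registry path above \Software\..., e.g. HKEY_USERS\<SID>
    alg: str           # PuTTY key type name, e.g. rsa2, ssh-ed25519
    port: int
    host: str
    fingerprint: Optional[str]   # OpenSSH-style SHA256 fingerprint (rsa2 only here)


def _mpint(n: int) -> bytes:
    """RFC 4251 mpint: 4-byte length + big-endian two's-complement magnitude."""
    if n == 0:
        return b'\x00\x00\x00\x00'
    raw = n.to_bytes((n.bit_length() + 7) // 8, 'big')
    if raw[0] & 0x80:          # keep the value positive
        raw = b'\x00' + raw
    return len(raw).to_bytes(4, 'big') + raw


def _ssh_string(b: bytes) -> bytes:
    return len(b).to_bytes(4, 'big') + b


def rsa_fingerprint(putty_data: str) -> str:
    """Rebuild the ssh-rsa public-key blob from PuTTY's '0x<e>,0x<n>' form and
    return the fingerprint in the format OpenSSH prints (SHA256:<base64, no padding>)."""
    e_hex, n_hex = putty_data.split(',')
    e, n = int(e_hex, 16), int(n_hex, 16)
    blob = _ssh_string(b'ssh-rsa') + _mpint(e) + _mpint(n)
    digest = hashlib.sha256(blob).digest()
    return 'SHA256:' + base64.b64encode(digest).decode().rstrip('=')


def _unescape(s: str) -> str:
    return s.replace('\\\\', '\\').replace('\\"', '"')


def parse_reg_export(text: str) -> List[HostKeyEntry]:
    """Return every SshHostKeys value in the export, from any hive/SID."""
    entries: List[HostKeyEntry] = []
    hive, in_hostkeys = '', False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            key_path = line[1:-1]
            in_hostkeys = key_path.endswith(SSH_HOST_KEYS_PATH)
            hive = key_path[:-len(SSH_HOST_KEYS_PATH)] if in_hostkeys else ''
            continue
        if not in_hostkeys:
            continue
        m = REG_LINE_RE.match(line)
        if not m:
            continue
        nm = VALUE_NAME_RE.match(_unescape(m.group('name')))
        if not nm:
            continue
        alg = nm.group('alg')
        fp = rsa_fingerprint(_unescape(m.group('data'))) if alg == 'rsa2' else None
        entries.append(HostKeyEntry(hive, alg, int(nm.group('port')), nm.group('host'), fp))
    return entries


def flag_unexpected(entries: List[HostKeyEntry], approved_hosts: Set[str]) -> List[HostKeyEntry]:
    """Destinations not on the approved admin/jump-host list deserve a closer look:
    a workstation with PuTTY talking to an unknown external IP is exactly the
    plink/pscp exfiltration pattern described in the profile."""
    return [e for e in entries if e.host not in approved_hosts]


# Constructed sample export (SID, hosts and key material are made up for the example).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_USERS\S-1-5-21-1004336348-1177238915-682003330-1001\Software\SimonTatham\PuTTY\SshHostKeys]
"rsa2@22:203.0.113.10"="0x10001,0xb3c5d1e9f4a2c6b8e7d3f1a5c9b2d4e6"
"ssh-ed25519@2222:198.51.100.7"="0x1a2b3c4d5e6f7081,0x9a8b7c6d5e4f3021"
'''

if __name__ == '__main__':
    found = parse_reg_export(SAMPLE_REG)
    for e in found:
        print(f'{e.hive}  {e.alg:12} {e.host}:{e.port}  {e.fingerprint or "-"}')
    for e in flag_unexpected(found, approved_hosts={'203.0.113.10'}):
        print(f'UNEXPECTED SSH destination: {e.host}:{e.port} ({e.alg})')
```

Only `rsa2` entries get a fingerprint here; PuTTY stores ECDSA and Ed25519 keys in its own hex form too, so the same reconstruction could be extended to them, but the destination list and port are usually what an investigator needs first. Cross-reference the flagged hosts with prefetch or Sysmon process-creation records for plink.exe and pscp.exe to recover when the connections were made, since the registry key itself carries no timestamp beyond the key's last-write time.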
Observables
34 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
3 sources tracked across advisories, community write-ups, and news.
North Korean APT groups exploited the React2Shell vulnerability to deploy EtherRAT for espionage operations, targeting organizations using Next.js and React Server Components.
North Korean APTs are known for abusing legitimate tools such as PuTTY (plink.exe, pscp.exe) for stealthy lateral movement, tunnelling, data exfiltration, and maintaining access, blending their activity with normal administrative operations.
North Korean APT groups are conducting sophisticated cyber operations targeting the Web3 and cryptocurrency industry. Their campaigns involve creating fake personas and companies, infiltrating organizations as remote IT workers, and deploying information-stealing malware to compromise developer wallets and steal cryptocurrency. They leverage AI tools to improve their social engineering and operational effectiveness.