Mallory

North Korea-Linked Threat Activity and Reporting on Lazarus, IT Worker Schemes, and Related Malware

Tags: North Korea, malware, remote access trojan, cloud threat, infostealer, Lazarus, IT worker, fraudulent employment, social engineering, LinkedIn, developer tooling

Updated March 13, 2026 at 01:01 AM (9 sources)


Multiple reports and threat-intel posts highlighted North Korea-linked cyber activity spanning social engineering, malware, and broader ecosystem analysis. AllSecure described an attempted compromise of a CEO via a fake LinkedIn job interview attributed to Lazarus tradecraft (tagged BeaverTail / Contagious Interview), indicating continued use of recruiter-style lures and developer tooling themes (e.g., VSCode) to gain execution on target systems. Separately, eSentire published technical analysis on the DEV#POPPER remote access trojan and associated OmniStealer activity, framing it as DPRK-linked malware and providing defensive guidance for organizations facing this threat class.

Additional DPRK-focused intelligence covered both strategic and operational dimensions. Google’s Cloud Threat Horizons Report H1 2026 discussed cloud-focused threat activity and tracked DPRK-linked clusters (including UNC4899 and UNC5267), while Logpresso published an OSINT report on DPRK remote IT worker infiltration tactics (fraudulent employment/contractor placement). NKInternet released a catalog-style overview of North Korea’s software export ecosystem, and RedAsgard’s “Hunting Lazarus” series contributed hands-on investigative detail into Lazarus operator artifacts. A separate Lazarus threat-actor profile page aggregated historical reporting and statistics, but did not add a discrete new incident beyond compilation.

Sources

March 12, 2026 at 12:00 AM (3 items)
March 11, 2026 at 12:00 AM (2 items)

4 more from sources like lazarusholic (Bluesky)

Related Stories

North Korea-linked Social Engineering Campaigns Targeting Developers and Defense Supply Chains


North Korea–aligned operators, including **Lazarus** (aka **HIDDEN COBRA**), are running multiple social-engineering-led intrusion campaigns aimed at stealing sensitive technology and establishing durable access. Reporting on **Operation DreamJob** describes fake job-offer lures used to compromise European drone manufacturers and defense contractors, with tooling and infrastructure designed to evade traditional defenses and support cyber-espionage against UAV-related intellectual property. Separately, a developer-focused operation dubbed **“Fake Font”** uses fake recruiter outreach and malicious GitHub repositories to trick engineers into opening projects that abuse *Visual Studio Code* automation (via `.vscode/tasks.json`) and disguised payloads (e.g., `.woff2` “font” files) to execute multi-stage malware that ultimately deploys the **InvisibleFerret** Python backdoor for credential and crypto-wallet theft and long-term access. A distinct DPRK-linked campaign reported by Darktrace targets South Korean users with spear-phishing that delivers a JSE script masquerading as an HWPX document and then abuses **VS Code tunnels** as a covert C2 channel over trusted Microsoft infrastructure, complicating detection in developer-heavy environments. Other items in the set describe unrelated activity: phishing abuse of *Vercel* to deliver remote-access tooling, exploitation of **CVE-2025-51683** (blind SQLi) in the *Mjobtime* time-tracking app to reach MSSQL `xp_cmdshell`, a hospitality-focused **DCRat** campaign using **ClickFix** and `MSBuild.exe`, a generic CSS exfiltration technique write-up, and Trend Micro research on the **PeckBirdy** LOLBins framework used by China-aligned intrusion sets—none of which are part of the DPRK developer/defense recruitment-themed operations above.

1 month ago
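A defender-side check for the `.vscode/tasks.json` abuse described in the Fake Font item, added here as an example and not code from any of the cited reports: it parses a tasks file from a cloned repository and flags tasks that auto-run on folder open, hand a "font" file to a command, or invoke spawn/download/decode primitives. The sample `tasks.json` is constructed for illustration, and the extension and keyword lists are assumptions, not indicators taken from the reporting.

```python
import json
from typing import Any, Dict, List

# Constructed sample tasks.json in the style the Fake Font write-up describes
# (assumption: not the real file from the campaign). One benign build task and
# one that auto-runs on folder open and feeds a ".woff2" "font" to an interpreter.
SAMPLE_TASKS_JSON = r"""
{
  "version": "2.0.0",
  "tasks": [
    {"label": "build", "type": "shell", "command": "npm run build"},
    {
      "label": "load fonts",
      "type": "shell",
      "command": "node -e \"require('child_process').exec('python3 assets/fonts/Inter.woff2')\"",
      "runOptions": {"runOn": "folderOpen"}
    }
  ]
}
"""

# Heuristics (assumptions for this example, not indicators from the reporting).
FONT_EXTENSIONS = (".woff2", ".woff", ".ttf", ".otf")
SPAWN_OR_FETCH = ("child_process", "powershell", "curl ", "wget ", "certutil", "base64", "invoke-")


def audit_tasks(tasks_json: str) -> List[Dict[str, Any]]:
    """Return one finding per suspicious task; an empty list means nothing was flagged."""
    doc = json.loads(tasks_json)
    findings: List[Dict[str, Any]] = []
    for task in doc.get("tasks", []):
        # Join command and args and lower-case them so matching is case-insensitive.
        parts = [str(task.get("command", ""))] + [str(a) for a in task.get("args", [])]
        command = " ".join(parts)
        lowered = command.lower()
        reasons: List[str] = []
        # "runOn": "folderOpen" is the VS Code setting that triggers a task on workspace open.
        if task.get("runOptions", {}).get("runOn") == "folderOpen":
            reasons.append("auto-runs when the folder is opened")
        if any(ext in lowered for ext in FONT_EXTENSIONS):
            reasons.append("passes a font file to a command")
        if any(tok in lowered for tok in SPAWN_OR_FETCH):
            reasons.append("uses a spawn, download or decode primitive")
        if reasons:
            findings.append({"label": task.get("label", "<unnamed>"), "command": command, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_tasks(SAMPLE_TASKS_JSON):
        print(f"[!] task '{finding['label']}': {'; '.join(finding['reasons'])}")
```

Run it against each `.vscode/tasks.json` in a repository before opening the folder in VS Code; a font file on the command line of an auto-run task is the pattern the Fake Font lure depends on.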
North Korean Threat Actors Use AI-Enabled IT Worker Scams and Target Crypto Firms


Microsoft-linked reporting says **North Korean threat actors** are using **AI** to scale and refine long-running “fake IT worker” schemes, where operatives pose as legitimate remote hires to obtain *authorized* access inside victim organizations. The activity is attributed to DPRK-linked clusters **Jasper Sleet** and **Coral Sleet**, with AI used to improve identity fabrication and maintenance (including face/voice manipulation) and to sustain day-to-day communications that help keep fraudulent personas credible, enabling “sustained, large-scale misuse of legitimate access.” Separately, reporting on suspected DPRK-linked intrusions describes a coordinated campaign against **cryptocurrency organizations** spanning staking platforms, exchange software providers, and exchanges, with theft of **source code, private keys, and cloud secrets**. Investigators described two primary access paths: exploitation of `CVE-2025-55182` in the *React2Shell* framework (including mass scanning and WAF-bypass techniques) and the use of **pre-obtained valid AWS access tokens** to move directly into cloud enumeration; researchers also recovered artifacts from attacker infrastructure (e.g., shell history, archived code, and tool configurations) that provided visibility into post-compromise activity and C2 setup.

1 week ago
North Korea’s Chollima Threat Actors Evolve and Expand Targeting


Reporting highlighted multiple, **unrelated** threat developments rather than a single cohesive incident. One thread focused on North Korea-linked **Chollima** activity: a targeted spear-phishing operation attributed to **Ricochet Chollima** used Dropbox-hosted lures to deliver archives containing weaponized Windows shortcut (`.LNK`) files, with tradecraft designed to evade detection (including multi-stage execution and fileless, memory-resident behavior). Separately, a CrowdStrike-based report described a strategic reorganization of **LABYRINTH CHOLLIMA** into three operational groupings—**GOLDEN CHOLLIMA** (smaller, steady revenue theft), **PRESSURE CHOLLIMA** (high-payout crypto heists), and a core **espionage** unit—while retaining shared malware “DNA” via frameworks such as **KorDLL** and **Hawup**, indicating continued coordination across DPRK cyber operations. Other items covered distinct, non-DPRK activity and should not be conflated with the Chollima reporting. One article described **infostealer campaigns expanding to macOS**, including Python-based cross-platform stealers and macOS families such as **Atomic macOS Stealer (AMOS)**, using malvertising, fake installers/DMGs, and trusted platforms to harvest credentials, cookies, keychain data, crypto wallets, and developer secrets. Another described a **fake Dropbox phishing** campaign using PDF-based staging (including obfuscation techniques like `FlateDecode` and `AcroForm` objects) hosted on legitimate infrastructure (e.g., Vercel Blob storage) to redirect victims to a counterfeit login page and exfiltrate credentials via **Telegram**—a separate credential-harvesting operation not tied to the Chollima APT reporting.

1 month ago
