Microsoft Uncovers 'Moonstone Sleet' — New North Korean Hacker Group

A never-before-seen North Korean threat actor codenamed Moonstone Sleet has been attributed as behind cyber attacks targeting individuals and organizations in the software and information technology, education, and defense industrial base sectors with ransomware and bespoke malware previously associated with the infamous Lazarus Group. "Moonstone Sleet is observed to set up fake companies and

NSA, FBI Alert on N. Korean Hackers Spoofing Emails from Trusted Sources

The U.S. government on Thursday published a new cybersecurity advisory warning of North Korean threat actors' attempts to send emails in a manner that makes them appear like they are from legitimate and trusted parties. The joint bulletin was published by the National Security Agency (NSA), the Federal Bureau of Investigation (FBI), and the Department of State. "The

eScan Antivirus Update Mechanism Exploited to Spread Backdoors and Miners

A new malware campaign has been exploiting the updating mechanism of the eScan antivirus software to distribute backdoors and cryptocurrency miners like XMRig through a long-standing threat codenamed GuptiMiner targeting large corporate networks. Cybersecurity firm Avast said the activity is the work of a threat actor with possible connections to a North Korean hacking group dubbed 

Microsoft Warns: North Korean Hackers Turn to AI-Fueled Cyber Espionage

Microsoft has revealed that North Korea-linked state-sponsored cyber actors have begun to use artificial intelligence (AI) to make their operations more effective and efficient. "They are learning to use tools powered by AI large language models (LLM) to make their operations more efficient and effective," the tech giant said in its latest report on East Asia hacking groups. The

Russian Government Software Backdoored to Deploy Konni RAT Malware

An installer for a tool likely used by the Russian Consular Department of the Ministry of Foreign Affairs (MID) has been backdoored to deliver a remote access trojan called Konni RAT (aka UpDog). The findings come from German cybersecurity company DCSO, which linked the activity as originating from the Democratic People's Republic of Korea (DPRK)-nexus actors targeting Russia. The

New Report Reveals North Korean Hackers Targeting Defense Firms Worldwide

North Korean state-sponsored threat actors have been attributed to a cyber espionage campaign targeting the defense sector across the world. In a joint advisory published by Germany's Federal Office for the Protection of the Constitution (BfV) and South Korea's National Intelligence Service (NIS), the agencies said the goal of the attacks is to plunder advanced defense technologies in a "

Kimsuky's New Golang Stealer 'Troll' and 'GoBear' Backdoor Target South Korea

The North Korea-linked nation-state actor known as Kimsuky is suspected of using a previously undocumented Golang-based information stealer called Troll Stealer. The malware steals "SSH, FileZilla, C drive files/directories, browsers, system information, [and] screen captures" from infected systems, South Korean cybersecurity company S2W said in a new technical report. Troll

North Korean Hackers Weaponize Research Lures to Deliver RokRAT Backdoor

Media organizations and high-profile experts in North Korean affairs have been at the receiving end of a new campaign orchestrated by a threat actor known as ScarCruft in December 2023. "ScarCruft has been experimenting with new infection chains, including the use of a technical threat research report as a decoy, likely targeting consumers of threat intelligence like cybersecurity

North Korea's Cyber Heist: DPRK Hackers Stole $600 Million in Cryptocurrency in 2023

Threat actors affiliated with the Democratic People's Republic of Korea (also known as North Korea) have plundered at least $600 million in cryptocurrency in 2023. The DPRK "was responsible for almost a third of all funds stolen in crypto attacks last year, despite a 30% reduction from the USD 850 million haul in 2022," blockchain analytics firm TRM Labs said last week. "Hacks

SpectralBlur: New macOS Backdoor Threat from North Korean Hackers

Cybersecurity researchers have discovered a new Apple macOS backdoor called SpectralBlur that overlaps with a known malware family that has been attributed to North Korean threat actors. “SpectralBlur is a moderately capable backdoor that can upload/download files, run a shell, update its configuration, delete files, hibernate, or sleep, based on commands issued from the [

U.S. Treasury Sanctions North Korean Kimsuky Hackers and 8 Foreign-Based Agents

The U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) on Thursday sanctioned the North Korea-linked adversarial collective known as Kimsuky as well as eight foreign-based agents who are alleged to have facilitated sanctions evasion. The agents, the Treasury said, helped in "revenue generation and missile-related technology procurement that support the DPRK's

N. Korean Hackers 'Mixing' macOS Malware Tactics to Evade Detection

The North Korean threat actors behind macOS malware strains such as RustBucket and KANDYKORN have been observed "mixing and matching" different elements of the two disparate attack chains, leveraging RustBucket droppers to deliver KANDYKORN. The findings come from cybersecurity firm SentinelOne, which also tied a third macOS-specific malware called ObjCShellz to the RustBucket campaign

N. Korean Hackers Distribute Trojanized CyberLink Software in Supply Chain Attack

A North Korean state-sponsored threat actor tracked as Diamond Sleet is distributing a trojanized version of a legitimate application developed by a Taiwanese multimedia software developer called CyberLink to target downstream customers via a supply chain attack. "This malicious file is a legitimate CyberLink application installer that has been modified to include malicious code that downloads,

North Korean Hackers Pose as Job Recruiters and Seekers in Malware Campaigns

North Korean threat actors have been linked to two campaigns in which they masquerade as both job recruiters and seekers to distribute malware and obtain unauthorized employment with organizations based in the U.S. and other parts of the world. The activity clusters have been codenamed Contagious Interview and Wagemole, respectively, by Palo Alto Networks Unit 42. While the first set of attacks

N. Korea's BlueNoroff Blamed for Hacking macOS Machines with ObjCShellz Malware

The North Korea-linked nation-state group called BlueNoroff has been attributed to a previously undocumented macOS malware strain dubbed ObjCShellz. Jamf Threat Labs, which disclosed details of the malware, said it's used as part of the RustBucket malware campaign, which came to light earlier this year. "Based on previous attacks performed by BlueNoroff, we suspect that this malware was a late

U.S. DoJ Cracks Down on North Korean IT Scammers Defrauding Global Businesses

The U.S. government has announced the seizure of 17 website domains used by North Korean information technology (IT) workers as part of an illicit scheme to defraud businesses across the world, evade sanctions, and fund the country's ballistic missile program. The Department of Justice (DoJ) said the U.S. confiscated approximately $1.5 million of the revenue that these IT workers collected from

Microsoft Warns of North Korean Attacks Exploiting JetBrains TeamCity Flaw

North Korean threat actors are actively exploiting a critical security flaw in JetBrains TeamCity to opportunistically breach vulnerable servers, according to Microsoft. The attacks, which entail the exploitation of CVE-2023-42793 (CVSS score: 9.8), have been attributed to Diamond Sleet (aka Labyrinth Chollima) and Onyx Sleet (aka Andariel or Silent Chollima). It's worth noting that both the

Lazarus Group Impersonates Recruiter from Meta to Target Spanish Aerospace Firm

The North Korea-linked Lazarus Group has been linked to a cyber espionage attack targeting an unnamed aerospace company in Spain in which employees of the firm were approached by the threat actor posing as a recruiter for Meta. "Employees of the targeted company were contacted by a fake recruiter via LinkedIn and tricked into opening a malicious executable file presenting itself as a coding

North Korea's Lazarus Group Suspected in $31 Million CoinEx Heist

The North Korea-affiliated Lazarus Group has stolen nearly $240 million in cryptocurrency since June 2023, marking a significant escalation of its hacks. According to multiple reports from Certik, Elliptic, and ZachXBT, the infamous hacking group is said to be suspected behind the theft of $31 million in digital assets from the CoinEx exchange on September 12, 2023. The crypto heist aimed at

North Korean Hackers Exploit Zero-Day Bug to Target Cybersecurity Researchers

Threat actors associated with North Korea are continuing to target the cybersecurity community using a zero-day bug in an unspecified software over the past several weeks to infiltrate their machines. The findings come from Google’s Threat Analysis Group (TAG), which found the adversary setting up fake accounts on social media platforms like X (formerly Twitter) and Mastodon to forge

Researchers Warn of Cyber Weapons Used by Lazarus Group's Andariel Cluster

The North Korean threat actor known as Andariel has been observed employing an arsenal of malicious tools in its cyber assaults against corporations and organizations in the southern counterpart. “One characteristic of the attacks identified in 2023 is that there are numerous malware strains developed in the Go language,” the AhnLab Security Emergency Response Center (ASEC) said in a deep dive

New SuperBear Trojan Emerges in Targeted Phishing Attack on South Korean Activists

A new phishing attack likely targeting civil society groups in South Korea has led to the discovery of a novel remote access trojan called SuperBear. The intrusion singled out an unnamed activist, who was contacted in late August 2023 and received a malicious LNK file from an address impersonating a member of the organization, non-profit entity Interlabs said in a new report. The LNK file, upon

North Korean Hackers Deploy New Malicious Python Packages in PyPI Repository

Three additional rogue Python packages have been discovered in the Package Index (PyPI) repository as part of an ongoing malicious software supply chain campaign called VMConnect, with signs pointing to the involvement of North Korean state-sponsored threat actors. The findings come from ReversingLabs, which detected the packages tablediter, request-plus, and requestspro. First disclosed at the

Lazarus Group Exploits Critical Zoho ManageEngine Flaw to Deploy Stealthy QuiteRAT Malware

The North Korea-linked threat actor known as Lazarus Group has been observed exploiting a now-patched critical security flaw impacting Zoho ManageEngine ServiceDesk Plus to distribute a remote access trojan called such as QuiteRAT. Targets include internet backbone infrastructure and healthcare entities in Europe and the U.S., cybersecurity company Cisco Talos said in a two-part analysis 

North Korean Hackers Suspected in New Wave of Malicious npm Packages

The npm package registry has emerged as the target of yet another highly targeted attack campaign that aims to entice developers into downloading malevolent modules. Software supply chain security firm Phylum told The Hacker News the activity exhibits similar behaviors to that of a previous attack wave uncovered in June, which has since been linked to North Korean threat actors. As many as nine

North Korean Hackers Targets Russian Missile Engineering Firm

Two different North Korean nation-state actors have been linked to a cyber intrusion against NPO Mashinostroyeniya, a major Russian missile engineering company. Cybersecurity firm SentinelOne said it identified "two instances of North Korea related compromise of sensitive internal IT infrastructure," including a case of an email server compromise and the deployment of a Windows backdoor dubbed

North Korean Nation-State Actors Exposed in JumpCloud Hack After OPSEC Blunder

North Korean nation-state actors affiliated with the Reconnaissance General Bureau (RGB) have been attributed to the JumpCloud hack following an operational security (OPSEC) blunder that exposed their actual IP address. Google-owned threat intelligence firm Mandiant attributed the activity to a threat actor it tracks under the name UNC4899, which likely shares overlaps with clusters already

Kimsuky Targets Think Tanks and News Media with Social Engineering Attacks

The North Korean nation-state threat actor known as Kimsuky has been linked to a social engineering campaign targeting experts in North Korean affairs with the goal of stealing Google credentials and delivering reconnaissance malware. "Further, Kimsuky's objective extends to the theft of subscription credentials from NK News," cybersecurity firm SentinelOne said in a report shared with The

North Korea's Kimsuky Group Mimics Key Figures in Targeted Cyber Attacks

U.S. and South Korean intelligence agencies have issued a new alert warning of North Korean cyber actors' use of social engineering tactics to strike think tanks, academia, and news media sectors. The "sustained information gathering efforts" have been attributed to a state-sponsored cluster dubbed Kimsuky, which is also known by the names APT43, ARCHIPELAGO, Black Banshee, Emerald Sleet (

N. Korean ScarCruft Hackers Exploit LNK Files to Spread RokRAT

Cybersecurity researchers have offered a closer look at the RokRAT remote access trojan that's employed by the North Korean state-sponsored actor known as ScarCruft. "RokRAT is a sophisticated remote access trojan (RAT) that has been observed as a critical component within the attack chain, enabling the threat actors to gain unauthorized access, exfiltrate sensitive information, and potentially

North Korean Kimsuky Hackers Strike Again with Advanced Reconnaissance Malware

The North Korean advanced persistent threat (APT) group known as Kimsuky has been observed using a piece of custom malware called RandomQuery as part of a reconnaissance and information exfiltration operation. "Lately, Kimsuky has been consistently distributing custom malware as part of reconnaissance campaigns to enable subsequent attacks," SentinelOne researchers Aleksandar Milenkoski and Tom

N. Korean Kimsuky Hackers Using New Recon Tool ReconShark in Latest Cyberattacks

The North Korean state-sponsored threat actor known as Kimsuky has been discovered using a new reconnaissance tool called ReconShark as part of an ongoing global campaign. "[ReconShark] is actively delivered to specifically targeted individuals through spear-phishing emails, OneDrive links leading to document downloads, and the execution of malicious macros," SentinelOne researchers Tom Hegel

North Korea's ScarCruft Deploys RokRAT Malware via LNK File Infection Chains

The North Korean threat actor known as ScarCruft started experimenting with oversized LNK files as a delivery route for RokRAT malware as early as July 2022, the same month Microsoft began blocking macros across Office documents by default. "RokRAT has not changed significantly over the years, but its deployment methods have evolved, now utilizing archives containing LNK files that initiate

Lazarus Subgroup Targeting Apple Devices with New RustBucket macOS Malware

A financially-motivated North Korean threat actor is suspected to be behind a new Apple macOS malware strain called RustBucket. "[RustBucket] communicates with command and control (C2) servers to download and execute various payloads," Jamf Threat Labs researchers Ferdous Saljooki and Jaron Bradley said in a technical report published last week.  The Apple device management company attributed it

Lazarus X_TRADER Hack Impacts Critical Infrastructure Beyond 3CX Breach

Lazarus, the prolific North Korean hacking group behind the cascading supply chain attack targeting 3CX, also breached two critical infrastructure organizations in the power and energy sector and two other businesses involved in financial trading using the trojanized X_TRADER application. The new findings, which come courtesy of Symantec's Threat Hunter Team, confirm earlier suspicions that the

N.K. Hackers Employ Matryoshka Doll-Style Cascading Supply Chain Attack on 3CX

The supply chain attack targeting 3CX was the result of a prior supply chain compromise associated with a different company, demonstrating a new level of sophistication with North Korean threat actors. Google-owned Mandiant, which is tracking the attack event under the moniker UNC4736, said the incident marks the first time it has seen a "software supply chain attack lead to another software

North Korean APT43 Group Uses Cybercrime to Fund Espionage Operations

A new North Korean nation-state cyber operator has been attributed to a series of campaigns orchestrated to gather strategic intelligence that aligns with Pyongyang's geopolitical interests since 2018. Google-owned Mandiant, which is tracking the activity cluster under the moniker APT43, said the group's motives are both espionage- and financially-motivated, leveraging techniques like credential

German and South Korean Agencies Warn of Kimsuky's Expanding Cyber Attack Tactics

German and South Korean government agencies have warned about cyber attacks mounted by a threat actor tracked as Kimsuky using rogue browser extensions to steal users' Gmail inboxes. The joint advisory comes from Germany's domestic intelligence apparatus, the Federal Office for the Protection of the Constitution (BfV), and South Korea's National Intelligence Service (NIS). The intrusions are

North Korean UNC2970 Hackers Expands Operations with New Malware Families

A North Korean espionage group tracked as UNC2970 has been observed employing previously undocumented malware families as part of a spear-phishing campaign targeting U.S. and European media and technology organizations since June 2022. Google-owned Mandiant said the threat cluster shares "multiple overlaps" with a long-running operation dubbed "Dream Job" that employs job recruitment lures in

Lazarus Group Exploits Zero-Day Vulnerability to Hack South Korean Financial Entity

The North Korea-linked Lazarus Group has been observed weaponizing flaws in an undisclosed software to breach a financial business entity in South Korea twice within a span of a year. While the first attack in May 2022 entailed the use of a vulnerable version of a certificate software that's widely used by public institutions and universities, the re-infiltration in October 2022 involved the