Tag: dprk

12 Attack Reports | 0 Vulnerabilities

Attack reports

Inside DPRK Operations: New Infrastructure Uncovered Across Global Campaigns

North Korean state-sponsored threat actors, including Lazarus and Kimsuky, continue to conduct widespread hacking operations for intelligence gathering, financial gain, and access. The investigation uncovered previously unconnected operational assets, revealing active tool-staging servers, credenti…
quasar rat
dprk
vps
blindingcan
2025-12-18
badcall
mailpassview
Published: December 18, 2025
Linked vulnerabilities : CVE-2025-55182 (CVSS 10.0)
Downloadable IOCs: 20

Kimsuky Distributing Malicious Mobile App via QR Code

A new campaign by Kimsuky involves distributing malicious mobile apps through QR codes and phishing websites. The apps, masquerading as delivery services, VPNs, and cryptocurrency tools, decrypt an embedded APK to deploy a RAT with extensive capabilities. The malware uses a native decryption functi…
rat
phishing
keylogging
apk
dprk
mobile malware
decryption
qr code
docswap
2025-12-16
Published: December 16, 2025
Downloadable IOCs: 12

Lazarus Group targets Aerospace and Defense with new Comebacker variant

This analysis details a recent espionage campaign by the DPRK-nexus threat actor Lazarus Group targeting the aerospace and defense sectors. The campaign employs a new variant of the Comebacker backdoor, showcasing the actor's ongoing refinement of their malware arsenal. The attackers use highly spe…
backdoor
north korea
defense
aerospace
comebacker
dprk
c2 communication
spear phishing
decryption
2025-11-10
Published: November 10, 2025
Downloadable IOCs: 15

DPRK's Playbook: HttpTroy and New BLINDINGCAN Variant

Recent investigations have uncovered two new toolsets from North Korean threat actors. Kimsuky deployed a new backdoor called HttpTroy, targeting a victim in South Korea through a VPN invoice-themed attack. The attack chain involves a dropper, a loader called MemLoad, and the HttpTroy backdoor, whi…
backdoor
obfuscation
espionage
comebacker
dprk
stealth
remote access tool
2025-11-03
blindingcan
httptroy
Published: November 3, 2025
Downloadable IOCs: 15

Inside the BlueNoroff Web3 macOS Intrusion Analysis

A detailed analysis of a sophisticated intrusion targeting a cryptocurrency foundation employee is presented. The attack, attributed to the North Korean APT group BlueNoroff, began with a social engineering lure via Telegram, leading to the installation of malicious software disguised as a Zoom ext…
apt
social engineering
cryptocurrency
stealer
macos
dprk
process injection
web3
2025-06-19
root troy v4
injectwithdyld
xscreen
cryptobot
telegram 2
Published: June 19, 2025
Downloadable IOCs: 18

Inside the DPRK: Spotting Malicious Remote IT Applicants

The Democratic People’s Republic of Korea (DPRK) deploys skilled IT workers remotely to organizations globally funding its weapons of mass destruction (WMD) and missile programs, violating sanctions. In recent weeks, the techniques leveraged to evade detection have evolved, reducing reliance on tra…
dprk
it workers
2025-05-15
Published: May 15, 2025
Downloadable IOCs: 376

Astrill VPN and DPRK Remote Worker Fraud

Spur Engineering is releasing a comprehensive list of IP addresses associated with the Astrill VPN service to help companies protect against fraud and abuse from the Democratic Republic of Korea (DPRK) in the future.
north korea
fraud
vpn
dprk
infrastructure
astrill vpn
2025-03-05
Published: March 5, 2025
Downloadable IOCs: 2360

macOS FlexibleFerret | Further Variants of DPRK Malware Family Unearthed

This intelligence analysis describes newly discovered variants of the DPRK-attributed macOS Ferret malware family, labeled as 'FlexibleFerret'. The malware is part of the ongoing 'Contagious Interview' campaign targeting developers and job seekers. The new variants include a dropper package contain…
persistence
developers
macos
dropper
github
dprk
contagious interview
2025-02-04
friendlyferret_secd
flexibleferret
frostyferret_ui
chromeupdate
multi_frostyferret_cmdcodes
Published: February 4, 2025
Downloadable IOCs: 2

New threat targeting macOS discovered

Jamf Threat Labs uncovered malware samples linked to North Korea, built using Flutter, which provides inherent obfuscation. The malware, discovered in late October, includes Go, Python, and Flutter variants. The Flutter-built application presents a minesweeper game while making network requests to …
obfuscation
python
macos
golang
dprk
2024-11-13
applescript
stage-one-payload
flutter
Published: November 13, 2024
Downloadable IOCs: 0

Suspected DPRK Phishing Campaign Targets Naver; Separate Apple Domain Spoofing Cluster Identified

Researchers discovered a potential North Korean phishing campaign targeting Naver, a major South Korean tech platform. The investigation revealed an exposed directory containing phishing pages designed to steal Naver user credentials. Separately, an infrastructure cluster was identified using domai…
phishing
apple
credential theft
dprk
infrastructure analysis
domain spoofing
2024-10-30
naver
tls certificates
Published: October 30, 2024
Downloadable IOCs: 0

Tenacious Pungsan: A DPRK threat actor linked to Contagious Interview

Datadog Security Research discovered three malicious npm packages: passports-js, bcrypts-js, and blockscan-api, containing BeaverTail malware associated with North Korean threat actors. The packages, downloaded 323 times, targeted job-seekers in the US tech industry through a campaign named Contagi…
infostealer
cryptocurrency
npm
dprk
beavertail
contagious interview
2024-10-25
invisibleferret
software supply chain
namesquatting
Published: October 25, 2024
Downloadable IOCs: 1

APT45: North Korea’s Digital Military Machine

Mandiant provides an overview of the activities of APT45, a cyber threat group attributed with high confidence to North Korea. The report details APT45's transition from traditional espionage campaigns against government and defense sectors to financially motivated operations, including suspected r…
3proxy
andariel
2024-07-26
dprk
maui ransomware
onyx sleet
apt45
stonefly
silent chollima
rifle
shatteredglass
rogueye
Published: July 26, 2024
Downloadable IOCs: 37
Click here to see more Attack Reports