North Korea
-
Okta says North Korean ‘IT worker’ scam is targeting healthcare, finance and AI hiring
Okta Threat Intelligence reported that nearly half of companies targeted by a North Korean-linked fake remote-worker scheme are outside IT, with rising activity in healthcare, finance and AI hiring; the firm tracked over 130 identities tied to more than 6,500 interviews from 2021 to mid-2025 and warned the sample likely understates the full scale.
-
North Korea-linked hackers used AI-generated fake military ID in espionage campaign, researchers say
Researchers say North Korea’s Kimsuky used a deepfaked image of a military ID generated with ChatGPT to launch a July spear-phishing campaign against a South Korean defense-related institution, highlighting AI-assisted espionage tactics and the ongoing challenges of AI misuse.
-
ScarCruft Uses RokRAT in HanKook Phantom Campaign Targeting South Korea
Researchers have uncovered a targeted phishing campaign by North Korea-linked ScarCruft (APT37), dubbed Operation HanKook Phantom, delivering RokRAT to South Korean academics, former officials, and researchers via a manipulated LNK attack chain and PowerShell-based payloads, with exfiltration to multiple cloud services and a willingness to use decoy documents tied to high-profile statements.
-
State-sponsored XenoRAT campaign targets South Korean embassies, researchers say
A Trellix-led analysis describes a multi-phase, state-sponsored XenoRAT espionage campaign targeting South Korean embassies, with links to North Korea’s Kimsuky and indications of possible China-based sponsorship. The operation has conducted at least 19 spearphishing attacks since March, delivering XenoRAT via password-protected ZIP archives and complex, multilingual lures.
-
9GB Data Leak From Alleged North Korean Hacker Surfaces at DEF CON
Two hackers released a 9GB archive reportedly from a North Korean operator during DEF CON, with the material—including logs, credentials, and scripts—made available via DDoSecrets and published on Phrack; the data has been indexed and deemed authentic by researchers, though attribution remains uncertain.
-
U.S. Sanctions North Korean Hacker Linked to Remote IT Worker Fraud Scheme
The U.S. Treasury has sanctioned North Korean hacker Song Kum Hyok for facilitating a fraudulent IT worker scheme targeting American companies. This move highlights concerns over North Korea’s cyber operations as key to generating revenue under international sanctions.
-
North Korean Hackers Target Web3 and Crypto Businesses with Nim-based Malware
North Korean hackers are increasingly targeting Web3 and cryptocurrency sectors with sophisticated Nim-based malware, employing advanced tactics including social engineering and remote process injection techniques to extract sensitive information from compromised systems.
-
U.S. Disrupts North Korean IT Worker Scams Targeting American Firms
The U.S. Department of Justice has successfully disrupted North Korean scams involving fake IT workers who infiltrated over 100 American companies, embezzling significant amounts of money and stealing sensitive data intended for Pyongyang.
-
North Korea-Linked Malicious npm Packages Expose Developers to Security Risks
Cybersecurity researchers have uncovered a new wave of malicious npm packages linked to North Korean threat actors, raising significant concerns for software developers. The covert operation targets job seekers and developers, exposing them to sophisticated supply chain attacks designed to steal sensitive information and compromise systems.
-
North Korean Hackers Target Crypto Job Seekers with Sophisticated Malware Scam
Recent research from Cisco Talos reveals a rise in cyber attacks targeting crypto job seekers, attributed to a North Korea-aligned group known as Famous Chollima, using sophisticated malware disguised as video drivers.
