North Korea
-
Two US nationals sentenced for helping North Korea run laptop farms
Two U.S. nationals were sentenced to 18 months in prison for hosting laptops that helped North Korea’s remote IT worker scheme, which affected nearly 70 U.S. companies and generated about $1.2 million.
-
North Korean hackers use AI to hide npm malware in Web3 supply chain
North Korean-linked hackers are using AI-generated code and layered npm packages to spread malware that steals cryptocurrency wallets and developer data, according to a technical analysis from ReversingLabs. The campaign has also expanded beyond npm to other platforms.
-
North Korea-linked campaign spreads across five open-source ecosystems
A North Korea-linked campaign has spread malicious packages across five open-source ecosystems, with a technical analysis saying more than 1,700 packages have been linked to the activity since January 2025.
-
GitLab analysis exposes North Korean fake IT worker tradecraft
A technical analysis by GitLab found North Korean operators used code repositories to deliver obfuscated malware loaders and that 131 accounts were removed last year. The report lists tradecraft and more than 600 indicators.
-
Lazarus Group uses Medusa ransomware in Middle East attack
A technical report by Broadcom’s Symantec and Carbon Black Threat Hunter Team said that the Lazarus Group used Medusa ransomware in a Middle East attack and attempted an unsuccessful strike against a U.S. healthcare organization.
-
North Korea-linked actors exploit React2Shell flaw to deploy EtherRAT using Ethereum-based C2
Sysdig reported that actors tied to North Korea exploited a critical React Server Components flaw to deploy EtherRAT, a Node.js-based remote access trojan that uses Ethereum smart contracts and RPC consensus for C2 resolution and multiple Linux persistence mechanisms.
-
North Korean-linked group used Google device service to wipe South Korean Android phones
South Korean researchers say the North Korean-linked KONNI group abused Google’s device-management features to remotely factory-reset Android phones, using stolen credentials harvested via phishing and RATs spread over KakaoTalk.
-
U.S. Treasury sanctions eight people and two firms tied to North Korean money‑laundering and cybercrime
The U.S. Treasury has sanctioned eight individuals and two entities alleged to have laundered proceeds from North Korean cybercrime and fraudulent IT‑worker schemes, naming banks, an IT company and several representatives in China and Russia and linking crypto flows to those operations.









