North Korea-Linked Threat Activity and Reporting on Lazarus, IT Worker Schemes, and Related Malware
Multiple reports and threat-intel posts highlighted North Korea-linked cyber activity spanning social engineering, malware, and broader ecosystem analysis. Allsecure described an attempted compromise of its CEO via a fake LinkedIn job interview attributed to Lazarus tradecraft (tagged BeaverTail / Contagious Interview), indicating continued use of recruiter-style lures and developer-tooling themes (e.g., VS Code) to gain code execution on a target's workstation. Separately, eSentire published a technical analysis of the DEV#POPPER remote access trojan and associated OmniStealer activity, framing it as DPRK-linked malware and providing defensive guidance for organizations facing this threat class.
Additional DPRK-focused intelligence covered both strategic and operational dimensions. Google’s Cloud Threat Horizons Report H1 2026 discussed cloud-focused threat activity and tracked DPRK-linked clusters (including UNC4899 and UNC5267), while Logpresso published an OSINT report on DPRK remote IT worker infiltration tactics (fraudulent employment/contractor placement). NKInternet released a catalog-style overview of North Korea’s software export ecosystem, and RedAsgard’s “Hunting Lazarus” series contributed hands-on investigative detail into Lazarus operator artifacts. A separate Lazarus threat-actor profile page aggregated historical reporting and statistics, but did not add a discrete new incident beyond compilation.
Timeline
Apr 27, 2026
NKInternet reports fake dev and company entities vexxloso and Nixsora.com
NKInternet published an article titled "More Fake Devs, More Fake Companies: vexxloso and Nixsora.com," adding reporting on suspected DPRK-linked fake developer and fake company activity. The available reference identifies the named entities and ties the article to North Korean IT worker threat intelligence, but provides no further technical details or victim information.
Apr 23, 2026
Expel publishes report on Lazarus using AI to target developers
Expel published an article titled "Inside Lazarus: How North Korea uses AI to industrialize attacks on developers," describing Lazarus-linked activity focused on developers. The available reference is a Bluesky post sharing the report and does not provide additional technical details, victims, or indicators beyond the report’s existence and topic.
Apr 22, 2026
Trend Micro reports Void Dokkaebi fake interview malware campaign
Trend Micro published a report titled "Void Dokkaebi Uses Fake Job Interview Lure to Spread Malware via Code Repositories," describing a DPRK-linked campaign that used fake job interview lures and code repositories in the infection chain. The available reference is a social media post sharing the report and does not provide additional victim, indicator, or malware-behavior details.
Apr 21, 2026
NoxHunt publishes report on DPRK IT workers' computers
A NoxHunt article titled "Inside the computers of DPRK IT workers" was publicly shared, indicating new reporting focused on North Korean IT worker activity. The available reference includes only the title and topic tags, without technical findings or victim details.
Apr 20, 2026
FalconFeeds reports UNC1069 deepfake campaign targeting crypto and supply chains
FalconFeeds published a report titled "UNC1069: DPRK’s Deepfake-Driven Cyber Campaign Targeting Crypto and Software Supply Chains." The report characterized UNC1069 as a North Korea-linked operation using deepfake-enabled social engineering and highlighted targeting of cryptocurrency organizations and software supply chains.
Apr 17, 2026
Researcher claims DPRK-linked IT worker cell infiltrated Tokamak Network
A Bluesky post attributed to meowmfer claimed to have mapped a cell of more than 14 accounts that allegedly infiltrated Tokamak Network. The post framed the activity in the context of DPRK-linked IT worker operations but provided no technical details on access methods, affected systems, or independent confirmation.
Apr 8, 2026
SecurityAlliance publishes UNC1069 advisory on fake Teams and Zoom calls
SecurityAlliance published an advisory on DPRK-linked activity tracked as UNC1069. The advisory highlighted social-engineering lures involving fake Microsoft Teams and Zoom calls.
Apr 8, 2026
Socket reports Contagious Interview campaign spreading across five ecosystems
A Socket article reported that North Korea’s Contagious Interview campaign had spread across five ecosystems and was delivering staged remote access trojan payloads. The reference does not provide further technical details, victims, or indicators beyond the article’s existence and scope.
Apr 8, 2026
NKInternet publishes article on npm malware, fake developers, and deepfakes
NKInternet published an article titled "npm Malware, Fake Devs, and Deepfake Videos: These Are A Few of My Favorite DPRK Things," covering DPRK-linked themes including npm ecosystem abuse, fake developers, and deepfake videos. The reference provides no additional technical details, victims, or indicators beyond the article's existence and topic.
Apr 7, 2026
Walmart publishes "Mapping Ottercookie Infrastructure" report
Walmart published a cyber threat intelligence report titled "Mapping Ottercookie Infrastructure," focused on Ottercookie and DPRK-linked activity. The reference is a social media post sharing the report and does not provide additional technical details beyond the report’s existence and topic.
Mar 26, 2026
eSentire publishes EtherRAT and EtherHiding technical analysis
eSentire released a report on EtherRAT and its SYS_INFO module, describing command-and-control activity using Ethereum-based infrastructure (EtherHiding), target selection logic, and beaconing designed to resemble CDN traffic. The report was publicly shared on 2026-03-26.
Mar 24, 2026
Sophos publishes research on NICKEL ALLEY strategy
Sophos published an article titled "NICKEL ALLEY strategy: Fake it ‘til you make it," covering North Korea-linked activity. The reference associates the report with themes including ClickFix, Contagious Interview, and PylangGhost.
Mar 12, 2026
AhnLab releases February 2026 APT group trends report
AhnLab published its "February 2026 APT Group Trends Report" on the ASEC site. The reference indicates the report covered activity associated with groups including BlueNoroff, Lazarus, and Medusa.
Mar 12, 2026
U.S. Treasury sanctions facilitators of DPRK IT worker fraud
The U.S. Department of the Treasury announced sanctions against facilitators of North Korean IT worker fraud targeting U.S. businesses. Related coverage also highlighted OFAC action involving DPRK IT workers' use of cryptocurrency.
Mar 11, 2026
Allsecure discloses fake LinkedIn job interview targeting its CEO
Allsecure published an account of a North Korea-linked attempt to hack its CEO through a fake job interview on LinkedIn. The activity was associated in the reference with Lazarus ecosystem themes including BeaverTail, Contagious Interview, and VSCode.
Mar 11, 2026
NKInternet publishes North Korea software catalog article
NKInternet published an article titled "Made for Export: North Korea’s Software Catalog," covering North Korean software offerings. The exact publication date is not stated in the reference, but it was publicly available by 2026-03-11.
Mar 10, 2026
Google releases Cloud Threat Horizons Report H1 2026
Google published its "Cloud Threat Horizons Report H1 2026," which the reference associates with cloud threat intelligence involving UNC4899, UNC5267, and DPRK-linked activity. The report was being shared publicly on 2026-03-10.
Mar 9, 2026
Logpresso publishes OSINT report on disguised DPRK IT workers
Logpresso published a Korean-language report on OSINT analysis of North Korean IT workers obtaining employment under disguise. The linked blog post is explicitly dated 2026-03-09.
Mar 9, 2026
eSentire publishes analysis of DEV#POPPER and OmniStealer
eSentire released a blog post analyzing the DEV#POPPER remote access trojan and OmniStealer, framed as relevant to DPRK-linked activity. The write-up focused on understanding the malware and defensive guidance for organizations.
Mar 9, 2026
RedAsgard publishes Lazarus threat intelligence report
RedAsgard published "Hunting Lazarus, Part 5: Eleven Hours on His Disk," a threat intelligence report focused on the Lazarus Group. The reference indicates the report was available by 2026-03-09.
Related Stories

North Korea-linked Social Engineering Campaigns Targeting Developers and Defense Supply Chains
North Korea–aligned operators, including **Lazarus** (aka **HIDDEN COBRA**), are running multiple social-engineering-led intrusion campaigns aimed at stealing sensitive technology and establishing durable access. Reporting on **Operation DreamJob** describes fake job-offer lures used to compromise European drone manufacturers and defense contractors, with tooling and infrastructure designed to evade traditional defenses and support cyber-espionage against UAV-related intellectual property. Separately, a developer-focused operation dubbed **“Fake Font”** uses fake recruiter outreach and malicious GitHub repositories to trick engineers into opening projects that abuse *Visual Studio Code* task automation (via `.vscode/tasks.json`) and disguised payloads (e.g., `.woff2` “font” files that are actually scripts) to execute multi-stage malware that ultimately deploys the **InvisibleFerret** Python backdoor for credential and crypto-wallet theft and long-term access. A distinct DPRK-linked campaign reported by Darktrace targets South Korean users with spear-phishing that delivers a JSE script masquerading as an HWPX document and then abuses **VS Code tunnels** as a covert C2 channel over trusted Microsoft infrastructure, complicating detection in developer-heavy environments. Other items in the set describe unrelated activity: phishing abuse of *Vercel* to deliver remote-access tooling, exploitation of **CVE-2025-51683** (blind SQLi) in the *Mjobtime* time-tracking app to reach MSSQL `xp_cmdshell`, a hospitality-focused **DCRat** campaign using **ClickFix** and `MSBuild.exe`, a generic CSS exfiltration technique write-up, and Trend Micro research on the **PeckBirdy** LOLBins framework used by China-aligned intrusion sets. None of these are part of the DPRK developer/defense recruitment-themed operations above.
1 month ago
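The `.vscode/tasks.json` abuse described in the "Fake Font" summary above is something a reviewer can check for before opening a repository in VS Code: a task that auto-runs on folder open, hides its terminal, and hands a non-code file (a `.woff2` "font") to an interpreter is the pattern to flag. The auditor below is an added example written for this page; it is not code from the reporting or from any of the vendors cited. The two `tasks.json` documents are constructed samples modelled on the description, not artifacts recovered from a real repository, and the extension, interpreter and token lists are assumptions that a team would tune. Note that VS Code only honours `runOn: folderOpen` in a trusted workspace with automatic tasks allowed, so a finding here means "would execute if the engineer trusts the folder", which is exactly what the recruiter lure is designed to make them do.

```python
"""Audit a VS Code .vscode/tasks.json for auto-run and disguised-payload tradecraft."""
import json
import re

# Assumed heuristics (not from the reporting): file types an interpreter should
# never be handed, interpreter names to look for, and tokens common in droppers.
NON_CODE_FILE = re.compile(r"\S+\.(?:woff2?|ttf|otf|png|jpe?g|gif|svg|ico)\b")
INTERPRETERS = ("python", "python3", "node", "sh", "bash", "zsh", "pwsh", "powershell", "cmd", "osascript")
RISKY_TOKENS = ("child_process", "execsync", "eval(", "base64", "curl ", "wget ", "invoke-webrequest", "iex", "atob(")

# Constructed sample modelled on the "Fake Font" description: auto-run, hidden
# terminal, and a .woff2 "font" passed to python via node. Not a real artifact.
SUSPICIOUS_TASKS_JSON = r'''
{
  // generated by build tooling
  "version": "2.0.0",
  "tasks": [
    {
      "label": "Build Fonts",
      "type": "shell",
      "command": "node -e \"require('child_process').execSync('python3 assets/fonts/Roboto.woff2')\"",
      "runOptions": { "runOn": "folderOpen" },
      "presentation": { "reveal": "never", "echo": false },
    }
  ]
}
'''

# Constructed benign sample: an ordinary test task with no auto-run.
BENIGN_TASKS_JSON = r'''
{
  "version": "2.0.0",
  "tasks": [
    { "label": "test", "type": "shell", "command": "npm test", "group": "test" }
  ]
}
'''


def load_jsonc(text: str) -> dict:
    """tasks.json is JSON-with-comments. Try strict JSON first; on failure strip
    block comments, whole-line // comments and trailing commas, then retry.
    Inline // comments are left alone on purpose so URLs inside strings survive."""
    try:
        return json.loads(text)
    except json.JSONDecodeError:
        pass
    cleaned = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    cleaned = re.sub(r"^\s*//.*$", "", cleaned, flags=re.M)
    cleaned = re.sub(r",(\s*[}\]])", r"\1", cleaned)
    return json.loads(cleaned)


def _commands(task: dict) -> list[str]:
    """Collect every command/args string a task can run, including per-OS overrides."""
    out = []
    for scope in (task, task.get("windows"), task.get("linux"), task.get("osx")):
        if not isinstance(scope, dict):
            continue
        cmd = scope.get("command")
        if isinstance(cmd, str):
            out.append(cmd)
        elif isinstance(cmd, list):
            out.append(" ".join(str(c) for c in cmd))
        args = scope.get("args")
        if isinstance(args, list):
            out.append(" ".join(str(a) for a in args))
    return out


def audit_tasks_json(text: str) -> list[dict[str, str]]:
    """Return one finding per triggered rule per task; an empty list means nothing flagged."""
    findings = []
    for task in load_jsonc(text).get("tasks", []):
        label = str(task.get("label", "<unlabelled>"))
        if (task.get("runOptions") or {}).get("runOn") == "folderOpen":
            findings.append({"task": label, "rule": "auto_run_on_folder_open",
                             "detail": "runs as soon as the folder is opened in a trusted workspace"})
        pres = task.get("presentation") or {}
        if pres.get("reveal") == "never" or pres.get("echo") is False:
            findings.append({"task": label, "rule": "hidden_terminal_output",
                             "detail": "task output is suppressed from the user"})
        blob = " ".join(_commands(task))
        lowered = blob.lower()
        files = NON_CODE_FILE.findall(lowered)
        if files and any(re.search(rf"\b{re.escape(i)}\b", lowered) for i in INTERPRETERS):
            findings.append({"task": label, "rule": "interpreter_given_non_code_file",
                             "detail": f"interpreter invoked alongside {files[0]!r}: {blob}"})
        for tok in RISKY_TOKENS:
            if tok in lowered:
                findings.append({"task": label, "rule": "suspicious_command_token",
                                 "detail": f"command contains {tok!r}"})
                break
    return findings


if __name__ == "__main__":
    for f in audit_tasks_json(SUSPICIOUS_TASKS_JSON):
        print(f"[{f['rule']}] {f['task']}: {f['detail']}")
```

Run it against a cloned repository's `.vscode/tasks.json` before opening the folder; any `auto_run_on_folder_open` hit on a repo received through a recruiter is reason enough to stop. The same idea extends to `.vscode/settings.json` and `launch.json`, which can also name executables, but those are out of scope for this sample.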
North Korean Threat Actors Use AI-Enabled IT Worker Scams and Target Crypto Firms
Microsoft-linked reporting says **North Korean threat actors** are using **AI** to scale and refine long-running “fake IT worker” schemes, where operatives pose as legitimate remote hires to obtain *authorized* access inside victim organizations. The activity is attributed to DPRK-linked clusters **Jasper Sleet** and **Coral Sleet**, with AI used to improve identity fabrication and maintenance (including face/voice manipulation) and to sustain day-to-day communications that keep fraudulent personas credible, enabling “sustained, large-scale misuse of legitimate access.” Separately, reporting on suspected DPRK-linked intrusions describes a coordinated campaign against **cryptocurrency organizations** spanning staking platforms, exchange software providers, and exchanges, with theft of **source code, private keys, and cloud secrets**. Investigators described two primary access paths: exploitation of `CVE-2025-55182` (*React2Shell*), including mass scanning and WAF-bypass techniques, and the use of **pre-obtained valid AWS access tokens** to move directly into cloud enumeration; researchers also recovered artifacts from attacker infrastructure (e.g., shell history, archived code, and tool configurations) that provided visibility into post-compromise activity and C2 setup.
1 month ago
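The second access path in the summary above, a valid AWS access key reused by the attacker straight into enumeration, leaves no exploit to detect, only a behavioural change: the key shows up from an address it has never used and walks through discovery APIs in quick succession. The detector below is an added example for this page, not the investigators' own logic or any vendor's rule. The CloudTrail-style records are constructed (RFC 5737 addresses, made-up key IDs), the per-key baseline of known source addresses is assumed to come from the team's own history, and the set of "enumeration" API names, the 10-minute window and the four-distinct-calls threshold are tunable assumptions.

```python
"""Flag AWS access keys that appear from a new source address and immediately enumerate."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed list of discovery/read APIs a freshly stolen key tends to call first.
ENUM_CALLS = {
    "GetCallerIdentity", "ListBuckets", "ListSecrets", "GetSecretValue", "ListUsers",
    "ListRoles", "ListAccessKeys", "DescribeInstances", "ListFunctions", "DescribeParameters",
}

LEGIT_KEY = "AKIAEXAMPLELEGIT00"    # constructed: a CI key used only from the CI runner
STOLEN_KEY = "AKIAEXAMPLESTOLEN0"   # constructed: a CI key that was exfiltrated
CI_IP = "203.0.113.10"
NEW_IP = "198.51.100.77"

# Assumed baseline: source addresses each key has legitimately used before.
KNOWN_SOURCES = {LEGIT_KEY: {CI_IP}, STOLEN_KEY: {CI_IP}}


def _ev(t: str, name: str, key: str, ip: str) -> dict:
    """Minimal CloudTrail record shape: the four fields the detector reads."""
    return {"eventTime": t, "eventName": name, "sourceIPAddress": ip,
            "userIdentity": {"accessKeyId": key}}


# Constructed telemetry, not real logs. The stolen key does its normal CI call at
# 14:01, then reappears from a new address and enumerates five APIs in under
# three minutes; a later single probe from a second address stays below threshold.
SAMPLE_EVENTS = [
    _ev("2026-03-02T14:00:05Z", "DescribeInstances", LEGIT_KEY, CI_IP),
    _ev("2026-03-02T14:00:40Z", "ListBuckets", LEGIT_KEY, CI_IP),
    _ev("2026-03-02T14:01:10Z", "GetCallerIdentity", STOLEN_KEY, CI_IP),
    _ev("2026-03-02T14:03:11Z", "GetCallerIdentity", STOLEN_KEY, NEW_IP),
    _ev("2026-03-02T14:03:30Z", "ListBuckets", STOLEN_KEY, NEW_IP),
    _ev("2026-03-02T14:04:02Z", "ListSecrets", STOLEN_KEY, NEW_IP),
    _ev("2026-03-02T14:05:47Z", "GetSecretValue", STOLEN_KEY, NEW_IP),
    _ev("2026-03-02T14:06:15Z", "ListUsers", STOLEN_KEY, NEW_IP),
    _ev("2026-03-02T14:09:00Z", "GetCallerIdentity", STOLEN_KEY, "198.51.100.9"),
]


def parse_time(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def detect_token_replay(events, known_sources, window_minutes=10, min_distinct=4):
    """Return one alert per (access key, unknown source IP) pair that makes at least
    `min_distinct` different enumeration calls inside any `window_minutes` window."""
    by_key_ip = defaultdict(list)
    for ev in events:
        key = ev.get("userIdentity", {}).get("accessKeyId")
        ip = ev.get("sourceIPAddress")
        if not key or not ip or ip in known_sources.get(key, set()):
            continue  # missing fields or a source this key has used before
        by_key_ip[(key, ip)].append(ev)

    window = timedelta(minutes=window_minutes)
    alerts = []
    for (key, ip), evs in by_key_ip.items():
        evs.sort(key=lambda e: parse_time(e["eventTime"]))
        for i, start in enumerate(evs):
            t0 = parse_time(start["eventTime"])
            names = {e["eventName"] for e in evs[i:]
                     if e["eventName"] in ENUM_CALLS and parse_time(e["eventTime"]) - t0 <= window}
            if len(names) >= min_distinct:
                alerts.append({"access_key": key, "source_ip": ip,
                               "first_seen": start["eventTime"],
                               "distinct_enum_calls": sorted(names)})
                break  # one alert per key/IP pair is enough to page on
    return alerts


if __name__ == "__main__":
    for a in detect_token_replay(SAMPLE_EVENTS, KNOWN_SOURCES):
        print(f"{a['access_key']} from {a['source_ip']} at {a['first_seen']}: {a['distinct_enum_calls']}")
```

In production the baseline would be built from CloudTrail history (ideally by ASN rather than exact IP, since legitimate runners rotate addresses) and the query run in CloudTrail Lake or Athena; the point the sample makes is that the signal is "old key, new origin, discovery burst", not any single API call. The durable fix is to stop issuing long-lived `AKIA` keys to CI at all and use short-lived role credentials instead, so a harvested token expires before it can be replayed.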
North Korea’s Chollima Threat Actors Evolve and Expand Targeting
Reporting highlighted multiple, **unrelated** threat developments rather than a single cohesive incident. One thread focused on North Korea-linked **Chollima** activity: a targeted spear-phishing operation attributed to **Ricochet Chollima** used Dropbox-hosted lures to deliver archives containing weaponized Windows shortcut (`.LNK`) files, with tradecraft designed to evade detection (including multi-stage execution and fileless, memory-resident behavior). Separately, a CrowdStrike-based report described a strategic reorganization of **LABYRINTH CHOLLIMA** into three operational groupings—**GOLDEN CHOLLIMA** (smaller, steady revenue theft), **PRESSURE CHOLLIMA** (high-payout crypto heists), and a core **espionage** unit—while retaining shared malware “DNA” via frameworks such as **KorDLL** and **Hawup**, indicating continued coordination across DPRK cyber operations. Other items covered distinct, non-DPRK activity and should not be conflated with the Chollima reporting. One article described **infostealer campaigns expanding to macOS**, including Python-based cross-platform stealers and macOS families such as **Atomic macOS Stealer (AMOS)**, using malvertising, fake installers/DMGs, and trusted platforms to harvest credentials, cookies, keychain data, crypto wallets, and developer secrets. Another described a **fake Dropbox phishing** campaign using PDF-based staging (including obfuscation techniques like `FlateDecode` and `AcroForm` objects) hosted on legitimate infrastructure (e.g., Vercel Blob storage) to redirect victims to a counterfeit login page and exfiltrate credentials via **Telegram**—a separate credential-harvesting operation not tied to the Chollima APT reporting.
1 month ago