Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label North Korea Hackers. Show all posts
North Korea Hackers
Blockchain Crypto workers Info Stealing Malware Job Scam malware North Korea Hackers

Crypto Workers Tricked in Job Scams Involving New Malware Linked to North Korea

 



A new online scam is targeting people who work in the cryptocurrency industry, using fake job offers and interviews to trick them into installing harmful software on their devices.

According to a report by cybersecurity researchers at Cisco Talos, the attack involves a new type of malware called PylangGhost. It is a remote access tool also known as a trojan, built using the Python programming language. Once installed, it allows attackers to secretly control the victim’s computer and steal private data like passwords and session cookies.

The people behind the scam are believed to be tied to North Korean hacking groups, who have been linked to several past cryptocurrency-related cybercrimes. This time, they are pretending to be recruiters from well-known companies like Coinbase, Uniswap, and Robinhood to appear trustworthy.


How the Scam Works

The attackers set up fake job websites that look like they belong to real crypto companies. They then contact professionals in the industry, especially those with experience in blockchain development and invite them to apply for jobs.

Victims are asked to complete technical assessments and share personal details, believing it's part of the interview process. Later, they’re told to prepare for a video interview and are asked to install what is described as a “video driver” to improve camera quality. However, this download is actually the PylangGhost malware.

Once installed, the software can:

1. Steal login credentials from over 80 browser extensions (such as MetaMask, Phantom, and 1Password).

2. Allow attackers to access and control the computer remotely.

3. Stay hidden and continue running even after a system reboot.


Real-World Examples

Researchers say this method has already been used in India and other countries. Similar scams in the past included fake companies like “BlockNovas LLC” and “SoftGlide LLC,” which were created to look legitimate. In one case, the FBI had to shut down one of these websites.

In another incident, engineers at the crypto exchange Kraken discovered that one job applicant was a North Korean hacker. The person was caught when they failed basic identity checks during an interview.

The malware also has a history. PylangGhost is the Python version of an earlier program called GolangGhost, which was used to target macOS systems. The newer version is now aimed specifically at Windows users, while Linux systems appear unaffected for now.


Security Experts Call for Action

Cybersecurity experts in India say this growing threat should be taken seriously. Dileep Kumar H V, director at Digital South Trust, has recommended:

• Regular cybersecurity audits for blockchain firms.

• Stronger legal protections under India’s IT Act.

• National awareness campaigns and better monitoring of fake job portals.

He also stressed the need for international coordination, urging agencies like CERT-In, MEITY, and NCIIPC to work together with global partners to counter these attacks.


Why It Matters

These scams reflect a shift in tactics and deployment of new technologies, from hacking exchanges to targeting individuals. By stealing credentials or gaining insider access, attackers may be trying to infiltrate companies from within. As the crypto industry continues to expand and transcend boundaries, so do the risks, thus making awareness and vigilance more critical than ever.



Read more »
North Korea cyberattacks
cyberattacks trending news malware Malware attacks News North Korea North Korea Hackers North Korea cyberattacks

North Korean Hackers Target Fintech and Gaming Firms with Fake Zoom Apps

 

A newly uncovered cyber campaign is targeting organizations across North America, Europe, and the Asia-Pacific by exploiting fake Zoom applications. Cybersecurity experts have traced the operation to BlueNoroff, a notorious North Korean state-backed hacking group affiliated with the Lazarus Group. The campaign’s primary focus is on the gaming, entertainment, and fintech sectors, aiming to infiltrate systems and steal cryptocurrency and other sensitive financial data. 

Attack strategy 

The attack begins with a seemingly innocuous AppleScript disguised as a routine maintenance operation for Zoom’s software development kit (SDK). However, hidden within the script—buried beneath roughly 10,000 blank lines—are malicious commands that quietly download malware from a counterfeit domain, zoom-tech[.]us. 

Once the malware is downloaded, it integrates itself into the system through LaunchDaemon, granting it persistent and privileged access at every system startup. This allows the malware to operate covertly without raising immediate alarms. The malicious software doesn’t stop there. It fetches additional payloads from compromised infrastructure, presenting them as legitimate macOS components like “icloud_helper” and “Wi-Fi Updater.” 

These files are designed with anti-forensics techniques to erase temporary files and conceal their activity, all while maintaining a hidden backdoor for remote control and data exfiltration. This deceptive approach is particularly dangerous in remote work environments, where minor software issues are often resolved without deep inspection—making it easier for such malware to slip past unnoticed. 

Motives behind the attack

BlueNoroff’s intent appears financially driven. The malware specifically searches for cryptocurrency wallet extensions, browser-stored login credentials, and authentication keys. In one known incident dated May 28, a Canadian online gambling platform fell victim to this scheme after its systems were compromised via a fraudulent Zoom troubleshooting script. 

Protection Measures for Organizations Given the growing sophistication of such campaigns, security experts recommend several protective steps: 

• Independently verify Zoom participants to ensure authenticity. 

• Block suspicious domains like zoom-tech[.]us at the firewall level. 

• Deploy comprehensive endpoint protection that can detect hidden scripts and unauthorized daemons. 

• Invest in reliable antivirus and ransomware protection, especially for firms with cryptocurrency exposure. 

• Use identity theft monitoring services to detect compromised credentials early. 

• Train employees to recognize and respond to social engineering attempts. 

• Secure digital assets with hardware wallets instead of relying on software-based solutions alone.
Read more »
North Korea Hackers
Crypto Wallet Cyber Fraud Fake Firm Lazarus Group North Korea Hackers

North Korean Hackers Create Fake U.S. Firms to Dupe Crypto Developers

 

Threat analysts at Silent Push, a U.S. cybersecurity firm, told Reuters that North Korean cyber spies established two companies in the U.S., Blocknovas LLC and Softglide LLC, using fictitious personas and addresses to infect developers in the cryptocurrency industry with malicious software, in violation of Treasury sanctions. A third firm, Angeloper Agency, is connected to the campaign but does not seem to be registered in the United States. 

“This is a rare example of North Korean hackers actually managing to set up legal corporate entities in the U.S. in order to create corporate fronts used to attack unsuspecting job applicants,” noted Kasey Best, director of threat intelligence at Silent Push. 

The hackers are members of a subsection inside the Lazarus Group, an elite team of North Korean hackers which is part of the Reconnaissance General Bureau, Pyongyang’s principal foreign intelligence agency, Silent Push added. 

Blocknovas and Softglide were not explicitly mentioned by the FBI. On Thursday, however, the FBI submitted a seizure notice on Blocknovas' website, stating that the name was taken "as part of a law enforcement action against North Korean Cyber Actors who utilised this domain to deceive individuals with fake job postings and distribute malware."

FBI sources told Reuters ahead of the seizure that the agency is still "focused on imposing risks and consequences, not only on the DPRK actors themselves, but anybody who is facilitating their ability to conduct these schemes.” 

One FBI officer stated that North Korean cyber operations are "perhaps one of the most advanced persistent threats" to the United States. The North Korean delegation to the United Nations in New York did not immediately respond to a request for comment. 

“These attacks utilize fake personas offering job interviews, which lead to sophisticated malware deployments in order to compromise the cryptocurrency wallets of developers, and they also target the developers' passwords and credentials which could be used to further attacks on legitimate businesses,” Best stated. 

Silent Push was able to authenticate several victims of the operation, "specifically via Blocknovas, which is by far the most active of the three front companies," the researchers stated in their report.
Read more »
RAT
BeaverTail malware North Korea Hackers NPM Package RAT

North Korean Hackers Use 11 Malicious npm Packages to Propagate BeaverTail Malware

 

The North Korean threat actors behind the ongoing Contagious Interview campaign are expanding their tentacles on the npm ecosystem by distributing more malicious packages including the BeaverTail malware and a new remote access trojan (RAT) loader. 

"These latest samples employ hexadecimal string encoding to evade automated detection systems and manual code audits, signaling a variation in the threat actors' obfuscation techniques," Socket security researcher Kirill Boychenko noted in a report. 

The following packages were downloaded over 5,600 times before being removed: empty-array-validator, twitterapis, debugger-vite, snore-log, core-pino, events-utils, icloud-cod, cln-logger, node-clog, and consolidate-log. 

The announcement comes nearly a month after six npm packages were discovered to be distributing BeaverTail, a JavaScript stealer that can also deploy a Python-based backdoor known as InvisibleFerret. The campaign's ultimate purpose is to breach developer systems using the premise of a job interview, steal sensitive data, syphon financial assets, and maintain long-term access to compromised networks. 

The newly discovered npm packages masquerade as utilities and debuggers, with one of them - dev-debugger-vite - utilising a command-and-control (C2) address previously identified by SecurityScorecard as being used by the Lazarus Group in a campaign called Phantom Circuit in December 2024.

What distinguishes these packages is that some of them, like events-utils and icloud-cod, are connected to Bitbucket repositories rather than GitHub. Furthermore, the icloud-cod package was discovered to be located in a directory called "eiwork_hire," confirming the threat actor's usage of interview-related themes to activate the infection. 

An investigation of the packages, cln-logger, node-clog, consolidate-log, and consolidate-logger, revealed slight code-level differences, indicating that the attackers are publishing numerous malware variants to boost the campaign's success rate.

Regardless of the alterations, the malicious code encoded in the four packages acts as a remote access trojan (RAT) loader, capable of spreading a next-stage payload from a remote server. Cybersecurity expert Boychenko stated that the exact nature of the malware being disseminated via the loader is unknown at this time due to the C2 endpoints no longer serving payloads. 

"The code functions as an active malware loader with remote access trojan (RAT) capabilities," Boychenko noted. "It dynamically fetches and executes remote JavaScript via eval(), enabling North Korean attackers to run arbitrary code on infected systems. This behavior allows them to deploy any follow-up malware of their choosing, making the loader a significant threat on its own.” 

The findings highlight the persistent nature of Contagious Interview, which, in addition to posing a long-term threat to software supply chains, has adopted the infamous ClickFix social engineering approach to propagate malware. 

The discovery of the new npm packages comes as South Korean cybersecurity firm AhnLab outlined a recruitment-themed phishing effort that downloads BeaverTail, which is subsequently used to launch a previously undocumented Windows backdoor known as Tropidoor. The firm's analysis of data shows that BeaverTail is actively targeting developers in South Korea.
Read more »
North Korea Hackers
Crypto Attack Cryptocurrency exchange Cyber Attacks DMM Hacker attack North Korea North Korea Hackers

North Korean Hackers Suspected in $70M Phemex Crypto Exchange Exploit

 

A significant cyberattack on the Singapore-based cryptocurrency exchange Phemex has resulted in the loss of over $70 million in digital assets. Blockchain security experts believe the incident may be linked to North Korean hackers. The breach was detected on Thursday, prompting Phemex to suspend withdrawals after receiving alerts from security firms about unusual activity. 

Initially, approximately $30 million was reported stolen, but the attack persisted, leading to further asset depletion. The company’s CEO, Federico Variola, confirmed that the exchange’s cold wallets remained intact and unaffected. According to cybersecurity analysts, the tactics used in this attack resemble previous high-profile exploits targeting crypto exchanges.

The perpetrators swiftly transferred various tokens across multiple blockchain networks, beginning with high-value assets such as Bitcoin (BTC), Ethereum (ETH), and Solana (SOL), along with stablecoins like USDC and USDT. Since stablecoins can be frozen, the attackers quickly converted them into Ethereum before moving on to smaller, less liquid tokens. 

Researchers tracking the breach noted that hundreds of different cryptocurrencies were stolen, with attackers draining even minor altcoins. The process was reportedly carried out manually rather than through automated scripts, with assets transferred to fresh addresses before being laundered through additional layers of transactions. Experts believe the scale and coordination suggest the involvement of an experienced hacking group.  

A pseudonymous investigator known as SomaXBT.eth pointed to a North Korean-affiliated group as the likely culprit, noting similarities between this incident and previous attacks attributed to state-backed hackers. Another security analyst compared the breach to the attack on Japan’s DMM platform, which resulted in the theft of $308 million and was linked to the North Korean hacking group TraderTraitor. Data from blockchain explorers shows that the attackers utilized at least 275 transactions across Ethereum-based chains, using multiple addresses to siphon funds from networks such as Arbitrum, Base, Polygon, Optimism, and zkSync. 

Additionally, transactions were tracked across Avalanche, Binance Smart Chain, Polkadot, Solana, and Tron. A primary wallet connected to the breach handled at least $44 million in stolen funds, while notable amounts included $16 million in SOL, $12 million in XRP, and $5 million in BTC. Despite the losses, Phemex still holds roughly $1.8 billion in assets, the majority of which are in its native PT token, followed by significant holdings in Bitcoin and USDT. 

The exchange has announced that it is developing a compensation plan for affected users. As of the latest reports, activity from the attacker’s addresses appears to have ceased, with the final recorded transactions occurring around 10:00 AM ET.
Read more »
Zero-day Flaw
Chrome Attack Chain Crypto Hack Cyber Attacks North Korea Hackers Zero-day Flaw

Lazarus Group Exploits Chrome Zero-Day Flaw Via Fake NFT Game

 

The notorious North Korean hacking outfit dubbed Lazarus has launched a sophisticated attack campaign targeting cryptocurrency investors. This campaign, discovered by Kaspersky researchers, consists of a multi-layered assault chain that includes social engineering, a fake game website, and a zero-day flaw in Google Chrome. 

The report claims that in May 2024, Kaspersky Total Security identified a new attack chain that used the Manuscrypt backdoor to target the personal computer of an unidentified Russian citizen. 

Kaspersky researchers Boris Larin and Vasily Berdnikov believe the campaign began in February 2024. After investigating the attack further, analysts discovered that the attackers had developed a website called "detankzonecom" that seemed to be a genuine platform for the game "DeFiTankZone." 

This game reportedly combines Decentralised Finance (DeFi) elements with Non-Fungible Tokens (NFTs) in a Multiplayer Online Battle Arena (MOBA) situation. The website even offers a downloadable trial edition, adding to the look of trustworthiness. However, beneath the surface is a malicious trap. 

“Under the hood, this website had a hidden script that ran in the user’s Google Chrome browser, launching a zero-day exploit and giving the attackers complete control over the victim’s PC,” researchers noted. 

The exploit contains code for two vulnerabilities: one that enables hackers to access the whole address space of the Chrome process using JavaScript (CVE-2024-4947), and the other that allows attackers to circumvent the V8 sandbox and access memory outside the confines of the register array. 

Google addressed CVE-2024-4947, a type confusion flaw in the V8 JavaScript and WebAssembly engine, in March 2024, although it's unknown if attackers discovered it first and weaponised it as a zero-day or exploited it as an N-day flaw.

In this campaign, Lazarus has used social media sites like LinkedIn and X (previously Twitter) to target prominent players in the cryptocurrency field. With several accounts on X, they created a social media presence and actively promoted the fake game. They also hired graphic designers and generative AI to create amazing advertising material for the DeTankZone game. The group also sent carefully designed messages to interested parties pretending to be blockchain startups or game developers looking for funding.

This campaign highlights how the Lazarus Group's strategies have changed. It is crucial to be wary of unsolicited investment opportunities, particularly when they involve dubious social media promotions or downloadable game clients. In order to mitigate the risk of zero-day attacks, it is also crucial to maintain browser software, such as Chrome, updated with the most recent security fixes.
Read more »
United States
Cyber Attacks Nation-State Attack North Korea Hackers Nuclear United States

Mandiant: North Korean Hackers Are Targeting Naval Tech

 

Google Cloud's Mandiant cyber researchers have upgraded Andariel, also known as Onyx Sleet, Plutonium, and Silent Chollima, to an official advanced persistent threat (APT) group, alerting that it is targeting extremely sensitive atomic secrets and technology as North Korea continues its nuclear weapons acquisition efforts.

APT45, which has been active since 2009 and may have some connection to the Lazarus hacking operation, is characterised as having a moderate level of sophistication in terms of both scope and technology. Like many North Korean groups, its main objective is to steal money to fund the failing, isolated regime. It is most likely under the control of North Korea's Reconnaissance General Bureau (RGB) 3rd Bureau and started out as a financially motivated operator. 

What sets it apart from other groups, though, is its suspected development and use of ransomware. Mandiant provided evidence of APT45 clusters using the Maui and Shatteredglass ransomware strains, while it hasn't been able to corroborate this claim with certainty. What is known with some certainty is that APT45's interest has recently shifted to other fields, such as crop science, healthcare, and pharmaceuticals, with much of its time being devoted to military affairs, according to Mandiant. 

“Many advances in North Korea’s military capabilities in recent years can directly be attributed to APT45’s successful espionage efforts against governments and defence organisations around the world,” stated Mandiant principal analyst Michael Barnhart. “When Kim Jong Un demands better missiles, these are the guys who steal the blueprints for him.” 

APT45's actions involve a combination of publicly available hacking tools and modified and secret malware variants. Its tool library appears to be distinct from those of other North Korean APTs, although its malware shares some traits, such as code reuse, unique custom encoding, and passwords. 

FBI operation 

Over the last few weeks, Mandiant has been "actively engaged" in an organised effort, operating alongside the FBI and other US agencies, to monitor APT45's efforts to gather defence and research intelligence from the US and other nations, including the UK, France, Germany, and South Korea, as well as Brazil, India, and Nigeria.

APT45 is believed to have targeted heavy and light tanks, self-propelled howitzers, light strike and ammo supply vehicles, littoral combat ships and combatant craft, submarines, torpedoes, and unmanned and autonomous underwater vehicles; modelling and simulation technology; fighter aircraft and drones; missiles and missile defence systems; satellites, satellite communications, and related technology; surveillance and phased-array radar systems; and manufacturing, including shipbuilding, robotics, 3D printing, casting, fabrication, moulding of metal, plastics and rubber, and machining processes. More worrisomely, the group has also been tracking facilities and research, nuclear power plants, waste and storage, and uranium enrichment and processing. 

“APT45 isn’t bound by ethical considerations and have demonstrated they’re willing and agile enough to target any entity to achieve their objectives, including hospitals,” added Barnhart. “A coordinated global effort involving both public and private sectors is necessary to counter this persistent and evolving threat.”
Read more »
North Korea Hackers
Asian Payment Firm Cryptoc Cyber Crime Money Laundering North Korea Hackers

Lazarus Hacking Group is Using Asian Firms to Launder Stolen Crypto

 

Cambodian payments company received crypto worth over US$150,000 from a digital wallet employed by North Korean hacking group Lazarus, blockchain data shows, a glimpse of how the criminal outfit has laundered funds in Southeast Asia. 

Huione Pay, based in Phnom Penh and offers currency exchange, payments and remittance services, received the crypto between June 2023 and February this year, according to the previously unreported blockchain data reviewed by Reuters. 

The crypto was transferred to Huione Pay from an anonymous digital wallet that, according to blockchain experts, was used by a hacking outfit to deposit funds stolen from three crypto firms in June and July 2023. 

The United States' Federal Bureau of Investigation said in August last year that Lazarus stole US$160 million from the crypto firms: Estonia-based Atomic Wallet and CoinsPaid; and Alphapo, registered in Saint Vincent and the Grenadines. 

They were the latest in a series of heists by Lazarus that the US said was funding Pyongyang's weapons programmes. Cryptocurrency allows North Korea to circumvent international sanctions, the United Nations has said.

The crypto might have assisted the regime pay for banned goods and services, according to the Royal United Services Institute, a London-based defence and security think tank. 

Huione Pay's board said the company had not known it "received funds indirectly" from the hacks and cited the multiple transactions between its wallet and the source of the hack as the reason it was unaware.

Rhe wallet that sent the funds was not under its management, Huione added. 

Huione Pay — whose three directors include Hun To, a cousin of Prime Minister Hun Manet — refused to elaborate why it had received funds from the wallet or provide details of its compliance policies. The firm stated Hun To's directorship does not include day-to-day oversight of its operations. The National Bank of Cambodia (NBC) said payments companies such as Huione weren't allowed to deal or trade in any cryptocurrencies and digital assets.

US blockchain analysis firm TRM Labs told Reuters that Huione Pay was one of a number of payment platforms and over-the-counter brokers that received a majority of the crypto stolen in the Atomic Wallet hack. Brokers connect buyers and sellers of crypto, offering traders a greater degree of privacy than crypto exchanges. 

TRM also said the attackers conceal their tracks by converting the stolen crypto via a complex laundering operation into different cryptocurrencies, including tether (USDT) — a so-called "stablecoin" that retains a steady value in dollars.
Read more »
Subscribe to: Posts (Atom)