Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label North Korean Hackers. Show all posts
PylangGhost
Crypto Scam Infostealer malware North Korean Hackers PylangGhost

North Korean Hackers Target Crypto Professionals With Info-Stealing Malware

 

North Korean hackers are tricking crypto experts into attending elaborate phoney job interviews in order to access their data and install sophisticated malware on their devices. 

Cisco Talos disclosed earlier this week that a new Python-based remote access trojan called "PylangGhost" links malware to a North Korean hacking group dubbed "Famous Chollima," also known as "Wagemole.” "Based on the advertised positions, it is clear that the Famous Chollima is broadly targeting individuals with previous experience in cryptocurrency and blockchain technologies," the researchers explained. 

The effort uses fake employment sites that mimic reputable businesses like Coinbase, Robinhood, and Uniswap to recruit blockchain and crypto experts in India. The scam begins with bogus recruiters guiding job seekers to skill-testing websites, where they submit personal information and answer technical questions. 

Following completion of the assessments, candidates are directed to allow camera access for a video interview, and then urged to copy and execute malicious commands masked as video driver installations. 

Dileep Kumar H V, director of Digital South Trust, told Decrypt that to combat these scams, "India must mandate cybersecurity audits for blockchain firms and monitor fake job portals.” “CERT-In should issue red alerts, while MEITY and NCIIPC must strengthen global coordination on cross-border cybercrime,” he stated, calling for “stronger legal provisions” under the IT Act and “digital awareness campaigns.” 

The recently identified PylangGhost malware has the ability to harvest session cookies and passwords from more than 80 browser extensions, including well-known crypto wallets and password managers like Metamask, 1Password, NordPass, and Phantom. The Trojan runs remote commands from command-and-control servers and gains continuous access to compromised systems. 

This most recent operation fits in with North Korea's larger trend of cybercrime with a crypto focus, which includes the infamous Lazarus Group, which has been involved in some of the biggest heists in the industry. The regime is now focussing on individual professionals to obtain intelligence and possibly infiltrate crypto organisations from within, in addition to stealing money straight from exchanges. 

With campaigns like "Contagious Interview" and "DeceptiveDevelopment," the gang has been launching hiring-based attacks since at least 2023. These attacks have targeted cryptocurrency developers on platforms like GitHub, Upwork, and CryptoJobsList.
Read more »
North Korean Hackers
BitoPro hack crypto theft 2025 Cyber Attacks Lazarus Group cyberattack North Korean Hackers

BitoPro Blames North Korea’s Lazarus Group for $11 Million Crypto Theft During Hot Wallet Update

 

Taiwanese cryptocurrency exchange BitoPro has attributed a major cyberattack that resulted in the theft of approximately $11 million in digital assets to the infamous North Korean hacking group Lazarus. The breach occurred on May 8, 2025, when attackers exploited vulnerabilities during a hot wallet system upgrade.

According to BitoPro, its internal investigation uncovered evidence linking the incident to Lazarus, citing similarities in techniques and tactics observed in previous large-scale intrusions.

“The attack methodology bears resemblance to patterns observed in multiple past international major incidents, including illicit transfers from global bank SWIFT systems and asset theft incidents from major international cryptocurrency exchanges,” reads the company’s announcement.

BitoPro, which serves primarily Taiwanese customers and offers fiat currency transactions in TWD alongside various crypto assets, has over 800,000 registered users and processes nearly $30 million in trading volume each day.

During the attack, unauthorized withdrawals were conducted from an older hot wallet across multiple blockchains, including Ethereum, Tron, Solana, and Polygon. The stolen funds were subsequently funneled through decentralized exchanges and mixing services such as Tornado Cash, ThorChain, and Wasabi Wallet to obscure their origin.

Although the breach took place in early May, BitoPro publicly acknowledged the incident only on June 2, assuring users that platform operations remained unaffected and that impacted wallets were replenished using reserves.

The subsequent investigation concluded there was no evidence of insider involvement. Instead, attackers had carried out a sophisticated social engineering campaign that compromised an employee’s device responsible for managing cloud operations. Through this infection, they hijacked AWS session tokens, effectively bypassing multi-factor authentication protections to gain access to BitoPro’s cloud infrastructure.

The hackers’ command-and-control server then issued instructions to implant malicious scripts into the hot wallet host in preparation for the heist. By carefully simulating legitimate activity, they were able to transfer assets undetected when the wallet upgrade took place.

Once BitoPro became aware of the unauthorized activity, it deactivated the hot wallet system and rotated cryptographic keys, though by that point, roughly $11 million had already been drained.

The exchange has notified relevant authorities and collaborated with external cybersecurity specialists to conduct a thorough review, which concluded on June 11.

The Lazarus Group has developed a notorious reputation for targeting cryptocurrency platforms and decentralized finance ecosystems, with previous operations including a record-setting $1.5 billion theft from Bybit.
Read more »
OtterCookie
Infostealer Malicious Campaign malware North Korean Hackers OtterCookie

North Korean Hackers Deploy OtterCookie Malware in Contagious Interview Campaign

 

The North Korean hackers behind the ongoing Contagious Interview campaign have been observed launching a new JavaScript malware named OtterCookie. 

The campaign includes social engineering techniques, with the hacker team frequently posing as recruiters to trick job seekers into downloading malware during an interview process. This entails sharing malware-laced files via GitHub or the official package registry, paving the way for the propagation of malware like BeaverTail and InvisibleFerret. 

Palo Alto Networks Unit 42, which first detected the activity in November 2023, is tracking the cluster as CL-STA-0240. In September 2024, Singaporean cybersecurity company Group-IB disclosed the deployment of an upgraded version of BeaverTail that employs a modular approach, delegating its information-stealing capability to a collection of Python scripts known as CivetQ. 

According to the latest findings from Japanese cybersecurity company NTT Security Holdings, the JavaScript malware that launches BeaverTail is also designed to fetch and execute OtterCookie. 

The new malware is said to have been launched in September 2024, with a new variant identified in the wild last month. OtterCookie, upon running, establishes connections with a command-and-control (C2) server using the Socket.IO JavaScript library, and awaits further instructions. It is intended to execute shell commands that facilitate data theft, including files, clipboard items, and cryptocurrency wallet keys. 

The older OtterCookie variant discovered in September is functionally identical, but with a slight implementation difference: the cryptocurrency wallet key theft capability is directly incorporated into the malware, rather than a remote shell command. The discovery indicates that attackers are actively updating their tools while leaving the infection chain mostly intact, highlighting the campaign's efficacy. 

This comes as South Korea's Ministry of Foreign Affairs (MoFA) sanctioned 15 individuals and one organisation in connection with a fraudulent IT worker program engineered by North Korea to establish a regular source of funds. These funds are funnelled to North Korea, often through data theft and other illegal means. 

Kim Ryu Song, one of the 15 sanctioned individuals, was also charged by the U.S. Department of Justice (DoJ) earlier this month for allegedly participating in a long-running conspiracy to violate sanctions and commit wire fraud, money laundering, and identity theft by illegally seeking employment in U.S. companies and non-profit organisations.
Read more »
UNC2970
Cyber Attacks Cyber-Espionage North Korean Hackers Threat Landscape UNC2970

North Korean Hackers Target Energy and Aerospace Industries in Novel Espionage Campaign

 

As per recent findings from Mandiant, companies operating in the energy and aerospace sectors are being targeted by a cyber-espionage campaign that has connections with North Korea.

The outfit behind the campaign, dubbed UNC2970, is most likely linked to North Korea and shares similarities with another Pyongyang-backed threat actor, TEMP.Hermit. Researchers at the Google-owned cybersecurity firm discovered UNC2970's latest campaign in June 2024 and published their findings on Tuesday. 

The group was initially identified in 2021, and it has since targeted victims in the United States, United Kingdom, the Netherlands, Cyprus, Sweden, Germany, Singapore, Hong Kong, and Australia. 

According to the research, UNC2970 hackers engage with their victims via email and WhatsApp, posing as recruiters for well-known companies. They eventually share a malware archive that claims to have a job description in PDF format.

The PDF file can only be read with a trojanized version of SumatraPDF, an actual open-source document viewer that installs a backdoor called Mistpen via the Burnbook launcher. Researchers revealed that the attackers updated the open-source code of an older version of SumatraPDF for this campaign, but that the SumatraPDF service itself was not compromised. UNC2970 uses real job description text to target victims, including those employed in critical infrastructure sectors in the United States. 

The Mistpen virus is a fork of a legitimate plugin for the Notepad++ open-source text and source code editor. The backdoor has been upgraded over time with new features, including a network connectivity check, which complicates sample analysis, researchers noted. Although Mandiant does not name the specific victims of this attack, researchers believe the hackers are targeting senior or manager-level employees. 

"This suggests the threat actor aims to gain access to sensitive and confidential information typically restricted to higher-level employees,” researchers stated. "The hackers also tailor their malicious messages to better align with the victim's profile."
Read more »
North Korean Hackers
American Firms Data Breach Data Theft EDR IT Sector North Korean Hackers

KnowBe4 Avoids Data Breach After Hiring North Korean Hacker


 

American cybersecurity firm KnowBe4 recently discovered that a new hire, brought on as a Principal Software Engineer, was actually a North Korean state actor. This individual attempted to install data-stealing malware on the company's devices, but the threat was identified and neutralised before any data breach occurred.

This incident is the testament to the persistent threat from North Korean operatives posing as IT professionals, a danger that the FBI has been warning about since 2023. North Korea has a well-organised network of IT workers who disguise their true identities to secure employment with American companies. The revenue generated by these infiltrators funds the country's weapons programs, cyber operations, and intelligence gathering.

How the Hacker Bypassed Checks

Before hiring the malicious actor, KnowBe4 conducted extensive background checks, verified references, and held four video interviews. Despite these precautions, the individual used a stolen U.S. identity and AI tools to create a fake profile picture that matched during the video calls. This deception enabled the hacker to bypass the initial vetting process.

On July 15, 2024, KnowBe4's Endpoint Detection and Response (EDR) system flagged an attempt to load malware from the Mac workstation recently issued to the new hire. The malware, designed to steal information stored in web browsers, was intended to capture any leftover credentials or data from the computer's previous user.

When confronted by KnowBe4's IT staff, the state actor initially offered excuses but soon ceased all communication.

Deceptive Hiring Practices

KnowBe4 CEO Stu Sjouwerman explained that the scheme involved tricking the company into sending the workstation to an "IT mule laptop farm" near the address provided by the fraudster. The hacker then used a VPN to connect to the device during U.S. working hours, making it seem like they were working as usual.

To prevent similar incidents, KnowBe4 advises companies to use isolated sandboxes for new hires, keeping them away from critical network areas. Additionally, firms should ensure that new employees' external devices are not used remotely and treat any inconsistencies in shipping addresses as potential red flags.

This incident at KnowBe4 zeroes in on the intricate  methods employed by North Korean hackers to infiltrate American companies. By staying vigilant and implementing robust security measures, firms can protect themselves from such threats.


Read more »
Tornado Cash
Axie Infinity cryptocurrency theft Cyber Crime decentralized mixers Horizon Bridge law enforcement actions Lazarus Group North Korean Hackers Sinbad.io Tornado Cash

Lazarus Group Hackers Resurface Utilizing Tornado Cash for Money Laundering

 

The Lazarus hacking group from North Korea is reported to have reverted to an old tactic to launder $23 million obtained during an attack in November. According to investigators at Elliptic, a blockchain research company, the funds, which were part of the $112.5 million stolen from the HTX cryptocurrency exchange, have been laundered through the Tornado Cash mixing service.

Elliptic highlighted the significance of this move, noting that Lazarus had previously switched to Sinbad.io after U.S. authorities sanctioned Tornado Cash in August 2022. However, Sinbad.io was later sanctioned in November. Elliptic observed that Lazarus Group appears to have resumed using Tornado Cash to obscure the trail of their transactions, with over $23 million laundered through approximately 60 transactions.

The researchers explained that this shift in behavior likely stems from the limited availability of large-scale mixers following law enforcement actions against services like Sinbad.io and Blender.io. Despite being sanctioned, Tornado Cash continues to operate due to its decentralized nature, making it immune to seizure and shutdown like centralized mixers.

Elliptic has been monitoring the movement of the stolen $112.5 million since HTX attributed the incident to Lazarus. The funds remained dormant until March 13 when they were observed passing through Tornado Cash, corroborated by other blockchain security firms.

North Korean hackers utilize services such as Tornado Cash and Sinbad.io to conceal the origins of their ill-gotten gains and convert them into usable currency, aiding the regime in circumventing international sanctions related to its weapons programs, as per U.S. government claims.

According to the U.S. Treasury Department, North Korean hackers have utilized Sinbad and its precursor Blender.io to launder a portion of the $100 million stolen from Atomic Wallet customers in June, as well as substantial amounts from high-profile crypto thefts like those from Axie Infinity and Horizon Bridge.

Researchers estimate that North Korean groups pilfered around $1.7 billion worth of cryptocurrency in 2022 and approximately $1 billion in 2023. The Lazarus Group, operational for over a decade, has reportedly stolen over $2 billion worth of cryptocurrency to finance North Korea's governmental activities, including its weapons programs, as stated by U.S. officials. The group itself faced U.S. sanctions in 2019.
Read more »
North Korean Hackers
Coin Mixer Crypto Crime Cyber Crime cyber theft North Korean Hackers

North Korean Hacking Outfit Lazarus Siphons $1.2M of Bitcoin From Coin Mixer

 

Lazarus Group, a notorious hacker group from North Korea, reportedly moved almost $1.2 million worth of Bitcoin (BTC) from a coin mixer to a holding wallet. This move, which is the largest transaction they have made in the last month, has blockchain analysts and cybersecurity experts talking. 

Details of recent transactions

Two transactions totaling 27.371 BTC were made to the Lazarus Group's wallet, according to blockchain analysis firm Arkham. 3.34 BTC were subsequently moved to a separate wallet that the group had previously used. The identity of the coin mixer involved in these transactions remains unknown. Coin mixers are used to conceal the trail of cryptocurrency transactions, making it difficult to track down the ownership and flow of funds.

The Lazarus Group's latest effort adds to its long history of sophisticated cyber crimes, notably involving cryptocurrency. The US Treasury Department has linked them to a $600 million bitcoin theft from the Ronin bridge, which is linked to Axie Infinity, a famous online game. 

Growing cryptocurrency reservoir

According to Arkham, the Lazarus Group's combined wallet holdings are currently worth approximately $79 million. This includes around $73 million in Bitcoin and $3.4 million in Ether. This huge wealth accumulation through illicit techniques exemplifies the group's persistent and expanding cryptocurrency operations.

Furthermore, a recent TRM Labs study discovered that North Korean-affiliated hackers, notably the Lazarus Group, were responsible for one-third of all cryptocurrency attacks and thefts in 2023. These operations apparently earned them roughly $600 million. 

Cyber attack patterns  

Multiple cybersecurity firms have carried out investigations into the Lazarus Group's operational tactics. Taylor Monahan, a Metamask developer, stated that the latest Orbit assault, which resulted in a loss of $81 million, was similar to prior Lazarus Group operations. Such patterns provide significant insights into their strategies and can assist in the development of more effective defensive measures for future attacks.

Over the last three years, the cybersecurity firm Recorded Future has attributed more than $3 billion in cryptocurrency breaches and vulnerabilities to the Lazarus Group. Their consistent and effective execution of high-profile cyber thefts highlights the advanced nature of their skills, as well as the challenges encountered in combatting such attacks.
Read more »
South Korea
Andariel Data Breach Hacker group Military Data North Korea North Korean Hackers Ransomware group South Korea

Seoul Police Reveals: North Korean Hackers Stole South Korean Anti-Aircraft Data


South Korea: Seoul police have charged Andariel, a North Korea-based hacker group for stealing critical defense secrets from South Korea’s defense companies. Allegedly, the laundering ransomware is redirected to North Korea. One of the 1.2 terabytes of data the hackers took was information on sophisticated anti-aircraft weaponry.  

According to the Seoul Metropolitan Police Agency, the hacker group utilized servers that they had rented from a domestic server rental company to hack into dozens of South Korean organizations, including defense companies. Also, the ransomware campaign acquired ransoms from a number of private sector victim firms. 

Earlier this year, the law enforcement agency and the FBI jointly conducted an investigation to determine the scope of Andariel's hacking operations. This was prompted by reports from certain South Korean corporations regarding security problems that were believed to be the result of "a decline in corporate trust." 

Andariel Hacker Group 

In an investigation regarding the origin of Andariel, it was found that it is a subgroup of the Lazarus Group. The group has stolen up to 1.2 terabytes of data from South Korean enterprises and demanded 470 million won ($357,000) in Bitcoin as ransom from three domestic and international organizations.  

According to a study conducted by Mandiant, it was revealed that Andariel is operated by the North Korean intelligence organization Reconnaissance General Bureau, which gathers intelligence for the regime's advantage by mainly targeting international enterprises, governmental organizations, defense companies, and financial services infrastructure. 

Apparently, the ransomware group is also involved in cybercrime activities to raise funds for conducting its operation, using specially designed tools like the Maui ransomware and DTrack malware to target global businesses. In February, South Korea imposed sanctions on Andariel and other hacking groups operating in North Korea for engaging in illicit cyber operations to fund the dictatorial regime's nuclear and missile development projects.  

The threat actor has used a number of domestic and foreign crypto exchanges, like Bithumb and Binance, to launder the acquired ransom. Till now, a sum of 630,000 yuan ($89,000) has been transferred to China's K Bank in Liaoning Province. The hackers proceeded to redirect the laundered money from the K Bank branch to a location close to the North Korea-China border. 

Seoul police noted that they have seized the domestic servers and virtual asset exchange used by Andariel to conduct their campaigns. Also, the owner of the account, that was used in transferring the ransom, has been detained. 

"The Security Investigation Support Department of the Seoul Metropolitan Police Agency is actively conducting joint investigations with related agencies such as the U.S. FBI regarding the overseas attacks, victims and people involved in this incident, while continuing to investigate additional cases of damage and the possibility of similar hacking attempts," the agency said.

The police have warned businesses of the threat actor and have advised them to boost their cybersecurity and update security software to the latest versions. It has also been advised to organizations to encrypt any critical data, in order to mitigate any future attack. 

Moreover, police are planning to investigate server rental companies to verify their subscribers’ identities and to ensure that the servers have not been used in any cybercrime activity.  

Read more »
Subscribe to: Posts (Atom)