Kimsuky targets organizations with PebbleDash-based tools

Over the past few months, we have conducted an in-depth analysis of specific activity clusters of Kimsuky aka APT43, Ruby Sleet, Black Banshee, Sparkling Pisces, Velvet Chollima, and Springtail, a prolific Korean-speaking threat actor. Our research revealed notable tactical shifts throughout...

Two US Men Jailed for Helping North Korean Hackers Infiltrate US Firms

Matthew Knoot and Erick Prince have been jailed for 18 months each for helping North Korean hackers infiltrate US firms through remote laptop farms...

MAL-2026-3224 Malicious code in graphicctx (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 8867133b18f35132bf0096bdbd5d1891e87f8a07bbba09f6dffe21c8b048596e Packages in this campaign are used to exfiltrate data from users installing code from prepared Github repositories. Packages contain code to exfiltrate files...

AI Tools Are Helping Mediocre North Korean Hackers Steal Millions

One group of hackers used AI for everything from vibe coding their malware to creating fake company websites—and stole as much as $12 million in three months...

Mustang Panda Hits India and S. Korea with Updated LOTUSLITE Backdoor

Acronis reveals Mustang Panda is using an updated version of LOTUSLITE backdoor to target Indian banks and Korean diplomats. Learn how this DLL sideloading attack works...

OpenAI Revokes macOS App Certificate After Malicious Axios Supply Chain Incident

OpenAI revealed a GitHub Actions workflow used to sign its macOS apps led to the download of the malicious Axios library on March 31, but noted that no user data or internal system was compromised. "Out of an abundance of caution, we are taking steps to protect the process that certifies our macO...

CVE-2026-5446

In wolfSSL, ARIA-GCM cipher suites used in TLS 1.2 and DTLS 1.2 reuse an identical 12-byte GCM nonce for every application-data record. Because wcAriaEncrypt is stateless and passes the caller-supplied IV verbatim to the MagicCrypto SDK with no internal counter, and because the explicit IV is...

MAL-2026-2517 Malicious code in kraken-trader (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 4bf5ec6e8a6020de1e122cf07f2dde0f02fa1a484ff984586db379729da75523 The package is a loader of malicious code disguised as remote "credits" code. The remote location, built from the parts in the code, delivers highly obfuscated...

North Korean Hackers Pose as Trading Firm to Steal $285M from Drift

North Korean hackers UNC4736 posed as a trading firm for six months to infiltrate Drift Protocol, using social engineering tactics to steal $285M without suspicion...

Exploit for Use After Free in Redis

CVE-2025-49844 RediShell AI-made Revshell PoC Untested comple...

North Korean Hackers Abuse GitHub to Spy on South Korean Firms

Researchers from FortiGuard Labs have uncovered a high-severity spying campaign targeting South Korean companies. Discover how North Korean…...

North Korean Hackers Abuse VS Code Auto-Run Tasks to Deploy StoatWaffle Malware

The North Korean threat actors behind the Contagious Interview campaign, also tracked as WaterPlum, have been attributed to a malware family tracked as StoatWaffle that's distributed via malicious Microsoft Visual Studio Code VS Code projects. The use of VS Code "tasks.json" to distribute malware...

North Korean Hacker Lands Remote IT Job, Caught After VPN Slip

New research from LevelBlue reveals how a suspected North Korean operative landed a remote IT role to fund national weapons programmes...

AI as tradecraft: How threat actors operationalize AI

In this article 1. AI as an enabler for cyberattacks 2. Post-compromise misuse of AI 3. Emerging trends 4. Mitigation guidance for AI-enabled threats 5. Microsoft Defender detections Threat actors are operationalizing AI along the cyberattack lifecycle to accelerate tradecraft, abusing both...

North Korean Hackers Publish 26 npm Packages Hiding Pastebin C2 for Cross-Platform RAT

Cybersecurity researchers have disclosed a new iteration of the ongoing Contagious Interview campaign, where the North Korean threat actors have published a set of 26 malicious packages to the npm registry. The packages masquerade as developer tools, but contain functionality to extract the actua...

Phishing Attacks Against People Seeking Programming Jobs

This is new. North Korean hackers are posing as company recruiters, enticing job candidates to participate in coding challenges. When they run the code they are supposed to work on, it installs malware on their system. News article...

North Korean Lazarus Group Adopts Medusa Ransomware in Global Attacks

Lazarus Group is now using Medusa ransomware in attacks on healthcare and social services, signaling a move toward profit-focused cybercrime...

MAL-2026-162 Malicious code in btcli-security (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 a4b868f818b1a81f5fccee1967f70c3ff9d75c218d14ec09882c576a9c2c213e Package clones a legitimate bittensor-cli library and adds a hidden code that downloads a malicious script. The script then downloads an archive with malicious...

30,000 Korean Air Employee Records Stolen as Cl0p Leaks Data Online

Korean Air confirms a major data leak affecting 30,000 staff members after the Cl0p gang targeted a catering partner. Learn what data was stolen and the airline’s response to secure its data...

Keyboard Lag Leads Amazon to North Korean Impostor in Remote Role

Amazon Security Chief explains how a subtle keyboard delay exposed a North Korean impostor. Read about the laptop farm scheme and how 110 milliseconds of lag ended a major corporate infiltration...