North Korea-Linked Threat Activity and Reporting on Lazarus, IT Worker Schemes, and Related Malware
Multiple reports and threat-intel posts highlighted North Korea-linked cyber activity spanning social engineering, malware, and broader ecosystem analysis. AllSecure described an attempted compromise of a CEO via a fake LinkedIn job interview attributed to Lazarus tradecraft (tagged BeaverTail / Contagious Interview), indicating continued use of recruiter-style lures and developer tooling themes (e.g., VSCode) to gain execution on target systems. Separately, eSentire published technical analysis on the DEV#POPPER remote access trojan and associated OmniStealer activity, framing it as DPRK-linked malware and providing defensive guidance for organizations facing this threat class.
Additional DPRK-focused intelligence covered both strategic and operational dimensions. Google’s Cloud Threat Horizons Report H1 2026 discussed cloud-focused threat activity and tracked DPRK-linked clusters (including UNC4899 and UNC5267), while Logpresso published an OSINT report on DPRK remote IT worker infiltration tactics (fraudulent employment/contractor placement). NKInternet released a catalog-style overview of North Korea’s software export ecosystem, and RedAsgard’s “Hunting Lazarus” series contributed hands-on investigative detail into Lazarus operator artifacts. A separate Lazarus threat-actor profile page aggregated historical reporting and statistics, but did not add a discrete new incident beyond compilation.

How this story unfolded
34 events from the most recent confirmed update back to the earliest known activity.
Wiz publishes report on threat actor targeting crypto organizations
A Bluesky post shared a Wiz publication titled "Threat Actor Targets Crypto Organizations," associated in the reference with JINX-0164, suspected DPRK-linked activity, and macOS targeting. The available reference provides only the report title and topical tags, without additional technical details, victims, or indicators.
RedAsgard publishes developer safety checklist on fake coding interviews
RedAsgard published an article titled "A Fake Coding Interview Is an Execution Request: Developer Safety Checklist," covering developer-targeted social engineering associated with fake coding interviews and Lazarus-linked tradecraft. The reference ties the article to themes including GitHub, npm, VSCode, and DPRK cyber threat intelligence.
RedAsgard publishes Hunting Lazarus Part IX: The Google Mirror
A Bluesky post shared RedAsgard's blog article "Hunting Lazarus Part IX: The Google Mirror," indicating a new Lazarus-focused threat intelligence publication. The available reference ties the report to BeaverTail, OtterCookie, and DPRK cyber threat intelligence themes but provides no additional technical details beyond the report title and topic tags.
Fox-IT publishes report on Lazarus RemotePE malware
A Fox-IT report titled "RemotePE: The Lazarus RAT that lives in memory" was publicly shared, associating the RemotePE malware family with the Lazarus threat actor. The available reference provides only the report title and broad Lazarus/DPRK context, without additional technical details beyond the report’s existence and topic.
Trend Micro publishes analysis of Void Dokkaebi InvisibleFerret malware
Trend Micro published a research article titled "Analyzing Void Dokkaebi’s Cython-Compiled InvisibleFerret Malware." The reference links InvisibleFerret to the DPRK-associated Void Dokkaebi activity cluster, but provides no further technical details beyond the report title and topic.
Bitso publishes "Interview with the Chollima VIII" article
Bitso published an article titled "Interview with the Chollima VIII," focused on DPRK IT worker activity and cyber threat intelligence. The available reference is a Bluesky post sharing the article and provides no additional technical details, victims, or indicators beyond the article's existence and topic.
Krypt3ia publishes report on DPRK activity evolution through campaign linkage
Krypt3ia published a threat intelligence report titled "DPRK Activity Evolution Through Campaign Linkage," focused on North Korean cyber activity and relationships across campaigns. The available reference provides only the report title and broad themes including cryptocurrency, IT workers, supply chain, and CTI.
meowmfer publishes report on active GitHub network in Contagious Interview
A Bluesky post shared meowmfer's report titled "Deep Dive into Active Github Network Running Contagious Interview," describing reporting on infrastructure tied to the DPRK-linked Contagious Interview campaign. The reference links the report to BeaverTail and OmniStealer themes but provides no further technical details beyond the report title and topic tags.
RedAsgard publishes Hunting Lazarus Part VIII on OtterCookie
A Bluesky post shared RedAsgard's blog article "Hunting Lazarus Part VIII: OtterCookie," indicating a new Lazarus-focused threat intelligence publication centered on the OtterCookie malware or campaign. The available reference does not include the article's substantive technical findings beyond its existence and topic.
Arkham research on Lazarus Group on-chain footprint is shared
A Bluesky post shared a new Arkham research article focused on the Lazarus Group's on-chain footprint and money-laundering activity, with AppleJeus and DPRK cyber threat intelligence themes. The reference indicates the report was being publicly promoted on 2026-05-15.
Researcher alleges DPRK recruiter offered payment to launder Upwork identity
A Bluesky post alleged that a North Korean recruiter attempted to pay someone $300 per month to launder an Upwork identity. The claim adds a specific example of suspected DPRK IT worker tradecraft involving freelance-platform identity misuse, though no independent confirmation or technical evidence is provided in the reference.
Researcher alleges suspected DPRK IT worker was employed at THORSwap
A Bluesky post by meowmfer alleged that a suspected DPRK IT worker had been employed at THORSwap. The reference provides only a brief claim and an archived link, without technical evidence, access details, or independent confirmation.
NISOS publishes report on DPRK employment fraud targeting crypto companies
NISOS published a report titled "DPRK Employment Fraud Targeting Crypto Companies," describing North Korean employment fraud activity aimed at cryptocurrency firms. The available reference is a Bluesky post sharing the report and ties it to DPRK IT worker threat intelligence.
Kmsec publishes report on DPRK abuse of Cloudflare Workers and Pages
A report attributed to Kmsec on North Korea's abuse of Cloudflare Workers and Cloudflare Pages was publicly shared. The available reference links the topic to DPRK cyber activity but does not provide underlying technical details, victims, or indicators beyond the report's existence and focus.
NKInternet reports fake dev and company entities vexxloso and Nixsora.com
NKInternet published an article titled "More Fake Devs, More Fake Companies: vexxloso and Nixsora.com," adding reporting on suspected DPRK-linked fake developer and fake company activity. The available reference identifies the named entities and ties the article to North Korean IT worker threat intelligence, but provides no further technical details or victim information.
Expel publishes report on Lazarus using AI to target developers
Expel published an article titled "Inside Lazarus: How North Korea uses AI to industrialize attacks on developers," describing Lazarus-linked activity focused on developers. The available reference is a Bluesky post sharing the report and does not provide additional technical details, victims, or indicators beyond the report’s existence and topic.
Trend Micro reports Void Dokkaebi fake interview malware campaign
Trend Micro published a report titled "Void Dokkaebi Uses Fake Job Interview Lure to Spread Malware via Code Repositories," describing a DPRK-linked campaign that used fake job interview lures and code repositories in the infection chain. The available reference is a social media post sharing the report and does not provide additional victim, indicator, or malware-behavior details.
NoxHunt publishes report on DPRK IT workers' computers
A NoxHunt article titled "Inside the computers of DPRK IT workers" was publicly shared, indicating new reporting focused on North Korean IT worker activity. The available reference includes only the title and topic tags, without technical findings or victim details.
FalconFeeds reports UNC1069 deepfake campaign targeting crypto and supply chains
FalconFeeds published a report titled "UNC1069: DPRK’s Deepfake-Driven Cyber Campaign Targeting Crypto and Software Supply Chains." The report characterized UNC1069 as a North Korea-linked operation using deepfake-enabled social engineering and highlighted targeting of cryptocurrency organizations and software supply chains.
Researcher claims DPRK-linked IT worker cell infiltrated Tokamak Network
A Bluesky post attributed to meowmfer claimed to have mapped a cell of more than 14 accounts that allegedly infiltrated Tokamak Network. The post framed the activity in the context of DPRK-linked IT worker operations but provided no technical details on access methods, affected systems, or independent confirmation.
SecurityAlliance publishes UNC1069 advisory on fake Teams and Zoom calls
SecurityAlliance published an advisory on DPRK-linked activity tracked as UNC1069. The advisory highlighted social-engineering lures involving fake Microsoft Teams and Zoom calls.
Socket reports Contagious Interview campaign spreading across five ecosystems
A Socket article reported that North Korea’s Contagious Interview campaign had spread across five ecosystems and was delivering staged remote access trojan payloads. The reference does not provide further technical details, victims, or indicators beyond the article’s existence and scope.
NKInternet publishes article on npm malware, fake developers, and deepfakes
NKInternet published an article titled "npm Malware, Fake Devs, and Deepfake Videos: These Are A Few of My Favorite DPRK Things," covering DPRK-linked themes including npm ecosystem abuse, fake developers, and deepfake videos. The reference provides no additional technical details, victims, or indicators beyond the article's existence and topic.
Walmart publishes "Mapping Ottercookie Infrastructure" report
Walmart published a cyber threat intelligence report titled "Mapping Ottercookie Infrastructure," focused on Ottercookie and DPRK-linked activity. The reference is a social media post sharing the report and does not provide additional technical details beyond the report’s existence and topic.
eSentire publishes EtherRAT and EtherHiding technical analysis
eSentire released a report on EtherRAT and its SYS_INFO module, describing command-and-control activity using Ethereum-based infrastructure (EtherHiding), target selection logic, and beaconing designed to resemble CDN traffic. The report was publicly shared on 2026-03-26.
Sophos publishes research on NICKEL ALLEY strategy
Sophos published an article titled "NICKEL ALLEY strategy: Fake it ‘til you make it," covering North Korea-linked activity. The reference associates the report with themes including ClickFix, Contagious Interview, and PylangGhost.
AhnLab releases February 2026 APT group trends report
AhnLab published its "February 2026 APT Group Trends Report" on the ASEC site. The reference indicates the report covered activity associated with groups including BlueNoroff, Lazarus, and Medusa.
U.S. Treasury sanctions facilitators of DPRK IT worker fraud
The U.S. Department of the Treasury announced sanctions against facilitators of North Korean IT worker fraud targeting U.S. businesses. Related coverage also highlighted OFAC action involving DPRK IT workers' use of cryptocurrency.
Allsecure discloses fake LinkedIn job interview targeting its CEO
Allsecure published an account of a North Korea-linked attempt to hack its CEO through a fake job interview on LinkedIn. The activity was associated in the reference with Lazarus ecosystem themes including BeaverTail, Contagious Interview, and VSCode.
NKInternet publishes North Korea software catalog article
NKInternet published an article titled "Made for Export: North Korea’s Software Catalog," covering North Korean software offerings. The exact publication date is not stated in the reference, but it was publicly available by 2026-03-11.
Google releases Cloud Threat Horizons Report H1 2026
Google published its "Cloud Threat Horizons Report H1 2026," which the reference associates with cloud threat intelligence involving UNC4899, UNC5267, and DPRK-linked activity. The report was being shared publicly on 2026-03-10.
Logpresso publishes OSINT report on disguised DPRK IT workers
Logpresso published a Korean-language report on OSINT analysis of North Korean IT workers obtaining employment under disguise. The linked blog post is explicitly dated 2026-03-09.
eSentire publishes analysis of DEV#POPPER and OmniStealer
eSentire released a blog post analyzing the DEV#POPPER remote access trojan and OmniStealer, framed as relevant to DPRK-linked activity. The write-up focused on understanding the malware and defensive guidance for organizations.
RedAsgard publishes Lazarus threat intelligence report
RedAsgard published "Hunting Lazarus, Part 5: Eleven Hours on His Disk," a threat intelligence report focused on the Lazarus Group. The reference indicates the report was available by 2026-03-09.