Threat Research

North Korean threat actors continue to refine their tactics to target cryptocurrency and DeFi organizations. A recent investigation examined an intrusion against a FinTech entity in this sector. The activity was attributed to UNC1069, a financially motivated threat actor active since at least 2018....

ScoringMathTea is a newly uncovered C++ Remote Access Trojan used by North Korea’s Lazarus Group in a fresh phase of Operation DreamJob, targeting defense contractors supporting Ukraine to steal sensitive UAV technology....

In August 2025, an intrusion targeting an Asian subsidiary of a major European manufacturer was investigated and assessed as likely carried out by the North Korea–linked group UNC2970, aligning with Operation DreamJob. The attack began with a targeted WhatsApp message to a project engineer and used variants of the BURNBOOK loader and MISTPEN backdoor....

APT37, a North Korea–linked threat group, conducted a social engineering campaign masquerading as an academic forum invitation from a South Korean national security think tank. The lure referenced a real event titled “Trump 2.0 Era: Prospects and South Korea’s Response” to gain credibility....

North Korea-linked Lazarus Group has launched a new wave of Operation DreamJob, targeting European defense companies involved in unmanned aerial vehicle (UAV) development. The campaign uses trojanized open-source GitHub projects and the ScoringMathTea malware to steal proprietary data and manufacturing know-how....

BlueNoroff (also known as APT38, Sapphire Sleet, and TA444) — a financially motivated North Korean threat group — continues its SnatchCrypto operation, targeting blockchain developers and Web3 executives. The group has evolved its tactics with new infiltration methods and malware families....

A North Korea-aligned group, Famous Chollima, is using fake job offers to lure victims into installing malware. In a recent case, a trojanized Node.js app called Chessfi was distributed via the NPM package node-nvm-ssh. The group’s tools, BeaverTail and OtterCookie, have evolved by merging functionalities and adding a new JavaScript module for keylogging and taking screenshots....

North Korea-aligned threat group APT37 (aka ScarCruft, Ruby Sleet, Velvet Chollima) has been observed using advanced malware in recent campaigns targeting individuals linked to the North Korean regime and human rights activism in South Korea....

Multiple Russian IP address ranges—masked through VPNs, proxy servers, and VPS infrastructure—are being used in cybercrime operations aligned with North Korea's Void Dokkaebi group (also known as Famous Chollima). These IPs are linked to companies near the North Korea-Russia border and support IT workers operating from countries like China, Russia, and Pakistan....

Slow Pisces (aka Jade Sleet, TraderTraitor, PUKCHONG) is a North Korean threat group focused on funding the DPRK through crypto-targeted attacks. In a recent campaign, the group posed as employers on LinkedIn, targeting cryptocurrency developers. They sent malware-laced coding challenges that infected victims' systems....