@www.silentpush.com
//
North Korean operatives have infiltrated hundreds of Fortune 500 companies, posing a significant threat to IT infrastructure and sensitive data. Security experts speaking at the RSAC 2025 Conference said the infiltration extends across virtually every major corporation, with many Fortune 500 companies unknowingly employing North Korean technical workers. This trend raises serious concerns about potential security breaches and data theft. Dozens of experts and law-enforcement officials at RSAC described the campaign as out of control, now affecting thousands of companies.
Even Google has detected North Korean technical workers in its talent pipeline as job candidates and applicants, although none have been hired to date. "If you're not seeing this, it's because you're not detecting it, not because it's not happening to you," warned Iain Mulholland, senior director of security engineering at Google Cloud, emphasizing the universality of the threat. Insider risk management firm DTEX corroborated these findings, reporting that 7% of its customer base, representing a cross-section of the Fortune 2000, has been infiltrated by North Korean operatives working as full-time employees with privileged access.
The North Korean IT worker scam has expanded beyond the tech and crypto industries and is now a threat to all companies. One cybersecurity expert even found evidence that a U.S. political campaign in Oregon hired a North Korean IT worker to build its website. Initially the workers focused on legitimate employment to generate revenue for the regime in Pyongyang, but experts now report a tactical shift toward extortion.
References :
- gbhackers.com: North Korean APT Hackers Pose as Companies to Spread Malware to Job Seekers
- iHLS: North Korean Hackers Set Up Fake U.S. Businesses to Target Cryptocurrency Developers
- www.cysecurity.news: Threat analysts at Silent Push, a U.S. cybersecurity firm, told Reuters that North Korean cyber spies established two companies in the U.S., Blocknovas LLC and Softglide LLC, using fictitious personas and addresses to infect developers in the cryptocurrency industry with malicious software, in violation of Treasury sanctions.
@unit42.paloaltonetworks.com
//
North Korean state-sponsored group Slow Pisces, also known as Jade Sleet, TraderTraitor, and PUKCHONG, is actively targeting cryptocurrency developers through social engineering campaigns on LinkedIn. Security researchers at Palo Alto Networks have uncovered a scheme where the group poses as potential employers, enticing developers with coding challenges that are actually malware delivery mechanisms. The malicious activity is suspected to be connected to the massive Bybit hack that occurred in February 2025.
The attackers send what appear to be legitimate coding assignments to the developers, but the projects are trojanized: when a developer runs one, it fetches data from an attacker-controlled server and deserializes it in a way that executes code (Unit 42 describes YAML deserialization in the Python repositories and EJS template abuse in the JavaScript ones). The result is infection with new customized Python malware dubbed RN Loader and RN Stealer. RN Loader collects basic information about the victim's machine and operating system and sends it to a remote server, while RN Stealer harvests sensitive data from infected Apple macOS systems, including system metadata and installed applications.
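The deserialization trick is worth checking for before running any "take-home" repository. Unit 42's writeup (cited below) describes the Python projects fetching YAML data from an attacker-controlled server and loading it with an unsafe PyYAML loader, and the JavaScript ones abusing EJS templates. The Python below is an added example, not code from Unit 42 or from the Slow Pisces repositories: it statically finds `yaml.load()` calls that do not use a Safe loader, and flags PyYAML-specific tags in fetched data. The sample source and the YAML payload are constructed for illustration; only the Python standard library is used, so it runs without PyYAML installed.

```python
import ast
import re

# Constructed sample of the kind of helper a "coding challenge" repository might ship.
# Illustrative only; it is not code from the Slow Pisces repositories.
SAMPLE_SOURCE = '''
import yaml
import requests

def load_remote_config(url):
    data = requests.get(url).text
    return yaml.load(data)                      # no Loader: version-dependent, never Safe

def load_local_config(path):
    with open(path) as fh:
        return yaml.safe_load(fh)               # SafeLoader: plain data only

def load_with_loader(text):
    return yaml.load(text, Loader=yaml.Loader)  # explicitly the code-executing loader
'''

# Constructed YAML document of the shape an unsafe loader would execute:
# the !!python/object/apply tag calls os.system with the given argument list.
SAMPLE_PAYLOAD = "config: !!python/object/apply:os.system ['echo payload-would-run-here']\n"

SAFE_LOADERS = {"SafeLoader", "CSafeLoader"}
PYTHON_TAG = re.compile(r"!!python/[\w./:]+")


def _is_yaml_load(call: ast.Call) -> bool:
    """True for calls spelled yaml.load(...); yaml.safe_load is a different attribute."""
    fn = call.func
    return (
        isinstance(fn, ast.Attribute)
        and fn.attr == "load"
        and isinstance(fn.value, ast.Name)
        and fn.value.id == "yaml"
    )


def find_unsafe_yaml_loads(source: str) -> list[tuple[int, str]]:
    """Return (line, reason) for every yaml.load() that does not use a Safe loader.

    PyYAML before 6.0 picks a loader when none is given (the code-executing Loader
    before 5.1, FullLoader afterwards, which has had its own bypasses); only
    SafeLoader/CSafeLoader restrict the output to plain data.
    """
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call) or not _is_yaml_load(node):
            continue
        loader = next((kw.value for kw in node.keywords if kw.arg == "Loader"), None)
        if loader is None and len(node.args) >= 2:
            loader = node.args[1]          # Loader passed positionally
        if loader is None:
            findings.append((node.lineno, "yaml.load() with no Loader argument"))
        elif not (isinstance(loader, ast.Attribute) and loader.attr in SAFE_LOADERS):
            findings.append((node.lineno, f"yaml.load() with non-safe loader {ast.unparse(loader)}"))
    return sorted(findings)


def find_python_tags(yaml_text: str) -> list[str]:
    """List PyYAML-specific tags in a YAML document; any hit means the data is code, not config."""
    return PYTHON_TAG.findall(yaml_text)


if __name__ == "__main__":
    for line, reason in find_unsafe_yaml_loads(SAMPLE_SOURCE):
        print(f"line {line}: {reason}")
    print("tags in fetched data:", find_python_tags(SAMPLE_PAYLOAD))
```

Run the scanner over a cloned challenge before executing anything in it; a `yaml.load()` fed from the network, or a response containing `!!python/` tags, is reason enough to stop and treat the repository as hostile.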
GitHub and LinkedIn have taken action to remove the malicious accounts used by Slow Pisces. Both companies affirm that they use automated technology, expert teams, and user reporting to combat malicious actors. Palo Alto Networks customers are protected through their Next-Generation Firewall with Advanced URL Filtering and Advanced DNS Security subscriptions. They urge those who suspect they might be compromised to contact the Unit 42 Incident Response team.
References :
- Virus Bulletin: VirusBulletin reports on Slow Pisces (aka Jade Sleet, TraderTraitor, PUKCHONG) campaign targeting cryptocurrency developers on LinkedIn, posing as potential employers and sending malware disguised as coding challenges.
- unit42.paloaltonetworks.com: Unit 42 reports that North Korean state-sponsored group Slow Pisces (Jade Sleet) targeted crypto developers with a social engineering campaign that included malicious coding challenges.
- securityonline.info: Slow Pisces Targets Crypto Developers with Deceptive Coding Challenges
- The Hacker News: Crypto Developers Targeted by Python Malware Disguised as Coding Challenges
- Unit 42: Slow Pisces Targets Developers With Coding Challenges and Introduces New Customized Python Malware
- Security Risk Advisors: Slow Pisces Targets Crypto Developers With "Coding Challenges" That Deliver New RN Loader and RN Stealer Malware
- www.itpro.com: Hackers are duping developers with malware-laden coding challenges
- cyberpress.org: Slow Pisces Hackers Target Developers with Malicious Python Coding Tests
- gbhackers.com: Slow Pisces Group Targets Developers Using Coding Challenges Laced with Python Malware
- sra.io: #NorthKorea - based #SlowPisces group hits #Crypto devs with #LinkedIn "coding challenges"! Repos mask #Python & #JS malware using YAML/EJS tricks.
- Security Risk Advisors: #NorthKorea - based #SlowPisces group hits #Crypto devs with #LinkedIn "coding challenges"! Repos mask #Python & #JS malware using YAML/EJS tricks.
do son@securityonline.info
//
Cybersecurity analysts have uncovered a campaign that uses a fake Zoom installer to deliver BlackSuit ransomware to Windows systems. The attack begins with a download from a website mimicking the Zoom teleconferencing application; clicking its "Download" button starts a chain of events that ends with malware capable of crippling an entire network.
The fake installer, built with Inno Setup, hides d3f@ckloader, a Pascal-based loader, which in turn uses the IDAT loader to drop SectopRAT. After roughly nine days of low activity the attackers deploy Brute Ratel and Cobalt Strike, use QDoor to obtain RDP access for lateral movement, and then push BlackSuit ransomware across the network, deleting Volume Shadow Copies to hinder recovery before encrypting files and dropping ransom notes. Before encryption, the attackers used WinRAR to compress data from file shares and uploaded the archives to Bublup, a cloud storage service, for exfiltration.
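On the response side, the two actions in this intrusion most worth alerting on are the staging of file-share data with an archiver and the deletion of Volume Shadow Copies, both of which precede encryption and both of which leave process command lines behind. The Python below is an added example (not from The DFIR Report or any vendor) that runs two such rules over constructed process-creation events. It assumes command-line logging is enabled (Sysmon Event ID 1 or Security Event 4688 with command-line auditing) and that events have been flattened to one key=value line each; the hostnames, users and command lines are constructed, not taken from the report, and the rule patterns cover the usual spellings of these techniques rather than this one intrusion.

```python
import re
from collections import defaultdict

# Constructed process-creation events (not from the DFIR Report), one per line.
SAMPLE_EVENTS = """\
2025-03-10T09:14:03Z host=WS07 user=CORP\\jdoe cmd="C:\\Users\\jdoe\\Downloads\\zoom-installer.exe"
2025-03-10T09:14:09Z host=WS07 user=CORP\\jdoe cmd="C:\\Windows\\System32\\svchost.exe -k netsvcs"
2025-03-19T02:41:55Z host=FS01 user=CORP\\admin cmd="C:\\Program Files\\WinRAR\\Rar.exe a -r -hp C:\\Temp\\fs.rar \\\\FS01\\Finance"
2025-03-19T03:05:12Z host=FS01 user=CORP\\admin cmd="vssadmin.exe delete shadows /all /quiet"
2025-03-19T03:05:13Z host=FS01 user=CORP\\admin cmd="wmic.exe shadowcopy delete"
2025-03-19T03:06:40Z host=FS01 user=CORP\\admin cmd="vssadmin.exe list shadows"
"""

EVENT_RE = re.compile(
    r'^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+cmd="(?P<cmd>.*)"$'
)

# Rule name -> pattern matched against the full command line.
RULES = (
    # vssadmin / wmic / WMI-based shadow copy deletion (a "list" alone is not flagged)
    ("shadow_copy_deletion", re.compile(
        r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b"
        r"|\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b"
        r"|Win32_ShadowCopy.*\.Delete\(", re.I)),
    # an archiver adding ("a") files from a UNC path, i.e. staging a share for exfiltration
    ("archive_staging_from_share", re.compile(
        r"\b(?:rar|winrar|7z|7za)(?:\.exe)?\s+a\b.*\\\\[\w.-]+\\", re.I)),
)


def parse_events(text: str) -> list[dict]:
    """Parse the key=value lines; lines that do not match the layout are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def detect(text: str) -> list[dict]:
    """Return one finding per (event, rule) pair, in event order."""
    findings = []
    for ev in parse_events(text):
        for rule, pattern in RULES:
            if pattern.search(ev["cmd"]):
                findings.append({**ev, "rule": rule})
    return findings


def hosts_with_ransomware_precursors(findings: list[dict]) -> list[str]:
    """Hosts on which data was staged from a share AND shadow copies were deleted."""
    rules_by_host = defaultdict(set)
    for f in findings:
        rules_by_host[f["host"]].add(f["rule"])
    required = {"shadow_copy_deletion", "archive_staging_from_share"}
    return sorted(h for h, rules in rules_by_host.items() if required <= rules)


if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for f in hits:
        print(f"{f['ts']} {f['host']} {f['rule']}: {f['cmd']}")
    print("escalate:", hosts_with_ransomware_precursors(hits))
```

Each rule on its own is noisy in some environments (backup jobs legitimately prune shadow copies; admins archive shares), which is why the escalation function requires both on the same host; in this intrusion both occurred on the final day, so the combined signal still fires before encryption starts.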
References :
- bsky.app: The notorious North Korean Lazarus hacking group has reportedly adopted 'ClickFix' tactics to deploy malware targeting job seekers in the cryptocurrency industry, particularly centralized finance (CeFi).
- BleepingComputer: North Korean hackers adopt ClickFix attacks to target crypto firms
- Cyber Security News: Hackers Exploit Zoom Installer to Gain RDP Access and Launch BlackSuit Ransomware Attack
- gbhackers.com: Beware! A Fake Zoom Installer Drops BlackSuit Ransomware on Your Windows Systems
- Virus Bulletin: The DFIR Report researchers look into a fake Zoom installer that used d3f@ckloader & IDAT loader to drop SectopRAT, which dropped Cobalt Strike & Brute Ratel after 9 days. For lateral movement the threat actor used QDoor & finally deployed BlackSuit ransomware.
- Osint10x: Fake Zoom Ends in BlackSuit Ransomware
- securityonline.info: Fake Zoom, Real Ransom: Nine-Day Malware Intrusion Ends with BlackSuit Ransomware Blast
- bsky.app: Lazarus adopts ClickFix technique.
- New "ClickFake Interview" campaign attributed to the Lazarus Group targets crypto professionals with fake job offers
- BleepingComputer: Report of the Lazarus Group adopting the ClickFix technique for malware deployment.
Bill Toulas@BleepingComputer
//
OKX Web3 has suspended its DEX aggregator services following reports that the North Korean Lazarus Group, responsible for a $1.5 billion crypto heist, was abusing the tool to launder funds. The suspension is intended to allow security upgrades that prevent further abuse and protect users from illicit activity such as money laundering.
OKX's response includes implementing advanced security technologies, such as multi-factor authentication and machine learning algorithms, to predict and prevent potential security breaches. The company is also collaborating with regulatory authorities to align its security measures with international standards, including stricter Know Your Customer protocols and enhanced transaction monitoring systems. These steps are part of a comprehensive security overhaul aimed at fortifying the platform against sophisticated cyber threats.
References :
- bsky.app: Bsky Social - OKX Web3 has decided to suspend its DEX aggregator services to implement security upgrades following reports of abuse by the notorious North Korean Lazarus hackers, who recently conducted a $1.5 billion crypto heist.
- BleepingComputer: Infosec Exchange - OKX Web3 has decided to suspend its DEX aggregator services to implement security upgrades following reports of abuse by the notorious North Korean Lazarus hackers, who recently conducted a $1.5 billion crypto heist.
- BleepingComputer: BleepingComputer - OKX suspends DEX aggregator after Lazarus hackers try to launder funds
- The DefendOps Diaries: OKX's Strategic Response to Cyber Threats: A Comprehensive Security Overhaul
- securityonline.info: Web3 Laundering Fears: OKX Suspends Platform Amidst Scrutiny
- www.scworld.com: OKX tool leveraged by Lazarus Group briefly taken down
Lorenzo Franceschi-Bicchierai@techcrunch.com
//
The U.S. Secret Service, in collaboration with international law enforcement agencies, has seized the domain of the Russian cryptocurrency exchange Garantex. This action was part of an ongoing investigation and involved agencies such as the Department of Justice's Criminal Division, the FBI, Europol, the Dutch National Police, the German Federal Criminal Police Office, the Frankfurt General Prosecutor's Office, the Finnish National Bureau of Investigation, and the Estonian National Criminal Police. The Secret Service confirmed the seizure of website domains associated with Garantex's administration and operation.
The seizure warrant was obtained by the US Attorney's Office for the Eastern District of Virginia. Garantex had previously been sanctioned by the U.S. in April 2022, due to its association with illicit activities. Authorities have linked over $100 million in transactions on the exchange to criminal enterprises and dark web markets, including substantial sums connected to the Conti ransomware gang and the Hydra online drug marketplace.
References :
- bsky.app: The US Secret Service has seized the domain of the sanctioned Russian cryptocurrency exchange Garantex in collaboration with the Department of Justice's Criminal Division, the FBI, and Europol.
- The Register - Security: International cops seize ransomware crooks' favorite Russian crypto exchange
- infosec.exchange: UPDATE: Secret Service spokesperson told us that it "has seized website domains associated with the administration and operation of Russian cryptocurrency exchange, Garantex as part of an ongoing investigation."
- Zack Whittaker: NEW: Russian crypto exchange Garantex has been seized by the U.S. Secret Service during an international law enforcement operation. FBI declined to comment; Secret Service didn't respond, but Garantex's domain is now pointing to nameservers run by the Secret Service. More from :
- securityaffairs.com: International law enforcement operation seized the domain of the Russian crypto exchange Garantex
- The Register - Security: Uncle Sam charges alleged Garantex admins after crypto-exchange web seizures
- infosec.exchange: NEW: The U.S. government has accused two administrators of Russian crypto exchange Garantex of facilitating money laundering for terrorists and cybercriminals. Aleksej Besciokov and Aleksandr Mira Serda allegedly knew they were helping ransomware hackers as well as DPRK's Lazarus Group. Besciokov is also accused of conspiracy to violate U.S. sanctions.
- The Hacker News: U.S. Secret Service Seizes Russian Garantex Crypto Exchange Website
- infosec.exchange: NEW: U.S. Secret Service and other international law enforcement agencies have seized the website of Russian crypto exchange Garantex. Garantex had previously been sanctioned by the U.S. government for being associated with ransomware gangs like Conti and darknet markets, as well as by the European Union for ties to sanctioned Russian banks.
- The DefendOps Diaries: International Collaboration in the Takedown of Garantex
- Threats | CyberScoop: The Department of Justice also indicted two men tied to the exchange.
- BleepingComputer: The administrators of the Russian Garantex crypto-exchange have been charged in the United States with facilitating money laundering for criminal organizations and violating sanctions.
- techcrunch.com: US charges admins of Garantex for allegedly facilitating crypto money laundering for terrorists and hackers
- Metacurity: Law enforcement took down hacker-friendly Russian crypto exchange Garantex
- www.scworld.com: Global law enforcement crackdown hits Russian crypto exchange Garantex
- securityonline.info: Secret Service-Led Operation Seizes Garantex Cryptocurrency Exchange
- techcrunch.com: Russian crypto exchange Garantex seized by law enforcement operation
- Jon Greig: US officials charged Aleksej Besciokov and Aleksandr Mira Serda on Friday for their roles at Garantex They also made copies of Garantex’s customer and accounting databases before servers were seized by German and Finnish officials
- infosec.exchange: NEW: After authorities took down the domains of Russian crypto exchange Garantex, and charged two of its administrators for facilitating money laundering, the company is now inviting customers for "face-to-face meetings" at its headquarters. 🤔
- hackread.com: Garantex Crypto Exchange Seized, Two Charged in Laundering Scheme
- techcrunch.com: Following takedown operation, Garantex invites customers to ‘face-to-face’ Moscow meeting
- BrianKrebs: Scoop: Alleged Co-Founder of sanctioned cryptocurrency exchange Garantex arrested in India. Authorities in India today arrested the alleged co-founder of Garantex, a cryptocurrency exchange sanctioned by the U.S. government in 2022 for facilitating tens of billions of dollars in money laundering by transnational criminal and cybercriminal organizations. Sources close to the investigation told KrebsOnSecurity the Lithuanian national Aleksej Besciokov, 46, was apprehended while vacationing on the coast of India with his family.
- Security | TechRepublic: Long Arm of the Law Comes for Russian Crypto: Why Secret Service Seized Garantex
- BleepingComputer: Garantex crypto exchange admin arrested while on vacation
- Chainalysis: International Action Dismantles Notorious Russian Crypto Exchange Garantex
- The DefendOps Diaries: International Crackdown on Garantex: Implications for the Crypto Industry