Editor-In-Chief, BitDegree@bitdegree.org
//
The BitMEX cryptocurrency exchange has successfully thwarted an intrusion attempt orchestrated by the Lazarus Group, a notorious hacking organization with ties to North Korea. The exchange's security team detected the attack, preventing any compromise of their systems. In a significant countermove, BitMEX's security team managed to access one of the Lazarus Group's servers, providing valuable insights into their operations and tactics.
Researchers at BitMEX uncovered critical missteps made by the Lazarus Group during their campaigns, including exposed IP addresses and an accessible database. One key finding involved a rare slip-up where a hacker inadvertently revealed their real IP address, which was traced to Jiaxing, China. This location is near Shanghai and represents a notable lapse in security for the typically secretive group. BitMEX also blocked a phishing attempt linked to the Lazarus Group, where attackers posed as NFT partners on LinkedIn to trick one of its employees. The Lazarus Group's attack strategy often begins with relatively unsophisticated methods like phishing to gain initial access to targeted systems. In this case, the attackers invited a BitMEX employee to a private GitHub repository containing code for a fake Next.js/React website. The goal was to make the victim run the project, which included malicious code, on their computer. BitMEX emphasized that the "Lazarus Group" comprises multiple hacking teams under the control of the North Korean government, responsible for stealing significant sums of money through various cyberattacks. Recommended read:
References :
@www.silentpush.com
//
References:
gbhackers.com
, iHLS
,
North Korean operatives have infiltrated hundreds of Fortune 500 companies, posing a significant threat to IT infrastructure and sensitive data. Security experts revealed at the RSAC 2025 Conference that the infiltration extends across virtually every major corporation, with many Fortune 500 companies unknowingly employing North Korean technical workers. This alarming trend raises serious concerns about potential security breaches and data theft. The experts said that dozens of experts and law enforcement at RSA said the campaign is now out of control, impacting thousands of companies.
Even tech giant Google has detected North Korean technical workers in their talent pipeline as job candidates and applicants, although they have not been hired to date. "If you're not seeing this, it's because you're not detecting it, not because it's not happening to you," warned Iain Mulholland, senior director of security engineering at Google Cloud, emphasizing the universality of the threat. Insider risk management firm DTEX corroborated these findings, reporting that 7% of its customer base-representing a cross-section of the Fortune 2000-has been infiltrated by North Korean operatives working as full-time employees with privileged access. The North Korean IT worker scam has expanded beyond the tech and crypto industries and is now a threat to all companies. One cybersecurity expert even found evidence that a U.S. political campaign in Oregon hired a North Korean IT worker to build its website. Initially, the workers primarily focused on legitimate employment to generate funds for the regime in Pyongyang, but experts are now seeing a tactical shift toward extortion, which has been observed. Recommended read:
References :
@www.silentpush.com
//
North Korean hackers, identified as the Contagious Interview APT group, are running a sophisticated malware campaign targeting individuals seeking employment in the cryptocurrency sector. Silent Push threat analysts have uncovered the operation, revealing that the group, also known as Famous Chollima and a subgroup of Lazarus, is using three front companies—BlockNovas LLC, Angeloper Agency, and SoftGlide LLC—to spread malicious software. These companies are being used to lure unsuspecting job applicants into downloading malware through fake job interview opportunities, marking an evolution in the group's cyber espionage and financial gain tactics.
The campaign involves the distribution of three distinct malware strains: BeaverTail, InvisibleFerret, and OtterCookie. Job seekers are enticed with postings on various online platforms, including CryptoJobsList, CryptoTask, and Upwork. Once an application is submitted, the hackers send what appear to be legitimate interview-related files containing the malware. The attackers are also using AI-generated images to create employee profiles for these front companies, specifically using Remaker AI to fabricate realistic personas, enhancing the credibility of their fraudulent operations and making it harder for job seekers to differentiate between genuine and malicious opportunities. The use of these front companies and AI-generated profiles signifies a new escalation in the tactics employed by Contagious Interview. The malware, once installed, allows hackers to remotely access infected computers and steal sensitive data. The campaign leverages legitimate platforms like GitHub and various job boards to further enhance its deceptive nature. Silent Push's analysis has successfully traced the malware back to specific websites and internet addresses used by the hackers, including lianxinxiao[.]com, and uncovered a hidden online dashboard monitoring suspected BeaverTail websites, providing valuable insights into the operational infrastructure of this North Korean APT group. Recommended read:
References :
@nvd.nist.gov
//
Cyble Research and Intelligence Labs (CRIL) has uncovered a new ransomware operation dubbed "DOGE BIG BALLS Ransomware." This campaign uses a finance-themed ZIP file named "Pay Adjustment.zip" to trick users into executing malicious shortcut files. These files then trigger multi-stage PowerShell scripts, ultimately delivering custom payloads that include a kernel-mode exploit tool and reconnaissance modules. The ransomware itself is a modified version of Fog, further customized with a provocative name that references a known public figure.
The attention-grabbing name is likely a deliberate attempt to misdirect attention and create confusion, potentially questioning the effectiveness of governmental cybersecurity efforts. Despite the name's provocative nature, the attack mechanism is relatively simple. The ransomware is typically distributed via a compressed ZIP file, sometimes disguised as a PDF document. Once opened, the malicious payload bypasses traditional security defenses using obfuscation and anti-detection techniques. The DOGE Big Balls ransomware attack highlights the evolving tactics of cybercriminals, blending technical sophistication with psychological manipulation. It also demonstrates the increasing trend of ransomware attacks targeting the healthcare sector, as seen with the recent attack on DaVita, a Denver-based dialysis firm. This incident underscores the critical need for organizations to bolster their cybersecurity defenses and incident response capabilities to protect sensitive data and maintain operational continuity. Recommended read:
References :
Ddos@Daily CyberSecurity
//
North Korean Lazarus APT group has expanded its malicious activities within the npm ecosystem, deploying eleven new packages designed to deliver the BeaverTail malware and a new remote access trojan (RAT) loader. These malicious packages have been downloaded over 5,600 times before their removal, posing a significant risk to developer systems. The threat actors are utilizing previously identified aliases, as well as newly created accounts, to distribute these packages.
The campaign, dubbed "Contagious Interview," aims to compromise developer systems, steal sensitive credentials or financial assets, and maintain access to compromised environments. To evade detection, the attackers are employing hexadecimal string encoding and other obfuscation techniques. Some of the packages, such as "events-utils" and "icloud-cod," are linked to Bitbucket repositories, while others use command-and-control (C2) addresses previously associated with Lazarus Group campaigns, indicating the scale and coordination of this operation. Cybersecurity researchers are urging developers to be vigilant and carefully review all dependencies before installing them. The North Korean threat actors continue to create new npm accounts and deploy malicious code across platforms like the npm registry, GitHub, and Bitbucket, demonstrating their persistence and showing no signs of slowing down. This campaign highlights the increasing sophistication of supply chain attacks and the need for robust security measures to protect against such threats. Recommended read:
References :
|