The Banshee Queen👑

3K posts

@cyberoverdrive

#threatintel @RecordedFuture but views are mine only. Ex @PwC_uk. Malware & infrastructure analysis with a side of cyberpunk 🌃🌌 She/her, support 🏳️‍🌈🏳️‍⚧️✨

Joined July 2019
820 Following · 2.4K Followers
The Banshee Queen👑 retweeted
NetAskari (@NetAskari)
@ZianTT_Official has found another data breach of Integrity Tech. We have no further information unfortunately, nor access to any of the data, so we can't assess the true nature and validity of the claim.
Michael R (@nahamike01)
Active cluster on Vultr/The Constant Company (AS20473) using ZeroSSL certs spoofing Kaspersky & McAfee. Tradecraft shows similarities to APT41; however, analysis is ongoing. 45.77.176[.]85 217.69.1[.]147 80.240.16[.]246 64.20.75[.]136 kasperskysecure[.]com McAfeeupdates[.]com
The Banshee Queen👑 retweeted
Security Alliance (@_SEAL_Org)
DPRK IT workers are now recruiting people on upwork/freelancer to hand over their accounts + install anydesk so they can work under someone else's identity
We found folders of IDs, recruitment scripts, and 80/20 payment splits.
This scales way better than individual infiltration & platforms need to detect the behavior (rmm tools, impossible travel) not just verify the identity.
Full research from SEAL Intel: radar.securityalliance.org/from-north-kor…
The Banshee Queen👑 retweeted
Tay 💖 (@tayvano_)
The DPRK IT Workers are increasingly using people to do their bidding on-demand rather than buying accounts / IDs. Happen to stumble on someone hunting for such plebs tonight. 😁
The Banshee Queen👑 retweeted
aptwhatnow (@aptwhatnow)
Large multilateral effort regarding DPRK Cyber Ops and the IT Work efforts. There is so much to unpack here and a lot of orgs/countries took a swing at it. Check it out and will post some pics for pizzazz. msmt.info/Publications/d…
The Banshee Queen👑 retweeted
Cookie Connoisseur (@browsercookies)
Thanks for the call out Matt Burgess! It's true, DPRK boyz are acting as architects, structural engineers, and stamping/approving designs in the United States for a quick dollar. They steal legitimate licenses and make up stamps. Time to do something. wired.com/story/north-ko…
The Banshee Queen👑 retweeted
bbsz (@blackbigswan)
Guide on how to make a #DPRK friend and get rekt for life in the process by being a North Korean mule.
1) They can initiate contact outside of the regular IT-related channels. Discord channels like "Learn Korean together", gaming communities etc.
2) They will continue to talk with you for months if they feel there's a chance you'll give them access to your PC (RDP), identity (real and digital) or run chores (go for interviews) for them. They will complain it's hard to do work in US/EU from their location.
3) They will act friendly but extremely pushy. They have a scenario to follow but they will improvise too. They will try to make themselves more credible by sending you some money ("for a new PC").
4) It will sometimes feel like you're talking with a few different people, because you are.
5) They will jump on the call without any issues. The usual DPRK-call tactics apply.
Cookie Connoisseur (@browsercookies)

@0dongfeng
Book flight to DPRK
Take propaganda posters and pictures
Try to leave DPRK with them
Enjoy life with DPRK frenz
The Banshee Queen👑 retweeted
Cookie Connoisseur (@browsercookies)
How do you catch a DPRK actor you ask? Here are a few things to think about; 1. They love to use a VPN when applying for jobs. Check your HR system.
The Banshee Queen👑 retweeted
CYBERWARCON (@CYBERWARCON)
Congratulations to Dakota Cary and Adam Meyers on being named to the 2025 CyberScoop 50 Awards! Both are past CYBERWARCON speakers who make an impact in the cyber community. Dakota Cary — Most Inspiring Up & Comer Adam Meyers — Industry Leadership cyberscoop.com/2025-cyberscoo…
The Banshee Queen👑 retweeted
ZachXBT (@zachxbt)
11/ The main challenges faced in fighting DPRK ITWs at companies include the lack of collaboration between services and the private sector. There’s also the negligence by the teams hiring them who become combative when alerted.
ITWs are in no way sophisticated but are persistent since there’s so many flooding the job market globally for roles.
Payoneer is commonly being used to convert fiat into crypto from dev work.
I have already covered multiple times on indicators of what to look out for so I will not repeat those again.
The Banshee Queen👑 retweeted
ZachXBT (@zachxbt)
1/ An unnamed source recently compromised a DPRK IT worker device which provided insights into how a small team of five ITWs operated 30+ fake identities with government IDs and purchased Upwork/LinkedIn accounts to obtain developer jobs at projects.
The Banshee Queen👑 retweeted
Gi7w0rm (@Gi7w0rm)
Quick analysis of new #ToolShell payload observed by @leak_ix: Payload is a .dll executed in memory. Sha-256: 3461da3a2ddcced4a00f87dcd7650af48f97998a3ac9ca649d7ef3b7332bd997 It collects System Info and the sensitive machine key. Sends back in response. Single Request takeover.
Gi7w0rm (@Gi7w0rm)

⚠️ New payload in relation to #ToolShell. Attackers now don't need the static file anymore, leaking keys from memory without leaving the file. This means the existence of a file is not a reliable IoC anymore.
The Banshee Queen👑 retweeted
Tay 💖 (@tayvano_)
I'm personally aware of 44 different crypto companies that these 9 guys have worked between 2020 and today. No less than 18 of those projects were subsequently hacked. (More were probably hacked but it was hidden from public view.) Bro.
The Banshee Queen👑 retweeted
Tay 💖 (@tayvano_)
Your remote employee "Jack" who has "9 years of rich experience developing blockchain" and a 3-6 month old github is a DPRK IT Worker. His buddy, with a brand new github called "jacky-[projectname]-dev", is also a DPRK IT Worker.