NorthScan

Tomorrow is our talk at Insomni'hack. Excited to share our work!

⚠️ A fake job notice triggered full compromise in a Konni campaign. The attack drops EndRAT, enabling remote control, persistence, and silent data theft, then spreads via KakaoTalk messages from the victim’s account. Trusted contacts become the attack path. 🔗 Read → thehackernews.com/2026/03/konni-…

"First instance of PylangGhost RAT observed on npm" published by Kmsec. #FamousChollima, #PylangGhost, #DPRK, #CTI kmsec.uk/blog/pylanggho…

North Korean hackers deploy arsenal of six new malware in espionage campaign cstu.io/54faca

Huge thanks to @MauroEldritch and the team at ANY.RUN this research wouldn’t have been possible without their hard work and cooperation. Join us: insomnihack.ch/talks/smile-yo…

Excited to share that we’re presenting our research at InsomniHack 🎤 If you want the full deep dive, join us on March 19 at InsomniHack!

North Korean hackers exploit Google advertising links to steal data cstu.io/eca240

SEAL Intel investigator Heiner (@0xfigo) delves into the ever-changing world of DPRK IT Workers. The latest report uncovers a new strategy - enhancing job fraud with a scalable model of actively recruiting outside collaborators to bypass identity checks.

Russian Wagner Group-linked cargo jet makes rare flight to North Korea cstu.io/9cdc24

Top 10 last week's threats by uploads 🌐 ⬆️ #Xworm 944 (870) ⬇️ #Asyncrat 396 (413) ⬆️ #Vidar 371 (318) ⬇️ #Quasar 364 (395) ⬆️ #Stealc 354 (266) ⬆️ #Lumma 284 (282) ⬇️ #Remcos 213 (269) ⬆️ #Guloader 181 (179) ⬆️ #Agenttesla 173 (141) ⬇️ #Smoke 153 (158) Explore malware in action: #register" target="_blank" rel="nofollow noopener">app.any.run/?utm_source=tw… #Top10Malware

⚠️ #Lazarus Group’s Famous Chollima uses GitHub spam, fake recruiters, and AI interview tools to slip into finance, crypto, and healthcare companies as “IT workers”. 👨‍💻 Get a rare inside view of how these operatives work, communicate, and attempt to maintain access. See how #ANYRUN helped @BirminghamCyber & @north_scan reveal and analyze the hackers' toolchain and TTPs: any.run/cybersecurity-…

Press story from @nknewsorg here: nknews.org/pro/how-resear…

Thanks for taking the time to read and feature our research 🙌

Great talking to @MauroEldritch about the fascinating operation he, @north_scan and @anyrun_app carried out to dupe DPRK IT workers and expose their tools & techniques (while trolling them masterfully)! For more, check out @nknewsorg's story on their op: nknews.org/pro/share/b789…

@IntCyberDigest Thanks for sharing our research!

‼️🇰🇵 Meet North Korean recruiter 'Aaron,' who infiltrates Western companies by using AI and posing as a remote IT worker using stolen or rented identities. He was lured into a sandbox by researchers, who observed the wild APT in a controlled setting to see what he would do.

Glad to finally share our latest research into North Korean IT workers and their recent activity, published in collaboration with @MauroEldritch and the team at @anyrun_app Take a closer look at how these threat actors approach people, how they behave, and some of the tooling we observed.

@anyrun_app @BirminghamCyber Thanks for supporting this research!

🔴 LIVE from inside #Lazarus APT's IT workers scheme. For weeks, @BirminghamCyber & @north_scan kept #hackers believing they controlled a US dev's laptop. In reality, it was our sandbox recording everything. See full story and videos ⬇️ any.run/cybersecurity-…

@MauroEldritch @anyrun_app Read the full article here: any.run/cybersecurity-… Follow @north_scan for more research!