{"total":1181,"returned":25,"filters":{"country":"KP","sanctioned":false,"limit":500},"bySource":{"mitre":174,"misp":964,"ransomwatch":216,"sanctions":6},"byCountry":[{"country":"CN","count":198},{"country":"RU","count":75},{"country":"IR","count":52},{"country":"KP","count":25},{"country":"PS","count":9},{"country":"TR","count":7},{"country":"VN","count":6},{"country":"UA","count":6},{"country":"US","count":5},{"country":"IL","count":5},{"country":"IN","count":4},{"country":"PK","count":4},{"country":"Unknown","count":4},{"country":"BY","count":4},{"country":"LB","count":3},{"country":"BR","count":3},{"country":"NG","count":3},{"country":"ID","count":3},{"country":"KR","count":2},{"country":"AE","count":2},{"country":"RO","count":2},{"country":"MY","count":2},{"country":"ES","count":2},{"country":"TN","count":2},{"country":"SY","count":2}],"byMotive":[{"motive":"ransomware","count":215},{"motive":"Espionage","count":85},{"motive":"Hacktivists-Nationalists","count":5},{"motive":"Cybercrime","count":2},{"motive":"Sabotage","count":2},{"motive":["Espionage","Sabotage"],"count":1},{"motive":"Extortion","count":1},{"motive":["Denial of service"],"count":1},{"motive":"Denial of service","count":1},{"motive":"Business Email Compromise","count":1},{"motive":["Denial of service"],"count":1},{"motive":"mainly financially motivated, additional espionage objective.","count":1},{"motive":["Denial of service"],"count":1},{"motive":"state-sponsored espionage and financially motivated","count":1},{"motive":"Information Operations","count":1}],"groups":[{"name":"Kimsuky","aliases":["APT43","Black Banshee","Velvet Chollima","Emerald Sleet","THALLIUM","Thallium","Operation Stolen Pencil","G0086","Springtail","Sparkling Pisces"],"description":"[Kimsuky](https://attack.mitre.org/groups/G0094) is a Democratic People's Republic of Korea (DPRK)-based cyber espionage group that has been active since at least 2012. 
The group initially targeted South Korean government agencies, think ta","targetSectors":["Research - Innovation","Energy","Defense","Diplomacy","Academia - University ","News - Media","Government","Private sector"],"suspectedVictims":["Ministry of Unification","Sejong Institute","Korea Institute for Defense Analyses","Germany"],"refs":["https://securelist.com/the-kimsuky-operation-a-north-korean-apt/57915/","https://www.cfr.org/interactive/cyber-operations/kimsuky","https://www.pwc.co.uk/issues/cyber-security-data-privacy/research/tracking-kimsuky-north-korea-based-cyber-espionage-group-part-2.html","https://youtu.be/hAsKp43AZmM?t=1027","https://www.bloomberglaw.com/document/public/subdoc/X67FPNDOUBV9VOPS35A4864BFIU?imagename=1","https://www.netscout.com/blog/asert/stolen-pencil-campaign-targets-academia","https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/","https://attack.mitre.org/groups/G0086/","https://us-cert.cisa.gov/ncas/alerts/aa20-301a","https://www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite","https://mandiant.widen.net/s/zvmfw5fnjs/apt43-report","https://asec.ahnlab.com/en/57873/","https://asec.ahnlab.com/en/61082/","https://www.rewterz.com/rewterz-news/rewterz-threat-alert-north-korean-apt-kimsuky-aka-black-banshee-active-iocs-29/","https://www.sentinelone.com/labs/a-glimpse-into-future-scarcruft-campaigns-attackers-gather-strategic-intelligence-and-target-cybersecurity-professionals/","https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Cyber-Sicherheitslage/Analysen-und-Prognosen/Threat-Intelligence/Aktive_APT-Gruppen/aktive-apt-gruppen_node.html","https://ctoatncsc.substack.com/p/cto-at-ncsc-summary-week-ending-may-16b","https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/springtail-kimsuky-backdoor-espionage","https://unit42.paloaltonetworks.com/kimsuky-new-keylogger-backdoor-variant/","https://www.mandiant.com/resources/blog/apt43-nor
th-korea-cybercrime-espionage"],"sources":["mitre","misp"],"cves":["CVE-2020-0688"],"leakSites":[],"mitreId":"G0094","attackUrl":"https://attack.mitre.org/groups/G0094","techniqueCount":130,"softwareCount":19,"country":"KP","suspectedStateSponsor":"Korea (Democratic People's Republic of)","motive":"Espionage"},{"name":"Lazarus Group","aliases":["Labyrinth Chollima","HIDDEN COBRA","Guardians of Peace","ZINC","NICKEL ACADEMY","Operation DarkSeoul","Dark Seoul","Hidden Cobra","Hastati Group","Andariel","Unit 121","Bureau 121"],"description":"[Lazarus Group](https://attack.mitre.org/groups/G0032) is a North Korean state-sponsored cyber threat group attributed to the Reconnaissance General Bureau (RGB).   [Lazarus Group](https://attack.mitre.org/groups/G0032) has been active sinc","targetSectors":["Government","Private sector"],"suspectedVictims":["South Korea","Bangladesh Bank","Sony Pictures Entertainment","United States","Thailand","France","China","Hong Kong","United Kingdom","Guatemala","Canada","Bangladesh","Japan","India","Germany","Brazil","Australia","Cryptocurrency exchanges in South 
Korea"],"refs":["https://threatpost.com/operation-blockbuster-coalition-ties-destructive-attacks-to-lazarus-group/116422/","https://www.us-cert.gov/ncas/alerts/TA17-164A","https://www.us-cert.gov/ncas/alerts/TA17-318A","https://www.us-cert.gov/ncas/alerts/TA17-318B","https://securelist.com/operation-applejeus/87553/","https://securelist.com/lazarus-under-the-hood/77908/","https://www.us-cert.gov/HIDDEN-COBRA-North-Korean-Malicious-Cyber-Activity","https://www.mcafee.com/enterprise/en-us/assets/white-papers/wp-dissecting-operation-troy.pdf","https://www.bleepingcomputer.com/news/security/north-korean-hackers-are-up-to-no-good-again/","https://www.cfr.org/interactive/cyber-operations/lazarus-group","https://www.cfr.org/interactive/cyber-operations/operation-ghostsecret","https://www.cfr.org/interactive/cyber-operations/compromise-cryptocurrency-exchanges-south-korea","https://www.bleepingcomputer.com/news/security/lazarus-group-deploys-its-first-mac-malware-in-cryptocurrency-exchange-hack/","https://content.fireeye.com/apt/rpt-apt38","https://blog.malwarebytes.com/threat-analysis/2019/03/the-advanced-persistent-threat-files-lazarus-group/","https://www.theguardian.com/world/2009/jul/08/south-korea-cyber-attack","https://web.archive.org/web/20131123012339/https://www.symantec.com/connect/blogs/trojankoredos-comes-unwelcomed-surprise","https://www.nytimes.com/2013/03/21/world/asia/south-korea-computer-network-crashes.html","https://web.archive.org/web/20130607233212/https://www.symantec.com/connect/blogs/south-korean-financial-companies-targeted-castov","https://web.archive.org/web/20130701021735/https://www.symantec.com/connect/blogs/four-years-darkseoul-cyberattacks-against-south-korea-continue-anniversary-korean-war"],"sources":["mitre","misp"],"cves":["CVE-2018-4878"],"leakSites":[],"mitreId":"G0032","attackUrl":"https://attack.mitre.org/groups/G0032","techniqueCount":93,"softwareCount":26,"country":"KP","suspectedStateSponsor":"Korea (Democratic People's Republic 
of)","motive":["Espionage","Sabotage"]},{"name":"Contagious Interview","aliases":["WageMole","DeceptiveDevelopment","Gwisin Gang","Tenacious Pungsan","DEV#POPPER","PurpleBravo","Famous Chollima","UNC5267","Wagemole","Nickel Tapestry","Storm-1877","Void Dokkaebi"],"description":"[Contagious Interview](https://attack.mitre.org/groups/G1052) is a North Korea–aligned threat group active since 2023. The group conducts both cyberespionage and financially motivated operations, including the theft of cryptocurrency and us","targetSectors":[],"suspectedVictims":[],"refs":["https://unit42.paloaltonetworks.com/two-campaigns-by-north-korea-bad-actors-target-job-hunters/","https://unit42.paloaltonetworks.com/fake-north-korean-it-worker-activity-cluster/","https://www.trendmicro.com/en_us/research/25/d/russian-infrastructure-north-korean-cybercrime.html","https://jp.security.ntt/insights_resources/tech_blog/en-waterplum-ottercookie/","https://www.zscaler.com/blogs/security-research/pyongyang-your-payroll-rise-north-korean-remote-workers-west","https://about.gitlab.com/blog/gitlab-threat-intelligence-reveals-north-korean-tradecraft/","https://www.sentinelone.com/labs/contagious-interview-threat-actors-scout-cyber-intel-platforms-reveal-plans-and-ops/","https://www.microsoft.com/en-us/security/blog/2026/03/11/contagious-interview-malware-delivered-through-fake-developer-job-interviews/","https://attack.mitre.org/groups/G1052/"],"sources":["mitre","misp"],"cves":[],"leakSites":[],"mitreId":"G1052","attackUrl":"https://attack.mitre.org/groups/G1052","techniqueCount":54,"softwareCount":4,"country":"KP"},{"name":"APT37","aliases":["InkySquid","ScarCruft","Reaper","Group123","TEMP.Reaper","APT 37","Group 123","Operation Daybreak","Operation Erebus","Reaper Group","Red Eyes","Ricochet Chollima"],"description":"[APT37](https://attack.mitre.org/groups/G0067) is a North Korean state-sponsored cyber espionage group that has been active since at least 2012. 
The group has targeted victims primarily in South Korea, but also in Japan, Vietnam, Russia, Ne","targetSectors":["Government","Private sector"],"suspectedVictims":["South Korea","Japan","Vietnam"],"refs":["https://www.volexity.com/blog/2021/08/17/north-korean-apt-inkysquid-infects-victims-using-browser-exploits/","https://www.fireeye.com/blog/threat-research/2018/02/apt37-overlooked-north-korean-actor.html","https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf","http://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html","https://twitter.com/mstoned7/status/966126706107953152","https://www.cfr.org/interactive/cyber-operations/apt-37","https://www.bleepingcomputer.com/news/security/report-ties-north-korean-attacks-to-new-malware-linked-by-word-macros/","https://unit42.paloaltonetworks.com/unit42-freemilk-highly-targeted-spear-phishing-campaign/","https://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html","https://attack.mitre.org/groups/G0067/","https://securelist.com/cve-2016-4171-adobe-flash-zero-day-used-in-targeted-attacks/75082/","https://securelist.com/operation-daybreak/75100/","https://securelist.com/scarcruft-continues-to-evolve-introduces-bluetooth-harvester/90729/","https://threatpost.com/scarcruft-apt-group-used-latest-flash-zero-day-in-two-dozen-attacks/118642/","https://unit42.paloaltonetworks.com/atoms/moldypisces/"],"sources":["mitre","misp"],"cves":["CVE-2021-26411","CVE-2020-26411","CVE-2020-1380","CVE-2018-4878","CVE-2017-0199"],"leakSites":[],"mitreId":"G0067","attackUrl":"https://attack.mitre.org/groups/G0067","techniqueCount":29,"softwareCount":13,"country":"KP","suspectedStateSponsor":"Korea (Democratic People's Republic of)"},{"name":"Andariel","aliases":["Silent Chollima","PLUTONIUM","Onyx Sleet","OperationTroy","Guardian of Peace","GOP","WHOis Team","Subgroup: Andariel"],"description":"[Andariel](https://attack.mitre.org/groups/G0138) is a North Korean state-sponsored threat group that has been active since at 
least 2009. [Andariel](https://attack.mitre.org/groups/G0138) has primarily focused its operations--which have in","targetSectors":[],"suspectedVictims":[],"refs":["https://docs.huihoo.com/rsaconference/usa-2014/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries-final.pdf","https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/"],"sources":["mitre","misp"],"cves":[],"leakSites":[],"mitreId":"G0138","attackUrl":"https://attack.mitre.org/groups/G0138","techniqueCount":12,"softwareCount":2,"country":"KP"},{"name":"AppleJeus","aliases":["UNC4736","Gleaming Pisces","Citrine Sleet","UNC1720"],"description":"[AppleJeus](https://attack.mitre.org/groups/G1049) is a North Korean state-sponsored threat group attributed to the Reconnaissance General Bureau. Associated with the broader [Lazarus Group](https://attack.mitre.org/groups/G0032) umbrella o","targetSectors":[],"suspectedVictims":[],"refs":["https://www.mandiant.com/resources/blog/3cx-software-supply-chain-compromise"],"sources":["mitre","misp"],"cves":[],"leakSites":[],"mitreId":"G1049","attackUrl":"https://attack.mitre.org/groups/G1049","techniqueCount":2,"softwareCount":0,"country":"KP"},{"name":"TEMP.Hermit","aliases":[],"description":"","targetSectors":[],"suspectedVictims":[],"refs":["https://www.fireeye.com/blog/threat-research/2018/02/attacks-leveraging-adobe-zero-day.html"],"sources":["misp"],"cves":[],"leakSites":[],"country":"KP"},{"name":"OnionDog","aliases":[],"description":"This threat actor targets the South Korean government, transportation, and energy sectors.","targetSectors":["Government","Private sector"],"suspectedVictims":["South 
Korea"],"refs":["http://news.softpedia.com/news/korean-energy-and-transportation-targets-attacked-by-oniondog-apt-501534.shtml","https://www.cfr.org/interactive/cyber-operations/onion-dog"],"sources":["misp"],"cves":[],"leakSites":[],"country":"KP","suspectedStateSponsor":"Unknown","motive":"Espionage"},{"name":"TA406","aliases":[],"description":"TA406 is engaging in malware distribution, phishing, intelligence collection, and cryptocurrency theft, resulting in a wide range of criminal activities.","targetSectors":["Government","Journalists","NGOs"],"suspectedVictims":["China","France","Germany","India","Japan","North America","Russia","South Africa","South Korea","United Kingdom"],"refs":["https://www.proofpoint.com/us/blog/threat-insight/triple-threat-north-korea-aligned-ta406-scams-spies-and-steals","https://www.proofpoint.com/us/blog/threat-insight/ta406-pivots-front"],"sources":["misp"],"cves":[],"leakSites":[],"country":"KP"},{"name":"TraderTraitor","aliases":["Jade Sleet","UNC4899","Pukchong"],"description":"TraderTraitor targets blockchain companies through spear-phishing messages. The group sends these messages to employees, particularly those in system administration or software development roles, on various communication platforms, intended to gain access to these start-up and high-tech companies. TraderTraitor may be the work of operators previously responsible for APT38 activity.","targetSectors":[],"suspectedVictims":[],"refs":["https://www.mandiant.com/resources/blog/north-korea-supply-chain","https://us-cert.cisa.gov/ncas/alerts/aa22-108a","https://www.mandiant.com/resources/blog/north-korea-cyber-structure-alignment-2023","https://cloud.google.com/blog/topics/threat-intelligence/cyber-threats-targeting-brazil"],"sources":["misp"],"cves":[],"leakSites":[],"country":"KP"},{"name":"TA444","aliases":[],"description":"TA444 is a North Korea state-sponsored threat actor that primarily focuses on financially motivated operations. 
They have been active since at least 2017 and have recently shifted their attention to targeting cryptocurrencies. TA444 employs various infection methods and has a diverse range of malware and backdoors at their disposal. They have been attributed to stealing hundreds of millions of dol","targetSectors":[],"suspectedVictims":[],"refs":["https://www.proofpoint.com/us/blog/threat-insight/ta444-apt-startup-aimed-at-your-funds","https://cyberscoop.com/north-korean-cryptocurrency-hackers-education-government/","https://www.darkreading.com/remote-workforce/north-korea-apt-swindled-1b-crypto-investors-2022"],"sources":["misp"],"cves":[],"leakSites":[],"country":"KP"},{"name":"Pearl Sleet","aliases":["DEV-0215","LAWRENCIUM"],"description":"Pearl Sleet is a nation state activity group based in North Korea that has been active since at least 2012. They primarily target defectors from North Korea and media organizations in carrying out their cyber espionage activities.","targetSectors":[],"suspectedVictims":[],"refs":["https://techcommunity.microsoft.com/t5/microsoft-defender-xdr-blog/monthly-news-december-2023/ba-p/3998431"],"sources":["misp"],"cves":[],"leakSites":[],"country":"KP"},{"name":"Ruby Sleet","aliases":["CERIUM"],"description":"Ruby Sleet is a threat actor linked to North Korea's Ministry of State Security. Cerium has been involved in spear-phishing campaigns, compromising devices, and conducting cyberattacks alongside other North Korean threat actors. They have also targeted companies involved in COVID-19 research and vaccine development.","targetSectors":[],"suspectedVictims":[],"refs":["https://blogs.microsoft.com/on-the-issues/2020/11/13/health-care-cyberattacks-covid-19-paris-peace-forum/"],"sources":["misp"],"cves":[],"leakSites":[],"country":"KP"},{"name":"Opal Sleet","aliases":["OSMIUM","Konni","Vedalia"],"description":"Konni is a threat actor associated with APT37, a North Korean cyber crime group. 
They have been active since 2012 and are known for their cyber-espionage activities. Konni has targeted various sectors, including education, government, business organizations, and the cryptocurrency industry. They have exploited vulnerabilities such as CVE-2023-38831 and have used malware like KonniRAT to gain contr","targetSectors":[],"suspectedVictims":[],"refs":["https://nsfocusglobal.com/the-new-apt-group-darkcasino-and-the-global-surge-in-winrar-0-day-exploits/","https://paper.seebug.org/3031/","https://www.rewterz.com/rewterz-news/rewterz-threat-alert-konni-apt-group-active-iocs-11","https://www.securonix.com/blog/stiffbizon-detection-new-attack-campaign-observed/","https://gbhackers.com/vedalia-apt-group-exploits/"],"sources":["misp"],"cves":[],"leakSites":[],"country":"KP"},{"name":"Storm-0530","aliases":["DEV-0530","H0lyGh0st"],"description":"H0lyGh0st is a North Korean threat actor that has been active since June 2021. They are responsible for developing and deploying the H0lyGh0st ransomware, which targets small-to-medium businesses in various sectors. The group employs \"double extortion\" tactics, encrypting data and threatening to publish it if the ransom is not paid. 
There are connections between H0lyGh0st and the PLUTONIUM APT gro","targetSectors":[],"suspectedVictims":[],"refs":["https://ics-cert.kaspersky.com/publications/reports/2023/03/24/apt-attacks-on-industrial-organizations-in-h2-2022/","https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-040a","https://blogs.blackberry.com/en/2022/08/h0lygh0st-ransomware","https://www.microsoft.com/security/blog/2022/07/14/north-korean-threat-actor-targets-small-and-midsize-businesses-with-h0lygh0st-ransomware/","https://www.picussecurity.com/resource/h0lygh0st-north-korean-threat-group-strikes-back-with-new-ransomware"],"sources":["misp"],"cves":[],"leakSites":[],"country":"KP"},{"name":"APT45","aliases":[],"description":"APT45 is a North Korean cyber threat actor that has been active since at least 2009. They have conducted espionage campaigns targeting government agencies and defense industries, as well as financially-motivated operations, including ransomware development. APT45 has targeted critical infrastructure, financial organizations, nuclear research facilities, and healthcare and pharmaceutical companies.","targetSectors":[],"suspectedVictims":[],"refs":["https://cloud.google.com/blog/topics/threat-intelligence/apt45-north-korea-digital-military-machine"],"sources":["misp"],"cves":[],"leakSites":[],"country":"KP"},{"name":"UNC2970","aliases":[],"description":"UNC2970 is a North Korean threat actor that primarily targets organizations through spear-phishing emails with job recruitment themes, often utilizing fake LinkedIn accounts to engage victims. The group employs the PLANKWALK backdoor and other malware families, leveraging compromised WordPress sites for command and control. 
They have been observed using BYOVD techniques to exploit vulnerable drive","targetSectors":[],"suspectedVictims":[],"refs":["https://www.mandiant.com/resources/blog/lightshow-north-korea-unc2970"],"sources":["misp"],"cves":[],"leakSites":[],"country":"KP"},{"name":"UAT-5394","aliases":[],"description":"UAT-5394 is a state-sponsored North Korean threat actor known for developing the MoonPeak RAT, which is based on XenoRAT. They have transitioned from using QuasarRAT to MoonPeak and have established command and control infrastructure. UAT-5394 employs tactics such as using RDP for remote access and has implemented State Machines in their malware to complicate analysis. Their activity indicates a f","targetSectors":[],"suspectedVictims":[],"refs":["https://blog.talosintelligence.com/moonpeak-malware-infrastructure-north-korea/"],"sources":["misp"],"cves":[],"leakSites":[],"country":"KP"},{"name":"Wassonite","aliases":[],"description":"WASSONITE is a North Korea-linked APT that has targeted industrial sectors, including electric generation, nuclear energy, manufacturing, and research entities in India, South Korea, and Japan since at least 2018. The group employs DTrack RAT for remote access, Mimikatz for credential capture, and various system tools for lateral movement and file transfers. WASSONITE has been observed using nucle","targetSectors":[],"suspectedVictims":[],"refs":["https://www.dragos.com/blog/2022-ics-ot-threat-landscape-recap-what-to-watch-for-this-year/","https://www.dragos.com/threat/wassonite/"],"sources":["misp"],"cves":[],"leakSites":[],"country":"KP"},{"name":"Larva-24005","aliases":[],"description":"Larva-24005 is a threat actor that breaches servers in Korea to establish a web server and PHP environment for phishing attacks, primarily targeting individuals involved with North Korea and university professors researching the regime. 
They exploit the BlueKeep vulnerability for initial access and utilize RDPWrap and a custom keylogger post-compromise. Phishing emails are crafted to appear as leg","targetSectors":[],"suspectedVictims":[],"refs":["https://asec.ahnlab.com/en/86535/"],"sources":["misp"],"cves":[],"leakSites":[],"country":"KP"},{"name":"puNK-003","aliases":[],"description":"puNK-003 is a North Korean APT group known for deploying the Lilith RAT, a sophisticated C++ remote access trojan, and its AutoIt variant, CURKON, which functions as a downloader. The group primarily distributes malware through targeted phishing attacks using malicious LNK files. Analysis indicates that puNK-003 shares similarities with the KONNI group, particularly in the use of AutoIt scripts an","targetSectors":[],"suspectedVictims":[],"refs":["https://trojan-killer.net/how-to-remove-lilith-rat-complete-removal-guide/","https://s2w.inc/en/resource/detail/581"],"sources":["misp"],"cves":[],"leakSites":[],"country":"KP"},{"name":"ELUSIVE COMET","aliases":[],"description":"ELUSIVE COMET is a threat actor responsible for significant cryptocurrency theft through sophisticated social engineering attacks, particularly leveraging Zoom's remote control feature. Their attack methodology involves manipulating legitimate workflows and exploiting human-centric vulnerabilities rather than technical flaws. The actor employs tactics such as social proof, time pressure, and inter","targetSectors":[],"suspectedVictims":[],"refs":["https://blog.trailofbits.com/2025/04/17/mitigating-elusive-comet-zoom-remote-control-attacks/"],"sources":["misp"],"cves":[],"leakSites":[],"country":"KP"},{"name":"UNC5342","aliases":[],"description":"UNC5342 is a North Korea-linked APT that employs the EtherHiding technique to deliver malware and facilitate cryptocurrency theft. 
The actor has been observed deploying EtherRAT and JADESNOW malware, utilizing transaction history as a Dead Drop Resolver to embed payloads directly into the calldata of blockchain transactions. Their operations involve leveraging centralized API services to interact ","targetSectors":[],"suspectedVictims":[],"refs":["https://cloud.google.com/blog/topics/threat-intelligence/dprk-adopts-etherhiding"],"sources":["misp"],"cves":[],"leakSites":[],"country":"KP"},{"name":"UNC1069","aliases":["MASAN","CryptoCore"],"description":"CryptoCore is a North Korean APT known for targeting cryptocurrency exchanges and financial institutions, employing spear-phishing techniques that lead to LONEJOGGER malware infections. The group has leveraged social engineering tactics, including deepfake technology and hijacked YouTube accounts, to execute sophisticated giveaway scams that deceive victims into sending cryptocurrencies. Their ope","targetSectors":[],"suspectedVictims":[],"refs":["https://www.mandiant.com/resources/blog/north-korea-cyber-structure-alignment-2023","https://www.spixnet.com/cybersecurity-blog/2023/04/03/newly-exposed-apt43-hacking-group-targeting-us-orgs-since-2018/","https://cloud.google.com/blog/topics/threat-intelligence/threat-actor-usage-of-ai-tools/"],"sources":["misp"],"cves":[],"leakSites":[],"country":"KP"},{"name":"Nickel Alley","aliases":[],"description":"NICKEL ALLEY is a North Korean threat group that targets technology professionals through fake job opportunities, employing social engineering tactics such as creating fraudulent LinkedIn pages and GitHub repositories for malware delivery. They utilize the ClickFix tactic to deploy the PyLangGhost RAT, which supports file exfiltration and system profiling, particularly focusing on Chrome cryptocur","targetSectors":[],"suspectedVictims":[],"refs":["https://www.sophos.com/en-us/blog/nickel-alley-strategy-fake-it-til-you-make-it"],"sources":["misp"],"cves":[],"leakSites":[],"country":"KP"}]}