North Korean Threat Actor BlueNoroff Targets Web3 Sector

The April 1, 2026, $285 million Drift Protocol loss was part of a broader campaign by North Korea-linked Lazarus Group (TraderTraitor) targeting DeFi protocols. On April 18, 2026, the group executed a $290 million heist against KelpDAO by exploiting its cross-chain verification layer (DVN) via compromised RPC nodes, falsified data injection, and DDoS attacks, laundering funds through Tornado Cash. The attack paused KelpDAO’s rsETH contracts, froze Aave’s rsETH collateral usage, and was isolated to rsETH without broader contagion. Drift Protocol’s Security Council hijacking, attributed to UNC4736 (AppleJeus/Labyrinth Chollima), and KelpDAO’s DVN compromise both align with Lazarus Group’s pattern of sophisticated state-sponsored attacks on DeFi infrastructure.

North Korean state-sponsored hackers, primarily the Lazarus Group and its Bluenoroff (APT38) subgroup, continue to aggressively target cryptocurrency-adjacent entities to fund the regime’s illicit activities. As of March 2026, confirmed thefts in 2025 exceeded $2 billion, with cumulative losses since 2017 surpassing $6.75 billion. Recent attacks now include e-commerce platforms like Bitrefill, where North Korean operators compromised employee devices to steal cryptocurrency and gift-card inventory. Investigations increasingly reveal sophisticated persistence, cross-chain laundering, and multi-vector social engineering, alongside new enforcement actions targeting facilitators in the U.S. Prior milestones include the record-setting Bybit breach in February 2025 ($1.5B), multiple exchange compromises (e.g., Upbit, BitoPro), and the conviction of five individuals for aiding North Korean IT worker fraud schemes that generated over $2.2M for the regime. North Korean hackers also continue to refine laundering pathways—employing mixers, bridges, obscure blockchains, and custom tokens—over approximately 45-day cycles. U.S. authorities have sought forfeiture of $15M in stolen crypto linked to APT38 and are dismantling ancillary networks used to funnel revenue to Pyongyang.

The North Korean Lazarus Group (UNC1069, also tracked as WaterPlum) continues to expand its operations with new malware and refined tactics targeting the cryptocurrency and defense sectors. Recent activity includes the deployment of StoatWaffle, a modular malware delivered via malicious Visual Studio Code (VS Code) projects, which abuses auto-run tasks to maintain persistence and execute next-stage payloads. The malware includes stealer and RAT modules, targeting sensitive data such as browser credentials and iCloud Keychain on macOS. The threat actor has also disseminated additional malware families—including PylangGhost, PolinRider, and FlexibleFerret (WeaselStore)—through npm packages, GitHub repositories, and staged recruitment processes. Targets include founders, CTOs, and senior engineers in cryptocurrency and Web3 sectors, often approached via LinkedIn or fake job interviews. Microsoft has introduced mitigations in VS Code (v1.109/1.110) to block auto-run tasks, addressing abuse of the 'tasks.json' file. The campaign overlaps with previously documented activity by UNC1069 and GhostCall, highlighting the group's persistent focus on the open-source ecosystem and cross-platform attacks.

A rapidly spreading phishing campaign is targeting Windows users and Booking.com partner accounts worldwide, stealing credentials and deploying various remote access trojans (RATs) using malicious JavaScript files and PowerShell commands. The campaign affects multiple sectors, including manufacturing, technology, healthcare, construction, retail/hospitality, and the hospitality industry. The attackers use personalized phishing pages and socially engineered scenarios to lure victims into downloading the malware. The campaign involves multiple stages, including an initial obfuscated script, a spoofed site, and the deployment of RATs such as PureHVNC, DCRat, and Babylon RAT. The attackers employ sophisticated techniques to evade detection and maintain long-term access to compromised networks. The campaign has been observed in countries including Austria, Belarus, Canada, Egypt, India, and Pakistan. The phishing emails use themes related to voicemail messages, purchases, and banking verification issues to deceive recipients into clicking on malicious links. The initial payload is a ZIP archive containing an obfuscated JavaScript file that acts as a dropper for UpCrypter, which functions as a conduit for various RATs. The malware uses steganography to embed the final payload within a harmless-looking image and includes anti-analysis and anti-virtual machine checks to evade detection. The malware is executed without writing to the file system, minimizing forensic traces. The campaign is part of a larger trend where threat actors abuse legitimate services for phishing attacks. A new campaign impersonates Ukrainian government agencies to deliver CountLoader, which drops Amatera Stealer and PureMiner. The phishing emails contain malicious SVG files designed to trick recipients into opening harmful attachments. The SVG files initiate the download of a password-protected ZIP archive containing a CHM file, which activates CountLoader. CountLoader drops various payloads, including Cobalt Strike, AdaptixC2, and PureHVNC RAT, and in this case, Amatera Stealer and PureMiner. Amatera Stealer gathers system information, collects files, and harvests data from various applications and browsers. A Vietnamese-speaking threat group uses phishing emails with copyright infringement notice themes to deploy PXA Stealer, which evolves into PureRAT. PureRAT is a modular, professionally developed backdoor that gives attackers complete control over a compromised host. The campaign demonstrates a progression from simple phishing lures to multi-layered infection sequences involving defense evasion and credential theft. The attack chain begins with a ZIP archive containing a legitimate PDF reader executable and a malicious DLL, using DLL sideloading to execute the next payload. The malware employs multiple stages of obfuscation, including Base64 encoding, steganography, and anti-analysis techniques to evade detection. The campaign uses a combination of Python scripts and .NET executables to achieve its objectives, demonstrating a progression from simple phishing lures to multi-layered infection sequences. The final payload, PureRAT, is a modular, professionally developed backdoor that provides complete control over a compromised host. The threat actor uses Telegram bot descriptions and URL shorteners to dynamically fetch and execute the next payload, allowing for flexible updates to the attack chain. The malware includes defense evasion techniques such as AMSI patching and ETW unhooking to avoid detection by security tools. The campaign is attributed to a Vietnamese-speaking threat group associated with the PXA Stealer malware family, using infrastructure traced to Vietnam. The threat actor demonstrates proficiency in multiple languages and techniques, including Python bytecode loaders, WMI enumeration, .NET process hollowing, and reflective DLL loading. The pivot from a custom-coded stealer to a commercial RAT like PureRAT lowers the barrier to entry for the attacker, providing access to a stable, feature-rich toolkit. A large-scale phishing operation has been targeting Booking.com partner accounts since at least April 2025. The campaign exploits hotel systems and customer data, using a sophisticated malware campaign. The intrusion begins with malicious emails sent from legitimate hotel accounts or impersonating Booking.com, leading victims to execute a PowerShell command that downloads PureRAT. PureRAT allows attackers to remotely control infected machines, steal credentials, capture screenshots, and exfiltrate sensitive data. The malware initially targets hotel staff to steal login credentials for booking platforms, which are then used in fraudulent schemes. The campaign demonstrates the growing professionalization of cybercrime targeting the hospitality industry, with hundreds of malicious domains active as of October 2025. The firm continues to monitor adversary infrastructure and improve detection methods to help protect booking platforms and their customers. Researchers have uncovered a broad campaign in which threat actors target hotels with ClickFix attacks to steal customer data as part of ongoing attacks against the hospitality sector that includes secondary attacks against the establishments' customers. The initial attack against hotels uses a compromised email account to send malicious messages to multiple hotel establishments. In some instances, attackers alter the "From" header to impersonate Booking.com, while subject lines are often related to guest matters, including references to last-minute booking, listings, reservations, and the like. The attack chain then uses a redirection URL that ultimately leads to a ClickFix reCAPTACHA challenge in which users are prompted to copy a malicious PowerShell command. This command eventually leads to the deployment of infostealing and remote access Trojan (RAT) malware. The campaign has led to secondary attacks against hotel customers, with attackers contacting them via WhatsApp or email using legitimate reservation details of the target. Attackers then ask victims to validate banking details by visiting a URL, which leads to the phishing page that mimics Booking.com’s typography and layout and which harvests the victim’s banking information. A Russian-speaking threat behind an ongoing, mass phishing campaign has registered more than 4,300 domain names since the start of the year. The activity, per Netcraft security researcher Andrew Brandt, is designed to target customers of the hospitality industry, specifically hotel guests who may have travel reservations with spam emails. The campaign is said to have begun in earnest around February 2025. Of the 4,344 domains tied to the attack, 685 domains contain the name "Booking", followed by 18 with "Expedia," 13 with "Agoda," and 12 with "Airbnb," indicating an attempt to target all popular booking and rental platforms. The ongoing campaign employs a sophisticated phishing kit that customizes the page presented to the site visitor depending on a unique string in the URL path when the target first visits the website. The customizations use the logos from major online travel industry brands, including Airbnb and Booking.com. The attack begins with a phishing email urging recipients to click on a link to confirm their booking within the next 24 hours using a credit card. Should they take the bait, the victims are taken to a fake site instead after initiating a chain of redirects. These bogus sites follow consistent naming patterns for their domains, featuring phrases like confirmation, booking, guestcheck, cardverify, or reservation to give them an illusion of legitimacy. The pages support 43 different languages, allowing the threat actors to cast a wide net. The page then instructs the victim to pay a deposit for their hotel reservation by entering their card information. In the event that any user directly attempts to access the page without a unique identifier called AD_CODE, they are greeted with a blank page. The bogus sites also feature a fake CAPTCHA check that mimics Cloudflare to deceive the target. The ongoing campaign employs a sophisticated phishing kit that customizes the page presented to the site visitor depending on a unique string in the URL path when the target first visits the website. The customizations use the logos from major online travel industry brands, including Airbnb and Booking.com. The attack begins with a phishing email urging recipients to click on a link to confirm their booking within the next 24 hours using a credit card. Should they take the bait, the victims are taken to a fake site instead after initiating a chain of redirects. These bogus sites follow consistent naming patterns for their domains, featuring phrases like confirmation, booking, guestcheck, cardverify, or reservation to give them an illusion of legitimacy. The pages support 43 different languages, allowing the threat actors to cast a wide net. The page then instructs the victim to pay a deposit for their hotel reservation by entering their card information. In the event that any user directly attempts to access the page without a unique identifier called AD_CODE, they are greeted with a blank page. The bogus sites also feature a fake CAPTCHA check that mimics Cloudflare to deceive the target. The campaign uses a unique identifier called AD_CODE to ensure consistent branding across pages. The phishing pages attempt to process a transaction in the background while displaying a support chat window for 3D Secure verification. The identity of the threat group remains unknown, but Russian is used in source code comments and debugger output. The campaign is linked to a previous phishing campaign targeting the hospitality industry with PureRAT malware. The phishing kit is a fully automated, multi-stage platform designed for efficiency and stealth. The phishing kit employs CAPTCHA filtering to evade security scans and uses Telegram bots to exfiltrate stolen credentials and payment information. The ongoing trojan malware campaign designed to take control of systems and steal sensitive information is being generated with the aid of AI. PureRAT is a full-featured remote access trojan (RAT) and infostealer which first emerged last year. It has recently been spotted being distributed via malicious links in phishing emails which pose as job opportunities. Analysis by Symantec and Carbon Black Threat Hunter Team has concluded that the cybercriminals behind PureRAT are using AI tools to write scripts and code. One of the reasons for this conclusion is that sections of the code powering PureRAT contain emojis. Many AIs have a tendency to insert emojis in code comments because they’ve been trained using data from social platforms such as Reddit. In addition, sections of the code appear to contain explanatory comments, debug messages and reminders. For example, one section of the code contains the line “Remember to paste the base64-encoded HVNC shellcode here”. It’s likely that these are instructions by an AI tool which those behind PureRAT have failed to remove from the scripts. Aside from Emojis, detailed comments on nearly every line of the script are usually a giveaway that it was authored by AI. While we do see attackers occasionally leaving notes for themselves, we'd hardly ever see something like a full sentence. Nonetheless, despite the leftover AI-generated instructions, PureRAT is a potent, widely distributed malware threat. The malware provides cybercriminals with the ability to stealthy maintain a remote presence on an infected machine, which the attackers can use to either steal data for themselves or sell access to compromised machines to others. The attacker may be casting their net for jobseekers in multiple countries in the hope that they open the emails on their work computer. The attacker’s usage of AI provides further evidence that the technology is being used by lower-skilled attackers to assist with developing tools and automating their attacks. According to Symantec and Carbon Black, there is evidence that the attacker behind PureRAT is based in Vietnam. This conclusion has been reached because of the use of the Vietnamese language throughout the scripts, both in the code and in the comments left by AI tools. There are also references to Hanoi, the Vietnamese capital.

North Korean state actors continue to exploit fake employee schemes to infiltrate companies, particularly in blockchain and technology sectors, funneling stolen virtual currency and funds to North Korea's weapons program. The practice has escalated with remote work and AI, enabling fraudsters to impersonate employees and gain privileged access to company networks. Labyrinth Chollima, a prolific North Korean-linked cyber threat group, has evolved into three distinct hacking groups: Labyrinth Chollima (cyber espionage targeting industrial, logistics, and defense), Golden Chollima (smaller-scale cryptocurrency theft), and Pressure Chollima (high-value heists). Each group uses distinct toolsets derived from the same malware framework used by Labyrinth Chollima in the 2000s and 2011s. A joint investigation uncovered a network of remote IT workers tied to Lazarus Group's Famous Chollima division, with researchers capturing live activity of Lazarus operators on sandboxed laptops. The scheme, tracked as Jasper Sleet, PurpleDelta, and Wagemole, involves stealing or borrowing identities, using AI tools for interviews, and funneling salaries to the DPRK. Thousands of North Korean IT workers have infiltrated companies over the past two years, exploiting hiring processes and remote work environments. The U.S. Treasury has sanctioned individuals and entities involved, while Japan, South Korea, and the U.S. collaborate to combat the threat. Five U.S. citizens pleaded guilty to assisting North Korea's illicit revenue generation schemes, and two additional U.S. nationals, Kejia Wang and Zhenxing Wang, have now been sentenced to prison for operating a 'laptop farm' that facilitated the infiltration of over 100 companies, generating $5 million in illicit revenue and causing $3 million in damages to victim companies.