📢 Void Dokkaebi migrates InvisibleFerret to Cython binaries to evade detection
📝 ## 🔍 Context

Published on 22 May 2026 by Kazuki Fujisawa (Trend Micro), this article doc...
📖 cyberveille : https://cyberveille.ch/posts/2026-05-31-void-dokkaebi-migre-invisibleferret-vers-des-binaires-cython-pour-contourner-les-detections/
🌐 source : https://www.trendmicro.com/en_us/research/26/e/analyzing-void-dokkaebi-invisibleferret-malware.html
#AnyDesk #BeaverTail #Cyberveille

Void Dokkaebi migrates InvisibleFerret to Cython binaries to evade detection

🔍 Context: Published on 22 May 2026 by Kazuki Fujisawa (Trend Micro), this article documents the technical evolution of the InvisibleFerret malware used by Void Dokkaebi (also known as Famous Chollima), an intrusion group aligned with North Korea.

🎯 Actor and targets: Void Dokkaebi systematically targets software developers who hold cryptocurrency wallet credentials, signing keys, and access to CI/CD pipelines and production infrastructure. The historical initial vector relies on fake job offers at crypto and AI companies, luring developers into cloning and running code repositories.

📢 Lazarus Group hides a malicious loader in Git hooks to target developers
📝 ## 🕵️ Context

Published on 6 May 2026 by the OpenSourceMalware team, this article documents a tactical evolution of the...
📖 cyberveille : https://cyberveille.ch/posts/2026-05-08-lazarus-group-cache-un-loader-malveillant-dans-des-git-hooks-pour-cibler-les-developpeurs/
🌐 source : https://opensourcemalware.com/blog/dprk-git-hooks-malware
#BeaverTail #Contagious_Interview #Cyberveille

Lazarus Group hides a malicious loader in Git hooks to target developers

🕵️ Context: Published on 6 May 2026 by the OpenSourceMalware team, this article documents a tactical evolution of the Contagious Interview / TaskJacker campaign attributed to the North Korean Lazarus Group (DPRK). The source is a community threat-intelligence blog specialising in open source threats.

🔄 Evolution of the technique: The operators abandoned their usual vectors (.vscode/tasks.json, postinstall scripts in package.json, fake .woff2 files) in favour of malicious Git hooks placed in .githooks/pre-commit. The hook fires automatically when the victim tries to commit code, which is exactly the moment when the fake recruiter asks them to “fix a bug and commit”.

Contagious Interview becomes a worm: Void Dokkaebi turns 750 repositories into self-propagating vectors against developers

The North Korean APT group Void Dokkaebi (Famous Chollima) has turned its fake job offers into a supply chain attack capable of propagating automatically: simply opening a cloned repository in VS Code is enough to trigger payloads hidden in manipulated commits. In March 2026, Trend Micro mapped more than 750 infected repositories, 500 malicious task.json files and C2 staging on Tron, Aptos and Binance Smart Chain.

https://insicurezzadigitale.com/contagious-interview-diventa-un-worm-void-dokkaebi-trasforma-750-repository-in-vettori-auto-propaganti-contro-gli-sviluppatori/

📢 HexagonalRodent: the DPRK sub-group industrialising crypto theft with AI
📝 ## 🌐 Context

Published on 21 April 2026 by Marcus Hutchins on the Expel blog, this article presents the resul...
📖 cyberveille : https://cyberveille.ch/posts/2026-04-22-hexagonalrodent-le-sous-groupe-dprk-qui-industrialise-le-vol-de-crypto-via-l-ia/
🌐 source : https://expel.com/blog/inside-lazarus-how-north-korea-uses-ai-to-industrialize-attacks-on-developers/
#BeaverTail #DPRK #Cyberveille

HexagonalRodent: the DPRK sub-group industrialising crypto theft with AI

🌐 Context: Published on 21 April 2026 by Marcus Hutchins on the Expel blog, this article presents the results of an in-depth investigation into a newly named North Korean (DPRK) APT group, Expel-TA-0001 / HexagonalRodent, active since at least October 2025 and assessed with high confidence to be a sub-group of Famous Chollima (CrowdStrike).

🎯 Targeting and modus operandi: HexagonalRodent primarily targets Web3 developers with the aim of stealing cryptocurrency and NFTs. The infection chain relies on:

[Translation] How a “dream job invitation” turns into an attack

It all starts with a notification that feels familiar and exciting for any developer: “You’ve been shortlisted for an AI developer position.” The company looks impressive — DLMind, an “AI innovation lab.” The recruiter appears legitimate — Tim Morenc, CEDS, with a polished LinkedIn profile, professional communication style, and mutual connections.

But behind this friendly outreach is BeaverTail — a malicious operation designed to steal your code, credentials, and developer assets.

The attack is part of a broader pattern associated with North Korean cyber operations, including groups such as Lazarus Group.

How the attack works

The victim is approached via LinkedIn or similar platforms

A convincing fake company and recruiter profile is used

A “technical assignment” or test task is provided

The task contains malicious code or a compromised dependency

Once executed, it extracts sensitive data such as:

GitHub / Git credentials

SSH keys

API tokens

browser session data

Why it works

The campaign relies on social engineering rather than technical exploitation:

trust in recruitment processes

desire for career opportunities

familiarity of developer workflows (GitHub, npm, Python, etc.)

Key takeaway

Any unsolicited “test assignment” should be treated as potentially hostile code. Execution environments must be isolated, and credentials should never be exposed in evaluation setups.

---

#hashtags
#cybersecurity #infosec #malware #socialengineering #phishing #infostealer #supplychainattack #github #developers #techsecurity #beavertail #lazarusgroup

📢⚠️ Watch as North Korean Lazarus hackers tried to infect #AllSecure CEO Chris Papathanasiou through a fake LinkedIn job interview. The attackers used a coding test loaded with the notorious #BeaverTail malware. 🦫

Read: https://hackread.com/fake-linkedin-interview-lazarus-hackers-allsecure-ceo/

#CyberSecurity #Lazarus #NorthKorea #LinkedIn #Scam

Fake LinkedIn Interview Used by Lazarus Hackers to Target AllSecure CEO

BREAKFAST OF CHAMPIONS #Photography #beavertail #ottawa

"... they wear shorts outside in February to shovel snow, and they eat beaver tails! Canadians are either really tough, or effing crazy."

#Canada #Canadian #snow #shovel #shorts #BeaverTail #misunderstanding #tough #crazy

NEW: Developers, crypto users, and job seekers beware - North Korea’s Lazarus Group is deploying a new #BeaverTail variant to steal credentials and crypto via fake job offers, dev tools and smart contracts.

Read: https://hackread.com/lazarus-embed-beavertail-variant-developer-tools/

#CyberSecurity #Lazarus #NorthKorea #DevSec #InfoStealer

Lazarus Group Embed New BeaverTail Variant in Developer Tools
