https://feed.craftedsignal.io/tags/north-korea/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioMon, 06 Apr 2026 16:35:39 +0000https://feed.craftedsignal.io/briefs/2026-04-drift-hack/Mon, 06 Apr 2026 16:35:39 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-drift-hack/The Drift Protocol suffered a $280 million crypto theft orchestrated by North Korean hackers who spent six months building an in-person operational presence within the Drift ecosystem, engaging with contributors at crypto conferences and via Telegram.On April 1st, 2026, the Solana-based trading platform, Drift Protocol, experienced a sophisticated attack resulting in the theft of over $280 million. Investigations by Elliptic and TRM Labs point to North Korean hackers, possibly UNC4736 (also known as AppleJeus and Labyrinth Chollima), a threat actor previously linked to Lazarus. The attackers cultivated a presence within the Drift ecosystem over six months, posing as a quantitative firm. They approached Drift contributors in person at multiple crypto conferences, building trust and rapport. Communications continued via Telegram, where they discussed trading strategies and potential vault integrations, demonstrating technical proficiency and familiarity with Drift’s operations. The Telegram group was deleted immediately after the theft.

Attack Chain

1. Initial Reconnaissance: The threat actors posed as a quantitative firm to gather information about Drift Protocol and its contributors.
2. In-Person Engagement: The actors attended multiple crypto conferences, engaging with specific Drift contributors.
3. Relationship Building: They communicated with targets via Telegram, discussing trading strategies and potential vault integrations.
4. Potential Compromise: Two contributors were potentially compromised via a malicious code repository exploiting a VSCode/Cursor vulnerability allowing silent code execution, or via a malicious TestFlight application presented as a wallet product.
5. Privilege Escalation: The attack allowed the hijacking of the Security Council administrative powers.
6. Asset Draining: The attackers drained user assets in approximately 12 minutes.
7. Data Removal: The Telegram group used for engaging contributors was deleted immediately after the theft.
8. Funds Laundering: The stolen funds were likely transferred to attacker-controlled wallets and prepared for laundering, though the wallets have been flagged across exchanges and bridge operators.

Impact

The Drift Protocol suffered a loss of over $280 million, impacting users of the Solana-based trading platform. All Drift Protocol functions remain frozen, and the compromised wallets have been removed from the multisig process. The incident highlights the risks associated with social engineering and the importance of verifying the identities of individuals and organizations interacting with critical infrastructure. The attack has also raised concerns about the security practices within the cryptocurrency sector.

Recommendation

• Monitor for unusual network activity and potential exploitation of VSCode/Cursor vulnerabilities via process_creation and network_connection logs using the “Detect Suspicious VSCode Code Execution” Sigma rule.
• Monitor for suspicious applications installed via TestFlight, especially those presented as wallet products, using file_event logs and the “Detect Suspicious TestFlight Application Installation” Sigma rule.
• Implement strict identity verification procedures for individuals and organizations interacting with sensitive systems and data.
• Educate employees about social engineering tactics and the risks of interacting with unknown individuals or organizations.

]]>criticalthreatdrift-protocolcrypto-theftnorth-koreaunc4736lazarus-groupsocial-engineeringsupply-chainhttps://feed.craftedsignal.io/briefs/2026-05-nickel-alley/Wed, 25 Mar 2026 10:25:17 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-nickel-alley/NICKEL ALLEY, a North Korean threat group, is targeting technology professionals with fake job opportunities and malicious code repositories to deliver malware like PyLangGhost RAT and BeaverTail, aiming to steal cryptocurrency.NICKEL ALLEY, a threat group operating on behalf of the North Korean government, continues to target professionals in the technology sector using sophisticated social engineering tactics. Since at least mid-2025, the group has been observed creating fake LinkedIn company pages, GitHub repositories, and job opportunities to deceive prospective candidates and deliver malware. They employ tactics such as “ClickFix,” where victims are tricked into running malicious commands under the guise of fixing technical issues. Additionally, they’ve compromised npm package repositories and used typosquatting to distribute malicious packages. The group leverages cloud platforms like Vercel for payload hosting, tailoring malware delivery based on victim system configurations. This activity is primarily motivated by cryptocurrency theft.

Attack Chain

1. Initial Contact: The attacker contacts a technology professional with a fake job opportunity, often advertised through LinkedIn or email.
2. Fake Company Profile: The attacker establishes credibility by creating a fake company profile on LinkedIn and/or GitHub.
3. Malicious Repository: The attacker creates a GitHub repository containing malicious code disguised as a software development project or crypto game (e.g., web3-social-platform).
4. ClickFix Delivery (PyLangGhost RAT): During a fake interview process, the attacker instructs the victim to perform a “fix” by running a command which downloads and executes a VBScript file.
5. VBScript Execution: The VBScript file (e.g., update.vbs, start.vbs) decompresses an archive (Lib.zip) containing library files and executes a renamed Python interpreter (csshost.exe) with a malicious Python script (nvidia.py).
6. BeaverTail Delivery (GitHub): The victim is convinced to clone the GitHub repository and execute commands like npm install and npm start. The index.js file retrieves the BeaverTail malware from a Base64-encoded URL hosted on Vercel.
7. Malware Execution: PyLangGhost RAT or BeaverTail malware executes on the victim’s system, enabling file exfiltration, arbitrary command execution, and system profiling.
8. Data Theft: The malware targets browser credentials, cookies, and cryptocurrency wallet data, leading to financial theft.

Impact

NICKEL ALLEY’s activities primarily target software developers and blockchain professionals. Successful attacks lead to the compromise of developer systems, theft of sensitive credentials, and exfiltration of cryptocurrency. The group’s persistent targeting of the technology sector highlights their continued focus on financial gain through cryptocurrency theft. Compromised systems can be used to further propagate attacks or to steal intellectual property.

Recommendation

• Monitor process creation events for the execution of wscript.exe launching VBScript files from the %TEMP% directory and followed by execution of renamed python.exe (csshost.exe) as described in the Attack Chain above. Deploy the Sigma rule Detect NICKEL ALLEY VBScript ClickFix to detect this activity.
• Inspect network connections from unusual processes (not browsers or standard networking tools) to newly registered domains or infrastructure providers like Vercel, using the Detect NICKEL ALLEY Outbound Connection Sigma rule.
• Block access to the IOC domains talentacq[.]pro, publicshare[.]org, and astrabytesyncs[.]com at the DNS resolver.
• Educate employees, especially those in software development, about social engineering tactics such as fake job opportunities and the ClickFix technique.

]]>highthreatNICKEL ALLEYNorth Koreacryptocurrencysupply-chain