Palo Alto Unit 42 reported a campaign attributed to DPRK-linked agents. The latter are believed to be actively seeking employment in the United States and Western Europe for both espionage and financial gain purposes, exposing organizations to potential insider threats. Unit 42 identified GitHub accounts that inadvertently published data reportedly pertaining to a large number of impersonation accounts. These accounts have seemingly been used for a prolonged period of time. The agents were apparently applying for hybrid roles, and shortly before starting in person, they claimed unexpected circumstances forced them to delay their relocation to the intended job location, asking to start remotely. This way, the agents would obtain a foothold within the organization and start making financial gains.
Simultaneously, Microsoft reports a supply chain compromise impacting the Taiwan-based software company CyberLink. The attack was attributed to the DPRK-linked Lazarus. The attack vector was a malicious version of a legitimate CyberLink installer - dubbed "LambLoad" - signed with a valid CyberLink certificate. The trojanized installer served to download a second-stage malware. The event impacted over one hundred assets across Taiwan, Japan, Canada, and the United States.