{"id":8085,"date":"2025-10-16T16:54:19","date_gmt":"2025-10-16T21:54:19","guid":{"rendered":"https:\/\/cyberscoop.com\/?p=86391"},"modified":"2025-10-16T16:54:19","modified_gmt":"2025-10-16T21:54:19","slug":"north-korean-operatives-spotted-using-evasive-techniques-to-steal-data-and-cryptocurrency","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2025\/10\/16\/north-korean-operatives-spotted-using-evasive-techniques-to-steal-data-and-cryptocurrency\/","title":{"rendered":"North Korean operatives spotted using evasive techniques to steal data and cryptocurrency"},"content":{"rendered":"<p><head> <meta charset=\"UTF-8\"> <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\"> <meta name=\"robots\" content=\"index, follow, max-image-preview:large, max-snippet:-1, max-video-preview:-1\"> <!-- This site is optimized with the Yoast SEO Premium plugin v24.5 (Yoast SEO v24.5) - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ --> <title>North Korean operatives spotted using evasive techniques to steal data and cryptocurrency | CyberScoop<\/title> <meta name=\"description\" content=\"Research from Cisco Talos and Google Threat Intelligence Group underscores the extent to which North Korea-aligned attackers attempt to avoid detection.\"> <link rel=\"canonical\" href=\"https:\/\/cyberscoop.com\/north-korea-attackers-evasive-techniques-malware\/\"> <meta property=\"og:locale\" content=\"en_US\"> <meta property=\"og:type\" content=\"article\"> <meta property=\"og:title\" content=\"North Korean operatives spotted using evasive techniques to steal data and cryptocurrency\"> <meta property=\"og:description\" content=\"Research from Cisco Talos and Google Threat Intelligence Group underscores the extent to which North Korea-aligned attackers attempt to avoid detection.\"> <meta property=\"og:url\" content=\"https:\/\/cyberscoop.com\/north-korea-attackers-evasive-techniques-malware\/\"> <meta property=\"og:site_name\" 
content=\"CyberScoop\"> <meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/cyberscoop\/\"> <meta property=\"article:published_time\" content=\"2025-10-16T21:54:19+00:00\"> <meta property=\"article:modified_time\" content=\"2025-10-16T21:54:21+00:00\"> <meta property=\"og:image\" content=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/north-korean-operatives-spotted-using-evasive-techniques-to-steal-data-and-cryptocurrency-2.jpg\"> <meta property=\"og:image:width\" content=\"1920\"> <meta property=\"og:image:height\" content=\"1280\"> <meta property=\"og:image:type\" content=\"image\/jpeg\"> <meta name=\"author\" content=\"Matt Kapko\"> <meta name=\"twitter:card\" content=\"summary_large_image\"> <meta name=\"twitter:creator\" content=\"@CyberScoopNews\"> <meta name=\"twitter:site\" content=\"@CyberScoopNews\"> <!-- \/ Yoast SEO Premium plugin. --> <link rel=\"dns-prefetch\" href=\"\/\/securepubads.g.doubleclick.net\">\n<link rel=\"dns-prefetch\" href=\"\/\/use.typekit.net\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Feed\" href=\"https:\/\/cyberscoop.com\/feed\/\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Comments Feed\" href=\"https:\/\/cyberscoop.com\/comments\/feed\/\"> <link rel=\"stylesheet\" id=\"all-css-2\" href=\"https:\/\/cyberscoop.com\/wp-includes\/css\/dist\/block-library\/style.min.css?m=1759256725g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-6\" href=\"https:\/\/cyberscoop.com\/wp-content\/mu-plugins\/search\/elasticpress\/dist\/css\/related-posts-block-styles.min.css?m=1760439954g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-8\" href=\"https:\/\/cyberscoop.com\/wp-content\/themes\/scoopnewsgroup\/dist\/css\/frontend.css?m=1753281318g\" type=\"text\/css\" media=\"all\">\n<link rel=\"stylesheet\" id=\"typekit-css\" 
href=\"https:\/\/use.typekit.net\/itk2qbh.css?ver=13897d660a0ac2c9c7d1\" media=\"all\"> <link rel=\"https:\/\/api.w.org\/\" href=\"https:\/\/cyberscoop.com\/wp-json\/\"><link rel=\"alternate\" title=\"JSON\" type=\"application\/json\" href=\"https:\/\/cyberscoop.com\/wp-json\/wp\/v2\/posts\/86391\"><link rel=\"EditURI\" type=\"application\/rsd+xml\" title=\"RSD\" href=\"https:\/\/cyberscoop.com\/xmlrpc.php?rsd\">\n<meta name=\"generator\" content=\"WordPress 6.8.3\">\n<link rel=\"shortlink\" href=\"https:\/\/cyberscoop.com\/?p=86391\">\n<link rel=\"alternate\" title=\"oEmbed (JSON)\" type=\"application\/json+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fnorth-korea-attackers-evasive-techniques-malware%2F\">\n<link rel=\"alternate\" title=\"oEmbed (XML)\" type=\"text\/xml+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fnorth-korea-attackers-evasive-techniques-malware%2F&amp;format=xml\"> <!-- Google Tag Manager --> <!-- End Google Tag Manager --> <link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=32\" sizes=\"32x32\">\n<link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=192\" sizes=\"192x192\">\n<link rel=\"apple-touch-icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=180\">\n<meta name=\"msapplication-TileImage\" content=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=270\"> <\/head><body class=\"wp-singular post-template-default single single-post postid-86391 single-format-standard wp-theme-scoopnewsgroup wp-child-theme-cyberscoop\" id=\"readabilityBody\"> <a href=\"https:\/\/cyberscoop.com\/north-korea-attackers-evasive-techniques-malware\/#main\" class=\"skip-to-content-link visually-hidden-focusable\">Skip 
to main content<\/a> <\/p>\n<div class=\"ad ad--top ad--top-desktop\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p> <main id=\"main\" role=\"main\" tabindex=\"-1\"> <\/p>\n<div class=\"ad ad--top ad--top-mobile\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<section id=\"stickybar\" class=\"stickybar stickybar--newsletter js-stickybar\" readability=\"0.82\"> <button class=\"stickybar__close js-stickybar-close\" aria-controls=\"stickybar\"> <svg class=\"icon icon--close\" width=\"21\" height=\"22\" viewBox=\"0 0 21 22\" fill=\"none\"><path d=\"m.822.518-.805.805L9.695 11 .017 20.678l.805.805 9.678-9.678 9.677 9.678.806-.805L11.305 11l9.678-9.677-.806-.805-9.677 9.677L.822.518Z\" fill=\"currentColor\" \/><\/svg> <span class=\"visually-hidden\">Close<\/span> <\/button> <\/section>\n<article class=\"single-article content\">\n<div class=\"single-article__container js-single-article-content\">\n<header class=\"single-article__header \" readability=\"25.891216216216\">\n<div class=\"single-article__header-content\" readability=\"34.593103448276\">\n<p> Research from Cisco Talos and Google Threat Intelligence Group underscores the extent to which North Korea-aligned attackers attempt to avoid detection. <\/p>\n<p> <!-- Listen to this article section --> <!-- Audio Element --><br \/>\n<audio id=\"audio-player\" src=\"https:\/\/wp-tts-cdn.api.scpnewsgrp.com\/cyberscoop\/86391\/english.openai.mp3\"><\/audio> <\/p>\n<div readability=\"11\">\n<div>\n<p>Listen to this article<\/p>\n<p> <!-- Countdown Timer --> <\/p>\n<p>0:00<\/p>\n<\/p><\/div>\n<p> <!-- Tooltip --> <\/p>\n<p> <span id=\"tts-tooltip\">Learn more.<\/span> <span> This feature uses an automated voice, which may result in occasional errors in pronunciation, tone, or sentiment. 
<\/span> <\/p>\n<\/div>\n<p> <!-- End of audio player --> <\/div>\n<div class=\"single-article__cover-wrap\">\n<figure class=\"single-article__cover\"> <img data-recalc-dims=\"1\" fetchpriority=\"high\" width=\"640\" height=\"426\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/north-korean-operatives-spotted-using-evasive-techniques-to-steal-data-and-cryptocurrency.jpg?resize=640%2C426&#038;ssl=1\" class=\"single-article__cover-image wp-post-image\" alt decoding=\"async\" fetchpriority=\"high\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/north-korean-operatives-spotted-using-evasive-techniques-to-steal-data-and-cryptocurrency-2.jpg 1920w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/north-korean-operatives-spotted-using-evasive-techniques-to-steal-data-and-cryptocurrency-2.jpg?resize=300,200 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/north-korean-operatives-spotted-using-evasive-techniques-to-steal-data-and-cryptocurrency-2.jpg?resize=768,512 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/north-korean-operatives-spotted-using-evasive-techniques-to-steal-data-and-cryptocurrency-2.jpg?resize=1024,683 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/north-korean-operatives-spotted-using-evasive-techniques-to-steal-data-and-cryptocurrency-2.jpg?resize=1536,1024 1536w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/north-korean-operatives-spotted-using-evasive-techniques-to-steal-data-and-cryptocurrency-2.jpg?resize=600,400 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/north-korean-operatives-spotted-using-evasive-techniques-to-steal-data-and-cryptocurrency-2.jpg?resize=252,168 252w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/north-korean-operatives-spotted-using-evasive-techniques-to-steal-data-and-cryptocurrency-2.jpg?resize=506,337 506w, 
https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/north-korean-operatives-spotted-using-evasive-techniques-to-steal-data-and-cryptocurrency-2.jpg?resize=1013,675 1013w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/north-korean-operatives-spotted-using-evasive-techniques-to-steal-data-and-cryptocurrency-2.jpg?resize=1265,843 1265w\" sizes=\"(max-width: 1013px) 100vw, 1013px\"><figcaption> In this picture taken near the truce village of Panmunjom inside the demilitarized zone (DMZ) separating the two Koreas, a bird flies near a North Korean flag fluttering in the wind at the propaganda village of Gijungdong in North Korea on October 4, 2022. (Photo by ANTHONY WALLACE\/AFP via Getty Images) <\/figcaption><\/figure>\n<\/p><\/div>\n<\/header>\n<div class=\"single-article__content\">\n<div class=\"single-article__content-inner has-drop-cap\"> <html readability=\"30.861423220974\"><body readability=\"62.824969400245\"><\/p>\n<p>North Korean operatives that dupe job seekers into installing malicious code on their devices have been spotted using new malware strains and techniques, resulting in the theft of credentials or cryptocurrency and ransomware deployment, according to researchers from Cisco Talos and Google Threat Intelligence Group.<\/p>\n<p>Cisco Talos said it observed an attack linked to Famous Chollima that involved the use of <a href=\"https:\/\/blog.talosintelligence.com\/beavertail-and-ottercookie\/\">BeaverTail and OtterCookie<\/a> \u2014 separate but complementary malware strains frequently used by the North Korea-aligned threat group. 
Researchers said their analysis determined the extent to which BeaverTail and OtterCookie have merged and displayed new functionality in recent campaigns.&nbsp;<\/p>\n<p>GTIG said it <a href=\"https:\/\/cloud.google.com\/blog\/topics\/threat-intelligence\/dprk-adopts-etherhiding\">observed UNC5342 using EtherHiding<\/a>, malicious code in the form of JavaScript payloads that turn a public blockchain into a decentralized command and control server. Researchers said UNC5342 incorporated EtherHiding into a North Korea-aligned social engineering campaign previously dubbed Contagious Interview by Palo Alto Networks.&nbsp;<\/p>\n<p>Cisco and Google both said North Korean threat groups\u2019 use of more specialized and evasive malware underscores the efforts the nation-state attackers are taking to achieve multiple goals while avoiding more common forms of detection.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>By installing EtherHiding on the blockchain, UNC5342 can remotely update the malware\u2019s functionality and maintain continuous control over their operations without worrying about infrastructure takedowns or disruptions.<\/p>\n<p>\u201cThis development signals an escalation in the threat landscape, as nation-state threat actors are now utilizing new techniques to distribute malware that is resistant to law enforcement takedowns and can be easily modified for new campaigns,\u201d Robert Wallace, consulting leader at Mandiant, Google\u2019s incident response firm, said in an email.&nbsp;<\/p>\n<p>Google researchers described North Korea\u2019s social engineering campaign as a sophisticated and ongoing effort to commit espionage, gain persistent access to corporate networks and steal sensitive data or cryptocurrency during the job application and interview process.<\/p>\n<p>The crux of these attacks often occurs during a fake technical assessment when job candidates are 
asked to download files that unbeknownst to them contain malicious code, according to Google. Researchers observed a multi-stage malware infection process involving JadeSnow, BeaverTail and InvisibleFerret.&nbsp;<\/p>\n<p>Cisco Talos researchers uncovered a Famous Chollima attack on an undisclosed organization based in Sri Lanka that likely originated from a user that fell for a fake job offer. The organization wasn\u2019t targeted by the attackers, according to the report.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>Researchers observed a previously undocumented keylogging and screenshotting module in the campaign that they traced to OtterCookie samples. The information-stealing malware contained a module that listens for keystrokes and periodically takes screenshots of the desktop session, which are automatically uploaded to the OtterCookie command and control server, Cisco Talos said.<\/p>\n<p>Cisco and Google both shared indicators of compromise in their respective reports to help threat hunters find additional artifacts of the North Korea threat groups\u2019 malicious activity.<\/p>\n<p><\/body> <\/p>\n<footer class=\"single-article__footer\" readability=\"3.7995735607676\">\n<div class=\"author-card\" readability=\"14\">\n<div class=\"author-card__avatar\">\n<figure class=\"author-card__image-wrap\"> <img data-recalc-dims=\"1\" decoding=\"async\" class=\"author-card__image\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/north-korean-operatives-spotted-using-evasive-techniques-to-steal-data-and-cryptocurrency-1.jpg?w=640&#038;ssl=1\" alt=\"Matt Kapko\"> <\/figure>\n<\/p><\/div>\n<p><h4 class=\"author-card__name\">Written by Matt Kapko<\/h4>\n<p> Matt Kapko is a reporter at CyberScoop. His beat includes cybercrime, ransomware, software defects and vulnerability (mis)management. 
The lifelong Californian started his journalism career in 2001 with previous stops at Cybersecurity Dive, CIO, SDxCentral and RCR Wireless News. Matt has a degree in journalism and history from Humboldt State University. <\/p>\n<\/p><\/div>\n<div class=\"single-article__tags-container\">\n<h4 class=\"single-article__tags-title\">In This Story<\/h4>\n<\/p><\/div>\n<\/footer>\n<p> <\/html><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"single-article__ads js-single-article-sidebar\">\n<div class=\"ad ad--sidebar js-single-article-sidebar-5 ad--rightrail_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-4 ad--rightrail_2 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-3 ad--rightrail_3 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div><\/div>\n<\/article>\n<div class=\"popular-stories popular-stories--single-post\">\n<div class=\"popular-stories__container\">\n<h2 class=\"popular-stories__title\"> More Scoops <\/h2>\n<p> <!-- .popular-stories__stories --> <\/div>\n<p><!-- .popular-stories__inner -->\n<\/div>\n<p><!-- .popular-stories --> <\/p>\n<section class=\"latest-podcasts\">\n<h2 class=\"latest-podcasts__title\"> Latest Podcasts\t<\/h2>\n<\/section>\n<div class=\"top-categories\">\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Government<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Technology<\/h3>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/p>\n<div class=\"ad ad--bottom \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div id=\"interstitial\" class=\"welcome__container\"> <button id=\"close-modal-1\" 
class=\"welcome__clickable_area\"><\/button> <\/p>\n<div class=\"welcome__ad_wrapper\">\n<p> <button id=\"close-modal-3\" class=\"welcome__continue-button\">Continue to CyberScoop<\/button> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p> <!-- Start of HubSpot Embed Code --> <!-- End of HubSpot Embed Code --> <\/body> <a href=\"https:\/\/cyberscoop.com\/north-korea-attackers-evasive-techniques-malware\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>North Korean operatives spotted using evasive techniques to steal data<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[724,78,3729,4236,168,646,647,46,256,288],"tags":[727,86,3731,4237,169,650,240,54,262,294],"class_list":["post-8085","post","type-post","status-publish","format-standard","hentry","category-cisco-talos","category-cybersecurity","category-google-threat-intelligence-group","category-jobs","category-malware","category-mandiant","category-north-korea","category-ransomware","category-research","category-threats","tag-cisco-talos","tag-cybersecurity","tag-google-threat-intelligence-group","tag-jobs","tag-malware","tag-mandiant","tag-north-korea","tag-ransomware","tag-research","tag-threats"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Cyber Scoop","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/cyberscoop\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cisco-talos\/\" rel=\"category tag\">Cisco Talos<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybersecurity\/\" rel=\"category tag\">Cybersecurity<\/a> <a 
href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/google-threat-intelligence-group\/\" rel=\"category tag\">Google Threat Intelligence Group<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/jobs\/\" rel=\"category tag\">jobs<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/malware\/\" rel=\"category tag\">Malware<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/mandiant\/\" rel=\"category tag\">Mandiant<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/north-korea\/\" rel=\"category tag\">North Korea<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/ransomware\/\" rel=\"category tag\">ransomware<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/research\/\" rel=\"category tag\">Research<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/threats\/\" rel=\"category tag\">Threats<\/a>","tag_info":"Threats","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/8085","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=8085"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/8085\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=8085"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=8085"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=8085"}],"curies":[{"name
":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}