North Korean threat actor targets cryptocurrency with new methodologies


A new report from Proofpoint Inc. today details a revamped state-sponsored North Korean threat actor that has been actively targeting cryptocurrency holders and exchanges using new methodologies.

Dubbed TA444, the group has been active since at least 2017 and in 2022 turned its attention to cryptocurrency. Its activity overlaps with clusters publicly tracked as APT38, Bluenoroff, BlackAlicanto, Stardust Chollima and COPERNICIUM, and it is believed to be tasked with funneling funds to North Korea or its handlers abroad.

North Korean hacking groups are not new, but what makes TA444 notable is that it uses a wider variety of delivery methods and payloads than previously seen. Its lures include blockchain-related themes, fake job opportunities at prestigious firms and purported salary adjustments.

When first spotted taking an interest in blockchain and cryptocurrency, TA444 used two attack vectors for initial access: an LNK-oriented delivery chain, and a chain beginning with Office documents that load a remote template, where the malicious content is fetched when the file is opened and the delivered document itself can look benign.
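A triage check for the second of those vectors, added here as an example and not drawn from Proofpoint's report or from TA444 tooling: a Word document that uses a remote template declares it through the OOXML attachedTemplate relationship, normally in word/_rels/settings.xml.rels, with a target that points outside the package. The script below scans every relationship part in a .docx for such a target. The sample document it builds in memory is constructed for the test, and the URL inside it is a placeholder, not an indicator from any report. The LNK chain is not covered here.

```python
"""Flag Office documents that pull a remote (external) template.

Added example, not code from the article or from Proofpoint. The sample .docx
is constructed in memory; the template URL in it is a placeholder.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from typing import List, Optional

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)
# Targets that leave the package: URLs and UNC paths.
REMOTE_TARGET = re.compile(r"^(https?://|ftp://|\\\\|file:)", re.IGNORECASE)


def find_remote_templates(docx_bytes: bytes) -> List[str]:
    """Return every attachedTemplate target that resolves outside the document.

    Raises zipfile.BadZipFile for non-OOXML input so a caller cannot mistake an
    unparseable file for a clean one.
    """
    hits: List[str] = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            # Relationship parts live under */_rels/*.rels.
            if not name.endswith(".rels"):
                continue
            try:
                root = ET.fromstring(zf.read(name))
            except ET.ParseError:
                continue
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                if rel.get("Type") != ATTACHED_TEMPLATE:
                    continue
                target = rel.get("Target", "")
                # Word marks remote templates with TargetMode="External"; the
                # regex also catches a URL or UNC target that omits the attribute.
                if rel.get("TargetMode") == "External" or REMOTE_TARGET.match(target):
                    hits.append(target)
    return hits


def build_sample_docx(template_target: Optional[str], external: bool = False) -> bytes:
    """Construct a minimal .docx in memory (test input, not a real-world sample).

    With template_target set, word/settings.xml declares an attached template and
    the relationship points at that target, marked External when requested.
    """
    ct = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
        '<Default Extension="xml" ContentType="application/xml"/>'
        '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
        '<Override PartName="/word/settings.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.settings+xml"/>'
        "</Types>"
    )
    w_ns = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
    r_ns = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
    document = f'<w:document xmlns:w="{w_ns}"><w:body><w:p/></w:body></w:document>'
    settings_body = '<w:attachedTemplate r:id="rId1"/>' if template_target else ""
    settings = f'<w:settings xmlns:w="{w_ns}" xmlns:r="{r_ns}">{settings_body}</w:settings>'
    rel = ""
    if template_target:
        mode = ' TargetMode="External"' if external else ""
        rel = f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" Target="{template_target}"{mode}/>'
    settings_rels = f'<Relationships xmlns="{RELS_NS}">{rel}</Relationships>'

    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", ct)
        zf.writestr("word/document.xml", document)
        zf.writestr("word/settings.xml", settings)
        zf.writestr("word/_rels/settings.xml.rels", settings_rels)
    return buf.getvalue()


if __name__ == "__main__":
    # Placeholder URL, constructed for the demo.
    sample = build_sample_docx("https://example.invalid/t.dotm", external=True)
    print("remote templates:", find_remote_templates(sample))
```

Run it against a directory of attachments and treat any non-empty result as worth a closer look; a local template such as Normal.dotm, with no TargetMode attribute, is not flagged.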

