The U.S. Treasury’s July 8 action against Song Kum Hyok and four Russia-based entities pulled back the curtain on a sophisticated malware-enabled revenue pipeline that has quietly bankrolled Pyongyang’s weapons programs for years. Investigators trace the campaign to Andariel, a Reconnaissance General Bureau (RGB) sub-unit already notorious for high-value cryptocurrency heists. By embedding North Korean developers inside legitimate software projects, the group obtained persistent, code-signing access to corporate repositories and CI/CD pipelines, allowing malicious updates to ride trusted channels. Victims span fintech, healthcare, and industrial IoT vendors on three continents; in several cases, corrupted binaries were pushed to over-the-air update servers, effectively weaponizing routine patch cycles.

Within weeks of onboarding, the rogue contractors began seeding an innocuous-looking JavaScript dependency that, once compiled, side-loaded a PowerShell stager to contact *.china-cdn[.]org, a domain masquerading as a content mirror. Analysts found that every build job reaching GitHub Actions runners after March 2025 contained the altered dependency, evidence that supply-chain poisoning rather than spear-phishing was the preferred attack vector.

The stager’s encoded blob expands into a four-stage PowerShell script that never touches disk, using Add-Type to compile C# inline and abusing Windows Management Instrumentation (WMI) for persistence. Each execution loads an encrypted .NET payload directly into memory, thwarting traditional file-based antivirus scans and leaving only volatile, in-memory artifacts such as hooks in amsi.dll. The malicious DLL then registers a permanent event consumer under the root\subscription namespace, which revives the implant after reboots without creating new services or registry run keys; this tactic kept host-based detection rates below 5 percent in VirusTotal submissions through June 2025. Treasury analysts noted that the stager’s beacon interval shifts dynamically between 90 and 600 seconds, defeating traffic-shape baselines that look for a fixed check-in period.

Infected devices later funneled telemetry, clipboard data, and cryptocurrency wallet files to Andariel’s command tier, compressing exfiltrated content with LZNT1 before encrypting it with AES-256. Treasury researchers noted the group monetized stolen wallets directly, while other data was sold in Russian underground markets.

Continued sanctions pressure will complicate cash-out avenues, yet the campaign’s low footprint underscores why remote contractor workflows remain an attractive, hard-to-audit conduit for state-sponsored malware operators.

Tushar is a cyber security content editor with a passion for creating captivating and informative content; with years of experience in cyber security, he covers cyber security news, technology and other news.
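Two offline checks a defender could run against artefacts already in hand, written here as an added Python example; this is not code from the article, from Treasury, or from the campaign. The first flags npm lifecycle hooks (preinstall, install, postinstall and similar) whose command spawns PowerShell, on the assumption that a dependency which "once compiled, side-loaded a PowerShell stager" needs such a hook or an equivalent build step; the article does not say which mechanism the dependency actually used. The second targets the beacon shape described above: instead of searching for a fixed period, which a 90 to 600 second jitter defeats, it groups connections by (source, destination) and flags pairs whose every gap falls inside that band and whose destination is contacted by only a handful of hosts. The manifest and proxy log lines are constructed for the example, and the hostnames, IP addresses, log format and thresholds are assumptions.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import mean

# 1. npm lifecycle hooks that spawn PowerShell. npm runs these automatically
#    on install, so a dependency that launches a stager during the build needs
#    one of them or an equivalent build step (assumed mechanism, see lead-in).
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare", "prepublish")
POWERSHELL_RE = re.compile(r"\b(powershell|pwsh)(\.exe)?\b|-enc(odedcommand)?\b|\.ps1\b", re.I)


def suspicious_lifecycle_scripts(package_json_text):
    """Return {hook: command} for lifecycle scripts whose command invokes PowerShell."""
    scripts = json.loads(package_json_text).get("scripts", {})
    return {h: c for h, c in scripts.items() if h in LIFECYCLE_HOOKS and POWERSHELL_RE.search(c)}


# Constructed manifest, not a real package: an honest build script next to a
# postinstall hook that hides a PowerShell launch behind an asset fetch.
CONSTRUCTED_MANIFEST = json.dumps({
    "name": "cdn-helper",
    "version": "1.4.2",
    "scripts": {
        "build": "tsc -p .",
        "test": "jest",
        "postinstall": "node scripts/fetch-assets.js && powershell -nop -w hidden -enc BASE64BLOB",
    },
})

# 2. Jittered beacons. Assumed proxy line format:
#    "<ISO-8601 UTC> <src-ip> <dst-host> <port> <status>"
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+\d+\s+\d+$")


def parse_proxy_line(line):
    """Return (timestamp, src, dst), or None when the line does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m.group(1).replace("Z", "+00:00")), m.group(2), m.group(3)


def jittered_beacons(log_lines, lo=90, hi=600, min_connections=6, rare_hosts=2):
    """Flag (src, dst) pairs whose every gap between connections lies inside the
    jitter band [lo, hi] seconds and whose destination is seen from at most
    rare_hosts sources. A period-based baseline needs a repeating interval; the
    stager has none, but the band is still distinctive, since browsing produces
    sub-10 s bursts and multi-hour gaps, and fleet-wide polling is not rare."""
    stamps_by_pair = defaultdict(list)
    sources_by_dst = defaultdict(set)
    for line in log_lines:
        parsed = parse_proxy_line(line)
        if parsed is None:
            continue
        ts, src, dst = parsed
        stamps_by_pair[(src, dst)].append(ts)
        sources_by_dst[dst].add(src)

    hits = {}
    for (src, dst), stamps in stamps_by_pair.items():
        if len(stamps) < min_connections or len(sources_by_dst[dst]) > rare_hosts:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if all(lo <= g <= hi for g in gaps):
            hits[(src, dst)] = {"connections": len(stamps), "min_gap": min(gaps),
                                "max_gap": max(gaps), "mean_gap": round(mean(gaps), 1)}
    return hits


def constructed_proxy_log():
    """Constructed sample, not real telemetry: one host checking in to the
    defanged mirror domain at randomised gaps, three hosts polling an update
    server every hour, and one user browsing in bursts."""
    base = datetime(2025, 6, 2, 9, 0, 0, tzinfo=timezone.utc)
    lines = []

    def emit(offset, src, dst):
        ts = (base + timedelta(seconds=offset)).strftime("%Y-%m-%dT%H:%M:%SZ")
        lines.append(f"{ts} {src} {dst} 443 200")

    t = 0
    for gap in (0, 140, 512, 95, 388, 600, 233, 91, 457, 310):  # stager sleep times
        t += gap
        emit(t, "10.0.4.17", "assets.china-cdn[.]org")
    for host in ("10.0.4.17", "10.0.4.18", "10.0.4.19"):       # hourly update polling
        for k in range(6):
            emit(k * 3600, host, "updates.vendor.example")
    for off in (5, 7, 9, 12, 1900, 1903, 1904, 6000):           # bursty human browsing
        emit(off, "10.0.4.18", "news.example.net")
    return lines


if __name__ == "__main__":
    print("lifecycle hooks:", suspicious_lifecycle_scripts(CONSTRUCTED_MANIFEST))
    for pair, stats in jittered_beacons(constructed_proxy_log()).items():
        print("beacon:", pair, stats)
```

On the constructed data only the postinstall hook and the single host talking to the mirror domain are reported; the hourly update polling is excluded both by its gap length and by being fleet-wide. The rarity filter is what keeps the beacon check usable on real proxy volumes, and the band should be set a little wider than the reported sleep range, because a single check-in outside it would otherwise clear the pair. For the build side, the corresponding hardening step is to install dependencies on CI with `npm install --ignore-scripts` and to review any hook the check reports before allowing it to run.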
This Cyber News was published on cybersecuritynews.com. Publication date: Thu, 10 Jul 2025 18:30:12 +0000