{
	"id": "fc555193-8437-4875-8586-2a8b0f0aeb12",
	"created_at": "2026-04-06T01:30:18.304128Z",
	"updated_at": "2026-04-10T13:11:49.024507Z",
	"deleted_at": null,
	"sha1_hash": "e0578491bd2042d6f2786119b9ae6e67ced49e47",
	"title": "North Korean hackers spoof venture capital firms in Japan, Vietnam and US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 71785,
	"plain_text": "North Korean hackers spoof venture capital firms in Japan, Vietnam and US\r\nBy Jonathan Greig\r\nPublished: 2023-06-06 · Archived: 2026-04-06 00:19:04 UTC\r\nHackers based in North Korea are spoofing financial institutions and venture capital firms in the U.S., Vietnam and Japan, according to new research.\r\nRecorded Future’s Insikt Group linked the campaign to APT38, a state-sponsored group in North Korea notorious for several high-profile attacks on cryptocurrency firms and other organizations.\r\n“We discovered 74 domains resolving to 5 IP addresses, as well as 6 malicious files, in the most recent cluster of activity from September 2022 to March 2023,” the researchers said. “Previous Insikt Group reporting on overlapping activity attributed to TAG-71 highlighted the group’s spoofing of domains belonging to financial firms in Japan, Taiwan, and the United States, as well as popular cloud services used by a large number of enterprises.”\r\nThe Record is an editorially independent unit of Recorded Future.\r\nThe report noted that North Korean hacking groups have a long history of launching financially motivated attacks and intrusion campaigns on cryptocurrency exchanges, commercial banks and e-commerce systems.\r\nThese campaigns are meant to bolster “the North Korean government’s continued efforts to generate funds for the regime, which remains under significant international sanctions.”\r\nInsikt Group researcher Mitch Haszard said what stood out most from the recent campaign was the spoofing of venture capital firms. He noted that APT38 has previously targeted the international financial transactions cooperative SWIFT and cryptocurrency exchanges.\r\n“Both kind of have a clear, ‘we are here to steal money’ purpose, but the spoofing of venture capital firms is something new and slightly different,” he said.\r\nDating back to March 2022, the researchers said they detected 18 malicious servers being used by North Korean hackers that allowed them to deliver malware and “heavily spoofed popular cloud services, cryptocurrency exchanges, and private investment firms to trick potential victims into opening malicious content or providing their login credentials.”\r\nBy targeting investment banking and venture capital firms, the group is aiming to “expose sensitive or confidential information of these entities or their customers, which may result in legal or regulatory action, jeopardize pending business negotiations or agreements, or expose information damaging to a company’s strategic investment portfolio.”\r\nIn a campaign that ran from January 2023 to March 2023, Insikt Group found three more IP addresses associated with the group.\r\nThese addresses hosted 21 domains themed around common terms associated with document software like “doc-share” and “autoprotect,” while several others purport to be financial institutions within Japan, Vietnam, and the United States.\r\nSeveral of the IP addresses were also tied to another financially motivated hacking group identified by researchers with security firm Kaspersky.\r\nDue to the crippling financial sanctions faced by North Korea, the country’s hackers will likely continue to launch financially motivated attacks, the researchers surmised.\r\nJonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.\r\nSource: https://therecord.media/north-korean-hacking-group-spoofs-venture-capital-firms-finance-japan-vietnam",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://therecord.media/north-korean-hacking-group-spoofs-venture-capital-firms-finance-japan-vietnam"
	],
	"report_names": [
		"north-korean-hacking-group-spoofs-venture-capital-firms-finance-japan-vietnam"
	],
	"threat_actors": [
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38",
				"ATK 117",
				"Alluring Pisces",
				"Black Alicanto",
				"Bluenoroff",
				"CTG-6459",
				"Citrine Sleet",
				"HIDDEN COBRA",
				"Lazarus Group",
				"Sapphire Sleet",
				"Selective Pisces",
				"Stardust Chollima",
				"T-APT-15",
				"TA444",
				"TAG-71"
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f426f0a0-faef-4c0e-bcf8-88974116c9d0",
			"created_at": "2022-10-25T15:50:23.240383Z",
			"updated_at": "2026-04-10T02:00:05.299433Z",
			"deleted_at": null,
			"main_name": "APT38",
			"aliases": [
				"APT38",
				"NICKEL GLADSTONE",
				"BeagleBoyz",
				"Bluenoroff",
				"Stardust Chollima",
				"Sapphire Sleet",
				"COPERNICIUM"
			],
			"source_name": "MITRE:APT38",
			"tools": [
				"ECCENTRICBANDWAGON",
				"HOPLIGHT",
				"Mimikatz",
				"KillDisk",
				"DarkComet"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "1bdb91cf-f1a6-4bed-8cfa-c7ea1b635ebd",
			"created_at": "2022-10-25T16:07:23.766784Z",
			"updated_at": "2026-04-10T02:00:04.7432Z",
			"deleted_at": null,
			"main_name": "Bluenoroff",
			"aliases": [
				"APT 38",
				"ATK 117",
				"Alluring Pisces",
				"Black Alicanto",
				"Bluenoroff",
				"CTG-6459",
				"Copernicium",
				"G0082",
				"Nickel Gladstone",
				"Sapphire Sleet",
				"Selective Pisces",
				"Stardust Chollima",
				"T-APT-15",
				"TA444",
				"TAG-71",
				"TEMP.Hermit"
			],
			"source_name": "ETDA:Bluenoroff",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775439018,
	"ts_updated_at": 1775826709,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e0578491bd2042d6f2786119b9ae6e67ced49e47.pdf",
		"text": "https://archive.orkl.eu/e0578491bd2042d6f2786119b9ae6e67ced49e47.txt",
		"img": "https://archive.orkl.eu/e0578491bd2042d6f2786119b9ae6e67ced49e47.jpg"
	}
}