UNC4899 Used AirDrop File Transfer and Cloud Exploits to Steal Millions From Crypto Firm
Briefly

"This incident is notable for its blend of social engineering, exploitation of personal-to-corporate device peer-to-peer (P2P) data transfer mechanisms, workflows, and eventual pivot to the cloud to employ living-off-the-cloud (LOTC) techniques."
"Upon gaining access to the cloud environment, the attackers are said to have abused legitimate DevOps workflows to harvest credentials, break out of the confines of containers, and tamper with Cloud SQL databases to facilitate the cryptocurrency theft."
"Using their AI-assisted Integrated Development Environment (IDE), the victim then interacted with the archive's contents, eventually executing the embedded malicious Python code, which spawned and executed a binary that masqueraded as the Kubernetes command-line tool."
UNC4899, a North Korean state-sponsored group, carried out a multi-stage attack against a cryptocurrency organization in 2025. The campaign began with social engineering of a developer, who was lured into downloading a malicious archive posing as an open-source project onto a personal device and then moved it to a corporate machine via AirDrop, a peer-to-peer path that never crosses the corporate network perimeter and so is invisible to the download and mail controls deployed there. Opening the archive in an AI-assisted IDE led to the execution of embedded malicious Python code, which dropped a backdoor masquerading as the Kubernetes command-line tool (kubectl). That foothold gave the attackers access to the corporate network and from there to the cloud environment, where they abused legitimate DevOps workflows to harvest credentials, escape container restrictions and modify Cloud SQL databases to facilitate the cryptocurrency theft.
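To make the "binary masquerading as kubectl" stage of this chain something a detection team can hunt for, here is an added example (not code from the article or from the researchers it cites) of a small Python hunt over process-start telemetry. The log schema, the SHA-256 placeholders, the managed install directories and the list of suspicious parent processes are all assumptions constructed for illustration; a real deployment would populate the hash allowlist from the kubectl release checksums actually rolled out to the fleet.

```python
"""Hunt for a binary masquerading as kubectl in process-start telemetry.

Added example, not code from the article. Everything below (log schema,
hashes, paths, allowlists) is constructed for illustration. The logic mirrors
the chain the article describes: Python code run from a developer's IDE
spawned a binary posing as the Kubernetes CLI. We flag 'kubectl' executions
whose hash is not an approved build, whose path is outside the managed install
locations, or whose parent is a script interpreter or IDE rather than a shell.
"""
import json
import os

# Constructed placeholders, not real kubectl hashes.
KNOWN_HASH = "ab" * 32
UNKNOWN_HASH = "cd" * 32

# Hypothetical allowlist of SHA-256 digests for the kubectl builds the fleet deploys.
KNOWN_KUBECTL_SHA256 = {KNOWN_HASH}
# Directories where endpoint management installs kubectl (assumed for this example).
MANAGED_KUBECTL_DIRS = {"/usr/local/bin", "/opt/homebrew/bin"}
# Parents that should not normally exec kubectl directly on a developer workstation.
SUSPICIOUS_PARENTS = {"python", "python3", "node", "Code Helper", "Cursor Helper"}

# Constructed EDR-style process-start events as JSON lines (not real telemetry).
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"ts": "2025-01-14T09:02:11Z", "host": "dev-mac-07", "user": "alice",
     "path": "/usr/local/bin/kubectl", "sha256": KNOWN_HASH, "parent": "zsh",
     "cmdline": "kubectl get pods -n payments"},
    {"ts": "2025-01-14T09:17:45Z", "host": "dev-mac-07", "user": "alice",
     "path": "/Users/alice/Downloads/oss-tool/.venv/bin/kubectl",
     "sha256": UNKNOWN_HASH, "parent": "python3", "cmdline": "kubectl"},
    {"ts": "2025-01-14T09:18:02Z", "host": "dev-mac-07", "user": "alice",
     "path": "/usr/local/bin/kubectl", "sha256": KNOWN_HASH, "parent": "python3",
     "cmdline": "kubectl version --client"},
    {"ts": "2025-01-14T09:20:30Z", "host": "dev-mac-07", "user": "alice",
     "path": "/Users/alice/bin/helm", "sha256": UNKNOWN_HASH, "parent": "zsh",
     "cmdline": "helm list"},
])


def classify(event):
    """Return the reasons a process-start event looks like a fake kubectl.

    An empty list means the event is not a kubectl execution or passes all checks.
    """
    path = event["path"]
    if os.path.basename(path) != "kubectl":
        return []
    reasons = []
    if event["sha256"] not in KNOWN_KUBECTL_SHA256:
        reasons.append("unknown kubectl hash")
    if os.path.dirname(path) not in MANAGED_KUBECTL_DIRS:
        reasons.append(f"kubectl outside managed dirs: {path}")
    if event["parent"] in SUSPICIOUS_PARENTS:
        reasons.append(f"spawned by {event['parent']}")
    return reasons


def hunt(jsonl):
    """Parse JSON-lines telemetry and return the suspicious kubectl executions."""
    findings = []
    for line in jsonl.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        reasons = classify(event)
        if reasons:
            findings.append({
                "ts": event["ts"], "host": event["host"], "user": event["user"],
                "path": event["path"], "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f["ts"], f["host"], f["user"], f["path"], "; ".join(f["reasons"]))
```

On the constructed sample, the second event (a "kubectl" living under a downloaded project's virtualenv, with an unknown hash, spawned by python3) trips all three checks and is the shape of what the article describes. The third event trips only the parent check: the genuine binary called from Python is common in legitimate automation, so it is a lower-severity lead rather than an alert on its own. Keying the strongest check on a hash allowlist rather than on the file name is the point; a masquerading binary can copy the name and even the path, but not the digest of the build you actually ship.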
Read at The Hacker News