
A North Korea-linked threat actor tracked as UNC4899 has been attributed to attacks on two different organizations in which employees were approached via LinkedIn and Telegram.
"Under the guise of a freelance opportunity for software development work, UNC4899 leveraged social engineering techniques to convince targeted employees to run malicious Docker containers on their respective workstations," Google Cloud said in its Threat Horizons Report for H2 2025 [PDF].
UNC4899 overlaps with activity tracked under the monikers Jade Sleet, PUKCHONG, Slow Pisces and TraderTraitor. The state-sponsored actor, active since at least 2020, is known for targeting the cryptocurrency and blockchain industry.
In particular, the hacking group has been tied to major cryptocurrency heists, including Axie Infinity ($625 million) in March 2022, DMM Bitcoin ($308 million) in May 2024, and Bybit ($1.4 billion) in February 2025.

Another example highlighting that sophistication is the alleged exploitation of JumpCloud's infrastructure to target downstream customers in the cryptocurrency sector.
According to DTEX, TraderTraitor is part of the Third Bureau (or Division) of North Korea's Reconnaissance General Bureau, and is the most prolific of the Pyongyang hacking groups when it comes to cryptocurrency theft.
Attacks mounted by the threat actor have involved job-themed lures, uploading malicious npm packages, offering employees of target companies a lucrative opportunity, or asking them to collaborate on GitHub projects, leading to the execution of rogue npm libraries.

"TraderTraitor shows persistent interest in cloud-centric and cloud-adjacent attack surfaces. Often there is an ultimate goal of compromising companies that are customers of the cloud platform rather than the platform itself."
The attacks observed by Google Cloud targeted each organization's Google Cloud and Amazon Web Services (AWS) environment, paving the way for a downloader called GLASSCANNON, which in turn allowed backdoors such as PLOTTWIST and MAZEWIRE to establish connections with attacker-controlled servers.
In the case involving the Google Cloud environment, the threat actor was found to use stolen credentials to interact remotely via the Google Cloud CLI over anonymous VPN services, and to carry out extensive reconnaissance and credential theft. However, the multi-factor authentication (MFA) configuration applied to the credentials initially thwarted their efforts.
"UNC4899 ultimately determined that the victim's account had administrative privileges on the Google Cloud project and overrode the MFA requirements," Google said. "After successfully gaining access to the targeted resources, they quickly re-enabled MFA to avoid detection."
The intrusion targeting the second victim's AWS environment is said to have followed a similar playbook, but this time the threat actor interacted remotely via the AWS CLI using long-term access keys obtained from the AWS credentials file.
The threat actor ran into access-control obstacles that prevented it from taking sensitive actions, but Google said it found evidence likely indicating the theft of a user's session cookie. The attackers then used these cookies to identify the associated CloudFront configuration and S3 bucket.
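The "disable MFA, act, re-enable MFA" pattern quoted above leaves a recognizable trace in admin audit logs: a short window bounded by two policy changes from the same actor, with sensitive actions in between. The detection below is an added example, not code from Google or the report; it runs over a constructed, simplified record format (the field names `time`, `actor`, `action`, `source` and `resource` are assumptions for illustration, not Google Cloud's actual audit log schema), so adapting it means mapping those fields onto whatever your log pipeline emits.

```python
"""Flag MFA-enforcement windows: the same actor disables MFA enforcement, performs
actions, and re-enables it within a short period. Hypothetical record format."""
from datetime import datetime, timedelta

# Constructed sample events (not real log data). Timestamps are UTC ISO-8601.
SAMPLE_EVENTS = [
    {"time": "2025-06-01T09:00:00Z", "actor": "dev-alice@example.test",
     "action": "login", "source": "198.51.100.7", "resource": "console"},
    {"time": "2025-06-01T09:05:00Z", "actor": "dev-alice@example.test",
     "action": "mfa_enforcement_disabled", "source": "198.51.100.7", "resource": "org-policy"},
    {"time": "2025-06-01T09:07:00Z", "actor": "dev-alice@example.test",
     "action": "secret_accessed", "source": "198.51.100.7",
     "resource": "projects/demo-project/secrets/wallet-signing-key"},
    {"time": "2025-06-01T09:08:00Z", "actor": "dev-alice@example.test",
     "action": "service_account_key_created", "source": "198.51.100.7",
     "resource": "projects/demo-project/serviceAccounts/deployer"},
    {"time": "2025-06-01T09:12:00Z", "actor": "dev-alice@example.test",
     "action": "mfa_enforcement_enabled", "source": "198.51.100.7", "resource": "org-policy"},
    # A disable with no matching re-enable is a different problem (a policy
    # regression), so it is deliberately not reported as a window here.
    {"time": "2025-06-01T14:00:00Z", "actor": "admin-bob@example.test",
     "action": "mfa_enforcement_disabled", "source": "203.0.113.9", "resource": "org-policy"},
]


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp with a trailing 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def find_mfa_windows(events, max_gap_minutes=120):
    """Return one finding per disable -> re-enable pair by the same actor that
    closes within max_gap_minutes, listing that actor's actions in between."""
    ordered = sorted(events, key=lambda e: parse_ts(e["time"]))
    open_disable = {}  # actor -> index of the most recent unmatched disable
    findings = []
    for i, ev in enumerate(ordered):
        if ev["action"] == "mfa_enforcement_disabled":
            open_disable[ev["actor"]] = i
        elif ev["action"] == "mfa_enforcement_enabled" and ev["actor"] in open_disable:
            j = open_disable.pop(ev["actor"])
            gap = parse_ts(ev["time"]) - parse_ts(ordered[j]["time"])
            if gap > timedelta(minutes=max_gap_minutes):
                continue  # slow, deliberate policy change; not the pattern we want
            between = [e for e in ordered[j + 1:i] if e["actor"] == ev["actor"]]
            findings.append({
                "actor": ev["actor"],
                "opened": ordered[j]["time"],
                "closed": ev["time"],
                "minutes": gap.total_seconds() / 60,
                "actions": [e["action"] for e in between],
                "resources": [e["resource"] for e in between],
            })
    return findings


if __name__ == "__main__":
    for f in find_mfa_windows(SAMPLE_EVENTS):
        print(f"{f['actor']} had MFA enforcement off for {f['minutes']:.0f} min; "
              f"actions in window: {', '.join(f['actions'])}")
```

The window length threshold is the main tuning knob: legitimate policy work usually leaves enforcement off for hours or days, while the behaviour described above is measured in minutes. The unmatched disable by `admin-bob` is intentionally left out of this finding type so that it can feed a separate "MFA enforcement still disabled" alert rather than being lost in noise.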

UNC4899 "utilized the access gained to download and swap out existing JavaScript files, replacing them with ones containing malicious code designed to manipulate cryptocurrency functions and trigger transactions from the target organization's cryptocurrency wallet," Google says.
In both cases, the attacks ended with the threat actor successfully siphoning millions of dollars' worth of cryptocurrency, the company added.
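Two details of the AWS intrusion are directly observable in CloudTrail: use of a long-term access key (key IDs beginning with `AKIA`, as opposed to the `ASIA` prefix of temporary STS credentials) and `PutObject` calls that overwrite JavaScript in the S3 bucket that backs a CloudFront distribution. The triage script below is an added example, not Google's or AWS's code; it uses real CloudTrail field names (`eventSource`, `eventName`, `userIdentity.accessKeyId`, `requestParameters.bucketName`/`key`, `sourceIPAddress`) but runs over constructed records, and the bucket name and key IDs are made up for illustration.

```python
"""Triage CloudTrail-style records for long-term key usage and JavaScript
overwrites in a bucket that serves a CloudFront distribution."""

# Constructed: buckets your inventory says are CloudFront origins for web assets.
STATIC_SITE_BUCKETS = {"example-wallet-frontend"}

# Constructed sample records in CloudTrail's shape (not real events).
SAMPLE_CLOUDTRAIL = [
    {"eventID": "e1", "eventSource": "sts.amazonaws.com", "eventName": "GetCallerIdentity",
     "sourceIPAddress": "10.0.0.5",
     "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLETEMP00001"}},
    {"eventID": "e2", "eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLELONGTERM1"}},
    {"eventID": "e3", "eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLELONGTERM1"},
     "requestParameters": {"bucketName": "example-wallet-frontend",
                           "key": "static/js/wallet.bundle.js"}},
    {"eventID": "e4", "eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "sourceIPAddress": "10.0.0.5",
     "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLETEMP00001"},
     "requestParameters": {"bucketName": "example-logs",
                           "key": "2025/06/01/access.log.gz"}},
]


def is_long_term_key(record):
    """IAM user access keys start with AKIA; STS temporary keys start with ASIA."""
    key_id = record.get("userIdentity", {}).get("accessKeyId", "")
    return key_id.startswith("AKIA")


def is_js_overwrite(record):
    """PutObject of a .js key into a bucket known to be a CloudFront origin."""
    if record.get("eventSource") != "s3.amazonaws.com":
        return False
    if record.get("eventName") != "PutObject":
        return False
    params = record.get("requestParameters") or {}
    bucket = params.get("bucketName")
    key = params.get("key", "")
    return bucket in STATIC_SITE_BUCKETS and key.lower().endswith(".js")


def triage(records):
    """Return findings: each record with one or more reasons to look at it."""
    findings = []
    for record in records:
        reasons = []
        if is_long_term_key(record):
            reasons.append("call made with long-term access key")
        if is_js_overwrite(record):
            reasons.append("JavaScript overwritten in CloudFront origin bucket")
        if reasons:
            findings.append({
                "eventID": record["eventID"],
                "eventName": record["eventName"],
                "sourceIPAddress": record.get("sourceIPAddress"),
                "accessKeyId": record.get("userIdentity", {}).get("accessKeyId"),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_CLOUDTRAIL):
        print(finding["eventID"], finding["eventName"], finding["sourceIPAddress"],
              "->", "; ".join(finding["reasons"]))
```

One caveat matters in practice: object-level `PutObject` calls only appear in CloudTrail when S3 data events are enabled for the bucket (they are not part of management-event logging), so the second check is silent unless that logging is turned on for your static-site origins. Pairing the JavaScript-overwrite finding with a Subresource Integrity or content-hash check on the deployed bundle gives a second, independent signal.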

The development comes as Sonatype said it flagged and blocked 234 unique malicious npm and PyPI packages between January and July 2025 that are attributed to North Korea's Lazarus Group. Some of these libraries are configured to drop a known credential stealer called BeaverTail, which is associated with the years-long Contagious Interview campaign.
"These packages mimic popular developer tools, but act as espionage implants designed to steal secrets, profile hosts and open persistent backdoors into critical infrastructure," the software supply chain security company said. "The surge in activity in H1 2025 shows a strategic pivot. Lazarus is embedding malware directly into open source package registries, namely npm and PyPI, at an incredible rate."