Thanks for sharing - this is a great addition.
As we mentioned in the blog, all identified accounts were reported to GitHub and we requested action prior to publication. Some of them have been taken down.
That said, it’s still useful to have this list - in case anyone recognizes past interactions or activity involving these accounts on their side.
Are your remote developers who they say they are? We uncovered a massive network of DPRK IT workers infiltrating companies using synthetic identities, AI-generated interview scripts, and “persona packages”.
Key highlights:
🔹A coordinated ecosystem of fake developer personas operating across GitHub, portfolio sites, and freelancing platforms.
🔹Reusable identity infrastructure including resumes, email accounts, and repositories.
🔹Evidence of AI-assisted job application workflows and templated interview responses.
🔹Archived “persona packages” containing identity documents, portfolio assets, and operational instructions.
🔹Monitoring the activities of a specific intruder “group” from 2021 to March 2026.
#CyberSecurity #ThreatIntel #InsiderThreat #DPRK
Since 2021, North Korean (#DPRK) IT workers have built a sprawling ecosystem of synthetic developer personas complete with AI‑generated photos, overlapping #GitHub repositories, and reusable portfolio sites. Our investigation uncovered a single GitHub account (cybersage14) that switched identities from “Nicolas Sammaritano” (Argentina) to “Caddo Smith” (Texas) while keeping the same technical profile. This is not isolated fraud; it is a structured, labor‑enabled access model designed to infiltrate global companies and evade sanctions. #InsiderThreat
🎉 Our High-Tech Crime Trends 2026 Report is here!
Supply chain attacks have become the dominant force reshaping the global cyber threat landscape.
Group-IB's High-Tech Crime Trends Report 2026 reveals a decisive shift in cybercrime away from isolated intrusions toward ecosystem-wide compromise. Attackers are now exploiting trusted vendors, open-source software, SaaS platforms, and managed service providers to gain inherited access to hundreds of downstream organizations.
Key findings:
🔹 Open-source ecosystems under siege npm and PyPI targeted with stolen credentials and automated malware worms
🔹 Malicious browser extensions weaponized to harvest credentials and hijack sessions
🔹 AI-powered phishing campaigns bypassing MFA through OAuth workflows
🔹 Data breaches triggering multi-tenant, cascading downstream impact
🔹 Industrialized ransomware supply chains coordinating upstream access
"Cybercrime is no longer defined by single breaches. It is defined by cascading failures of trust," said Dmitry Volkov, CEO of Group-IB.
Powered by intelligence from our Digital Crime Resistance Centers across 11 countries and adversary-centric telemetry, this report provides actionable insights for enterprises, governments, and law enforcement.
📥 Download the High-Tech Crime Trends Report 2026 to understand how supply chain compromises unfold and how to disrupt attack chains before damage occurs: https://t.co/uWbRTDNH4q
🔗 Read the full press release: https://t.co/9zKIDPWhl0
#CyberSecurity #SupplyChainAttack #InfoSec #ThreatIntelligence #Ransomware #Phishing #HTCT2026
I with my colleagues from @GroupIB_TI and @GroupIB_DFIR uncover how #UNC2891 is blending stealthy malware, physical infiltration, and money #mule ops to pull off high-impact bank attacks in Southeast Asia.
📌 Key findings:
• Undetected access since 2017
• Rootkits, log wipers, and "magical password" backdoors
• Raspberry Pi planted inside a bank’s ATM switch
• DNS tunneling + OpenVPN for lateral movement
• Money mules recruited via Google ads & guided via TeamViewer
🔖Full report: https://t.co/TQFbpvplIg
#ThreatIntel #CyberCrime #ATM #GroupIB #FinancialThreats
Can one email put billions of weekly downloads at risk?
Yes, it can. That’s how one of the most significant NPM #supplychain incidents to date began. A single #Phishing message disguised as an #NPM security update gave attackers access to a trusted developer account and spread malicious code through 20 popular packages.
In the first post of our new email protection series, Group-IB experts explain how #BusinessEmailProtection could have detected and stopped the message before it ever reached the inbox.
Read the full story: https://t.co/Jww5ARjnme
Group-IB’s Threat Intelligence team has investigated the work of the #Lynx#Ransomware group, unveiling multi-architecture builds (Windows, Linux, ESXi). Their affiliate panel centralizes attack orchestration and data-leak scheduling. #RaaS#CyberSecurity
@cyb3rops Thanks to him for this work. But I'm afraid there is not a full list of addresses, only those who had the "set email-to" parameter, there are also admin emails that are not in this list😶
Group-IB has identified a novel technique not yet included in the #MITRE ATT&CK framework: Code Smuggling using Extended Attributes. We've discovered a new #macOS#trojan, #RustyAttr, developed using the Tauri, originally signed with a leaked certificate (later revoked). #Lazarus
#Lazarus is using "FCCCall," to mimic legit video conferencing as part of attack chains. A new Python script suite, and expanded outreach beyond LinkedIn and Telegram have been identified. Tools #BeaverTail and #InvisibleFerret are in active dev with updates from July-Aug 2024.
The #Lazarus Group shows no signs of easing with their campaign targeting #jobseekers extending to the present day. Group-IB researchers found new updates to their tools and tactic - new suite of Python scripts - #CivetQ, a #Windows and #Python version of #BeaverTail
Group-IB researchers noticed a Windows version of #BeaverTail, which was attributed to #Lazarus. We also discovered that the #javascript version of BeaverTail is now being distributed through trojanised games built with ReactJS and distributed as an NPM-based package.
We continue to see the activity of the Gigabud, which, without slowing down, already has 70+ commands. The #Gigabud mimics legitimate apps, including government and financial institution apps, and abuses screen capturing and #keylogger techniques to #access credentials and more.
Thanks to #ESET for an in-depth overview of activity in the first half of 2024. In our research, we found that impersonations of Ethiopian, South African, Peruvian and Mexican applications are related to #Gigabud.
Check out ESET’s post for more details: https://t.co/50YJdE9qkC
Group-IB TI uncovered a landing page used for distribution of BMANAGER modular #trojan, created by threat actor #Boolka. This page was a test run for a malware delivery platform based on the #BeEF framework. The analysis reveals the complexity of the #malware ecosystem.👇
Discover the latest on #Boolka, a #cyberthreat actor responsible for spreading #malware and stealing data through #webattacks. Learn about Boolka's methods and how we're fighting back. #InfoSec#CyberSecurity
Read More : https://t.co/V7wV7HnkmR
@ValidinLLC@500mk500 Yeah, I see additionally that this certificate with the CN email.instant-patch[.]online has 3 hosts - 104.168.203[.]161, 104.168.157[.]45 and 104.168.203[.]159. Interesting that there is another certificate, but different ports
The #Lazarus group is still active and creates #fake profiles on LinkedIn and Telegram to attract developers to make calls through malicious sites.
Today @MichalKoczwara highlighted the fake NGC Ventures LinkedIn profile. But let's jump deeper to 104.168.157[.]45.
Some fraudulent messages and profiles have been uncovered, but #Lazarus will continue to create new profiles and attempt to compromise new victims.
Examples of revealed scams:
https://t.co/R9ADyKDevY (Fenbushi)
https://t.co/BKjSEcPlDV (Waterdrip)
Rising #Trojan Activity in #APAC: Keep an eye out for #GoldFactory and #Gigabud! These mobile Trojans are increasingly active in the region, posing a significant threat to mobile security.
Following Group-IB's #GoldFactory report, it is clear that situation of mobile threats in #APAC persists. Though the report shared mainly on the "Gold-prefixed" trojans, the prevalence of #Gigabud in the region is not to be overlooked. There are increased sightings of Gigabud, especially in #Vietnam since late 2023 till present.
Often high-profile news about new leaks doesn't bring any reinforcement. You need to approach it with some criticality and check what they have written. Unfortunately, news agencies often don't check data, but that's what we are there for - to filter out and leave only important.
🕵️♀️ Exposing the #DarkWeb deception. Since October 2022, the #ThreatActor known as "resetmyname" has been falsely advertising "unique customer databases" from numerous #banks on various Dark Web platforms. Regularly announcing "new bank customer databases" from many countries around the world, this activity has garnered significant media attention over time. @GroupIB's thorough analysis of all data samples that "resetmyname" has ever published or provided reveals that, in fact, TA has been selling data all this time from the publicly available database of the #BidenCash cardshop, which the cardshop itself published for promotional purposes back in June 2022.
Detailed reports about "resetmyname" and "BidenCash" are available for Group-IB customers.