IOC Radar
SHA256MediumSignal 29/100

e1bf1b29e6fa3525d7f32f429290a88d6ea2890e61c06574b8ff6372aa5d0667

Location
Korea, Democratic People's Republic ofKorea, Democratic People's Republic of
First Seen
Jun 9, 2026
Last Seen
Jun 10, 2026
Jun 9
First Seen
7d ago
Jun 10
Last Seen
6d ago
1
Reports
source reports
29%
Confidence
medium
Found in 1 report. Confidence: medium. · Confidence scores are heuristic. Verify before acting on results.
SHA-256 Hash
SHA-256 file hash — primary identifier for malware samples.
MISP Category
Artifacts Dropped
Hash Algorithm
SHA256
Confidence
29%
Signal Score
29 / 100
IDS Rule
No
Threat Context
Tags
MITRE ATT&CK

MITRE ATT&CK TTPs

20 techniques

Feed Intelligence Summary

1 report29% confidence
1
Source reports
29%
Confidence score
Category tags
brute forcecredential stuffingcredential theftcryptocurrencycryptocurrency theftdeveloper targetingeducationfile-hashfinance and insurancegithub repositoriesidentity & access exploitationindicatorinvisible ferretkorea, democratic people's republic ofnorth americaoverlord frameworkresearchedsender ipt1005t1027t1041t1056.002t1059.001t1059.005t1059.006t1070.004t1071.001t1071.004t1082t1140t1176t1204.001t1539t1547.001t1552.001t1555.003t1555.004t1566.002threat actortor nodeunited statesunk_deaddropvisual studio codevsix extensions

Activity Timeline

1 total obs
Jun 10Jun 10

Threat Activity Heatmap

· Peak: 2026-06-10
Less
More
Mon
Wed
Fri
Jun
·
·
Jul
·
·
·
Aug
·
·
·
Sep
·
·
·
·
Oct
·
·
·
Nov
·
·
·
Dec
·
·
·
·
Jan
·
·
·
Feb
·
·
·
Mar
·
·
·
·
Apr
·
·
·
May
·
·
·
Jun
·
24h
0
Dormant
7d
1
Minimal
30d
1
Minimal
3mo
1
Minimal
Threat ScoreLow Risk
29
SIGNAL
Signal Score
29%
Confidence
1
Reports
First seenJun 9, 2026
Last seenJun 10, 2026

VirusTotal

Not checked

WHOIS

description
Since at least 2022, North Korea-aligned threat actors have made a concerted effort not only to target cryptocurrency and decentralized finance organizations, but specifically to target developers using fake recruiter personas, malicious npm/PyPI packages (TraderTraitor / Jade Sleet), and trojanized cryptocurrency trading applications (AppleJeus / Citrine Sleet). These often masquerade as technical assessments or coding challenges and use techniques such as ClickFix or abusing Visual Studio Code’s features to execute malware. Approaches often occur over LinkedIn, Slack, Telegram, or in a multi-platform manner, with a consistent aim of targeting developer assets such as API tokens, cryptocurrency wallets, and credentials.

Export & API

STIX 2.1 Bundle
CSV Export
Permalink

IOC Journey

medium
First detected 7 days ago · Last seen 6 days ago
Appeared in 1 threat report