Author: anonymousmedia_tal70o

In 2006, Palm Beach police were investigating the disgraced financier for the alleged sexual exploitation of underage girls. The case was later turned over to federal prosecutors, who in 2008 made a controversial plea deal with Epstein that included a non-prosecution agreement that protected him from more serious charges.

In a statement to the BBC, a justice department official said: “We are not aware of any corroborating evidence that the president contacted law enforcement 20 years ago.”

At the White House briefing on Tuesday, Press Secretary Karoline Leavitt was asked about the reported call and said it “may or may not have happened in 2006. I don’t know the answer.”

“What President Trump has always said is that he kicked Jeffrey Epstein out of his Mar-a-Lago club because Jeffrey Epstein was a creep,” she said. “And that remains true in this call. If it did happen it corroborates exactly what President Trump has said from the beginning.”

The BBC has also contacted Reiter for comment.

Trump and Epstein socialised and appeared in photographs together in the 1990s, but the president and the White House have repeatedly said he was in the dark about Epstein’s crimes before he broke off contact with him in around 2004 – years before he was first arrested.

Trump has said their falling out came after he learned Epstein had been trying to “steal” his employees from Mar-a-Lago.

“When I heard about it, I told him, we don’t want you taking our people,” Trump said in July. “He was fine and then not too long after that he did it again and I said ‘outta here’.”

Reports of the alleged call came after Maxwell – who is serving a 20-year prison sentence for recruiting teenage girls to be sexually abused by Epstein – testified virtually before the US House Oversight Committee on Monday.

During the closed-door deposition, Maxwell refused to answer questions and pleaded the Fifth Amendment, invoking her right to remain silent, Oversight Committee chairman James Comer said.

Maxwell’s lawyer claimed she was “prepared to speak fully and honestly if granted clemency by President Trump”.

Trump has said he has not thought about giving a pardon to Maxwell.

“At a time when silence would have been easier, he chose to speak out against corruption and nepotism that continue to undermine the promise of independence,” Andrease Ethan Mathibela, national chairman of the influential Zimbabwe National Liberation War Veterans Association, said.

The information technology (IT) workers associated with the Democratic People’s Republic of Korea (DPRK) are now applying to remote positions using real LinkedIn accounts of individuals they’re impersonating, marking a new escalation of the fraudulent scheme.

“These profiles often have verified workplace emails and identity badges, which DPRK operatives hope will make their fraudulent applications appear legitimate,” Security Alliance (SEAL) said in a series of posts on X.

The IT worker threat is a long-running operation mounted by North Korea in which operatives from the country pose as remote workers to secure jobs in Western companies and elsewhere under stolen or fabricated identities. The threat is also tracked by the broader cybersecurity community as Jasper Sleet, PurpleDelta, and Wagemole.

The end goal of these efforts is two-pronged: to generate a steady revenue stream to fund the nation’s weapons programs, conduct espionage by stealing sensitive data, and, in some cases, take it further by demanding ransoms to avoid leaking the information.

Last month, cybersecurity company Silent Push described the DPRK remote worker program as a “high-volume revenue engine” for the regime, enabling the threat actors to also gain administrative access to sensitive codebases and establish living-off-the-land persistence within corporate infrastructure.

“Once their salaries are paid, DPRK IT workers transfer cryptocurrency through a variety of different money laundering techniques,” blockchain analysis firm Chainalysis noted in a report published in October 2025.

“One of the ways in which IT workers, as well as their money laundering counterparts, break the link between source and destination of funds on-chain, is through chain-hopping and/or token swapping. They leverage smart contracts such as decentralized exchanges and bridge protocols to complicate the tracing of funds.”

To counter the threat, individuals who suspect their identities are being misappropriated in fraudulent job applications are advised to consider posting a warning on their social media accounts, along with listing their official communication channels and the verification method to contact them (e.g., company email). 

“Always validate that accounts listed by candidates are controlled by the email they provide,” Security Alliance said. “Simple checks like asking them to connect with you on LinkedIn will verify their ownership and control of the account.”

The disclosure comes as the Norwegian Police Security Service (PST) issued an advisory, stating it’s aware of “several cases” over the past year where Norwegian businesses have been impacted by IT worker schemes.

“The businesses have been tricked into hiring what likely North Korean IT workers in home office positions,” PST said last week. “The salary income North Korean employees receive through such positions probably goes to finance the country’s weapons and nuclear weapons program.”

Running parallel to the IT worker scheme is another social engineering campaign dubbed Contagious Interview that involves using fake hiring flows to lure prospective targets into interviews after approaching them on LinkedIn with job offers. The malicious phase of the attack kicks in when individuals presenting themselves as recruiters and hiring managers instruct targets to complete a skill assessment that eventually leads to them executing malicious code.

In one case of a recruiting impersonation campaign targeting tech workers using a hiring process resembling that of digital asset infrastructure company Fireblocks, the threat actors are said to have asked candidates to clone a GitHub repository and run commands to install an npm package to trigger malware execution.

“The campaign also employed EtherHiding, a novel technique that leverages blockchain smart contracts to host and retrieve command-and-control infrastructure, making the malicious payload more resilient to takedowns,” security researcher Ori Hershko said. “These steps triggered the execution of malicious code hidden within the project. Running the setup process resulted in malware being downloaded and executed on the victim’s system, giving the attackers a foothold in the victim’s machine.”

In recent months, new variants of the Contagious Interview campaign have been observed using malicious Microsoft VS Code task files to execute JavaScript malware disguised as web fonts that ultimately lead to the deployment of BeaverTail and InvisibleFerret, allowing persistent access and theft of cryptocurrency wallets and browser credentials, per reports from Abstract Security and OpenSourceMalware.

Koalemos RAT campaign

Another variant of the intrusion set documented by Panther is suspected to involve the use of malicious npm packages to deploy a modular JavaScript remote access trojan (RAT) framework dubbed Koalemos via a loader. The RAT is designed to enter a beacon loop to retrieve tasks from an external server, execute them, send encrypted responses, and sleep for a random time interval before repeating again.

It supports 12 different commands to conduct filesystem operations, transfer files, run discovery instructions (e.g., whoami), and execute arbitrary code. The names of some of the packages associated with the activity are as follows –

• env-workflow-test
• sra-test-test
• sra-testing-test
• vg-medallia-digital
• vg-ccc-client
• vg-dev-env

“The initial loader performs DNS-based execution gating and engagement date validation before downloading and spawning the RAT module as a detached process,” security researcher Alessandra Rizzo said. “Koalemos performs system fingerprinting, establishes encrypted command-and-control communications, and provides full remote access capabilities.”

Labyrinth Chollima Segments into Specialized Operational Units

The development comes as CrowdStrike revealed that the prolific North Korean hacking crew known as Labyrinth Chollima has evolved into three separate clusters with distinct objectives and tradecraft: the core Labyrinth Chollima group, Golden Chollima (aka AppleJeus, Citrine Sleet, and UNC4736), and Pressure Chollima (aka Jade Sleet, TraderTraitor, and UNC4899).

It’s worth noting that Labyrinth Chollima, along with Andariel and BlueNoroff, are considered to be sub-clusters within the Lazarus Group (aka Diamond Sleet and Hidden Cobra), with BlueNoroff splintering into TraderTraitor and CryptoCore (aka Sapphire Sleet), according to an assessment from DTEX.

Despite the newfound independence, these adversaries continue to share tools and infrastructure, suggesting centralized coordination and resource allocation within the DPRK cyber apparatus. Golden Chollima focuses on consistent, smaller-scale cryptocurrency thefts in economically developed regions, whereas Pressure Chollima pursues high-value heists with advanced implants to single out organizations with significant digital asset holdings.

New North Korea Clusters

On the other hand, Labyrinth Chollima’s operations are motivated by cyber espionage, using tools like the FudModule rootkit to achieve stealth. The latter is also attributed to Operation Dream Job, another job-centred social engineering campaign designed to deliver malware for intelligence gathering.

“Shared infrastructure elements and tool cross-pollination indicate these units maintain close coordination,” CrowdStrike said. “All three adversaries employ remarkably similar tradecraft – including supply chain compromises, HR-themed social engineering campaigns, trojanized legitimate software, and malicious Node.js and Python packages.”