Security Firm: Suspected North Korean Hacker Group Collaborates to Attack Cryptocurrency Company and Steal Keys and Cloud Assets

BlockBeats News, March 9th: Security research firm Ctrl-Alt-Intel disclosed that a group of hackers suspected to be related to North Korea launched attacks against a staking platform, exchange software providers, and cryptocurrency exchanges. The attackers exploited the React2Shell vulnerability (CVE-2025-55182) and compromised AWS access credentials to infiltrate the cloud environment, enumerate resources such as S3, EC2, RDS, EKS, and ECR, and extract keys and credentials from Secrets Manager, Terraform files, Kubernetes configurations, and Docker containers.

Researchers stated that the attackers downloaded 5 Docker images and stole source code, including ChainUp client-related software components. The attack infrastructure involved a South Korean server 64.176.226[.]36 and the domain name itemnania[.]com. The report noted that the activity aligns with North Korea-related attack patterns, but the attribution confidence is moderate, and the source of the AWS credentials is unclear.
