Saphire.zip Apr 2026

Recent activity from the North Korean threat actor known as has also highlighted high-stakes social engineering campaigns targeting the finance and cryptocurrency sectors.

Once gathered, the data is compressed into a ZIP file and sent to the attacker via SMTP (email), Discord webhooks, or Telegram APIs.

It searches for specific file extensions based on a predefined list to find sensitive documents.