Microsoft described legal and technical action against Thallium, a North Korea-linked threat group that used a network of domains to support credential theft and malware operations. A U.S. court order enabled Microsoft to take control of 50 domains used b…
Igloo analyzed Korean Hangul word processor document malware collected in 2019, emphasizing attacks against domestic Korean users through spearphishing documents that can appear normal while executing hidden payloads. The technical sections describe PostS…
QiAnXin's RedDrip team analyzed Android malware activity targeting users in South Korea with fake versions of common mobile apps such as KakaoTalk. Delivery used SMS or instant-message short links that led either directly to malicious APKs or to fake app-…
360 Netlab analyzed Dacls, a dual-platform RAT family for Linux and Windows that it assessed as potentially linked to Lazarus Group based on related samples, shared C2 instruction codes, VirusTotal/community references, and infrastructure associated with …
360 Netlab analyzed Dacls, a modular RAT family with both Linux and Windows variants that the researchers assessed as likely linked to Lazarus Group based on related samples, C2 references, and open-source attribution context. The investigation began with…
Merkle Science tracked the movement of funds from the November 27, 2019 Upbit cryptocurrency-exchange breach, in which 342,000 ETH, worth about US$50 million at the time, was transferred from Upbit's hot wallet to a hacker-controlled Ethereum address. The…
ESTsecurity analyzed a Konni-attributed APT case involving a malicious Hangul document themed around a legal dispute involving a Gwangju plastic surgery clinic. The report assesses that the document was likely delivered through spear phishing and used HWP…
AhnLab reported a malicious HWP file tied to the Konni cluster and the Operation MoneyHolic activity set. The lure was presented as a legal response document for a private hospital lawsuit and contained a malicious PostScript object. Shellcode analysis le…
CoinBene suffered a March 2019 cryptocurrency theft involving 107 ERC-20-based assets valued at about 5.8 billion KRW. The stolen funds moved from attacker wallets into Huobi and EtherDelta, after which about 10,817 ETH was consolidated through 0x6bbd2c90…
Cybereason reported targeted campaigns against financial, manufacturing, and retail organizations in the United States and Europe that began with phishing and TrickBot infection before progressing into interactive intrusion activity. The phishing lure use…
SentinelOne traces the evolution of high-end crimeware from GameOver Zeus through Dridex, Dyre, and TrickBot, emphasizing how service models blurred lines between specialized banking malware, ransomware delivery, and APT-style operations. The excerpt desc…
K7 Computing describes a Lazarus-attributed macOS campaign using a Trojanized UnionCryptoTrader cryptocurrency trading application distributed from unioncrypto.vip. The installer abused a post-install shell script to move a LaunchDaemon plist and loader i…
ESTsecurity attributed the Blue Estimate activity to the Kimsuky group after comparing the malware and social-engineering patterns with earlier Kimsuky operations such as Cobra Venom and Fake Capsule. The campaign used political and social themes as lures…
Kaspersky’s 2019 APT review highlights several major developments across the threat landscape, including supply-chain compromise, public leaks of alleged Iranian activity, legacy tool disclosures, and expanding mobile implant use. The excerpt describes Op…
The analysis examines a Windows executable disguised as a Korean HWP quotation document for a Vietnam Nokjiwon and Sangchunjae event. When run, the dropper writes a decoy HWP file and a DLL named NewAct.dat, then invokes the DLL through regsvr32.exe and i…