JPCERT/CC analyzes BLINDINGCAN, a Lazarus/Hidden Cobra malware family loaded through a DLL after network intrusion. The malware stores encrypted configuration in the sample, a nearby file, or a registry value under HKLM\SOFTWARE\Microsoft\Windows\CurrentV…
ThreatConnect believes that Kimsuky will continue to target journalism and civil society organizations, particularly those focusing on North Korean issues. Researching both the attacker’s infrastructure and tooling, we believe the nexus of the attack to b…
T1566.003 – Phishing: Spearphishing via Service The Lazarus Group gained initial access to the target organization by sending a phishing document to a systems administrator via their personal LinkedIn account. To demonstrate this, we downloaded and execut…
NICKEL ACADEMY is Sophos reporting on North Korean Reconnaissance General Bureau cyber operations that are not assigned to a narrower subgroup. The profile says the activity has operated since at least 2009, with South Korean government and commercial org…
Our findings show that the APT group uses separate infrastructure for hosting phishing and C2 servers, which have links to the DPRK-based Lazarus APT group and the CryptoCore APT group involved in compromising multiple cryptocurrency exchanges. The APT group uses spe…
Intel 471 evaluates public claims that DPRK threat actors, including Lazarus-linked operators, have relationships with elite Russian-speaking cybercriminal ecosystems such as TrickBot, TA505, and Dridex. The source argues that DPRK actors are likely activ…
Intezer surveys the rise of Linux-targeting APT campaigns and identifies North Korea as one of the major nation-state origins, alongside China, Russia, and the United States, in documented Linux espionage tooling from the prior decade. The source does not…
Vitali Kremez's x33fcon presentation examines a possible link between TrickBot's Anchor activity and North Korea's Lazarus ecosystem, framing it as convergence between high-end crimeware and state-backed operations. The source highlights TrickBot, QakBot …
Hackers compromised Slovakian cryptocurrency exchange Eterbase and stole about $5.4 million from six internet-connected hot wallets holding Bitcoin, Ethereum, XRP, Tezos, Algorand, and TRON. Eterbase tracked the stolen funds toward other cryptocurrency ex…
Unibright said a recovery key for one of its company HD wallets was exposed, enabling unauthorized access to token lock contracts tied to that wallet. The attacker called transfer functions on the lock contracts and moved 1.93 million locked UBT, along wi…
Eterbase said its investigation into the September 2020 hack was continuing with support from Uppsala Security, Coinfirm, and legal representatives who filed a criminal complaint with Slovakia’s National Criminal Agency. The notice published wallet addres…
The source analyzes attacker malware tradecraft through a MITRE ATT&CK-oriented lens, focusing on how malware is used after execution to retrieve additional scripts from command-and-control infrastructure, inject DLLs into privileged processes, and collec…
We identified a first-of-its-kind possible collaboration between crimeware organization TrickBot and North Korean advanced persistent threat (APT) group Lazarus. The research is evidence of "Anchor Project" tools being used to deploy malware possibly asso…
We’ll describe how, from signaturing the cryptographic routines used in TrackDrop, we were able to map out an extensive range of tools that it has delivered to Lazarus’ targets. In this talk, we will take attendees on our journey analysing the Dtrack remo…
North Korea-linked RGB-D3 malware was distributed with a lure themed around a General Dynamics Mission Systems job description. The archived evidence is limited, but the theme points to defense-sector social engineering against users interested in a major…