ESRC reports that the Kimsuky/Thallium group continued using Windows Script File (.wsf) delivery in a Blue Estimate campaign with COVID-19-themed lure content. The script drops a decoy HWP document and a Base64-encoded patch.dll under ProgramData\Software…
AhnLab reports a maritime-themed malicious HWP that belongs to a broader set of recent HWP lure categories and changes its EPS pattern by leaving the EPS code unencoded, likely to vary detection. When the shellcode executes, it creates security.vbs under …
The available excerpt is an outline for a Korean TTP report about building an attack chain that uses spear phishing to collect information. It frames the activity across MITRE ATT&CK stages including initial access, execution, persistence, privilege escal…
The supplied excerpt does not contain recoverable DPRK, Lazarus, Kimsuky, Andariel, APT37, or APT38 threat reporting. Instead, it is a 2026 comparison of virtual data room providers, describing evaluation criteria, review sources, pricing, compliance, zer…
ThreatConnect identified an additional malware sample likely associated with Kimsuky, a DPRK-based group, because its behavior matched earlier AutoUpdate-linked activity. The sample shared a string deobfuscation routine and specific URL-parameter behavior…
ClearSky describes CryptoCore, also called Crypto-gang, Dangerous Password or Leery Turtle, as a persistent threat actor targeting cryptocurrency exchanges since at least 2018. The report says the group focused mainly on exchanges in the United States and…
AhnLab ASEC reported HWP malware distributed around South Korea’s academic conference season, including an online conference support-themed lure document. The document exploited the EPS vulnerability CVE-2017-8291 and used Windows utilities such as forfil…
ClearSky profiles CryptoCore, a financially motivated group targeting cryptocurrency exchanges and related supply-chain entities, mainly in the United States and Japan, since at least 2018. The group’s objective is access to exchange wallets and password …
IssueMakersLab reported that North Korea's Lazarus Group registered a malicious HWP document in a Korean Academy of Medical Sciences website notice. The lure was described as a notice about temporary permission for online academic conferences, and the pos…
The recovered excerpt does not preserve the Hidden Cobra article body and instead shows a ReversingLabs blog index with multiple unrelated security headlines. The only concrete CTI item visible is a headline about 56 npm packages using binding.gyp to stea…
ESRC found multiple malicious files impersonating South Korea's Blue House security email and attributed them to Kimsuky's Blue Estimate campaign. The attack used a Windows Script File, bmail-security-check.wsf, containing Base64-encoded components that d…
ThreatConnect highlighted a suspected Kimsuky AutoUpdate malware sample connected to behavior described in ESTsecurity’s Operation Blue Estimate reporting. The source says the earlier file C315DE8AC15B51163A3BC075063A58AA was identified as a downloader, a…
A critical bug in three newly deployed Bancor Network smart contracts caused direct-swap users to grant infinite ERC-20 approvals to a vulnerable contract, allowing approved tokens to be withdrawn from their wallets. Bancor and suspected white hats began …
CYFIRMA reported that North Korea-sponsored Lazarus operators were planning a large COVID-19 themed phishing campaign against more than five million individuals and businesses. The planned lures impersonated government agencies, departments, and trade ass…
ESET described Operation In(ter)ception, targeted attacks against aerospace and military companies in Europe and the Middle East observed from September to December 2019. The attackers used fake LinkedIn recruiter personas and bogus job offers to deliver …