ClearSky assesses with medium-high confidence that the CryptoCore campaign targeting cryptocurrency exchanges is linked to North Korea’s Lazarus group. The activity, also tracked as CryptoMimic or Dangerous Password, targeted exchanges in Israel, the Unit…
2021 (211 reports)
BBC’s S1.6 Cyber slaves episode page describes North Korean hackers living a double life overseas and references a “hacker hotel.” The excerpt provides operational context rather than malware or IOC detail, highlighting how overseas personnel and controll…
Macnica Networks and TeamT5’s 2020 Japan APT landscape report is a broad espionage study of attacks against Japanese organizations, but its DPRK-relevant material includes a dedicated “CloudDragon (Kimsuky)” section under new TTPs and RATs. The excerpt fr…
ThreatBook reports a Konni APT campaign using North Korea-related geopolitical lures against Russian-facing organizations. The spear-phishing documents used Russian-language themes such as sanctions’ impact on the DPRK situation and proposals for resolvin…
FinNexus said its ERC-20 contract was hacked after control of the FNX smart contract moved to an unknown wallet on Ethereum and Binance Smart Chain. The new owner minted 323 million FNX on Ethereum and 60 million FNX on BSC, then sold tokens for Ethereum …
BBC’s S1.5 Cyber warriors episode page focuses on North Korean surveillance, state control, executions, and how hackers are trained. The excerpt is not a technical intrusion report, but it provides context for the human pipeline and state environment behi…
ESRC warns that Thallium used malicious documents themed around North Korean denuclearization and a constitutional academic forum as spear-phishing lures ahead of the U.S.–South Korea summit. The source says the lures targeted people working on diplomacy,…
QiAnXin RedDrip analyzes activity suspected to involve Lazarus using Korean-language lures tied to Daewoo Shipbuilding, resident registration forms, and related East Asian themes. The samples used VBA macros to display decoy content, extract an HTA/JavaSc…
BBC’s S1.4 Billion dollar hack page describes the Bangladesh Bank-style Lazarus Heist narrative as a faulty printer, an empty room, and one of the most daring cyber thefts attempted. The surrounding playlist ties this episode to North Korea-linked financi…
TeamT5's CloudDragon presentation distinguishes the group from other DPRK clusters and frames it as part of the public Kimsuky activity set. The transcript describes CloudDragon targeting South Korea, the United States, Japan, Europe, and sectors includin…
The CloudDragon report describes an APT intrusion playbook built around supply-chain compromise, phishing, and mobile targeting. The presentation highlights malware and tooling associated with the activity, including JamBog or AppleSeed, DongMulRAT, GoldD…
ESRC attributes a malicious file masquerading as a 2021 Ministry of Foreign Affairs overseas-mission service survey/news document to the North Korea-backed Thallium group. The JSE-based package dropped a decoy PDF plus encoded files under C:\ProgramData\ …
The source links Unit180/Lazarus targeting of Japan to the VSingle and ValeforBeta malware families and compares them with Torisma and LCPDot from Operation Dream Job. The analysis says both malware samples share exported functions and DllEntryPoint logic…
The source describes Kimsuky activity using a new Android component associated with AppleSeed/AutoUpdate and disguised as a KISA mobile security-check application to target selected South Korean victims. The APK collected Android device information, conta…