The attacker drained tokens in the affected smart contracts. After the initial analysis of the attack transactions, we suspect it’s due to the compromised private key of the developer. The privileged function transferOwnership is invoked to transfer the o…
2021
211 reports
The bZx post-mortem describes a phishing-driven compromise in which a developer’s private keys were stolen, giving the attacker access to bZx deployments on BSC and Polygon while leaving the Ethereum deployment unaffected. The attacker changed proxy targe…
KISA's Operation Bookcodes presentation describes a campaign that began in April 2019 against South Korean maritime, media, and security software targets. The attackers used malicious HWP documents and phishing links to install remote control malware, the…
S2W's Operation Newton presentation describes Kimsuky activity against scientific and engineering researchers using the AppleSeed backdoor. The transcript says the attackers began with spear phishing to steal mail credentials, then used leaked account dat…
NSHC ThreatRecon reports a long-running campaign targeting finance and investment-sector organizations in multiple countries with malicious Word documents disguised as investment, NDA, and company-related files. The documents used remote template injectio…
Telsy analyzes a Kimsuky spear-phishing campaign that delivered a new AppleSeed backdoor variant. The activity is attributed to the North Korean-linked group also tracked as Velvet Chollima, Black Banshee, and Thallium, which commonly uses malicious email…
IBM X-Force identifies ITG03 as a DPRK state-sponsored threat group with significant overlap with the publicly reported Lazarus Group, active since at least 2009. The group has supported North Korean objectives through espionage, sabotage, and asymmetric …
AhnLab describes malicious Word documents that used external template links as an upstream stage before downloading macro-enabled documents and a PE backdoor. The observed chain began with a Word file containing a malicious XML external relationship to kr…
Somansa's report reviews document-based malware attacks by North Korean hacking groups against South Korean targets. It describes Lazarus, Kimsuky, ScarCruft, and Andariel as groups conducting spear-phishing and APT operations against major companies, the…
SBS reported that Daewoo Shipbuilding & Marine Engineering, a South Korean defense contractor that builds naval submarines and Aegis destroyers, had suffered a third hacking incident. A government source said the internal network was compromised in Octobe…
AhnLab reports continued distribution of malicious Word documents containing North Korea-related lure content and macros similar to previously observed samples. Filenames referenced topics such as Chinese military strategy, broadcast questionnaires, polic…
PolyPlay said attackers stole funds after sending a fake exchange listing email tied to a long-standing LinkedIn persona with many executive connections. The archived thread names a hacker wallet, 0x0040c81b7de0953e5b9fc056700479cace1b7500, and says the p…
ASEC found a malicious HWP document disguised as a COVID-19 relief fund personal-information consent form, apparently edited from a legitimate original document. The file used a malicious EPS object containing encoded PostScript and shellcode, reusing mal…
ESRC reported a Thallium campaign targeting North Korea-focused experts with spear-phishing emails disguised as Naver News coverage of condolences for former South Korean president Roh Tae-woo. The sender was spoofed as Naver News using a lookalike naverc…
Our private report gave details about the various droppers along with decoder scripts, as well as analysis of the DStealer backdoor and the large infrastructure we observed associated with the campaign. Last year, we described a campaign attributed to Clo…