LIFARS analyzed FALLCHILL, a Lazarus Group remote access Trojan used since at least 2016. The sample decrypts runtime strings with XOR and a hard-coded RC4 key, resolves DLL and API names dynamically, and builds a victim ID from OS version, MAC address, h…
North Korea is presented as a state cyber threat that evolved from rudimentary DDoS activity against South Korea into global disruptive, espionage, and financially motivated operations. The excerpt ties Pyongyang’s cyber strategy to asymmetric military do…
IGLOO’s first-half 2021 Kimsuky trend report documents repeated Korea-focused phishing and malware operations that used malicious documents, VBA or PowerShell logic, HWP-delivered DLL/VBS stages, and attacker-controlled web infrastructure to collect host …
NSHC’s July 2021 threat actor report describes SectorA activity relevant to DPRK-focused tracking, including SectorA01 operations seen in the United States, Russia, Taiwan, Sweden, and China using LNK malware disguised as aircraft, blockchain, and develop…
Liquid Exchange lost about $90 million after its warm wallets were compromised, with stolen assets spanning Bitcoin, Ethereum, TRON, XRP, and multiple ERC-20 tokens. Uppsala Security traced the Ethereum-side flow through 25 wallets grouped as initial, swa…
Scorechain summarized the August 2021 Liquid exchange hack, where Liquid said its hot wallets were compromised and more than $90 million in BTC, TRX, XRP, ETH, and ERC-20 tokens was stolen. The exchange halted deposits and withdrawals, moved remaining fun…
ASEC analyzed a malicious Word document disguised as an export gold-bar sales contract and noted links to Kimsuky-related APT activity through the same document-protection password, 1qaz2wsx, used in earlier North Korea-themed malicious Word files. When t…
RokRAT is a closed-source malware family believed to be used exclusively by the North Korean APT37 threat actor, which Volexity tracks as InkySquid. This threat actor compromised a news portal to use recently patched browser exploits to deliver a custom m…
A JavaScript file masquerading as a PDF used a Korean Foreign Ministry newsletter lure to display a benign document while decoding and launching hidden payloads. The infection chain embedded Base64 data, extracted a legitimate lure file and a UPX-packed x…
This blog post was authored by Hossein Jazi. In late July 2021, we identified an ongoing spear phishing campaign pushing Konni Rat to target Russia. Konni was first observed in the wild in 2014 and has been potentially linked to the North Korean APT group …
Merkle Science analyzed the August 2021 Liquid Global breach, where Liquid reported that warm-wallet compromise enabled an unauthorized party to move about $91.35 million in crypto assets. The report says 69 different assets were misappropriated and sent …
Volexity attributes a strategic web compromise of Daily NK to InkySquid, an activity set broadly corresponding to ScarCruft/APT37. From late March through early June 2021, attackers modified legitimate Daily NK JavaScript to redirect selected visitors to …
London's High Court ordered Binance to identify the actors behind a $2.6 million Fetch.ai account compromise and freeze assets tied to the alleged fraud. Fetch.ai said attackers gained access to its Binance accounts on June 6 and, because they could not w…
ESRC reports a spear-phishing attack against South Korean personnel working on North Korea-related issues that impersonated an official from the Ministry of Unification settlement-support office. The lure email used cyber-safety guidance as pretext and pu…