AhnLab observed AppleSeed malware being distributed against a maintenance contractor for a specific military unit, using a password-protected Excel file named to resemble an installation schedule for that unit. The source identifies AppleSeed as a backdoo…
2022
296 reports
Securonix tracked STIFF#BIZON as an ongoing campaign against high-value targets including the Czech Republic and Poland, with some observed artifacts and tradecraft associated with Konni activity linked in the report to North Korea’s APT37. The intrusion …
ESET analyzed CloudMensis, a macOS spyware family discovered in April 2022 that uses public cloud storage services such as pCloud, Yandex Disk, and Dropbox for command exchange and data exfiltration. The malware follows a two-stage flow in which a downloa…
360 attributed a 2022 campaign to Lazarus/APT-C-26 that used fake Alibaba-related components to target specific users, with observed victimology including South Korean software company Hancom Secure. The loader registered persistence through counterfeit c…
Merkle Science analyzes the June 2022 Harmony Horizon bridge exploit, in which roughly $100 million in assets including WETH, SUSHI, AAVE, DAI, USDT, and USDC were stolen from bridge infrastructure. The attacker swapped stolen tokens into ETH, broke more …
Harmony's rolling incident update documents the June 23, 2022 Horizon Bridge hack, in which approximately $100 million was stolen through 11 unauthorized transactions from the Ethereum side of the bridge. The incident response found no evidence of smart-c…
Microsoft attributed H0lyGh0st ransomware activity to DEV-0530, a North Korea-origin threat cluster later tracked as Storm-0530, and observed compromises of small and midsize businesses in multiple countries from at least September 2021. The group encrypt…
Proofpoint observed state-aligned APT activity targeting journalists and media organizations, including a North Korea-aligned TA404 campaign in early 2022 against a US-based media organization. The TA404 activity used job opportunity-themed phishing after…
The translated JPCERT/CC analysis links YamaBot to Lazarus activity and describes the malware as a Go-based tool targeting both Windows and Linux environments. YamaBot communicates with C2 servers through HTTP requests, using a Base64-encoded User-Agent a…
Hauri analyzed a dropper disguised as an ipTIME router firmware update that displayed a fake upgrade window while executing malicious activity in the background. The malware decrypted embedded data, created a mutex named like a Windows update artifact, wr…
HackerNoon explains the Harmony Horizon Bridge incident as a cross-chain bridge attack in which about $100 million in altcoins was siphoned from the bridge and swapped for ETH. The source frames a blockchain bridge as a mint-and-burn mechanism that locks …
The FBI, CISA, and Treasury reported that North Korean state-sponsored actors had used Maui ransomware since at least May 2021 against Healthcare and Public Health sector organizations. The intrusions encrypted servers supporting electronic health records…
Stairwell's Maui ransomware report provides a reverse-engineering analysis of a lesser-known ransomware family first collected in April 2022. Maui appears manually operated: an attacker supplies a target path at execution time, and the malware encrypts se…
Recently, the VSingle malware used by Lazarus has been updated to retrieve C2 server information from GitHub. Some types of malware use DGA, obfuscate destination information, or contain fake…