Elliptic traced the June 2022 Horizon Bridge theft, in which more than $100 million in cryptoassets was converted to 85,837 ETH and routed through Tornado Cash. The firm assessed Lazarus Group involvement as plausible but not proven, citing the bridge-the…
2022 (296 reports)
AhnLab observed AppleSeed malware being distributed in files disguised as purchase orders and approval documents, with the backdoor identified as a tool mainly used by the Kimsuky group. The JSE lure drops both an AppleSeed DLL and a decoy purchase-order …
JPCERT/CC attributes YamaBot use to the Lazarus attack group and describes recently observed Windows variants alongside earlier Linux samples. YamaBot is written in Go and communicates with C2 servers over HTTP, sending Base64-encoded User-Agent data and …
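The YamaBot entry above notes that the implant carries Base64-encoded data in the HTTP User-Agent header. A quick way to hunt for that pattern in proxy or web-server logs is to flag User-Agent values that are syntactically valid Base64 and decode to mostly printable text, since browsers and common tools never send such a header. The script below is an added example written for this page, not JPCERT/CC's code and not derived from YamaBot samples; the log line format and the sample lines (including the encoded host/user string) are constructed here for illustration.

```python
"""Hunt for Base64-looking User-Agent headers in constructed proxy log lines (added example)."""
import base64
import binascii
import re

# Constructed beacon payload; real implants choose their own field layout.
_FAKE_BEACON = base64.b64encode(b"hostname=WIN-DESKTOP;user=admin;pid=4188").decode()

# Constructed sample log lines in an assumed format: ts method host path "user-agent".
SAMPLE_LOGS = [
    '2022-07-01T10:00:00Z GET example.test /index.html '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"',
    f'2022-07-01T10:00:05Z POST 203.0.113.10 /update.php "{_FAKE_BEACON}"',
    '2022-07-01T10:00:09Z GET example.test /favicon.ico "curl/7.79.1"',
]

LOG_RE = re.compile(r'^(?P<ts>\S+) (?P<method>\S+) (?P<host>\S+) (?P<path>\S+) "(?P<ua>[^"]*)"$')
# Base64 alphabet only, at least 16 characters, optional padding; no spaces, slashes with dots, or parentheses.
B64_RE = re.compile(r'^[A-Za-z0-9+/]{16,}={0,2}$')


def looks_base64(ua: str) -> bool:
    """True if the User-Agent is strictly decodable Base64 whose plaintext is mostly printable ASCII."""
    if not B64_RE.match(ua) or len(ua) % 4 != 0:
        return False
    try:
        decoded = base64.b64decode(ua, validate=True)
    except (binascii.Error, ValueError):
        return False
    # Beacon stubs usually encode host/user/PID strings as text; binary blobs would fail this ratio.
    printable = sum(32 <= b < 127 for b in decoded)
    return printable / max(len(decoded), 1) > 0.9


def parse_line(line: str):
    """Split one log line into fields, or return None if it does not match the assumed format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_suspicious(lines):
    """Return one record per line whose User-Agent decodes as Base64 text, with the decoded value attached."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and looks_base64(rec["ua"]):
            decoded = base64.b64decode(rec["ua"], validate=True).decode("utf-8", "replace")
            hits.append({"ts": rec["ts"], "host": rec["host"], "ua": rec["ua"], "decoded": decoded})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOGS):
        print(f'{hit["ts"]} {hit["host"]} UA={hit["ua"]} decoded={hit["decoded"]!r}')
```

The regex rejects ordinary browser and tool strings because they contain spaces, dots inside version numbers, or parentheses, so only the constructed beacon line is reported. In production, pair this with an allowlist of known-good User-Agents and with the destination host, since a short alphanumeric vendor string can occasionally satisfy the Base64 grammar by accident.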
Prelude describes an APT38 spear-phishing chain against pharmaceutical companies in 2020 that used ISO containers to bypass Mark-of-the-Web propagation. The tradecraft packages a decoy job-offer PDF with an application inside an ISO built using PackMyPayl…
ESRC reported a North Korea-linked phishing campaign impersonating South Korea’s National Assembly Research Service and targeting professors in defense, diplomacy, security, and politics. The operators first sent consultation-request emails that performed…
Coincub ranks North Korea as the top country for crypto crime, estimating nearly $1.6 billion from at least 15 cases between 2017 and 2022 and later noting Chainalysis data attributing more than 30 hacks to DPRK actors. The North Korea-focused section lin…
NSHC ThreatRecon’s May 2022 monthly report observed 36 threat actor groups, with SectorA activity accounting for the largest share of observed operations. The SectorA section describes five groups active across Romania, Japan, the Netherlands, Spain, Sout…
CertiK analyzes the June 23, 2022 Harmony Horizon Bridge exploit, estimating losses of about $97 million from multiple attack transactions across the bridge between Harmony and Ethereum. The attacker obtained control sufficient to make the MultiSigWallet …
The Harmony Bridge incident drained about $100 million after two addresses in a 2-of-5 multisig were compromised, allowing the attacker to move assets from the ETH, ERC20, BUSD and BSC bridge components. The source lists the compromised signer addresses, …
Cyble analyzed Quantum Software, also called Quantum Builder, a criminal LNK, HTA, and ISO builder advertised with extension spoofing, icon customization, payload URLs, DLL support, UAC-bypass options, and claimed DogWalk exploitation. The observed LNK sa…
SECUINSIDE analyzed malicious HWP documents that abused embedded OLE objects rather than patched HWP vulnerabilities to trigger execution through user clicks. The campaign used spear-phishing emails aimed at people connected to North Korea-related topics,…
ESRC reported a North Korea-linked phishing attack disguised as material for a June 15 Inter-Korean Joint Declaration unification policy forum. The lure impersonated a professor and presented a cloud attachment for a supposed HWP document, then redirected…
Prelude’s TTP Tuesday entry builds a defensive emulation chain for APT38 TraderTraitor tradecraft described by CISA, focusing on fake cryptocurrency trading or price-prediction applications used for initial access. The simulated CryptoSpy application is a…
AhnLab observed an active wave of malicious Hangul Word Processor documents targeting defense, North Korea-related, and broadcasting personnel. The documents abused HWP's OLE object-linking feature to drop and run BAT scripts after user clicks, then launc…
360 attributed multiple first-half 2022 BabyShark component attacks to the Kimsuky organization and linked the malware family to espionage against nuclear security, Korean Peninsula security and cryptocurrency-related targets. The described chain uses mal…