AhnLab reports that Gwisin ransomware was increasingly targeting Korean companies with company-specific deployments rather than broad opportunistic infection. The malware is delivered as an MSI containing a DLL that requires a special execution argument, …
Rekt reported that the Nomad Bridge lost about $190 million after a June upgrade left the Replica contract initialized with a trusted 0x00 root. The flaw let attackers call process() without proving message validity, and copycats could repeat the transact…
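The root-acceptance logic behind the Nomad Replica flaw, modeled in Python as an added example (not Nomad's Solidity, not code from the Rekt write-up). The model keeps the two relevant pieces of state: a `confirm_at` map from Merkle root to the time it was confirmed, and a `messages` map from message hash to the root that proved it, where an unproven message reads back as the zero root exactly as an unset `bytes32` does in Solidity. Initializing with a trusted zero root makes any message "proven" by the default value. The hash function, the `process_fixed` guard, and the sample messages are assumptions for illustration, not the project's actual patch.

```python
"""Model of a cross-chain Replica's acceptable-root check (added example)."""
import hashlib
from dataclasses import dataclass, field

ZERO_ROOT = b"\x00" * 32  # what an unset bytes32 mapping slot reads as


def msg_hash(message: bytes) -> bytes:
    # Stand-in for keccak256; the hash choice does not affect the logic.
    return hashlib.sha256(message).digest()


@dataclass
class Replica:
    # root -> confirmation time; 0 (or absent) means "not an accepted root"
    confirm_at: dict = field(default_factory=dict)
    # message hash -> root under which it was proven; absent == ZERO_ROOT
    messages: dict = field(default_factory=dict)
    processed: list = field(default_factory=list)

    def initialize(self, committed_root: bytes) -> None:
        # The faulty upgrade effectively did this with committed_root == 0x00.
        self.confirm_at[committed_root] = 1

    def prove(self, message: bytes, root: bytes) -> None:
        # Real code verifies a Merkle proof here; assumed valid for the model.
        self.messages[msg_hash(message)] = root

    def acceptable_root(self, root: bytes) -> bool:
        return self.confirm_at.get(root, 0) != 0

    def process_vulnerable(self, message: bytes) -> bool:
        # Unproven message -> ZERO_ROOT -> accepted if 0x00 was trusted.
        root = self.messages.get(msg_hash(message), ZERO_ROOT)
        if not self.acceptable_root(root):
            return False
        self.processed.append(message)
        return True

    def process_fixed(self, message: bytes) -> bool:
        # Hypothetical guard: a message must be proven under a nonzero root.
        root = self.messages.get(msg_hash(message), ZERO_ROOT)
        if root == ZERO_ROOT or not self.acceptable_root(root):
            return False
        self.processed.append(message)
        return True


def demo() -> dict:
    """Run the constructed scenario and return the outcomes by name."""
    forged = b"transfer 100 WBTC to attacker"  # constructed, never proven
    legit_root = b"\x11" * 32

    bad = Replica()
    bad.initialize(ZERO_ROOT)          # trusted 0x00 root
    good = Replica()
    good.initialize(legit_root)        # trusted nonzero root
    good.prove(b"transfer 1 ETH to alice", legit_root)

    return {
        "forged_on_zero_root_vulnerable": bad.process_vulnerable(forged),
        "forged_on_zero_root_fixed": bad.process_fixed(forged),
        "forged_on_real_root": good.process_vulnerable(forged),
        "proven_on_real_root_fixed": good.process_fixed(b"transfer 1 ETH to alice"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'processed' if ok else 'rejected'}")
```

The copycat behaviour the summary mentions follows directly from the model: any caller can replay `process_vulnerable` with a different payload, since nothing ties the message to a proof.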
Xorhex uses an x86 FALLCHILL sample to demonstrate a YARA technique for resolving a near relative 0xE8 call target during malware hunting. The article explains that the called function address is calculated by adding the signed displacement in the call in…
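The displacement arithmetic described in that technique, as an added Python example (not Xorhex's YARA rule and not FALLCHILL code). An x86 near relative call is `E8` followed by a signed 32-bit little-endian displacement, and the target is the address of the next instruction (call offset + 5) plus that displacement. The sample byte blob, the prologue pattern used to confirm a candidate target, and the `yara_condition` string builder are constructed assumptions for illustration.

```python
"""Resolve x86 near relative CALL (E8 rel32) targets in a byte blob (added example)."""
import struct

PROLOGUE = b"\x55\x8b\xec"  # push ebp; mov ebp, esp (assumed function start)


def resolve_near_call(code: bytes, call_offset: int, base: int = 0) -> int:
    """Return the absolute target of the E8 call at call_offset."""
    if code[call_offset] != 0xE8:
        raise ValueError(f"no E8 opcode at offset {call_offset:#x}")
    disp = struct.unpack_from("<i", code, call_offset + 1)[0]  # signed rel32
    next_insn = call_offset + 5                                # E8 + 4 bytes
    return base + next_insn + disp


def find_calls_to_prologues(code: bytes) -> list:
    """Scan for E8 bytes whose resolved target begins with PROLOGUE."""
    hits = []
    for off in range(len(code) - 4):
        if code[off] != 0xE8:
            continue
        target = resolve_near_call(code, off)
        if 0 <= target <= len(code) - len(PROLOGUE) and \
                bytes(code[target:target + len(PROLOGUE)]) == PROLOGUE:
            hits.append((off, target))
    return hits


def yara_condition(call_offset: int) -> str:
    """Equivalent YARA condition for one call site (uses YARA's int32/uint8)."""
    return (f"uint8({call_offset:#x}) == 0xE8 and "
            f"uint8({call_offset:#x} + 5 + int32({call_offset + 1:#x})) == 0x55")


# Constructed sample: functions at 0x00 and 0x30, a forward call at 0x10
# to 0x30 (disp 0x1B) and a backward call at 0x20 to 0x00 (disp -0x25).
SAMPLE = bytearray(0x40)
SAMPLE[0x00:0x03] = PROLOGUE
SAMPLE[0x30:0x33] = PROLOGUE
SAMPLE[0x10:0x15] = b"\xe8" + struct.pack("<i", 0x30 - (0x10 + 5))
SAMPLE[0x20:0x25] = b"\xe8" + struct.pack("<i", 0x00 - (0x20 + 5))
SAMPLE = bytes(SAMPLE)

if __name__ == "__main__":
    for call, target in find_calls_to_prologues(SAMPLE):
        print(f"call at {call:#06x} -> {target:#06x}   yara: {yara_condition(call)}")
```

When scanning a real PE section, pass the section's virtual address as `base` so resolved targets line up with addresses in a disassembler; the signed unpack is what makes backward calls resolve correctly.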
KR-CERT advised service operators and end users to update INITECH INISAFE CrossWeb EX V3 after a vulnerability was fixed in versions up to 3.3.2.35. The advisory warns that attackers could exploit affected installations but does not include exploitation t…
ESRC reported a North Korea-linked Fake Striker APT campaign targeting South Korean defense and security experts with spear-phishing emails disguised as academic review and event-planning requests from real universities and institutes. The emails directed…
We found links to previously observed cybercrime activities, new, formerly unknown samples used by the attackers during post-exploitation activities, a wealth of recent information about C2 infrastructure and the latest samples distributed to compromise v…
Volexity reported that SharpTongue, a North Korea-linked actor often publicly called Kimsuky, deployed a malicious Chromium-based browser extension named SHARPEXT against targets in the United States, Europe, and South Korea working on North Korea, nuclea…
AhnLab reports increasing Gwisin ransomware incidents against domestic Korean companies, with payloads customized for specific victim organizations rather than broadly distributed. Gwisin is delivered as an MSI installer but requires specific execution pa…
Avertium’s healthcare ransomware overview summarizes U.S. government warnings about Maui ransomware, which the source says is believed to be operated by North Korean state-sponsored threat actors. Maui has affected healthcare providers since at least May …
Coincub summarizes the June 2022 Horizon Bridge theft as a $100 million Web3 attack likely attributable to Lazarus Group, citing Elliptic's analysis and similarities to the earlier Ronin bridge hack. The article says the stolen ETH, USDT, WBTC, and BNB we…
NSHC’s June 2022 intelligence roundup identifies SectorA02, SectorA05, and SectorA06 activity among 34 tracked threat actor groups observed from May 21 to June 20, 2022. The SectorA02 case targeted South Korea with spear-phishing emails impersonating a br…
AhnLab reported continued Kimsuky distribution of malicious Word documents themed around North Korea-related work, including resume, interim-report, advisory-request, and webinar lures. In one flow, the attacker impersonated a domestic organization and on…
Qianxin attributes with medium confidence a set of spear-phishing attacks against South Korean targets to Kimsuky, noting the group's focus on defense, education, energy, government, healthcare, and think tanks. The campaign used HWP lure documents themed…
KISA's first-half 2022 cyber threat trends report includes a DPRK-relevant expert column from ESTsecurity ESRC on recent changes and trends in Kimsuky's malicious payloads. The excerpt identifies the report as a broad cyber threat trends publication, so t…
ESRC reported a North Korea-linked phishing campaign impersonating Summitz coin victim NFT compensation notices to target prior investors, NFT-curious recipients, and Bitcoin holders. The email directed victims to an attached “NFT compensation plan” lure …