NSHC ThreatRecon reported that SectorA activity was the largest share of the threat actor group activity it tracked from 21 June to 20 July 2023. The SectorA section describes five clusters: VNC-disguised malware with downloader functions, CHM insurance-t…
SonarSource disclosed CVE-2023-42793, an unauthenticated remote code execution vulnerability in JetBrains TeamCity 2023.05.3 and earlier. Exposed on-premises CI/CD servers could let attackers steal source code, service secrets, and private keys, take over…
Mixin – a cross-chain peer-to-peer network for crypto transfers – has become the latest casualty of crypto thieves. Elliptic has previously discussed this laundering typology in its inaugural “State of Cross-chain Crime” report, which covers the growing c…
Introduction: In recent developments within the realm of cybersecurity, an alarming revelation has come to light—an intricate and multi-staged attack campaign executed by the Kimsuky Advanced Persistent Threat (APT) group. This campaign is marked by its ex…
Kimsuky used a Windows shortcut disguised as a Korean Ministry of Unification policy meeting HWP document to run heavily obfuscated PowerShell from the LNK file. The script carved embedded executable and VBScript data from the shortcut into the user temp …
Konni APT targeted South Korean unification and North Korean human-rights communities with spear-phishing emails that impersonated government or civic-event material. Genians documents lures tied to the NCNKHR founding meeting and Ministry of Unification …
Sangfor attributes a university-focused campaign to ScarCruft/APT37 after observing the group’s familiar oversized LNK delivery, cloud-storage staging, and RokRAT payload. The lure was a ZIP file posing as Korea National Intelligence Society conference ma…
REKT reported that Mixin Network lost about $200 million after an attack the project blamed on a third-party cloud database, leaving only 50 percent of user assets guaranteed at the time of its livestream. The source says the transactions looked like simp…
Mixin Network disclosed that attackers compromised the database of its cloud service provider on September 23, 2023, causing losses initially estimated at about $200 million on the mainnet. The team suspended deposits and withdrawals, contacted Google and…
Kaspersky researchers have revisited an Andariel campaign from 2022, expanding on the commands the attackers used to deploy DTrack and the accompanying post-exploitation tools and malware. Korean-speaking activity: Kaspersky researchers observed a Lazarus …
A January 2023 GOLDBACKDOOR dropper sample was delivered to a journalist through KakaoTalk in a ZIP attachment framed around sensitive North Korea-related political material. The lure used a filename ending in .pdf.pif and displayed an embedded Korean-lan…
Kimsuky is reported as using a CHM lure titled around North Korea's nuclear threat and South Korea's response, presented as if it were written by a North Korea strategy researcher. The CHM contains an ActiveX shortcut object that runs cmd commands to writ…
Lazarus exploited CVE-2022-47966, a pre-authentication RCE flaw in Zoho ManageEngine products, to compromise vulnerable ServiceDesk Plus instances and deploy QuiteRAT against UK internet service providers as well as internet backbone suppliers and healthc…
HHS frames North Korean cyber activity as a healthcare and public-health-sector risk because DPRK operators use cybercrime to fund state priorities while also pursuing espionage and geopolitical objectives. The North Korea section identifies the Reconnais…
ASEC analyzed a Korean campaign distributing a malicious LNK file disguised as a National Tax Service income-tax clarification package. The ZIP was delivered from a file.gdrive001.com URL and briefly contained a large LNK plus a benign HWP decoy; the LNK …