ESTsecurity reported that Geumseong121, a North Korea-backed APT also tracked as APT37, Group123, RedEyes, and ScarCruft, used domestic political and social issues as lures in large LNK files. One attack impersonated an activist document about Kim Jong Un…
NSHC's July 2023 ThreatRecon report describes SectorA activity across five clusters, with operations observed in Korea, China, Japan, Australia, the United States, Singapore, Vietnam, India, and several European countries. SectorA01 used malware disguised…
Lazarus Group exploited CVE-2022-47966 in Zoho ManageEngine products to target internet backbone infrastructure and healthcare entities in Europe and the United States. After initial access, the actors deployed QuiteRAT, a Qt-based successor to MagicRAT t…
Knownsec 404 reported Konni activity against the cryptocurrency industry using a WinRAR CVE-2023-38831 lure named around Qbao Network wallet screenshots. The crafted RAR caused WinRAR to execute an embedded file disguised as an HTML document when the vict…
Nearly $900,000 in crypto assets was reportedly drained from a hot wallet belonging to Mark Cuban after the wallet showed suspicious activity following months of inactivity. Etherscan activity cited in the article showed USDC, USDT, stETH, and other asset…
21.co tracked 295 wallets identified by the FBI and OFAC as belonging to Lazarus Group, also described as APT38 and DPRK TraderTraitor-affiliated actors. The dashboard estimates that those wallets held about 1.60k BTC, 10.81k ETH, and 64.49k BNB, worth ro…
Cyberstanc links the SuperBear sample to suspected North Korean Kimsuky activity targeting APAC civil society groups and activists through a phishing email from a trusted organizational source. The infection chain begins with a malicious LNK file, followe…
The elite North Korean hacking group Lazarus appears to have recently ramped up its operations, conducting a confirmed four attacks against crypto entities since June 3rd. They are also likely to operate using centralized internal information technology s…
The attack mainly involved crypto assets such as BTC, ETH, XRP, BCH, SOL, and others, and the specific values are still being liquidated. The response included suspension of deposit and withdrawal services for all crypto assets and an emergency shutdown of the hot wallet server.
Konni used a Korean National Tax Service themed ZIP lure that presented HWP decoy documents while hiding a malicious shortcut and script chain. The LNK ran PowerShell that searched for the shortcut, extracted XOR encoded data from it, wrote and launched p…
SuperBear RAT was used against civil society targets and arrived through an AutoIT-based loader that hollowed explorer.exe, decrypted an embedded payload, and injected the PE into memory. The RAT created the mutex BEARLDR-EURJ-RHRHR, contacted hironchk[.]…
Chainalysis reported that DPRK-linked hacking groups increased their use of Russia-based exchanges for laundering stolen cryptocurrency, including a $21.9 million transfer from the Harmony Protocol theft to a Russian exchange known for illicit flows. The …
AhnLab ASEC observed malicious LNK files distributed to South Korean users under a National Tax Service tax-explanation theme. The suspected email-delivered ZIP downloaded from file.gdrive001.com contained a large dummy-padded LNK that ran PowerShell, ope…
Knownsec 404 reported that Konni used the WinRAR CVE-2023-38831 vulnerability in a lure archive aimed at the digital currency industry, a target set the source describes as unusual for Konni compared with Lazarus. The captured archive referenced Qbao Netw…
REKT reported that CoinEx lost about $54.3 million after hot wallets were drained across thirteen chains, with initial suspicious outflows flagged by Cyvers. The source says funds were rapidly moved from ETH, TRON, MATIC and other wallets, swapped back in…