Active North Korean campaign targeting security researchers In January 2021, Threat Analysis Group (TAG) publicly disclosed a campaign from government-backed actors in North Korea who used 0-day exploits to target security researchers working on vulnerabi…
627 reports
Microsoft’s East Asia threat report covers both China and North Korea, but the DPRK-relevant finding in the provided excerpt is that North Korean cyber actors were becoming more sophisticated while pursuing intelligence collection and financially motivate…
The source analyzes a Reaper/ScarCruft CHM malware sample using the Fukushima treated-water discharge topic as a Korean-language lure. The CHM `1.chm` runs `mshta.exe` against `navercorp.ru/dashboard/image/202302/4.html`, shows decoy news-style text about…
Elliptic’s sanctions-compliance case study uses the June 2022 Harmony Horizon Bridge hack to illustrate Lazarus-linked crypto laundering risk. The source says more than $100 million in WBTC, USDT, ETH, and BNB was stolen, converted through Uniswap into 85…
ScarCruft used the Fukushima treated-water discharge controversy as a social-engineering theme against Korean users, distributing a `Fukushima.rar` archive containing a CHM file. When opened, the CHM executed remote code from `navercorp.ru/dashboard/image…
This malware executes additional scripts located at a specific URL through the mshta process. This command performs functions similar to those previously disclosed in Table 1 of the post <RedEyes Group Wiretapping Individuals (APT37)> [3]. The threat acto…
Stake disclosed a hot-wallet breach on 4 September 2023 after unauthorized withdrawals from its Ethereum, Polygon, and Binance Smart Chain wallets. Merkle Science attributes the incident to a private-key leak and says the stolen assets included ETH, stabl…
KISA's presentation on Lazarus large-scale infection campaigns in 2023 analyzes operations involving financial security software exploitation. The material frames the incidents around initial access techniques, malware propagation, intrusion into internal…
REKT reported that Stake lost more than $41 million from hot wallets on Ethereum, BSC and Polygon, with suspicious transfers first flagged by Cyvers. The article says simple transfers began at 12:48 UTC, suggesting compromised private keys, followed by sw…
AhnLab reported renewed distribution of CHM malware believed to be associated with RedEyes/ScarCruft, using public concern over Fukushima contaminated-water discharge as the lure. Unlike earlier variants that launched mshta directly from the CHM help file…
Japan’s Ministry of Foreign Affairs announced additional asset-freezing and transaction-control measures against parties involved in North Korea’s nuclear, weapons-of-mass-destruction, ballistic-missile, and other UN Security Council-prohibited activities…
The source analyzes Konni malware disguised as HWP-themed LNK files targeting Korea National University of North Korean Studies, likely aiming at faculty or students involved in North Korea-focused education and consulting. The malware was delivered insid…
Interlab analyzed a targeted email attack against a journalist covering Asian geopolitics that delivered a malicious LNK file and a decoy DOCX, with loose attribution to Kimsuky based on initial-vector and code similarities. Execution launched an obfuscat…
AhnLab analyzed RedEyes/ScarCruft malware distributed as malicious LNK files, including a REPORT.ZIP archive hosted on a legitimate site and disguised with a decoy Korean public-agency Excel document. When executed, the LNK used PowerShell to extract the …
Genians identified a sophisticated Browser-in-the-Browser phishing operation targeting people involved in North Korea-related work in South Korea. The attackers impersonated Liberty in North Korea's Changemaker support program and copied real Facebook con…