The FBI warned cryptocurrency companies that DPRK TraderTraitor-affiliated actors, also known as Lazarus Group and APT38, had moved approximately 1,580 bitcoin from multiple cryptocurrency heists and might attempt to cash out more than $40 million. The al…
The source analyzes a Kimsuky LNK malware sample disguised as a Korea Internet & Security Agency status-survey spreadsheet, using a hidden PowerShell command chain rather than a real Excel document. The LNK extracts a decoy 현황조사표.xlsx and a batch file fro…
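The LNK-dropper pattern summarized above (a shortcut whose target is a hidden PowerShell command that reads the shortcut itself and carves a decoy document and a script out of bytes appended after the shortcut structure) can be triaged offline by parsing the ShellLink format rather than just grepping for "powershell". The parser below is an added example written for this page, not code from the original report or from any vendor; it follows the MS-SHLLINK layout (76-byte header, optional LinkTargetIDList and LinkInfo, the five StringData fields, then ExtraData blocks ending in a block whose size is below 4) and treats whatever follows that terminal block as an overlay. The sample shortcut, its command line and the appended bytes are constructed for the demonstration; the indicator tags and thresholds are the author's own heuristics, not anything the source defines.

```python
"""Parse a Windows .LNK and flag the traits of a self-carving PowerShell dropper shortcut."""
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HEADER_SIZE = 0x4C
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
SW_SHOWMINNOACTIVE = 7  # ShowCommand value droppers use so no window is raised


def _read_string(buf, off, unicode):
    """StringData field: u16 character count, then the characters (UTF-16LE if IsUnicode)."""
    count = struct.unpack_from("<H", buf, off)[0]
    off += 2
    if unicode:
        return buf[off:off + 2 * count].decode("utf-16-le"), off + 2 * count
    return buf[off:off + count].decode("latin-1"), off + count


def parse_lnk(buf):
    """Walk the ShellLink structures and return flags, ShowCommand, StringData and any overlay."""
    if len(buf) < HEADER_SIZE or struct.unpack_from("<I", buf, 0)[0] != HEADER_SIZE or buf[4:20] != LNK_CLSID:
        raise ValueError("not a ShellLink file")
    flags = struct.unpack_from("<I", buf, 20)[0]
    show_cmd = struct.unpack_from("<I", buf, 60)[0]
    off = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:          # skip the IDList: u16 size + items (target path lives here)
        off += 2 + struct.unpack_from("<H", buf, off)[0]
    if flags & HAS_LINK_INFO:                    # skip LinkInfo: its first u32 is the total size
        off += struct.unpack_from("<I", buf, off)[0]
    strings, unicode = {}, bool(flags & IS_UNICODE)
    for flag, name in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                       (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                       (HAS_ICON_LOCATION, "icon_location")):
        if flags & flag:
            strings[name], off = _read_string(buf, off, unicode)
    while off + 4 <= len(buf):                   # ExtraData blocks; BlockSize < 4 is the terminal block
        size = struct.unpack_from("<I", buf, off)[0]
        off += 4
        if size < 4:
            break
        off += size - 4
    return {"flags": flags, "show_command": show_cmd, "strings": strings, "overlay": buf[off:]}


def assess(parsed):
    """Return heuristic indicator tags (author's own choices, not from the source report)."""
    args = parsed["strings"].get("arguments", "").lower()
    tags = []
    if "powershell" in args or "pwsh" in args:
        tags.append("powershell")
    if any(t in args for t in ("-w hidden", "-windowstyle hidden", "-win hidden")):
        tags.append("hidden_window")
    if any(t in args for t in ("-enc", "-encodedcommand", "frombase64string")):
        tags.append("encoded")
    if ".lnk" in args or "readallbytes" in args:
        tags.append("self_reference")          # shortcut reads .lnk files: likely carving its own overlay
    if parsed["show_command"] == SW_SHOWMINNOACTIVE:
        tags.append("showcmd_minimized")
    if parsed["overlay"]:
        tags.append("overlay")                 # bytes after the terminal ExtraData block
    return tags


def build_sample_lnk(arguments, overlay):
    """Construct a minimal LNK (no IDList/LinkInfo, one StringData field) for the demonstration."""
    header = struct.pack("<I16sIIQQQIiIHHII", HEADER_SIZE, LNK_CLSID, HAS_ARGUMENTS | IS_UNICODE,
                         0, 0, 0, 0, 0, 0, SW_SHOWMINNOACTIVE, 0, 0, 0, 0)
    args = struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")
    return header + args + struct.pack("<I", 0) + overlay


# Constructed sample: a shortcut whose command line mimics the described chain. Not a real sample.
SAMPLE_ARGS = ('/c powershell -w hidden -c "$f=gci *.lnk|?{$_.Length -eq 4096};'
               "$b=[IO.File]::ReadAllBytes($f.FullName);"
               "[IO.File]::WriteAllBytes('decoy.xlsx',$b[600..3999]);"
               "[Convert]::FromBase64String('QEVDSE8gT0ZG')\"")
SAMPLE_OVERLAY = b"PK\x03\x04" + b"\x00" * 60 + b"@echo off\r\n"   # fake xlsx (zip) header + batch text
SAMPLE_LNK = build_sample_lnk(SAMPLE_ARGS, SAMPLE_OVERLAY)


def scan(buf):
    parsed = parse_lnk(buf)
    return {"arguments": parsed["strings"].get("arguments", ""),
            "overlay_size": len(parsed["overlay"]), "tags": assess(parsed)}


if __name__ == "__main__":
    print(scan(SAMPLE_LNK))
```

A shortcut that scores "powershell" plus "overlay" plus "self_reference" is worth pulling regardless of the decoy name it carries; the target path itself sits in the IDList, which this parser skips, so add an IDList decoder if you need the launched binary rather than its arguments.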
AhnLab ASEC analyzes recent attack activity attributed to Andariel, a Lazarus-linked group focused on South Korean defense, political, shipbuilding, energy, telecom, education, transport, and ICT targets. The report ties 2023 cases to abuse of vulnerable …
Hauri reported a Kimsuky malware family called ReconShark that used Zoom meeting-information lures against organizations and individuals handling North Korea-related information. The malware displayed a decoy Zoom document from attacker infrastructure, co…
A Korean malware analysis attributes an SGI Seoul Guarantee-themed CHM lure, sgic_info.chm, to Kimsuky and describes it as a fake insurance-contract notice likely aimed at a Korean logistics-related target. The CHM uses hh.exe to decompile content under C…
South Korean police attributed a malicious email campaign targeting personnel assigned to South Korea-U.S. joint military exercises to Kimsuky. Investigators said the group had persistently targeted a domestic war-game operations company since April 2022,…
Riding with the Chollimas describes a 2023 investigation into QRLOG, a simple homemade RAT bundled inside a fake QR generator and later attributed by CrowdStrike with high confidence to Labyrinth Chollima. The malware hid base64-encoded code in a variable…
TRM Labs reports that North Korean hackers stole about USD 200 million in cryptocurrency in 2023 and more than USD 2 billion across over 30 attacks during the previous five years. The activity is described as opportunistic across the crypto ecosystem, wit…
AhnLab’s June 2023 Kimsuky trend report says the number of fully qualified domain names tied to observed Kimsuky activity rose slightly, with more AppleSeed-type activity than in May. The report highlights FlowerPower samples that briefly removed an information-collect…
AhnLab’s June 2023 APT trend report reviews public reporting on multiple nation-state groups and includes several DPRK-relevant sections such as Andariel, Kimsuky, Lazarus, and Red Eyes/APT37. In the available excerpt, the Andariel section notes active ex…
NSHC ThreatRecon’s June 2023 monthly report summarizes activity from 32 threat-actor groups, with SectorA accounting for the largest share of observed activity. The DPRK-relevant SectorA section covers five groups: SectorA01 exploiting Korean web-security…
Supply chain attacks are some of the most damaging cybersecurity incidents, capable of infecting a massive number of unsuspecting users and companies through widely used and trusted software. And although the majority of such attacks impact Windows-based …
Patrick Wardle’s slide deck analyzes the macOS side of the 3CX supply-chain compromise, a nation-state operation in which 3CX’s build environments were compromised after an earlier supply-chain intrusion. The deck focuses on the POOLRAT backdoor used on t…
ASEC describes weekly changes in CHM malware impersonating Korean financial and insurance institutions, where execution begins through hh.exe, decompiled internal HTML, and a generated JSE script launched by wscript. One variant preserved registry-based p…
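The execution chain shared by the SGI Seoul Guarantee CHM lure above and the weekly CHM variants described here (hh.exe opens the help file, a second hh.exe -decompile call unpacks the internal HTML, a generated .jse is handed to wscript.exe, and one variant writes Run-key persistence) is a process-lineage pattern rather than a file-hash one, so it is best caught in endpoint telemetry. The detector below is an added example for this page, not ASEC's rule or code: it walks parent/child relationships in a constructed, Sysmon-like event list and tags the hh.exe decompile call, any script host descended from hh.exe, and any Run-key write made by that lineage. The event records, pids and paths are constructed for the demonstration; real telemetry should key on process GUIDs rather than pids, which Windows reuses.

```python
"""Detect the CHM -> hh.exe -decompile -> wscript.exe/.jse -> Run-key chain in process telemetry."""

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXT = (".jse", ".js", ".vbs", ".vbe", ".wsf")
RUN_KEYS = ("\\currentversion\\run", "\\currentversion\\runonce")


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestors(pid, procs):
    """Return the process record for pid and each ancestor seen in the event stream, nearest first."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(procs[pid])
        pid = procs[pid]["ppid"]
    return chain


def detect(events):
    """Return (tag, pid) alerts in event order. Heuristic tags are the author's, not ASEC's."""
    procs = {e["pid"]: e for e in events if e["type"] == "process_create"}
    alerts = []
    for e in events:
        if e["type"] == "process_create":
            img, cmd = basename(e["image"]), e["cmdline"].lower()
            if img == "hh.exe" and "-decompile" in cmd:
                alerts.append(("chm_decompile", e["pid"]))          # help viewer unpacking a CHM
            if img in SCRIPT_HOSTS and any(ext in cmd for ext in SCRIPT_EXT):
                if any(basename(p["image"]) == "hh.exe" for p in ancestors(e["ppid"], procs)):
                    alerts.append(("chm_script_host", e["pid"]))    # script host under hh.exe lineage
        elif e["type"] == "registry_set":
            if any(k in e["key"].lower() for k in RUN_KEYS):
                lineage = {basename(p["image"]) for p in ancestors(e["pid"], procs)}
                if lineage & (SCRIPT_HOSTS | {"hh.exe"}):
                    alerts.append(("run_key_persistence", e["pid"]))
    return alerts


# Constructed telemetry (not real logs): one malicious chain plus two benign look-alikes.
TMP = r"C:\Users\u\AppData\Local\Temp"
EVENTS = [
    {"type": "process_create", "pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"type": "process_create", "pid": 200, "ppid": 100, "image": r"C:\Windows\hh.exe",
     "cmdline": r'hh.exe C:\Users\u\Downloads\sgic_info.chm'},
    {"type": "process_create", "pid": 300, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c start"},
    {"type": "process_create", "pid": 310, "ppid": 300, "image": r"C:\Windows\hh.exe",
     "cmdline": rf"hh.exe -decompile {TMP}\d C:\Users\u\Downloads\sgic_info.chm"},
    {"type": "process_create", "pid": 320, "ppid": 300, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": rf"wscript.exe {TMP}\d\run.jse"},
    {"type": "registry_set", "pid": 320,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "value": "Update"},
    # benign: logon script run directly by explorer, and a normal help file open
    {"type": "process_create", "pid": 400, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe C:\scripts\logon.vbs"},
    {"type": "process_create", "pid": 500, "ppid": 100, "image": r"C:\Windows\hh.exe",
     "cmdline": r"hh.exe C:\Windows\Help\mui\0412\help.chm"},
]


if __name__ == "__main__":
    for tag, pid in detect(EVENTS):
        print(f"{tag:<22} pid={pid}")
```

The decompile indicator alone fires on legitimate help-authoring workflows, so the alert that matters is the script host or Run-key write with hh.exe somewhere in its ancestry; walking the full chain (through the intermediate cmd.exe here) is what keeps the rule from depending on the exact intermediate process the lure happens to use that week.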