ASEC reports coin exchange and investment-themed malware distributed as SFX executables disguised with Word/PDF icons and as a macro-enabled Word document. The SFX samples opened decoy documents while using mshta.exe to run scripts from partner24.kr paths…
Steadefi lost about $1.14 million after the protocol’s deployer address was compromised, giving the attacker control over vault contracts on Arbitrum and Avalanche. The attacker transferred ownership to their own address and used owner-only functions to a…
Steadefi lost more than $1.14 million on August 7, 2023 after the wallet that deployed and owned its vaults was compromised. The attacker took ownership of the vaults, granted broad borrowing access, exhausted lending capacity on Arbitrum and Avalanche, a…
Though some adversaries focus on stealing cryptocurrency or non-fungible tokens (NFTs), opportunistic big game hunting (BGH) ransomware and data theft campaigns remain the primary eCrime threat to financial institutions. Whether the adversary is leveragin…
The source analyzes a Konni-attributed ZIP-delivered LNK malware lure using Korean tax and explanatory-material document names. The malicious LNK was unusually large and contained an obfuscated PowerShell command that ran hidden, decoded hex-encoded scrip…
CoinsPaid attributed suspicion for its July 22, 2023 theft of USD 37.3 million to Lazarus based on tactics and laundering patterns resembling the Atomic Wallet heist. The company said the attackers spent about six months probing CoinsPaid with social engi…
SentinelLabs identified North Korea-related compromise of NPO Mashinostroyeniya, a sanctioned Russian missile and military spacecraft engineering organization with sensitive missile technology. The investigation found two activity clusters: a Lazarus Grou…
ReversingLabs identified the VMConnect PyPI supply-chain campaign, in which 24 malicious packages impersonated popular Python modules such as vConnector, eth-tester, and databases while publishing linked GitHub projects that omitted the malicious code. Th…
The source analyzes a Kimsuky-attributed malicious Word document using a Korean cryptocurrency-themed lure about Wemix cloud-storage precautions. When macros are enabled, the document changes hidden white text to black, copies %windir%\system32\wscript.ex…
Checkmarx reported a Lazarus/Jade Sleet/TraderTraitor campaign targeting blockchain, cryptocurrency, and online gambling organizations through malicious npm package dependencies. The attackers used fake developer and recruiter personas on platforms such a…
ASEC described weekly changes in CHM malware distributed with lures impersonating South Korean financial companies and insurers. Earlier variants launched hh.exe, decompiled embedded HTML, created a .jse script, and used wscript plus PowerShell to downloa…
ESRC reported an active phishing campaign aimed at South Korean defense and security personnel. The lure email posed as a security alert about repeated authentication requests, used image-loading code to confirm whether recipients viewed the message, and …
Hauri warns that phishing emails impersonating financial institutions were distributing CHM malware using finance-themed attachments such as product contracts, automatic insurance-payment notices, card-limit changes, and tax invoices. After extraction, th…
SentinelOne described threat-hunting methods for illicit brand impersonation, using VirusTotal NetIoc rules and repeated infrastructure traits such as favicons, outgoing links, trackers, hostnames, and URL patterns. The DPRK-relevant portion notes that AP…
Halcyon identified Cloudzy as a command-and-control provider whose RDP VPS services appear to support ransomware operators and multiple state-sponsored APT groups. The DPRK-relevant evidence is limited to Halcyon’s assessment that threat actors tied to No…