The source analyzes a Kimsuky-attributed CHM malware sample named via.chm that was described as built to target journalists. The CHM content abuses an ActiveX shortcut object and JavaScript to run hidden commands, write mini.dat, decode it into mini.vbs w…
ASEC observed malware disguised as cryptocurrency exchange and investment material, with User-Agent artifacts leading it to assess Kimsuky involvement. The campaign used SFX executables with Word/PDF icons to open decoy asset-management or coin-exchange d…
Genians reported a Konni APT campaign that impersonated South Korea's National Tax Service postal notification service to deliver a ZIP file requesting explanatory materials. The attack used an LNK file disguised with an HWP-related filename and overlappe…
Indicators of Potential North Korean Cyber Operations: The remote-access Trojan (RAT) Manuscrypt is among the most notable malware that North Korean actors—including Lazarus Group and APT38—use to target companies. This product provides an overview of the …
Based on the source and likely targets, these types of attacks are on par with past attacks stemming from typical North Korean groups such as APT37, as South Korea has historically been a primary target of the group, especially its government officials. re…
Hauri analyzed malware disguised as a KISA-Security-Upgrade executable that unpacked embedded archives and dropped additional malicious files. The initial executable posed as a Korean security-upgrade file to induce user execution, wrote data under a temp…
ReversingLabs found additional malicious npm packages linked to the JumpCloud supply chain incident and cryptocurrency-sector targeting, including btc-api-node and packages impersonating or resembling legitimate crypto-related modules. The packages commun…
AhnLab ASEC detailed a CHM malware wave impersonating Korean financial institutions and insurance companies, timed around regular payment-statement schedules to increase the chance of execution. The CHM ran through hh.exe, decompiled content into C:\Users…
AhnLab ASEC reported CHM malware distributed in RAR archives that impersonated Korean financial institutions and insurance companies with themes such as credit-card limits, insurance-fee withdrawal results, and banking contracts. When opened, the CHM deco…
We recently obtained JackalControl C2 communications from a campaign targeting government entities in Iran, active until early April 2023. The most remarkable findings: Early in June, we issued an early warning of a long-standing campaign that we track und…
Alphapo, a Curacao-based cryptocurrency payment gateway used by gambling platforms, lost at least $110 million from hot wallets on Ethereum and Tron on 22 July 2023. Merkle Science says the attacker stole about $101 million from Ethereum wallets, swapped …
REKT reported that AlphaPo, a crypto payments processor used by gambling platforms, lost about $60 million across Ethereum, Tron and Bitcoin after its hot wallet began draining over a weekend. The source says ZachXBT and MistTrack linked the on-chain move…
CoinsPaid said a July 22, 2023 intrusion stole USD 37.3 million and publicly suspected Lazarus Group involvement, comparing the incident to prior attacks on Axie Infinity, Horizon Bridge, Atomic Wallet, Alphapo, and Sony. The company stated that customer …
SOCRadar profiles Kimsuky, also tracked as APT43, as a North Korean cyber-espionage group focused on sensitive information from South Korea, the United States, and Europe. The source describes spearphishing emails with malicious attachments or links, Hang…