Cointelegraph reported that the alleged July 2023 Alphapo payment-provider hack was re-estimated above $60 million after ZachXBT identified an additional $37 million drained on Tron and Bitcoin. Alphapo serviced e-commerce, gaming, and gambling platforms,…
A Korean analysis describes a Lazarus-attributed ZIP lure aimed at people seeking U.S. Forces Korea employment, disguised as instructions for the Multi National Recruitment System job site. The archive contained decoy PDF material and an LNK file masquera…
Mandiant attributed these intrusions to UNC4899, a Democratic People's Republic of Korea (DPRK)-nexus actor, with a history of targeting companies within the cryptocurrency vertical. We believe the compromise ultimately began as a result of a sophisticate…
ASEC attributed attacks on Windows IIS web servers to Lazarus, reporting that compromised servers were used as malware distribution points for INISAFE CrossWeb EX exploitation. The activity abused vulnerable or poorly managed IIS servers, with malware pro…
Phylum linked a June 2023 npm supply-chain campaign to GitHub’s high-confidence attribution to Jade Sleet, also known as TraderTraitor, a group operating in support of North Korean objectives. The campaign targeted personal accounts of technology-firm emp…
ASEC describes an information-stealing malware campaign delivered through CHM files that impersonated Korean financial firms and insurers around billing dates likely to make recipients trust the lures. The CHM execution chain used hh.exe to open the help …
The source reports a North Korea-attributed phishing site at korean-air.org that impersonated Korean Air with a fake NFT event offering travel benefits to cryptocurrency-wallet users. The lure promised limited free NFT issuance and Japan flight-ticket ben…
The source describes a North Korea-attributed phishing site at coupang.cam that impersonated Coupang with a fake NFT giveaway tied to the brand's NYSE listing. The page reused Coupang-style content and legitimate-looking navigation or social links, but it…
The IOCs are linked to a wide variety of activity we attribute to DPRK, overall centric to the supply chain targeting approach seen in previous campaigns. While the following is not a strong indicator of attribution alone, it’s noteworthy that specific pa…
ASEC describes CHM malware distributed in RAR archives while impersonating Korean financial firms and insurers with decoy help-window content about card limits, insurance withdrawals, and bank contracts. When opened, the CHM script decompiled files to C:\…
The source reports a North Korea-attributed phishing site at starbucks-nft.marketing that impersonated Starbucks Korea rewards content to lure users into a fake NFT airdrop. The page contrasted with the legitimate Starbucks site by offering a 'Starbucks G…
The DangerousPassword/CryptoMimic activity described by JPCERT/CC targeted cryptocurrency-exchange developers across Windows, macOS, and Linux systems with tampered Python and Node.js components. The Python path inserted malicious code into pyqrcode's bui…
The GitHub repository is a curated research notebook on Lazarus, Bluenoroff and other DPRK-linked activity affecting Web3, exchanges, bridges and crypto users. The excerpt points readers to maintained spreadsheets, DPRK cyber background material, GitHub s…
We assess with high confidence that this campaign is associated with a group operating in support of North Korean objectives, known as Jade Sleet by Microsoft Threat Intelligence and TraderTraitor by the U.S. Many of these targeted accounts are connected …
JumpCloud said a state-sponsored APT breached part of its internal infrastructure after a spear-phishing attack and later showed unusual activity in the commands framework for a small set of customers. The company rotated credentials, rebuilt infrastructu…