Rekt reports that OKX's DEX aggregator lost about $2.7 million after a proxy-admin private key compromise allowed a trusted contract to be upgraded and used against users who had approved it. According to SlowMist's analysis quoted in the article, the att…
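The failure mode in the summary above, as an added illustration rather than code from OKX, Rekt or SlowMist: a swap router behind a single-key upgradeable proxy, the malicious implementation an attacker holding the admin key installs to spend allowances users already granted, and a delayed-upgrade variant of the same proxy. Every contract and function name here (SingleKeyProxy, RouterV1, DrainV2, DelayedUpgradeProxy) is hypothetical, and the toy keeps admin/implementation in ordinary storage slots where a production proxy would use EIP-1967 slots.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical illustration, not code from OKX, Rekt or SlowMist.
// Names are invented; storage layout is simplified (no EIP-1967 slots).

interface IERC20 {
    function allowance(address owner, address spender) external view returns (uint256);
    function balanceOf(address account) external view returns (uint256);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

/// Shared delegation: any unrecognised call runs the current implementation
/// with the proxy's address and the proxy's storage.
abstract contract Delegating {
    address public implementation;

    fallback() external payable {
        address impl = implementation;
        assembly {
            calldatacopy(0, 0, calldatasize())
            let ok := delegatecall(gas(), impl, 0, calldatasize(), 0, 0)
            returndatacopy(0, 0, returndatasize())
            switch ok
            case 0 { revert(0, returndatasize()) }
            default { return(0, returndatasize()) }
        }
    }

    receive() external payable {}
}

/// Weak pattern: one key swaps the implementation with immediate effect.
contract SingleKeyProxy is Delegating {
    address public admin;

    constructor(address impl) {
        admin = msg.sender;
        implementation = impl;
    }

    function upgradeTo(address newImpl) external {
        require(msg.sender == admin, "not admin");
        implementation = newImpl; // no delay, no second signer, no announcement
    }
}

/// Legitimate V1 router. Users call token.approve(proxy, amount) so swap() can
/// pull funds; under delegatecall address(this) is the proxy, so the allowance
/// granted to the proxy address is what gets spent.
contract RouterV1 {
    function swap(IERC20 tokenIn, uint256 amount) external {
        require(tokenIn.transferFrom(msg.sender, address(this), amount), "pull failed");
        // routing to tokenOut and paying msg.sender back would follow here
    }
}

/// Malicious V2 installed with the stolen admin key. It needs nothing from the
/// victim: it spends the allowance the victim granted to the proxy for V1.
contract DrainV2 {
    function drain(IERC20 token, address victim, address sink) external {
        uint256 allowed = token.allowance(victim, address(this));
        uint256 held = token.balanceOf(victim);
        uint256 amount = allowed < held ? allowed : held;
        require(token.transferFrom(victim, sink, amount), "drain failed");
    }
}

/// Hardened pattern: an upgrade is announced first and executable only after a
/// delay, giving monitoring time to alert and users time to zero allowances.
contract DelayedUpgradeProxy is Delegating {
    uint256 public constant UPGRADE_DELAY = 2 days;
    address public admin; // should itself be a multisig, not one hot key
    address public pendingImplementation;
    uint256 public upgradeReadyAt;

    event UpgradeProposed(address indexed newImpl, uint256 readyAt);
    event UpgradeExecuted(address indexed newImpl);

    constructor(address impl) {
        admin = msg.sender;
        implementation = impl;
    }

    function proposeUpgrade(address newImpl) external {
        require(msg.sender == admin, "not admin");
        pendingImplementation = newImpl;
        upgradeReadyAt = block.timestamp + UPGRADE_DELAY;
        emit UpgradeProposed(newImpl, upgradeReadyAt);
    }

    function executeUpgrade() external {
        require(msg.sender == admin, "not admin");
        require(pendingImplementation != address(0), "nothing pending");
        require(block.timestamp >= upgradeReadyAt, "delay not elapsed");
        implementation = pendingImplementation;
        pendingImplementation = address(0);
        emit UpgradeExecuted(implementation);
    }
}
```

The user-side lesson is that an ERC-20 approval is granted to the proxy address, not to the code behind it, so the allowance survives any upgrade. Reviewing approvals therefore means asking who can change that code (is `admin` a hot key, a multisig, or a timelock) and revoking with `approve(spender, 0)` where the answer is unsatisfactory; approving exact amounts rather than type(uint256).max bounds what a later malicious implementation can take.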
2023
627 reports
Checkmarx describes two North Korea-linked supply-chain tradecraft paths observed in 2023: malicious npm/PyPI-style package-manager poisoning and developer-focused Contagious Interview lures hosted through GitHub. In the npm case, crypto-themed packages u…
Nisos identified online personas probably used by DPRK IT workers to obtain remote employment at U.S. companies while posing as non-North Korean teleworkers. The personas advertised web, mobile, programming, crypto, and blockchain skills, appeared on empl…
Cisco Talos describes Operation Blacksmith, a Lazarus/Andariel-linked campaign that opportunistically targeted manufacturing, agriculture, and physical security organizations by exploiting vulnerable infrastructure such as Log4j. The campaign deployed thr…
ASEC reports a Konni phishing campaign that delivered a malicious executable disguised as material about a personal data leak. When run, the malware drops obfuscated JSE scripts, a PowerShell script, and a legitimate decoy document under ProgramData, then…
NSHC's October 2023 Korean ThreatRecon report covers 35 threat actor groups, but the DPRK-relevant portion is the SectorA activity set. It reports SectorA01 operations in Singapore, India, Poland, and the United Kingdom using recruiter impersonation on so…
QiAnXin analyzes downloader samples tied to an npm package supply-chain poisoning incident that it assesses as likely Lazarus based on code overlap with historical Lazarus samples and the group's prior use of supply-chain attacks. The loader decrypts embe…
AhnLab analyzes Kimsuky’s continued use of spear-phishing and LNK shortcut malware to gain initial access against defense, diplomatic, media, government, and academic targets. The report focuses on Amadey and RftRAT variants distributed in 2023 alongside …
AhnLab's October 2023 APT trend report summarizes public reporting on state-aligned groups and includes DPRK-linked Andariel, Kimsuky, and Lazarus sections among other actors. In the available excerpt, the Andariel section says AhnLab observed the group u…
AhnLab's October 2023 Kimsuky trend report says Kimsuky activity decreased slightly from September but still included BabyShark, RandomQuery, and FlowerPower-related activity. ASEC found one phishing domain and classified it as BabyShark because it used B…
SlowMist attributes a Telegram phishing operation targeting cryptocurrency and DeFi project teams to Lazarus-linked North Korean hackers active since 2022. The attackers impersonate reputable investment institutions with fake Telegram accounts, build trus…
ASEC observed Konni phishing emails delivering a malicious EXE disguised as personal data leak material to individual users. Execution drops obfuscated JSE scripts, a PowerShell script, and a legitimate decoy DOC into ProgramData; Operator.jse creates a s…
Kaspersky analyzed a new macOS loader likely linked to BlueNoroff's RustBucket campaign against cryptocurrency and financial targets. The ZIP archive contained a fake PDF theme, "Crypto-assets and their risks for financial stability," and a signed Swift a…
Seoul Metropolitan Police, working with the FBI, investigated Andariel attacks that stole defense-technology data from South Korean defense companies and generated ransomware proceeds. Investigators said the activity involved a Google account tied to infr…
CBS NoCutNews reported that South Korea's Supreme Court had internally attributed a judiciary network compromise to Lazarus malware months before publicly saying the actor could not be confirmed. An April confidential report from the National Court Admini…