AhnLab ASEC reported that the North Korea-linked Kimsuky group was observed exploiting Chrome Remote Desktop alongside its AppleSeed malware and other remote-control tooling. Recent activity used script-type WSF or JS malware, often disguised as document …
627 reports
The RustBucket campaign highlights that the threat actor, whom previous researchers have confidently attributed to DPRK’s BlueNoroff APT, has invested considerable resources in multi-stage malware aimed specifically at macOS users and is evolving its atte…
The source analyzes a Kimsuky-attributed malicious Windows shortcut file named scarcurft.lnk that uses hidden PowerShell execution instead of Office macros. The LNK searches for a matching shortcut, extracts an embedded Korean-language PDF lure and a BAT …
The CodeEngn presentation reviews North Korean hacking groups and malware evolution across recent campaigns. It summarizes 2020-2022 statistics showing that North Korean actors used vulnerability exploitation and watering-hole techniques but relied most h…
SlowMist’s mid-year blockchain security report includes a Lazarus Group-focused anti-money-laundering section that selects the Harmony Hack and Atomic Wallet Hack for MistTrack fund-flow analysis. The broader report records 185 blockchain security inciden…
NSHC ThreatRecon’s May 2023 monthly report says SectorA activity accounted for the largest share of observed threat-actor operations during the collection period, with SectorA01, SectorA02, SectorA04, SectorA05, and SectorA06 active. The SectorA section r…
AhnLab reports that malware assessed as Kimsuky activity was distributed as batch files disguised as document viewers, likely via email, with decoy Google Drive/Docs documents about military and Korean unification topics. The BAT file used WMIC to check i…
Wezard4u analyzed a Kimsuky-themed malicious Word document disguised as a Korean divorce-related form. The Korean post says the document uses an AutoOpen VBA macro to write and execute a VBScript under the user’s Microsoft Templates directory, which downl…
Proofpoint’s SLEUTHCON talk examines TA444, a North Korean cybercriminal group tied to cryptocurrency theft operations that generated more than $1 billion for the regime in 2022. The source emphasizes the group’s changing initial-access tradecraft in 2022…
NCSC's malware analysis describes Smooth Operator as macOS malware distributed through the 3CX supply-chain compromise in signed and notarized 3CX Desktop App packages. A malicious libffmpeg.dylib component downloaded and ran a second-stage payload on Int…
Elastic reports an active DPRK/REF9135 campaign using a newly observed RUSTBUCKET macOS variant against a cryptocurrency payment services provider. The malware family, previously attributed to BlueNorOff, had added built-in persistence and reduced signatu…
SentinelOne reviewed JokerSpy activity involving macOS-focused spyware, cross-platform Python backdoors, and a suspected Java-based QRLog infection vector tied to a trojanized QR code generator. QRLog wrote and executed payloads after contacting hxxps://w…
The Operation GoldGoblin analysis describes a Lazarus campaign that abused security software and media websites for initial access into South Korean targets. Attackers inserted malicious scripts into news-article pages to create watering-hole sites and us…
Kaspersky describes Andariel, a Lazarus subgroup, exploiting Log4j to download follow-on malware and rapidly deploy the DTrack backdoor during intrusions. The investigation reproduced human-operated command execution marked by typos and locale discovery, …
South Korea's National Cyber Security Center warned that a North Korean hacking organization was exploiting a buffer overflow vulnerability in Dream Security's MagicLine4NX authentication software. The advisory says exploitation continued against PCs that…