Genians reported a macOS-focused APT37 campaign targeting South Korean people involved in North Korean human-rights and DPRK-related work. The attackers first conducted phishing and reconnaissance to steal email credentials and learn the victim's browser …
2023
Hauri reported that Lazarus weaponized open-source tools including PuTTY, KiTTY, TightVNC, Sumatra PDF Reader, and muPDF/Subliminal Recording as part of job-themed attacks. Since June 2022, the group allegedly approached engineers on LinkedIn while impers…
AhnLab and South Korea’s NCSC Joint Analysis and Consultation Council reported malware from a government-supported hacking group that masqueraded as a security update installer. The payload was packaged with Inno Setup and used an install_script.iss scrip…
AhnLab reports that websites built by a Korean web-development company were compromised and abused to distribute malware and transmit data stolen through web shells. The attack affected sites serving manufacturing, trade, electrical, electronics, educatio…
Bitdefender documented early fragments of a larger macOS and cross-platform toolkit: Python backdoors named shared.dat and sh.py plus a macOS Swift binary called xcc. shared.dat uses ROT13-obfuscated paths and a GITHUB_REQ/GITHUB_RES packet format to coll…
REKT reports that Atomic Wallet users lost more than $100 million after addresses on 13 chains were drained beginning on June 2, 2023, with both desktop and mobile users affected. The article says stolen assets were moved through a three-step process in w…
AhnLab describes a May 2023 Kimsuky campaign that increasingly used CHM help files rather than ordinary document lures, with themes tailored to Korean targets such as tax filings, financial transactions, cryptocurrency records, contracts, certificates, an…
AhnLab reports that Kimsuky-linked malware was distributed as a compressed archive containing a readme file and a .NET executable disguised as a Korean HWP document by using a document icon and padded filename spacing. When run, the dropper decodes an emb…
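The disguise described above (an executable carrying a document icon and a filename padded with blank characters so the real extension scrolls out of view) is easy to catch at the archive-listing stage before anything is extracted. The following is an added example, not code from AhnLab or the report; the extension lists, the padding threshold of four blank characters, and the sample entry names are assumptions constructed for illustration.

```python
import re
from typing import List, Tuple

# Extensions that execute when double-clicked (assumption: a practical, not exhaustive, list)
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "lnk", "js", "jse", "vbs", "vbe",
                   "bat", "cmd", "chm", "hta", "msi"}
# Extensions a lure pretends to be
DOCUMENT_EXTS = {"hwp", "hwpx", "doc", "docx", "pdf", "xls", "xlsx", "ppt", "pptx", "txt"}

# A run of characters that render as blank: ASCII space, NBSP, ideographic space (U+3000).
# Four or more in a row is treated as padding (assumed threshold).
PAD_RE = re.compile(r"[ \u00a0\u3000]{4,}")
# A "document" extension sitting just before the real extension, optionally followed by padding
DECOY_RE = re.compile(r"\.([A-Za-z0-9]{2,5})[ \u00a0\u3000]*$")


def analyze_entry(name: str) -> List[str]:
    """Return the reasons an archive entry name looks like a disguised executable ([] if clean)."""
    findings: List[str] = []
    base = name.rsplit("/", 1)[-1]          # archive member paths use '/'
    if "." not in base:
        return findings
    stem, ext = base.rsplit(".", 1)
    ext = ext.lower()
    if ext not in EXECUTABLE_EXTS:
        return findings
    findings.append(f"real extension .{ext} executes code")

    pad = PAD_RE.search(stem)
    if pad:
        findings.append(f"{len(pad.group())} blank characters pad the name so the real "
                        f"extension scrolls out of view")

    decoy = DECOY_RE.search(stem)
    if decoy and decoy.group(1).lower() in DOCUMENT_EXTS:
        findings.append(f"decoy document extension .{decoy.group(1).lower()} before the real one")
    return findings


def scan_archive(names: List[str]) -> List[Tuple[str, List[str]]]:
    """Run analyze_entry over a list of member names and keep only the suspicious ones."""
    results = []
    for name in names:
        findings = analyze_entry(name)
        if findings:
            results.append((name, findings))
    return results


# Constructed sample listing (not from the report): a readme plus a padded, HWP-themed .exe
SAMPLE_ENTRIES = [
    "readme.txt",
    "Human_Rights_Report_2023.hwp" + " " * 60 + ".exe",
    "photos/summer.jpg",
    "invoice.pdf.scr",
    "notes.docx",
]

if __name__ == "__main__":
    for name, findings in scan_archive(SAMPLE_ENTRIES):
        print(repr(name))
        for f in findings:
            print("   -", f)
```

The check deliberately runs on names alone, so it can be applied to mail-gateway archive listings without unpacking; pairing it with a PE-header check on the member bytes (MZ magic behind a document-looking name) closes the case where the attacker drops the padding and relies on the icon only.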
AhnLab reports that Lazarus exploited zero-day vulnerabilities in Korean finance and enterprise security products VestCert and TCO!Stream, expanding beyond previously abused INISAFE CrossWeb EX and MagicLine4NX software. In the VestCert case, users with v…
The source analyzes a Kimsuky-attributed malicious Word document named “document.doc (copy).doc” that used macro execution to run VBScript through wscript.exe. The lure content referenced South Korean politics and North Korea policy topics, suggesting tar…
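The execution chain described above (Word opens the document, the macro launches wscript.exe to run VBScript) is visible as a parent/child relationship in process-creation telemetry. The rule below is an added example, not the source's own detection; it assumes Sysmon-style Event ID 1 fields flattened into tab-separated key=value lines, and it generalizes beyond the single wscript.exe case to other script hosts and to HWP (assumed lists, chosen by the editor).

```python
from typing import Dict, List

# Office-type parents whose macro or exploit code commonly spawns a script host
# (assumption: hwp.exe is included because the lure targets Korean readers)
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "hwp.exe"}
# Children that indicate script or command execution (assumed list)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "cmd.exe"}
# Locations where dropped scripts usually land (assumed, case-insensitive substring match)
DROP_PATHS = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\programdata\\", "\\public\\")


def parse_event(line: str) -> Dict[str, str]:
    """Parse one tab-separated key=value line into a dict (values may contain '=' and spaces)."""
    fields = {}
    for part in line.rstrip("\n").split("\t"):
        key, sep, value = part.partition("=")
        if sep:
            fields[key.strip()] = value
    return fields


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def flag_office_script_children(lines: List[str]) -> List[Dict[str, str]]:
    """Return events where an Office-type process spawned a script host, with a severity tag."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        parent = basename(ev.get("ParentImage", ""))
        child = basename(ev.get("Image", ""))
        if parent in OFFICE_PARENTS and child in SCRIPT_HOSTS:
            cmd = ev.get("CommandLine", "").lower()
            # Escalate when the script argument lives in a user-writable drop location
            severity = "high" if any(p in cmd for p in DROP_PATHS) else "medium"
            hits.append({"time": ev.get("UtcTime", ""), "parent": parent,
                         "child": child, "cmdline": ev.get("CommandLine", ""),
                         "severity": severity})
    return hits


# Constructed sample telemetry (not real logs): one benign Word-to-Explorer event,
# one macro-to-wscript event, one unrelated scheduled task.
SAMPLE_EVENTS = [
    "UtcTime=2023-05-02 01:12:07\tImage=C:\\Windows\\explorer.exe\t"
    "ParentImage=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE\t"
    "CommandLine=explorer.exe /select,C:\\Users\\user\\Downloads",
    "UtcTime=2023-05-02 01:13:44\tImage=C:\\Windows\\System32\\wscript.exe\t"
    "ParentImage=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE\t"
    "CommandLine=wscript.exe //e:vbscript //b C:\\Users\\user\\AppData\\Local\\Temp\\update.txt",
    "UtcTime=2023-05-02 01:15:00\tImage=C:\\Windows\\System32\\cscript.exe\t"
    "ParentImage=C:\\Windows\\System32\\svchost.exe\t"
    "CommandLine=cscript.exe C:\\Windows\\System32\\slmgr.vbs /dli",
]

if __name__ == "__main__":
    for hit in flag_office_script_children(SAMPLE_EVENTS):
        print(hit["severity"], hit["time"], hit["parent"], "->", hit["child"], "|", hit["cmdline"])
```

The `//e:vbscript` switch in the sample is worth keeping in the rule's scope: it lets wscript.exe run VBScript from a file with a non-script extension such as .txt, which is exactly how a dropper avoids a naive "*.vbs" filter.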
South Korea’s National Intelligence Service warned that North Korea had created a phishing site that cloned the Naver portal in real time to target South Korean users. The fake domain, www.naverportal.com, reproduced Naver’s main page, live news, advertis…
Ronin Network lost 173,600 ETH and 25.5 million USDC, about $624 million, after attackers used compromised validator access to forge withdrawals from the Ronin Bridge. The exploit depended on Ronin's five of nine validator approval model: four Sky Mavis v…
This would mark the first major crypto theft publicly attributed to Lazarus Group since the $100 million exploit of Horizon Bridge in June 2022. Elliptic has attributed this incident to North Korea’s Lazarus Group, which is believed to have stolen over $2…
NSHC’s March 2023 ThreatRecon report says SectorA activity was the most prominent cluster during the collection window, with five SectorA groups active across Ukraine, South Korea, the United States, Singapore, and Pakistan. The DPRK-relevant sections des…
Elliptic describes how sanctioned North Korea-linked actors, including Lazarus Group and facilitators sanctioned for supporting it, move stolen cryptocurrency through multiple intermediary wallets to obscure exposure. The report highlights Lazarus launder…