NSHC’s 2022 SectorA activity summary reports seven North Korea-linked SectorA subgroups conducting both intelligence collection against South Korea-related political, diplomatic, government, research, and defector communities and financially motivated act…
The Korean analysis attributes a malicious Word document named “Interview.doc” to Lazarus activity suspected of targeting the European Union and lists hashes for the sample. The lure content presents a GDPR-themed document with cryptocurrency interview qu…
South Korea’s National Police Agency attributed the 2021 Seoul National University Hospital breach to a North Korean hacking organization after investigating the compromise and data exposure. Investigators said the attackers controlled seven domestic and …
Lazarus Operation DreamJob activity used a fake HSBC job-offer lure to deliver a native 64-bit Linux ELF downloader, expanding the campaign beyond earlier Windows and macOS targeting. The infection chain starts with a ZIP containing a deceptive file name …
Outpost24’s KrakenLabs explains a threat-actor naming convention that clusters adversaries by observed capabilities, infrastructure, victims, and TTPs rather than relying solely on another vendor’s attribution labels. The methodology uses adjective-plus-p…
ESET’s Q4 2022–Q1 2023 APT activity report says North Korea-aligned groups ScarCruft, Andariel, and Kimsuky continued targeting South Korean and South Korea-related entities with established toolsets. The Lazarus section highlights a fake Boeing-themed jo…
BBC’s Lazarus Heist episode “Big spenders” examines North Korea-linked hacking in the context of whether the country’s nuclear weapons programme can be stopped. The excerpt highlights a hacker interview-style hook—“Are you a hacker? Yes, I am.”—and places…
The Korean analysis describes a Kimsuky-attributed campaign using a RAR archive themed as a South Korean National Tax Service notice for VAT-exempt business status reporting. Inside the archive, a very large LNK file masquerading as an HWP tax-audit notic…
SentinelLabs observed ongoing Kimsuky campaigns using a new BabyShark-related reconnaissance component named ReconShark against carefully selected individuals and organizations. The activity used tailored spear-phishing emails with OneDrive links to passw…
Chainalysis attributes the Qubit/QBridge theft to North Korea-linked hackers and describes it as South Korea’s largest cryptocurrency theft of 2022, with roughly $80 million drained from the BNB-chain DeFi lending protocol. The attackers exploited QBridge…
The IFANS report assesses North Korea’s cyber capability as a strategic asymmetric tool used for military, political, intelligence, influence, and revenue-generation objectives. It emphasizes that DPRK operations target governments, critical infrastructur…
The 3CX compromise is presented as a Lazarus-linked double software supply-chain incident: a trojanized X_TRADER application gave UNC4736 access to a 3CX employee system, enabling lateral movement into 3CX Windows and macOS build environments and maliciou…
BBC’s Lazarus Heist episode “Bitcoin bandits” focuses on the Lazarus Group’s shift from smaller cryptocurrency activity into thefts measured in the billions. The source excerpt presents the episode as part of a series on North Korea-linked cybercrime and …
Check Point tracks APT37-linked ROKRAT activity shifting from older HWP exploits and Office macros toward ZIP or ISO archives containing oversized LNK files that launch multi-stage infection chains. The lures focus heavily on South Korean domestic and for…
JPCERT/CC described recent DangerousPassword activity, also known as CryptoMimic or SnatchCrypto, against cryptocurrency exchange businesses, a campaign it has tracked since 2019. The source says attackers continued shortcut-file delivery but also used Li…