Jamf Threat Labs identified RustBucket, a macOS malware family suspected to be linked to North Korean state-sponsored activity and likely BlueNoroff, a Lazarus subgroup. The campaign used an unsigned AppleScript dropper named Internal PDF Viewer.app to do…
Symantec found that the North Korean-linked X_TRADER supply-chain attack affected organizations beyond 3CX, including two energy-sector critical infrastructure victims in the United States and Europe and two financial-trading organizations. The campaign b…
AhnLab reported that RedEyes, also known as APT37 or ScarCruft, was distributing RokRAT through malicious LNK files after earlier CHM-themed activity against domestic financial-company security mail. The LNK files contained PowerShell commands that extrac…
Krebs reported that the 3CX compromise was a nested supply-chain incident: a 3CX employee first installed a trojanized X_TRADER package, after which attackers used the employee's credentials to access 3CX and compromise Windows and macOS build environment…
CISA analyzed a 64-bit Windows DLL named infostealer.dll, identified as an ICONICSTEALER variant used in the 3CXDesktopApp supply-chain attack. The DLL was included in a 3CXDesktopApp installer and attempted to read the local 3CXDesktopApp config.json whi…
During our analysis of the samples, we observed that several of them belonged to two different collections created by AlienVaultOTX: APT43: North Korean Group Uses Cybercrime to Fund Espionage Operations and Analysis of Smoke Screen in APT campaign aimed …
Mandiant traced the 3CX internal compromise to an employee's personal computer after the employee installed a trojanized Trading Technologies X_TRADER package downloaded from the vendor's site. The installer carried VEILEDSIGNAL, which gave UNC4736 admini…
Mandiant found that the 3CX Desktop App supply-chain compromise began with an earlier compromised X_TRADER installer from Trading Technologies, making it a cascading software supply-chain attack. The X_TRADER package deployed VEILEDSIGNAL through DLL side…
ESET links a Lazarus Operation DreamJob campaign against Linux users to broader evidence connecting the group with the 3CX supply-chain compromise. The Linux intrusion chain used a ZIP archive containing a fake HSBC job offer lure, where a deceptive Unico…
This actor, also known by Thalium and APT37, has been active since 2012 and has produced several campaigns using various techniques, from watering hole attacks to spear phishing and malware campaigns targeting different platforms, including Android and Ch…
South Korean police attributed a hacking case exploiting financial security-authentication software vulnerabilities to Lazarus, a North Korean Reconnaissance General Bureau-linked group. Investigators said North Korea compromised a well-known domestic fin…
Elliptic’s anniversary article reviews major cryptocurrency hacks and frames DeFi protocols and cross-chain bridges as increasingly attractive targets for high-value theft. The source describes the $611 million Poly Network compromise, the $569 million BS…
Mandiant’s M-Trends 2023 is a broad incident-response report, but its DPRK-relevant finding is that North Korea-nexus actors were targeting cryptocurrency for financial gain to support the regime. The excerpt places that activity alongside other geopoliti…
Microsoft’s threat actor naming reference maps several North Korea-linked groups into its weather-themed taxonomy, including Ruby Sleet, Sapphire Sleet, Pearl Sleet, Opal Sleet, Emerald Sleet, and Diamond Sleet. The table ties Sapphire Sleet to BlueNoroff…
Microsoft announced a shift from its older Elements, Trees, Volcanoes, and DEV naming systems to a weather-themed threat actor taxonomy. The taxonomy is intended to make actor references clearer by grouping names around attribution or motivation and using…