NSHC ThreatRecon reports that SectorA groups, especially SectorA05, sharply increased phishing activity in 2022, with South Korea accounting for nearly all observed targeting. The activity focused on research centers, government workers, education, NGOs, …
BBC’s Lazarus Heist episode “False flags” covers the unmasking of the Olympic hackers and references the political “bromance” around “beautiful letters.” The source excerpt is a short BBC Sounds listing rather than a technical analysis, so it does not sup…
The talk tracks Lazarus activity through the DeathNote cluster, starting with cryptocurrency exchange targeting that used malicious documents and trojanized trading applications. The speaker links the cluster to downloaders named dm.dll and dn64.dll, whic…
CertiK analyzed the April 2023 GDAC exchange compromise, assessing it as highly likely a private-key compromise that caused about $13 million in cryptocurrency losses, or 23% of GDAC's holdings. The incident likely began on Ethereum around 18:36 UTC on 8 …
The compromised binary in this case is a software-based Private Automatic Branch Exchange (PABX) Voice over Internet Protocol (VoIP) phone system developed by the company 3CX, and it was compromised through a supply chain attack suspected to have the invo…
A Korean analysis attributes a malicious Word document named like a personal-information/resume form to Kimsuky, describing a VBA macro that runs only after macros are enabled. The macro uses obfuscated string replacement and Shell.Application to launch P…
ThreatBook's 2022 APT activity report includes a DPRK section covering Lazarus, Kimsuky, and Group123 alongside other regional threat actors. Its Lazarus case study focuses on poisoned IDA Pro 7.5 installers aimed at security researchers, where a maliciou…
Interlab tracks UCID902 as a well-resourced cluster targeting human rights groups and activists focused on North Korea, with motivations aligned to North Korea’s Reconnaissance General Bureau and overlap with ESTSecurity’s Kumsong 121 reporting. The campa…
PwC's 2022 threat retrospective is a broad landscape report, but its DPRK-relevant section notes that North Korea-based threat actors intensified financially motivated operations. The excerpt says these actors continued targeting financial services, crypt…
Kaspersky tracks Lazarus Group's DeathNote cluster, also associated with Operation DreamJob or NukeSped, from cryptocurrency-focused attacks into defense-related, automotive, academic, IT, and South Korean targets. Early activity used malicious cryptocurr…
Terraport Finance lost about $3.9 million on April 10, 2023 after its Terraport Liquidity wallet was breached and drained of LUNC, TERRA, and USTC tokens. The source says the root cause was still unknown, but two attack transactions moved roughly 15.1 bil…
Kaspersky's Botconf presentation tracks Lazarus/Hidden Cobra's DeathNote, also known as DreamJob, from older malware clusters into updated multi-stage infection chains. The source highlights newer initial downloaders, trojanized applications and PDF-reade…
360 Threat Intelligence Center reports that APT-C-28/ScarCruft, also known as Konni, conducted targeted attacks against South Korean entities using Korean-language lure documents related to rewards, payments, cryptocurrency, and contacts. The malicious ma…