Plainbit traces the CISA-listed North Korea ransomware address 16sYqXancDDiijcuruZecCkdBDwDf4vSEC, which QLUE flagged as Ransomware/North Korea and high risk. The address received and sent 0.06 BTC in July 2019, and its funds were combined with other inpu…
2023 (627 reports)
Somansa reports a Kimsuky spear-phishing case that impersonated a UN North Korea sanctions panel report and targeted recipients with a malicious HWP document. The lure copied the format of legitimate South Korean institutional documents and presented a fa…
Google TAG describes ARCHIPELAGO, a subset of APT43 activity it has tracked since 2012, as targeting people with expertise in North Korea policy, sanctions, human rights, and non-proliferation across government, military, think tank, academic, and researc…
This follow-up analysis explains how the 3CX SmoothOperator malware abused Authenticode without stealing Microsoft certificates. The trojanized ffmpeg.dll extracted malicious data from d3dcompiler_47.dll, whose certificate remained valid because the attac…
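The reason a signature can survive that kind of tampering is that the Authenticode hash covers the PE image minus three things: the checksum field, the security data-directory entry, and the certificate table the entry points to. Bytes placed inside a WIN_CERTIFICATE entry after the end of its PKCS#7 blob therefore change nothing the signer hashed, and Windows only rejects such bytes when its optional stricter certificate-padding check is turned on. The triage script below is an added example, not code from the 3CX analysis: it walks the certificate table of a PE file and reports how many bytes each entry carries beyond its DER-encoded signature, flagging anything larger than the 8-byte alignment padding a legitimate signing tool leaves. It does not verify the signature itself. `build_sample_pe` produces a constructed, headers-only PE32+ with a stand-in DER blob so the check can run offline; on a real file, read the bytes from disk and pass them to `certificate_table_entries`.

```python
import struct

WIN_CERT_HEADER = 8        # dwLength(4) + wRevision(2) + wCertificateType(2)
SECURITY_DIR_INDEX = 4     # IMAGE_DIRECTORY_ENTRY_SECURITY


def _u16(buf, off):
    return struct.unpack_from("<H", buf, off)[0]


def _u32(buf, off):
    return struct.unpack_from("<I", buf, off)[0]


def der_encoded_length(blob):
    """Total size (tag + length + value) of the DER element at blob[0]."""
    if len(blob) < 2:
        raise ValueError("truncated DER element")
    first = blob[1]
    if first < 0x80:                       # short-form length
        return 2 + first
    n = first & 0x7F                       # long form: next n bytes hold the length
    if n == 0 or n > 4 or len(blob) < 2 + n:
        raise ValueError("unsupported DER length encoding")
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")


def security_directory(pe):
    """(file offset, size) of the certificate table. Unlike the other data
    directories this entry holds a raw file offset, not an RVA."""
    e_lfanew = _u32(pe, 0x3C)
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    opt = e_lfanew + 4 + 20                # past the signature and COFF header
    dirs = opt + (96 if _u16(pe, opt) == 0x10B else 112)   # PE32 vs PE32+
    entry = dirs + SECURITY_DIR_INDEX * 8
    return _u32(pe, entry), _u32(pe, entry + 4)


def certificate_table_entries(pe):
    """One (declared_len, der_len, slack) tuple per WIN_CERTIFICATE entry.
    slack = bytes inside the entry past the end of the PKCS#7 blob. The whole
    certificate table is excluded from the Authenticode hash, so those bytes
    can hold anything without invalidating the signature."""
    off, size = security_directory(pe)
    entries = []
    if off == 0 or size == 0:              # unsigned file
        return entries
    end = off + size
    while off + WIN_CERT_HEADER <= end:
        declared = _u32(pe, off)
        if declared < WIN_CERT_HEADER or off + declared > end:
            raise ValueError("malformed WIN_CERTIFICATE entry")
        body = pe[off + WIN_CERT_HEADER:off + declared]
        der_len = der_encoded_length(body)
        if der_len > len(body):
            raise ValueError("PKCS#7 blob longer than its WIN_CERTIFICATE entry")
        entries.append((declared, der_len, len(body) - der_len))
        off += (declared + 7) & ~7         # entries are 8-byte aligned
    return entries


def suspicious_padding(pe, threshold=8):
    """True when an entry carries more trailing bytes than alignment padding."""
    return any(slack >= threshold for _, _, slack in certificate_table_entries(pe))


def build_sample_pe(extra=b""):
    """Constructed sample, not a real binary: a PE32+ header with no sections
    and one certificate entry whose bCertificate is a stand-in DER blob
    followed by `extra` bytes inside the same entry."""
    e_lfanew = 0x40
    hdr = bytearray(e_lfanew + 4 + 20 + 240)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    hdr[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    struct.pack_into("<H", hdr, e_lfanew + 4, 0x8664)         # Machine: x64
    struct.pack_into("<H", hdr, e_lfanew + 4 + 16, 240)      # SizeOfOptionalHeader
    opt = e_lfanew + 24
    struct.pack_into("<H", hdr, opt, 0x20B)                   # PE32+ magic
    struct.pack_into("<I", hdr, opt + 108, 16)                # NumberOfRvaAndSizes
    # stand-in for the PKCS#7 SignedData: a SEQUENCE with a long-form length of 16
    pkcs7 = b"\x30\x82\x00\x10" + b"\x02\x01\x01" + b"\x04\x0bsigneddata!"
    body = pkcs7 + extra
    declared = WIN_CERT_HEADER + len(body)
    pad = (-declared) % 8                                     # alignment padding only
    cert = struct.pack("<IHH", declared + pad, 0x0200, 0x0002) + body + b"\0" * pad
    cert_off = len(hdr)
    struct.pack_into("<II", hdr, opt + 112 + SECURITY_DIR_INDEX * 8, cert_off, len(cert))
    return bytes(hdr) + cert


if __name__ == "__main__":
    for label, sample in (("clean", build_sample_pe()),
                          ("payload appended", build_sample_pe(b"\xaa" * 64))):
        print(label, certificate_table_entries(sample), suspicious_padding(sample))
```

The clean sample reports 4 bytes of slack (pure alignment padding) and is not flagged; the sample with 64 appended bytes reports 68 and is. Treat a flag as a reason to carve out the trailing bytes and look at them, not as proof of tampering, and pair it with a real signature verification rather than replacing one.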
ThreatRecon observed SectorA phishing activity against South Korean targets increase sharply in 2022, with SectorA05 responsible for most observed cases and SectorA02 also active. The campaigns targeted researchers, government personnel, education, NGOs, …
AhnLab describes the 3CX DesktopApp supply-chain compromise reported by CrowdStrike as activity by a North Korea-based actor and shows that Korean victims installed affected Windows versions before public disclosure, including logs from a domestic univers…
Plainbit analyzes the CISA-listed North Korea ransomware address bc1q3wzxvu8yhs8h7mlkmf7277wyklkah9k4sm9anu, which QLUE marked as Ransomware/North Korea and high risk. The wallet received 2.54 BTC from Gemini on 2022-03-30 and sent funds onward within hou…
Plainbit traces the CISA-listed North Korea ransomware address bc1q8xyt4jxhw7mgqpwd6qfdjyxgvjeuz57jxrvgk9, which QLUE flagged as Ransomware and North Korea with a high-risk score. The address received and sent 0.51256 BTC in two transactions during May-Ju…
Plainbit summarizes a February 2023 CISA joint advisory on North Korea-linked ransomware and reviews 43 cryptocurrency addresses published as related indicators. The source says the advisory covers TTPs, IOCs, and cryptocurrency use by North Korean cyber …
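Before pivoting on an address list like the 43 indicators in that advisory, or the three addresses the Plainbit summaries above trace, it is worth confirming each one is actually well-formed: a transcription error in a published IOC sends a blockchain-analysis query nowhere and checks out as simply "no activity". The script below is an added example, not part of any of the cited reports. It validates Bitcoin mainnet addresses offline, decoding legacy Base58Check addresses (double-SHA-256 checksum, version byte 0x00 for P2PKH and 0x05 for P2SH) and bech32/bech32m SegWit addresses (BCH checksum, witness version, program length), and labels the script type so a list can be sorted before it goes into a tracing tool. The checksum math follows the BIP173/BIP350 reference algorithm; the addresses in the `__main__` block are the ones quoted in the summaries above, and the script makes no claim about them beyond what it prints.

```python
import hashlib

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
BECH32_CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"
BECH32_GEN = (0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3)
BECH32_CONST, BECH32M_CONST = 1, 0x2BC830A3   # witness v0 uses bech32, v1+ bech32m


def _hash256(b):
    return hashlib.sha256(hashlib.sha256(b).digest()).digest()


def base58check_encode(version, payload):
    raw = bytes([version]) + payload
    raw += _hash256(raw)[:4]
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    return "1" * (len(raw) - len(raw.lstrip(b"\0"))) + out   # one '1' per leading zero byte


def base58check_decode(addr):
    """(version, payload) for a legacy address, or None if alphabet or checksum is wrong."""
    if not addr or any(c not in B58 for c in addr):
        return None
    n = 0
    for c in addr:
        n = n * 58 + B58.index(c)
    raw = b"\0" * (len(addr) - len(addr.lstrip("1"))) + n.to_bytes((n.bit_length() + 7) // 8, "big")
    if len(raw) < 5 or _hash256(raw[:-4])[:4] != raw[-4:]:
        return None
    return raw[0], raw[1:-4]


def _polymod(values):
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            if (top >> i) & 1:
                chk ^= BECH32_GEN[i]
    return chk


def _hrp_expand(hrp):
    return [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]


def _convertbits(data, frombits, tobits):
    """Regroup 5-bit symbols into bytes; leftover bits must be zero (no padding allowed)."""
    acc = bits = 0
    out, maxv = [], (1 << tobits) - 1
    for v in data:
        acc = (acc << frombits) | v
        bits += frombits
        while bits >= tobits:
            bits -= tobits
            out.append((acc >> bits) & maxv)
    if bits >= frombits or (acc << (tobits - bits)) & maxv:
        return None
    return bytes(out)


def segwit_decode(addr, hrp="bc"):
    """(witness_version, program) for a bech32/bech32m address, or None."""
    if addr != addr.lower() and addr != addr.upper():   # mixed case is invalid
        return None
    addr = addr.lower()
    sep = addr.rfind("1")
    if sep < 1 or sep + 7 > len(addr) or len(addr) > 90 or addr[:sep] != hrp:
        return None
    data = addr[sep + 1:]
    if any(c not in BECH32_CHARSET for c in data):
        return None
    values = [BECH32_CHARSET.index(c) for c in data]
    version = values[0]
    expected = BECH32_CONST if version == 0 else BECH32M_CONST
    if version > 16 or _polymod(_hrp_expand(hrp) + values) != expected:
        return None
    program = _convertbits(values[1:-6], 5, 8)     # drop version symbol and 6-symbol checksum
    if program is None or not 2 <= len(program) <= 40:
        return None
    if version == 0 and len(program) not in (20, 32):
        return None
    return version, program


def classify(addr):
    """Script type for a syntactically valid mainnet address, else 'invalid'."""
    legacy = base58check_decode(addr)
    if legacy is not None:
        version, payload = legacy
        if len(payload) == 20 and version == 0x00:
            return "p2pkh"
        if len(payload) == 20 and version == 0x05:
            return "p2sh"
        return "invalid"
    segwit = segwit_decode(addr)
    if segwit is not None:
        version, program = segwit
        if version == 0:
            return "p2wpkh" if len(program) == 20 else "p2wsh"
        if version == 1 and len(program) == 32:
            return "p2tr"
        return "segwit-v%d" % version
    return "invalid"


if __name__ == "__main__":
    # the three addresses quoted in the Plainbit summaries on this page
    for a in ("16sYqXancDDiijcuruZecCkdBDwDf4vSEC",
              "bc1q3wzxvu8yhs8h7mlkmf7277wyklkah9k4sm9anu",
              "bc1q8xyt4jxhw7mgqpwd6qfdjyxgvjeuz57jxrvgk9"):
        print(a, classify(a))
```

A checksum pass only means the string was copied intact; it says nothing about attribution, which still rests on the tracing tool's labels and the advisory itself. The bech32 code is deliberately strict about mixed case and about non-zero leftover bits, both of which the BIPs define as invalid, so an address that a lenient decoder accepts but this rejects is worth a second look at the source document.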
This malware analysis video walks through the trojanized 3CX desktop app supply chain attack by reversing the malicious ffmpeg.dll in Binary Ninja. The analysis starts from public reporting, unpacks the MSI, compares the signed components, and follows DLL…
Kaspersky investigated whether the 3CX supply-chain compromise led only to an infostealer or also to follow-on implants, and found Gopuram backdoor deployments tied to infected 3CXDesktopApp processes. The report says Gopuram infections rose in March 2023…
CrowdStrike and SentinelOne observed a 3CXDesktopApp software supply-chain compromise in which an actor believed to be affiliated with Lazarus inserted malicious code into official Windows and macOS builds. On Windows, the signed 3CX MSI installed 3CXDesk…
HivePro’s advisory attributes the SmoothOperator 3CX supply-chain campaign to LABYRINTH CHOLLIMA, listing aliases including HIDDEN COBRA, ZINC, Nickel Academy, and Lazarus Group, and describes worldwide targeting across automotive, food and beverage, hosp…
Piyolog summarizes the March 2023 3CX supply-chain compromise in which tampered Windows and macOS 3CX client installers were distributed and could infect users with malware capable of stealing browser-stored information. The source notes that 3CX products…
In 2021, North Korea reportedly stole 400 million dollars from crypto exchanges.[10] Arguably one of the largest cyber-attacks attributed to North Korea’s Lazarus Group is the WannaCry ransomware attack in 2017.[11] The ransomware hit over 2…