Kimsuky employs a range of tactics, techniques, and procedures (TTPs) such as spear-phishing campaigns, social engineering, and custom malware to compromise its targets and exfiltrate sensitive data. Strengthen security awareness training for employees, e…
2023: 627 reports
BBC’s Lazarus Heist episode “Hushpuppi” links a social media influencer to laundering cash for the hackers and funding a luxury lifestyle. The excerpt provides a concise episode description rather than a technical report, and it does not include indicator…
BBC’s Lazarus Heist episode “Big Boss” follows the hackers’ turn to the dark web and highlights a figure called “Big Boss” as important to the ATM heist. The available source is a short BBC Sounds listing, so it supports only the episode’s focus and not s…
BBC’s Lazarus Heist episode “Jackpotting” says millions of dollars were stolen from ATMs at the same time in 28 countries. The excerpt frames this as part of the Lazarus Heist series, but it does not provide malware names, ATM tooling, infrastructure, or …
NSHC’s February 2023 Korean ThreatRecon report says SectorA activity was the largest share of observed threat-actor operations during the period and highlights five SectorA clusters. The SectorA examples include activity in Sweden using company-evaluation…
Kaspersky’s H2 2022 industrial APT roundup includes several DPRK-relevant items affecting industrial and critical-infrastructure defenders. It summarizes Microsoft reporting on DEV-0530/H0lyGh0st ransomware, a North Korea-based actor linked to PLUTONIUM/A…
ASEC observed Kimsuky hiding malware with Windows Alternate Data Streams (ADS). The infection begins with VBScript embedded in an HTML file and functions as an infostealer that collects directory and recent-file information before decoding a payload to C:…
The virtual-asset hacking presentation reviews techniques and losses associated with major cryptocurrency incidents, including Liquid, Axie Infinity/Ronin Bridge, Harmony, and Qubit. It cites 2022 crypto-crime figures showing illicit virtual-asset transac…
At the end of 2017, the group also carried out an attack campaign targeting North Korean human rights organization officials and journalists from North Korean media outlets to induce the installation of malicious APKs through KakaoTalk, the most popular m…
ASEC reports a Kimsuky campaign that impersonated a professor and emailed a password-protected Word document disguised as a biography/profile form. When macros were enabled, the document used PowerShell to contact C2, download additional scripts, and run …
The Breadcrumbs page labels a Ronin Bridge Exploiter wallet as Lazarus Group North Korea infrastructure tied to the Axie Infinity hack. The visible graph also shows related Lazarus-labelled addresses and an Euler Finance exploit connection, but the excerp…
Zscaler ThreatLabz describes APT37, also known as ScarCruft or Temp.Reaper, using a threat-actor-controlled GitHub repository to stage malicious payloads and maintain encoded configuration material. The repository’s commit history exposed deleted files an…
According to blockchain analytics firm Elliptic’s analysis, the Lazarus Group has been active in the cryptocurrency space since at least 2017, targeting both cryptocurrency exchanges and DeFi bridges. The Ronin Bridge exploiter was previously identified b…
AhnLab warns that DreamSecurity MagicLine4NX versions 1.0.0.1 through 1.0.0.26 contain a remotely exploitable code-execution vulnerability in a certificate-authentication component that commonly remains resident via MagicLine4NXServices.exe. AhnLab observ…
AhnLab ASEC described how defenders can use EDR telemetry to track CHM malware activity associated with recently disclosed APT-style attacks. The analyzed CHM file runs script through the signed Windows help binary hh.exe, a MITRE ATT&CK T1218.001 system-…