The Justice Department announced an international takedown of ChipMixer, a darknet cryptocurrency mixer accused of laundering more than $3 billion in bitcoin for ransomware crews, darknet markets, fraud shops and state-sponsored hacking schemes. Court doc…
Kimsuky distributed a malicious Word document masquerading as an application to confirm mutual intent to divorce, using macros to install QuasarRAT. When the user enabled content, the decoy displayed a legitimate-looking divorce form while AutoOpen macro …
Qianxin profiles Lazarus Group, also tracked as APT-Q-1, as a North Korea-linked threat group active since at least 2009 with espionage and financially motivated operations. The profile describes spear-phishing, watering-hole activity, SMB exploitation, l…
A U.S. criminal complaint alleged that Minh Quoc Nguyen operated ChipMixer, an online bitcoin mixer used to conceal proceeds from cybercrime and other illegal activity. The affidavit says ChipMixer had facilitated roughly $3 billion in bitcoin laundering …
A spear-phishing campaign targeted South Korean organizations related to North Korea by impersonating a cyber safety bureau email and attaching a ZIP archive containing a malicious CHM help file. Opening the CHM displayed legitimate-looking legal content …
QiAnXin's 2022 global APT annual report found that government agencies remained the top target of advanced threat activity, followed by defense, finance, energy, technology, and media sectors. Its telemetry for China observed high-risk communications with…
ESRC attributes a Korean phishing campaign to Kimsuky, targeting people connected to North Korea-related organizations with email impersonating the Cyber Safety Bureau. The lure claimed the recipient faced legal or account-abuse issues and attached an arc…
KR-CERT advised organizations and end users to update YettieSoft VestCert and MLSoft TCO!stream after the vendors released fixes for remote code execution vulnerabilities in the financial security products. The advisory warns that attackers could exploit …
Hauri warned that attackers impersonated a national advisory institution to send targeted malicious email to a researcher at a major Korean research organization. The lure requested a paper review and attached a 논문.zip archive containing a CHM file; openi…
AhnLab reports Korean-targeted malware distributed in archives that pair password-protected legitimate documents with files masquerading as password information. One CHM variant is assessed as likely tied to RedEyes/APT37/ScarCruft because it reuses comma…
Mandiant tracks UNC2970 as a suspected North Korean espionage cluster targeting Western media and technology organizations, including security researchers, with job-recruitment themed spear phishing. The group used fake LinkedIn recruiter personas to move…
Mandiant describes how North Korea-linked UNC2970 used Bring Your Own Vulnerable Driver techniques to support intrusion operations and evade endpoint defenses. Investigators recovered Share.DAT, decoded it into the in-memory LIGHTSHIFT dropper, and linked…
NSHC’s January 2023 monthly report says SectorA activity was the most prominent threat-actor category observed, accounting for 31% of the tracked activity during the collection window. The DPRK-relevant SectorA section identifies SectorA01 activity in Swe…
LABYRINTH CHOLLIMA is a DPRK-nexus adversary that CrowdStrike says has been active since at least 2009 and is likely affiliated with Bureau 121 of North Korea's Reconnaissance General Bureau. The profile ties the cluster to multiple community identifiers,…
AhnLab ASEC reported CHM malware assessed as Kimsuky activity, distributed in password-protected archives after the recipient responded to an email posing as a North Korea-related interview request. Running the CHM opened a decoy questionnaire while a Sho…