The UN Panel of Experts reported that cyber activity attributed to DPRK Reconnaissance General Bureau actors continued during 2022. The panel said DPRK actors stole more cryptocurrency value in 2022 than in any previous year and used increasingly sophisti…
2023: 627 reports
The article describes a GoldDragon-cluster Kimsuky campaign in early 2022 against defense, political, and North Korea-related individuals. The infection chain used spear-phishing and multiple delivery formats, including Word documents, HTA files, and CHM …
NSHC's January 2023 monthly threat-actor report summarizes activity collected by the ThreatRecon team from December 21, 2022 to January 20, 2023. It observed 19 threat groups, with SectorA activity making up the largest share and targeting government and …
AhnLab reported CHM malware attributed to RedEyes, also known as APT37 or ScarCruft, distributed to South Korean users through lures impersonating a domestic financial company's secure email. When opened, the CHM file displayed a fake help window while an…
AhnLab analyzed a Lazarus intrusion that abused a vulnerability in certificate-related software widely used by South Korean public institutions and universities. The victim had previously been compromised by Lazarus in May 2022 and was reinfected through …
The GitHub project describes a proof-of-concept program modeled on APT38/North Korea-backed social-engineering tactics against security researchers. The source says attackers trick researchers into collaborating through a malicious Microsoft Visual Studio…
The INSS study examines the characteristics of North Korean cyber threats and policy responses under the Kim Jong Un era. It links DPRK cyber operations to nuclear and missile development, cryptocurrency theft, sanctions evasion, information sharing chall…
Symantec attributes intrusions against an Asian materials research organization to a previously unknown group it tracks as Clasiopa, while noting there is no firm evidence of the group’s origin or sponsor. The activity used a distinct toolset including th…
Wallets attributed in the article to North Korean hackers moved 1,944.72 ETH, worth about $3.2 million, from the 2018 Gate.io theft after more than 4.5 years of dormancy. ZachXBT reported that the attackers sent about $3.1 million to one Ethereum address,…
ASEC analyzed a Magniber relaunch mechanism in MSI-distributed samples aimed at Chrome and Edge users through typosquatting. The ransomware injects payloads into user processes and randomly chooses between immediate encryption and persistence setup. For p…
ESET identified WinorDLL64 as a Wslink payload and assessed with low confidence that it is connected to Lazarus based on South Korean victim telemetry, timing, development-environment overlap, and behavior/code similarities with GhostSecret and Bankshot-r…
ZDNet Korea reported on litigation stemming from the 2016 South Korean defense network hacking incident. The Seoul High Court rejected the Ministry of National Defense's claim that Hauri's poor private-key management caused the breach through leaked signi…
This podcast episode focuses on North Korean-aligned cyber actors, particularly TA444, and how DPRK operations extend beyond espionage into cryptocurrency-focused revenue generation. The source highlights DPRK isolation as context for its cyber approach a…
IBM Security X-Force analyzes how attackers with elevated Windows privileges can use kernel post-exploitation to blind Event Tracing for Windows sensors. The report links this tradecraft to an ESET-documented Lazarus payload used against entities in Belgi…
The Substack overview profiles Lazarus as a North Korean state-linked threat group also tracked as Hidden Cobra or Zinc, with subgroups such as Andariel and BlueNoroff and reported overlaps with APT37 and Kimsuky. It summarizes major operations including …