QRLog is a Java RAT found in February 2023 inside an otherwise functional Java QR-code generator, where malicious code in QRCodeWriter.java wrote and executed QRLog.java from a temporary directory. The malware decoded embedded base64 content, checked whet…
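The QRLog summary describes a recognizable trojanized-dependency pattern: an embedded base64 blob decoded at runtime, written under the temp directory, and then compiled or executed. As an added example that is not part of the original page and not QRLog's own code, the Python below is a triage scanner over Java sources for exactly that chain. The indicator names, regexes, scoring rule and the three sample Java files are constructed for illustration; a hit is a reason to read the file, not a verdict.

```python
"""Triage scan of Java sources for the behaviour chain described above: an
embedded base64 blob that is decoded, written under the temp directory and then
compiled or executed. Regex heuristics only; hits need manual review."""
import re
from dataclasses import dataclass, field

# Indicator names are ours (assumed), not terminology from the report.
INDICATORS = {
    "base64_decode": re.compile(
        r"Base64\s*\.\s*get(Mime|Url)?Decoder\s*\(|DatatypeConverter\s*\.\s*parseBase64Binary"),
    "temp_dir_write": re.compile(
        r"java\.io\.tmpdir|createTemp(File|Directory)\s*\("),
    "exec_or_compile": re.compile(
        r"Runtime\s*\.\s*getRuntime\s*\(\s*\)\s*\.\s*exec\s*\(|new\s+ProcessBuilder\s*\("
        r"|ToolProvider\s*\.\s*getSystemJavaCompiler\s*\(|\bJavaCompiler\b"),
}
# A string literal made only of base64 alphabet characters, at least 120 long.
LONG_B64_LITERAL = re.compile(r'"[A-Za-z0-9+/]{120,}={0,2}"')


@dataclass
class Finding:
    path: str
    indicators: list = field(default_factory=list)
    long_literals: int = 0

    @property
    def suspicious(self) -> bool:
        # The full chain (decode -> temp write -> execute) is the strong signal;
        # two stages plus an embedded blob is worth a look; anything less is
        # noise for a QR library that legitimately handles byte payloads.
        return len(self.indicators) == 3 or (
            len(self.indicators) >= 2 and self.long_literals > 0)


def scan_source(path: str, src: str) -> Finding:
    """Return the indicators present in one Java source (comments included)."""
    f = Finding(path)
    for name, rx in INDICATORS.items():
        if rx.search(src):
            f.indicators.append(name)
    f.long_literals = len(LONG_B64_LITERAL.findall(src))
    return f


def scan_tree(sources: dict) -> list:
    """Scan a {path: source} mapping and return only the suspicious findings."""
    return [f for f in (scan_source(p, s) for p, s in sources.items()) if f.suspicious]


# --- constructed samples (illustrative, not QRLog's real code) --------------
BENIGN_WRITER = """
public class QRCodeWriter {
    public BitMatrix encode(String contents, int width, int height) {
        QRCode code = Encoder.encode(contents, ErrorCorrectionLevel.L);
        return renderResult(code, width, height);
    }
}
"""

# Decodes and writes to a temp file but never executes: two stages, no blob.
TEMP_IMAGE_WRITER = """
public class PreviewCache {
    File save(String b64Png) throws IOException {
        File f = File.createTempFile("qr", ".png");
        Files.write(f.toPath(), Base64.getDecoder().decode(b64Png));
        return f;
    }
}
"""

BLOB = "QUFB" * 40  # constructed filler standing in for an embedded payload
TROJANIZED_WRITER = """
public class QRCodeWriter {
    private static final String P = "@BLOB@";
    static void init() throws Exception {
        Path dir = Paths.get(System.getProperty("java.io.tmpdir"));
        Path src = dir.resolve("QRLog.java");
        Files.write(src, Base64.getDecoder().decode(P));
        new ProcessBuilder("java", src.toString()).start();
    }
}
""".replace("@BLOB@", BLOB)

SAMPLE_TREE = {
    "src/QRCodeWriter.java": TROJANIZED_WRITER,
    "src/PreviewCache.java": TEMP_IMAGE_WRITER,
    "src/clean/QRCodeWriter.java": BENIGN_WRITER,
}

if __name__ == "__main__":
    for f in scan_tree(SAMPLE_TREE):
        print(f.path, f.indicators, "blobs:", f.long_literals)
```

Run against a checked-out dependency tree by reading each `.java` file into the mapping passed to `scan_tree`. The scoring deliberately tolerates a file that decodes base64 and writes a temp file (common in image handling) and only escalates when execution or compilation is also present or a long embedded literal accompanies the write; matches inside comments are counted too, which is acceptable for triage.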
2023
627 reports
ASEC observed malicious HTML and LNK files impersonating a public organization and using honorarium themed HWP documents as lures for people in Korean reunification and national security fields. Running the LNK opens a legitimate HWP file while dropping o…
We organized analyses of APT groups disclosed by security companies and institutions, including AhnLab, during the previous month; however, some APT groups may not have been included. In this report, we cover nation-led threat groups …
AhnLab's September 2023 Kimsuky trend report says the group's activity shifted strongly toward RandomQuery while FlowerPower was not observed and AppleSeed/BabyShark activity remained comparatively low. The report counted 11 RandomQuery, 4 AppleSeed, and …
BlueNorOff is described as using ProcessRequest, a macOS malware sample aimed at cryptocurrency related targets such as exchanges, venture capital firms, and banks. The sample is temporarily signed and operates as a simple Objective-C remote shell that ca…
The source profiles "Bravemaster619" as a likely North Korean IT worker operating from China and seeking freelance software work under an online persona. The author ties the account to prior New Yorker reporting, Korean-language activity on HiNative, dele…
Recorded Future News reports that hackers stole more than $100 million from the Poloniex cryptocurrency platform, with blockchain-security estimates ranging from roughly $114 million to $130 million. Poloniex said it was investigating, would reimburse aff…
The source says Lazarus modified open source tools including PuTTY, KiTTY, TightVNC, Sumatra PDF Reader, and muPDF or Subliminal Recording to deliver malware to engineers. Operators posed as recruiters on LinkedIn and targeted engineers at specific compan…
Poloniex publicly acknowledged the hack incident and said it would fully reimburse affected users. The exchange stated that it had identified and frozen part of the assets tied to the hacker addresses, restored systems, and preserved evidence for follow u…
REKT reported that Poloniex hot wallets were drained of about $126 million across Ethereum, TRON, and Bitcoin, with Justin Sun promising reimbursement and a 5 percent whitehat bounty. The article does not attribute the theft, but places it in the context …
ASEC reports that Andariel, described as linked to or subordinate to Lazarus, abused a Korean asset management program and poorly managed MS-SQL servers to deploy TigerRat, NukeSped variants, Black RAT, Lilith RAT, and a Go downloader. The observed target…
ASEC reports a campaign distributing malicious LNK files through emails that impersonate secure mail and public institutions, mainly aimed at people working on unification and security issues. The lure archives contain normal HWP documents about Ministry …
South Korea's NIS said North Korean hackers kept exploiting vulnerable MagicLine4NX authentication software after earlier public warnings and March patches. The agency said nearly 50 organizations had been compromised by malware tied to North Korea's Reco…
The Kimsuky group’s hacking activities included sending phishing emails and emails carrying malware attachments to certain individuals or organizations in the fields of North Korea, politics, diplomacy, and security, with the purpose of stealin…
NSHC's September 2023 ThreatRecon report records SectorA as the most active tracked cluster family, with five SectorA groups observed across Korea, the United States, China, Romania, Poland, Malaysia, the Netherlands, Qatar, and Hong Kong. SectorA02 used …