Jamf Threat Labs attributed a new macOS later-stage malware sample, tracked as ObjCShellz, to BlueNoroff activity overlapping the RustBucket campaign. The Mach-O universal binary named ProcessRequest contacted swissborg[.]blog, a domain resembling cryptoc…
South Korea’s National Intelligence Service warned that North Korean hackers continued exploiting vulnerabilities in MagicLine4NX, a certificate-authentication program used by public, financial, and other Korean websites. The notice says the Reconnaissanc…
The source describes a LinkedIn job scam aimed at Web3 developers in which the attacker sent an archive of a repository rather than a simple executable. Analysis of the project found an obfuscated next.setup.js file that would run after dependency install…
Phylum found a crypto-themed npm supply-chain campaign after its detector flagged the puma-com package on October 30, 2023, then connected four more packages to the same activity. The Windows-only preinstall script writes and runs batch and PowerShell fil…
The DailySecu AIS presentation introduces Deep Binary Profiler, an AI-assisted malware profiling approach that compares assembly-code functions to identify reuse across known threats. Its North Korea examples include the 2013 3.20 attack, Sony Pictures, I…
Kaspersky's presentation on AI use by attackers and defenders places Lazarus among the most significant APT actors observed in 2022 and identifies governments as the top APT targets. It uses Kimsuky Operation GoldDragon and Lazarus Operation DreamJob as c…
Uppsala Security analyzed the October 2023 Fantom Foundation hot-wallet theft after reports that about $550,000 in cryptocurrency was drained through a vulnerability in the official Fantom wallet. The stolen assets included ETH, stablecoins, and multiple …
The INSS issue brief describes North Korea adapting cyber operations after a decline from the record cryptocurrency theft volumes seen in 2022. The source says global cryptocurrency attacks increased through the second quarter of 2023, estimates that Nort…
AhnLab identified malicious HWP documents embedded with OLE objects and aimed at people in sectors including national defense, unification, education, and the press. One document type triggered external URLs through oversized embedded OLE objects, while a…
NSHC ThreatRecon reported four SectorA activity clusters in August 2023, with operations observed in South Korea, Russia, the United States, Hong Kong, Singapore, the Philippines, and the United Kingdom. SectorA01 used the JumpCloud software-management in…
AhnLab tracks Kimsuky activity over a 17-month period under the name Operation Covert Stalker, focusing on phishing and malware operations against people and organizations connected to North Korea, politics, diplomacy, defense, and security. The report de…
The Korean analysis describes a Kimsuky-linked CHM malware lure targeting people who work on North Korea issues, using a document titled as a DailyNK representative's discussion of North Korean human rights group activity. The lure arrived in a password-p…
Elastic Security Labs attributes REF7001 to DPRK activity with Lazarus Group overlaps and describes an intrusion against blockchain engineers at a cryptocurrency exchange platform. The operators posed as members of a blockchain engineering community on Di…
S2W reports that the Kimsuky APT group used a FastViewer variant merged with FastSpy and disguised as a legitimate mobile application. The analysis links the activity to prior FastViewer and FastSpy research from 2022 and says the newer variant appears to…
Genians links Kimsuky's Storm operation to BabyShark-family tooling used in South Korean espionage activity from June through September 2023. The campaign impersonated officials from South Korea's Ministry of Foreign Affairs and Ministry of Unification, s…