Use extended detection and response (XDR) and antimalware: implement software to detect and automatically block attacks and provide insights to the security operations software.
« 2023 »
627 reports
S2W's Virus Bulletin paper attributes Cumulus, also called RambleOn, to Scarcruft/APT37 and frames it as an Android extension of the group's ROKRAT tooling. The malware has targeted individual Android users since at least 2019, building on earlier Scarcru…
Volexity's Virus Bulletin paper profiles SharpTongue, a North Korean threat actor often grouped under Kimsuky, through years of observed spear phishing, malware, C2 infrastructure, and incident response cases. SharpTongue targets people with access to Nor…
The 3CX compromise is presented as a chained supply-chain attack in which a trojanized Trading Technologies X_TRADER installer first infected a 3CX employee’s personal machine. Mandiant attributed the activity to a suspected North Korean actor tracked as …
The biggest rise in cross-chain crime is apparent in the field of crypto thefts, scams and Ponzi schemes, and in illicit laundering perpetrated by North Korea’s Lazarus Group. Our latest figures suggest that it is fast becoming the preferred money laundering …
ESET's Virus Bulletin paper details Lazarus campaigns and backdoors observed in 2022 and 2023, tying activity to a North Korea-aligned threat actor through toolset similarities, shared infrastructure, telemetry, and related clustering. The excerpt describ…
The research traces how APT37-linked Android ROKRAT appears to have evolved into RambleOn, a more capable Android spyware family observed from 2019 through 2023. Early ROKRAT Android samples were described as backdoor or dropper tools, while RambleOn adde…
South Korea's National Intelligence Service warned that North Korean hacking groups were repeatedly targeting domestic shipbuilders in August and September 2023. The agency said the attackers tried to compromise IT maintenance vendors for indirect access …
AhnLab analyzes Lazarus malware families Volgmer and Scout, describing Volgmer as a backdoor used from 2014 through about 2021 and Scout as a downloader observed from around 2022. The report links Scout to attacks that exploited vulnerabilities in Korean …
This technical analysis report delves into the intricate details of the Konni APT Group's most recent attack, dissecting their attack chain and conducting an in-depth analysis of the malware involved. Among these, the Konni APT Group has emerged as a nota…
The name for Operation DreamJob was coined in a blogpost by ClearSky from August 2020, describing a Lazarus campaign targeting defense and aerospace companies, with the objective of cyberespionage. Lazarus operators obtained initial access to the company’…
InQuest describes DPRK-linked threat actors as part of a broader shift toward evasive, multilayered file-borne intrusion chains in a post-macros threat landscape. The excerpt identifies APT38 as a DPRK-directed group pursuing high-yield financial theft op…
An investigation at a Russian industrial enterprise found a previously unseen modular backdoor, MataDoor, running with filenames chosen to mimic legitimate software and, in some cases, valid Sectigo signatures and Themida packing. The suspected initial ac…
This unfortunate event marks the second significant cryptocurrency breach in Hong Kong this month, underscoring the persistent challenges faced in safeguarding digital assets, despite regulatory efforts. The address Exploiter 2 received more than 23.5 mil…
Jamf summarizes Lazarus tradecraft against macOS, including Operation Dream Job cryptocurrency job lures and supply chain intrusions. In the Coinbase-themed chain, LinkedIn spearphishing led victims to a malicious PDF and a signed FinderFontsUpdater app t…