APT37, also known as ScarCruft, was observed exploiting CVE-2024-38178 in JScript9.dll against a specific organization in South Korea in June 2024. The intrusion abused a hacked domestic advertising-agency server to insert malicious code into ad_toast.htm…
ThreatBook reports that Lazarus is still running cryptocurrency theft operations through fake job offers and project opportunities on LinkedIn, X, Facebook, GitHub, Stack Overflow, and related recruiter channels. Victims are pushed toward malicious crypto…
AhnLab reports that Kimsuky has used LNK-based spear-phishing to install PowerShell malware and maintain execution through scheduled VBS scripts. The activity downloads additional payloads, commonly including RDP Wrapper, to enable remote control of compr…
ZachXBT alleges that Chinese OTC trader Yicong Wang helped Lazarus Group convert tens of millions of dollars in stolen cryptocurrency to cash through bank transfers and off-platform P2P trades since 2022. The thread links Wang to Tron and Ethereum wallets…
Kaspersky linked a Manuscrypt infection on a Russian user's PC to Lazarus activity delivered through detankzone[.]com, a fake DeFi NFT MOBA tank-game site. Visiting the site triggered hidden JavaScript that exploited a Google Chrome zero-day to gain remot…
Allegations around the Cosmos Liquid Staking Module centered on claims that developers later linked to North Korea contributed heavily to LSM code before leaving the project in December 2022. The excerpt says the FBI warned Zaki Manian about DPRK links in…
Tapioca DAO lost about $4.4 million after a social-engineering-linked compromise of contract ownership on Arbitrum enabled theft of TAP and USDO-related funds. The attacker abused the TAP vesting contract's Emergency Rescue function to withdraw roughly 30…
This breach occurred during a routine multi-signature emissions adjustment process, which takes place periodically to adapt to market conditions and utilization rates. The malicious actors exploited this normalcy, using the process to collect multiple com…
Logpresso describes a CTI report focused on attribution methodology for North Korean cyber operations and defensive coverage for attacks that occur during weekends or early-morning hours. The source says the report examines how North Korean attacker infor…
Rekt reports that Radiant Capital lost more than $53 million after an attacker gained control of at least three signers in the protocol's 3-of-11 multisig setup. The attacker transferred ownership of lending pool contracts to malicious contracts, upgraded…
Pyongyang Papers alleges that Guinea Information Technology Development Corporation and N’deye & Tou Dista Corporation contracted at least 70 North Korean IT workers, extending a sanctions evasion model that sends overseas developers to earn revenue for P…
eSentire responded to a September 2024 incident in which a developer downloaded a malicious NFT marketplace project from GitHub and installed BeaverTail masquerading as an NPM package through Visual Studio Code. The package launched a JavaScript file from…
A suspected Kimsuky LNK sample named 241007.lnk uses a Korean tourism and travel-study lure aimed at Russian-speaking users. The shortcut executes PowerShell, searches for a matching large .lnk file, extracts embedded data into a PDF decoy, and writes a w…
Secureworks describes DPRK-linked IT worker schemes in which North Korean nationals use stolen or falsified identities to obtain jobs at Western companies, including organizations in the United States, the United Kingdom, and Australia. Recent cases escal…
S2W analyzes CVE-2024-38178, a JScript9.dll type-confusion flaw patched by Microsoft in August 2024 and exploited in June against specific South Korean organizations. The activity is attributed in the source to APT37, also tracked as ScarCruft, and abused…