NSHC's July 2024 threat-actor report identifies four SectorA groups in North Korea-linked activity. SectorA01 posed as hiring managers and used compressed files named as hiring tests or source-code review tests to induce malicious script execution across …
NSHC's August 2024 threat-actor intelligence report summarizes activity from 29 tracked hacking groups, with SectorA clusters representing multiple North Korea-linked operations. The North Korea section describes SectorA02 activity in South Korea involvin…
DPRK-linked CL-STA-0240 Contagious Interview operators are posing as recruiters on job platforms and social media to push fake video-call applications to technology job seekers. Unit 42 observed newer Qt-based BeaverTail builds for macOS and Windows, incl…
The crypto community is facing a new kind of threat—North Korean devs are infiltrating crypto companies to steal millions and funnel funds back to the regime in order to bypass sanctions. In this episode, Sam Kessler, CoinDesk’s deputy managing editor for…
Scan-and-exploit and stolen credentials remain top IAVs in ransomware attacks, accounting for nearly 72% of known IAVs. Law enforcement targeting of ransomware groups caused disruption and fragmentation, prompting new threat actor behaviors. Hacktivists c…
Carnegie assesses cooperation among China, Russia, Iran, and North Korea as a strategic risk for the United States, while warning that the four states are not yet a coherent bloc. The North Korea-relevant section says Iran and North Korea have shared defe…
A Kimsuky-linked LNK file named 20241003_20134.docx.lnk is analyzed as a Windows shortcut lure that abuses mshta.exe to launch obfuscated JavaScript and PowerShell. The script connects to 206.206.127.152 on port 9002, stages a ZIP under C:\ProgramData, ex…
IGLOO reviews North Korea-linked intrusion clusters including Kimsuky, Lazarus, and Konni, explaining how vendors map overlapping malware, tactics, and naming schemes into actor clusters such as APT37, APT38, Chollima-branded groups, and Microsoft weather…
Virus Bulletin slides describe practical methods for tracking APT malware and infrastructure, with a Lazarus campaign using BeaverTail as the DPRK-relevant example. The deck points to AV and specialized signatures for finding related Lazarus samples, then…
North Korea-linked Vedalia, also tracked as APT37, ScarCruft, and Reaper, is reported to have deployed the previously undocumented VeilShell backdoor in activity targeting Southeast Asian countries. The infection chain begins with spear-phishing emails ca…
U.S. prosecutors filed a civil forfeiture complaint for Bitcoin and BTC.b held at Cryptocurrency Bridge-1 and tied the funds to alleged computer-fraud, wire-fraud, and money-laundering offenses. The filing says the FBI was investigating virtual-currency h…
U.S. prosecutors filed a civil forfeiture complaint seeking about 1.69 million USDT tied to alleged wire-fraud, money-laundering, and computer-intrusion offenses. The filing says the funds were seized from five Tether wallet addresses controlled by member…
Genians analyzes Kimsuky BlueShark activity, describing the group's continued use of varied malware delivery formats including LNK, ISO, MSC, and HWP files in South Korea-focused APT operations. The report links BlueShark to the broader BabyShark family, …
NTT Security Holdings attributes recent DarkPlum activity to a DPRK-linked cyber espionage group also known publicly as Kimsuky and APT43. The group targets government, military, academic, and think-tank organizations across South Korea, Japan, Europe, an…
Elastic describes KANDYKORN as a macOS backdoor found during an intrusion targeting engineers at a major cryptocurrency exchange platform. The malware uses a feature-rich, multi-stage loader and a custom network protocol to support post-compromise activit…