Kaspersky ICS CERT's Q2 2024 industrial-threat roundup describes several North Korea-linked operations against South Korean and industrial targets. AhnLab reported Andariel attacks on education, manufacturing, and construction organizations using a keylog…
Kandji analyzed a macOS application named OSX-PDF-Viewer after VirusTotal detections labeled it as DPRK-attributed malware and researchers noted overlap with RustBucket artifacts. The app is an ad hoc-signed Swift PDF viewer based on an old open-source pr…
Securonix describes SHROUDED#SLEEP, an ongoing campaign likely attributed to North Korea's APT37, delivering the VeilShell PowerShell backdoor against Southeast Asian targets with Cambodia as a primary focus. The infection chain begins with phishing lures…
Kimsuky used weak or misconfigured DMARC policies to support spear phishing against think tank, media and academic targets, according to the Barracuda writeup and the FBI/NSA advisory it cites. The campaign spoofed credible domains such as universities or…
CoinDesk found that more than a dozen crypto companies, including Cosmos Hub, Injective, ZeroLend, Fantom, Sushi and Yearn Finance, had unknowingly hired DPRK IT workers using fake identities, reference checks and GitHub work histories. The workers target…
Symantec observed North Korea-linked Stonefly, also known as Andariel, APT45, Silent Chollima, and Onyx Sleet, conducting intrusions against three U.S. private-sector organizations in August 2024 after a U.S. indictment named an alleged group member. The …
This campaign employed novel techniques, such as disguising malware as installation files for South Korea’s electronic document security programs to steal from the GPKI folder, used by government administrative and public institutions in South Korea, and …
While the scale of the IT Workers is in itself an issue, 2024 has shown that IT Workers are increasingly engaged in, or adjacent to, malicious activities that extend beyond illegal employment, including: cryptocurrency heists, malware campaigns, and extor…
Elastic Security Labs' 2024 Global Threat Report uses telemetry from more than a billion data points to describe broad abuse of off-the-shelf security tools, cloud misconfiguration, credential access, and AI-adjacent social-engineering and malware-develop…
Germany's security advisory warns that North Korean intelligence services use undercover remote IT workers to earn foreign currency for the regime. The activity targets companies worldwide through freelancer or remote-work arrangements and can expose empl…
The source analyzes a Kimsuky PowerShell malware sample associated with North Korean activity. The archive preserves technical evidence rather than a narrative article, including SHA-256 hash 751698edee5ec4c46fddaa995f120984dfd551e1f68fc2d0fea7bfe1a8868c8…
PolySwarm summarizes Unit 42 reporting on Labyrinth Chollima using poisoned Python packages on PyPI to deliver PondRAT to developer systems. The campaign targets software development supply chains by running an encoded next stage during package installati…
Truflation's clearinghouse describes a September 2024 hack response centered on wallet tracing, blacklisting and a public bounty. The team said no user funds were compromised, but it tracked attacker-controlled wallets and reported that 1.37 million DAI w…
ZDF and Spiegel reporting says North Korea-linked Kimsuky targeted the German defense company Diehl Defence in an espionage operation. The archived evidence describes fake job offers carrying spyware, credential-theft attempts, and a spoofed Diehl Defence…
The source analyzes XML malware attributed to Kimsuky that uses PowerShell to download and execute an external script with a hidden window. The XML content contains hex-encoded PE data that is reconstructed into a binary, saved as xBqz.mp3, renamed as an …