DeltaPrime published an exploit-aftermath thread describing its investigation and planned reimbursement response after a cryptocurrency incident. The archived text states that the team aimed to exhaust leads on the attack vector, learn from the compromise…
The North Korean APT group Sparkling Pisces (aka Kimsuky, THALLIUM, Velvet Chollima) is known for its sophisticated cyberespionage operations and advanced spear phishing attacks. The threat actor delivered the PowerShell keylogger, which an earlier report…
Kimsuky is linked in the excerpt to a malicious LNK file disguised as a subsidy-application inquiry document, with SHA-256 24a0124e2e38407f2062dc2bfb0bd474413a10d80ef8e1913ecfa699d962229f. The LNK invokes mshta.exe and obfuscated script content to run Pow…
North Korean actors distributed PondRAT through malicious Python packages uploaded to PyPI, targeting developers and the software supply chain. The packages posed as legitimate libraries but triggered malware installation on developer systems after use. P…
Mandiant describes UNC5267, a DPRK IT worker operation in which North Korean personnel use stolen or fabricated identities to obtain remote jobs, especially in Western technology companies. Facilitators help the workers launder money or cryptocurrency, re…
BingX reported abnormal network access on September 19 after attackers drained about $44.7 million from hot wallets across Ethereum, BNB Chain, Polygon, and other networks. Public tracking by Tayvano, PeckShield, Cyvers, SlowMist, and others identified mu…
Kimsuky is linked in the excerpt to a malicious LNK file disguised as an Upbit cryptocurrency-exchange document, with SHA-256 41cf6298a41c27357ee5f70d8cd1c0bd48698fc30c4255fad6a91798286e5229. The shortcut uses mshta.exe to launch obfuscated JavaScript and…
UNC2970, a North Korean-linked cluster associated in the excerpt with Lazarus Group, TEMP.Hermit, and Diamond Sleet, used job-themed phishing to target senior employees in the energy and aerospace sectors. Victims were sent tailored recruiter lures and ma…
Black Cell demonstrates an infrastructure-hunting workflow that pivots from a tweet linking domains to Kimsuky/APT43 into Validin passive DNS data. Starting with wetax-pay[.]online, the hunt follows historical resolutions to 154.90.63[.]101 and identifies…
NSHC's June 2024 threat actor report includes four SectorA clusters active across Australia, Argentina, Turkey, Israel, the Philippines, France, the United States, South Korea, Germany, China, and other countries. SectorA01 used recruiter and hiring-test …
KnowBe4 describes a North Korean fake IT worker case in which a remote employee persona passed interviews and background checks using stolen U.S. identity details and an AI-enhanced profile photo. After receiving a company Mac, the actor attempted to inst…
AhnLab reports a Kimsuky-linked spearphishing case that used lecture-request lures with HWP documents and MSC files to download additional malicious components. The source says the malware stores attacker-controlled scripts on the victim PC for repeated e…
Unit 42 links a poisoned PyPI package campaign to Gleaming Pisces, also known as Citrine Sleet, with medium confidence based on code similarities and prior attribution. Malicious packages such as real-ids, coloredtxt, beautifultext, and minisound executed…
Elastic analyzes DPRK social engineering that uses Python coding challenges as initial-access lures against secured networks. The example ZIP, presented as a Capital One interview task, contains a PasswordManager application with Pyperclip modules that hi…
Mandiant tracked a suspected North Korea-nexus group, UNC2970, using recruiter personas and tailored job descriptions to target senior employees in U.S. critical infrastructure, energy, and aerospace organizations. The lure arrived through email and Whats…