The analysis covers a Windows LNK sample whose TTPs are assessed by the author as consistent with Kimsuky or another DPRK-based actor. The shortcut uses mshta.exe and JavaScript arguments to reach 64.49.14.181, retrieve a Base64-encoded ZIP, write it as C…
The report describes a North Korea-linked Kimsuky phishing site apparently aimed at Yonsei University users. The observed infrastructure used a lookalike drive-themed URL under drive-yonsei-ac-kr.bit-albania.com and attempted to mimic a Chrome or Google s…
Pyongyang Papers links DPRK IT worker Sin Chong Min to a network of IT workers conducting activity associated with Microsoft’s Moonstone Sleet cluster. The article describes North Korean workers using fake or stolen identities, laptop farms, and remote so…
CoinDesk reports a cryptocurrency theft against DeltaPrime in which more than $6 million in tokens were drained after an apparent private-key leak. Security researchers described suspicious transactions and an attacker gaining control of an admin proxy be…
DeltaPrime Blue on Arbitrum lost $5.98 million after a compromised admin address was used to upgrade proxy contracts to a malicious implementation. The attacker inflated deposit balances across pools, made 57 withdrawals, and moved USDC, WBTC and WETH int…
The source analyzes a Kimsuky MSC attack sample and explains how malicious Microsoft Management Console files can be abused for code execution and defense evasion. It references the GrimResource technique while noting that this sample uses a different att…
DPRK cryptocurrency theft is described as a major threat to blockchain adoption because stolen and laundered virtual assets help the regime evade sanctions and fund its weapons programs. The excerpt cites a March 2024 UN DPRK Sanctions Committee Panel of …
ENKI analyzes RokRAT activity that uses malicious LNK files as an initial execution mechanism, a technique increasingly observed after Microsoft restricted Office macros and began phasing out VBScript. The source says attackers commonly deliver archives c…
A leaked North Korean email client is shown as a Windows application made up of MailClient.exe, DLLs, and a configuration file, with hashes provided for the main executable and dskinliteud.dll. String analysis indicates use of the Chilkat library and refe…
The source documents a malicious MSC downloader using a decoy theme related to North Korean suicide drones. The report identifies the sample as Downloader.S.MSC.146707 and lists command-and-control style URLs on petssecondchance.larcity.dev that retrieve …
A Kimsuky-attributed Windows MSC file is presented as a Twitch and LootLabs event lure and uses a Microsoft Word icon to make the console file appear legitimate. The embedded task launches PowerShell with a hidden window and downloads a remote script from…
Lazarus is described as targeting Python developers through the VMConnect campaign by posing as recruiters and sending victims to fake GitHub coding-test projects. The lure commonly impersonates major U.S. banks such as Capital One and uses LinkedIn job o…
The UK OFSI advisory says UK firms are almost certainly being targeted by DPRK IT workers posing as freelance third-country technology workers to generate revenue for the North Korean regime. The workers are assessed as using online freelance platforms, f…
The Contagio post preserves Lazarus-linked BEAVERTAIL and INVISIBLE_FERRET sample information tied to the Contagious Interview and Wagemole activity described by Unit 42. The lure set targets job seekers and software developers with fake employer intervie…
Jamf observed DPRK-aligned social engineering against cryptocurrency and developer targets shortly after an FBI warning about North Korean targeting of the crypto sector. In the case described, a LinkedIn recruiter persona sent a zipped Visual Studio codi…