The FBI warns that DPRK cyber actors are running tailored social engineering campaigns against DeFi, cryptocurrency, ETF-related, and similar financial technology businesses to deploy malware and steal cryptocurrency. The actors conduct pre-operational re…
2024 (654 reports)
Cisco Talos identified MoonPeak as a new RAT family derived from the open-source XenoRAT codebase and attributed its development to North Korean state-sponsored group UAT-5394. The campaign shows UAT-5394 moving from cloud-service reliance toward actor-co…
Contagio Dump provides a sample collection for North Korea-linked Citrine Sleet and Lazarus FUDMODULE bring-your-own-vulnerable-driver rootkit activity spanning 2022 to 2024. The excerpt references Microsoft's reporting on Citrine Sleet exploiting a Chrom…
Sands Lab analyzed a Konni-linked campaign that used South Korea value-added tax filing themes to lure users into opening a malicious LNK file disguised as a HWP document. The LNK extracted an obfuscated PowerShell script, dropped a decoy document and Byi…
A Korean malware analysis describes a second Kimsuky-linked MSC sample using the same aerospace lecture request theme but a different hash, including SHA-256 83457462d1885acce9f4e46ad4053d050d3b0c7f3935b61f378e52f0eed5a68b. The MSC runs cmd.exe with a min…
Microsoft identified North Korean exploitation of Chromium zero-day CVE-2024-7971 on August 19, 2024, targeting the cryptocurrency sector for financial gain. The company attributes the activity to a North Korean actor with high confidence and to Citrine S…
A Korean malware analysis attributes an MSC sample to Kimsuky activity targeting aerospace-related personnel with a lecture request lure impersonating a KAIST aerospace professor's speaking engagement. The MSC launches cmd.exe in a minimized window, downl…
Phylum reports a renewed August 2024 wave of North Korea-aligned npm activity aimed at developers, with packages including temp-etherscan-api, ethersscan-api, telegram-con, qq-console, helmet-validate, and sass-notification. The qq-console and related pac…
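A practitioner reading the Phylum entry above will want to know whether any of the named packages reached their own projects. The following Node.js script is an added example, not code from Phylum or from the original page: it takes a project's package.json and package-lock.json and reports any direct or transitive occurrence of the six package names the entry lists. Only those names come from the page; the sample manifests are constructed input, and the function names (scanProject, collectLockedPackages, runSample) are this example's own.

```javascript
// Added example (not from the original page): flag the npm package names
// Phylum attributed to the August 2024 DPRK-aligned wave in a project's
// manifests. The name list is from the page; everything else is assumed.
const REPORTED_PACKAGES = new Set([
  "temp-etherscan-api", "ethersscan-api", "telegram-con",
  "qq-console", "helmet-validate", "sass-notification",
]);

// Collect every installed package name from a package-lock.json, handling
// both the lockfileVersion 2/3 "packages" map and the v1 "dependencies" tree.
// Returns Map<name, Set<version>> so repeated/nested installs are all kept.
function collectLockedPackages(lock) {
  const names = new Map();
  const add = (name, version) => {
    if (!names.has(name)) names.set(name, new Set());
    names.get(name).add(version || "unknown");
  };
  if (lock.packages) {
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (path === "") continue; // root project entry, not a dependency
      // "node_modules/a/node_modules/b" -> "b"; "@scope/pkg" keeps its scope
      const marker = "node_modules/";
      const name = entry.name || path.slice(path.lastIndexOf(marker) + marker.length);
      add(name, entry.version);
    }
  }
  if (lock.dependencies) {
    const walk = (deps) => {
      for (const [name, entry] of Object.entries(deps)) {
        add(name, entry.version);
        if (entry.dependencies) walk(entry.dependencies); // nested v1 deps
      }
    };
    walk(lock.dependencies);
  }
  return names;
}

// Returns a list of {name, where, version} findings. Direct declarations are
// checked in package.json; transitive installs are caught via the lockfile.
function scanProject(packageJsonText, lockText) {
  const pkg = JSON.parse(packageJsonText);
  const lock = JSON.parse(lockText);
  const findings = [];
  const fields = ["dependencies", "devDependencies", "optionalDependencies", "peerDependencies"];
  for (const field of fields) {
    for (const [name, range] of Object.entries(pkg[field] || {})) {
      if (REPORTED_PACKAGES.has(name)) {
        findings.push({ name, where: `package.json ${field}`, version: range });
      }
    }
  }
  for (const [name, versions] of collectLockedPackages(lock)) {
    if (!REPORTED_PACKAGES.has(name)) continue;
    for (const v of versions) findings.push({ name, where: "package-lock.json", version: v });
  }
  return findings;
}

// Constructed sample input (assumption, not a real project): one reported
// package declared directly, a second pulled in transitively under it.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "defi-dashboard", version: "1.0.0",
  dependencies: { express: "^4.19.2", "helmet-validate": "^1.0.3" },
  devDependencies: { prettier: "^3.3.3" },
});
const SAMPLE_LOCK = JSON.stringify({
  name: "defi-dashboard", lockfileVersion: 3,
  packages: {
    "": { name: "defi-dashboard", version: "1.0.0" },
    "node_modules/express": { version: "4.19.2" },
    "node_modules/helmet-validate": { version: "1.0.3" },
    "node_modules/helmet-validate/node_modules/qq-console": { version: "1.0.0" },
    "node_modules/prettier": { version: "3.3.3", dev: true },
  },
});

function runSample() {
  return scanProject(SAMPLE_PACKAGE_JSON, SAMPLE_LOCK);
}

console.log(JSON.stringify(runSample(), null, 2));
```

Scanning the lockfile rather than only package.json matters here: a reported package can arrive as a transitive dependency of something that looks harmless, and names such as ethersscan-api are chosen to resemble legitimate ones, so an exact-name check against the reported list should be run in CI on every lockfile change rather than eyeballed.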
NSHC's July 2024 monthly threat actor report includes SectorA activity that aligns with North Korea-focused tracking. SectorA01 used recruiter-themed archives with job tests or source code review tests to lure victims in France, Pakistan, Malaysia, Taiwan…
KR-CERT warns that DrSoft NetClient5 versions before 5.7.0 contain arbitrary command execution and arbitrary file creation vulnerabilities. NetClient5 is described as an integrated security management solution for asset management, so vulnerable deploymen…
Hauri describes the BabyShark campaign as active since 2018 and continuing through recent activity. The excerpt says earlier BabyShark activity used HWP files with OLE objects along with BAT and VBS files, but newer activity shifted techniques to evade se…
A Korean malware analysis describes a WerFault.lnk sample assessed by the author as likely tied to a North Korean APT, while the exact cluster remains uncertain among Lazarus, Kimsuky, Konni, or another DPRK-linked group. The LNK copies the legitimate Win…
NSHC ThreatRecon’s June 2024 monthly intelligence highlights four SectorA groups with activity across South Korea and several other regions, using phishing and social engineering against political, diplomatic, military, and financially relevant targets. S…
MITRE identifies Moonstone Sleet as a North Korean-linked threat actor conducting both financially motivated operations and espionage, with earlier overlap with Lazarus Group before its tradecraft diverged in 2023. The group uses fake companies, personas,…
ZeroShadow describes DPRK IT-worker infiltration against crypto and DeFi organizations, using fake identities to obtain developer roles, collect salaries, and create insider access. The DeltaPrime case identified three DPRK-associated developers who had w…