The report analyzes a Kimsuky-attributed text file containing PowerShell code that downloaded and executed additional scripts from Dropbox-hosted URLs. The script created msupdate.ps1 under the user's AppData path, registered a hidden scheduled task disgu…
SecAI analyzed a Kimsuky MSC lure that opened a forged document prompt, then released a PE file and encrypted configuration data for follow-on execution. The embedded code downloaded a decoy document and malicious components into user directories, created…
Lazarus is reported to have targeted at least two employees at an unidentified nuclear-related business in January 2024 through Operation Dream Job, also tracked as NukeSped. The campaign used fake skills tests and trojanized remote-access tools such as V…
This APT group was detected targeting the Russian diplomatic sector in January 2022, using a spear-phishing lure themed around New Year's Eve festivities as bait. The North Korean hacker group distributes Konni RAT via phishing messages or emails. KONNI has be…
AhnLab reports that Andariel continued attacks against South Korean enterprise software in late 2024, primarily installing SmallTiger through compromised or vulnerable management solutions. The cases include long-running exploitation of asset management s…
CryptoSlate reported that Hyperliquid lost more than $1 billion in total value locked after security concerns around North Korea-linked activity on the platform. Taylor Monahan identified a surge of transactions from addresses tied to North Korean hackers,…
The FBI, DC3, and Japan's National Police Agency attributed the May 2024 theft of 4,502.9 BTC from DMM Bitcoin to North Korean TraderTraitor activity, also tracked as Jade Sleet, UNC4899, and Slow Pisces. The intrusion began when an actor posing as a recr…
AhnLab ASEC analyzed Andariel attacks against South Korean enterprise software, including asset-management and document-centralization solutions, that deployed the SmallTiger malware. In asset-management cases, attackers appear to have abused control or u…
Lazarus is described as a North Korea-linked threat actor active since at least 2009, with activity spanning South Korea, the United States, Japan, and other countries. The excerpt says the group has targeted financial institutions, government agencies, m…
Kimsuky, also known as Black Banshee, is described as a North Korean state-sponsored APT active since at least 2012 and focused on cyber espionage against targets including South Korea, Japan, and the United States. The excerpt identifies phishing, malwar…
A Korean-language analysis attributes a malicious Windows CHM help file named confirmation.chm to Kimsuky and describes it as disguised as a financial transaction confirmation document. The file executes openCI.vbs from C:\Users\Public\Libraries, shows a …
Spur released a list of roughly 2,400 Astrill VPN IP addresses active as of December 19, 2024 because DPRK-linked remote worker personas have used the service to hide their locations. The post says intelligence and threat-analysis teams have observed Nort…
Kaspersky attributes a DeathNote, also known as Operation DreamJob, attack against at least two employees at the same nuclear-related organization to Lazarus. The delivery used IT skills-assessment archives tied to aerospace and defense job lures, includi…
Chainalysis reports that North Korea-affiliated hackers stole about $1.34 billion across 47 cryptocurrency hacks in 2024, representing 61% of the total stolen value and a major increase from the revised 2023 figure of $660.50 million. The DPRK-linked acti…
SecAI analyzed a Kimsuky ISO lure that masqueraded as RapportSetup and executed a malicious LNK and BAT script while also launching IBM Trusteer-branded legitimate software as cover. The BAT script checked for Avast and Kaspersky processes, then used curl…