Nexera's post-mortem says an external actor used compromised credentials to take control of Fundrs smart contracts and transfer 47.24 million NXRA tokens from Ethereum staking contracts on 7 August 2024. Nexera paused NXRA and NAI token contracts across m…
Nexera's malware analysis says the 7 August 2024 incident began with a LinkedIn approach offering paid smart contract consulting work, followed by a GitHub skills-test repository that the victim cloned and executed. The code ran a local web server on port…
Donga reports that a South Korean defense-industry subcontractor was hacked and that authorities suspect North Korean involvement. The stolen material reportedly involved technical data and operations or maintenance manuals connected to Baekdu and Geumgan…
AhnLab's July 2024 domestic APT trend report summarizes monitored attacks against South Korean targets and includes indicators such as related domains, URLs, and IP addresses. The report highlights spear phishing as a prominent initial access method, expl…
The Justice Department charged Nashville resident Matthew Isaac Knoot for allegedly helping North Korean IT workers obtain remote jobs at U.S. and U.K. companies under a stolen U.S. identity. Prosecutors say Knoot hosted a laptop farm at his residences, i…
Checkmarx describes a nearly year-long North Korean campaign that publishes malicious npm packages to compromise developers, with a July 2024 surge reported by multiple security firms. The packages are often short-lived because the actors unpublish them q…
Resilience says an OPSEC mistake in late July 2024 exposed Kimsuky source code, credentials, traffic logs, and notes showing phishing operations against university staff, researchers, and professors. The campaign used compromised staging hosts, including …
CrowdStrike reports that FAMOUS CHOLLIMA malicious insiders obtained remote IT roles at more than 100 companies, mostly U.S. technology organizations, and affected sectors including aerospace, defense, retail, and technology. After gaining employee-level …
A Kimsuky-attributed malware analysis describes a JavaScript or JSE-style sample named Min Hyeji2.jre and provides MD5, SHA-1, and SHA-256 hashes. The reported execution chain uses WScript, hidden PowerShell, and certutil decoding to stage files under Pro…
A joint South Korean cyber security advisory warns that North Korean hacking groups are targeting the construction and machinery sectors to steal technical information. The advisory attributes the activity to Kimsuky and Andariel under the Reconnaissance …
The source analyzes the WazirX crypto exchange exploit in which more than $230 million in customer assets was drained from a multisig account. It argues that governance, branding, and signer-control weaknesses may have contributed to the security failure,…
Datadog found two npm packages, harthat-hash and harthat-api, published on July 7, 2024 by nagasiren978, that used preinstall scripts to run malicious JavaScript on installation. The packages copied legitimate node-config code but added deference.js and p…
The excerpt analyzes a Kimsuky-attributed PowerShell backdoor that repeatedly connects to a server, sleeps between attempts, and continues until the server instructs it to close. The script generates a victim identifier from the host's MAC and IPv4 addres…
Mandiant attributed a long-running global espionage campaign to North Korea's APT45, also known as Andariel, operating under the Reconnaissance General Bureau since 2009. The activity targeted banks, defense firms, hospitals, government agencies, U.S. Air…
On December 11, 2023, Cisco Talos reported the discovery of an activity led by Andariel, a North Korean state-sponsored group known to be a subgroup of the notorious Lazarus group, which employed three new DLang-based malware families. This activity consists of…