Microsoft assesses Onyx Sleet as a North Korean threat actor conducting cyber espionage against military, defense, technology, engineering, and energy targets, with primary activity in India, South Korea, and the United States. The actor historically used…
2024: 654 reports
ASEC reports malicious LNK files being distributed against domestic financial companies through emails containing a URL that downloads a ZIP named as a financial-authority project information request. The archive contains a decoy PDF about virtual-currenc…
The joint CISA advisory attributes ongoing espionage to Andariel, also tracked as Onyx Sleet, DarkSeoul, Silent Chollima, Stonefly, and Clasiopa, under North Korea's RGB 3rd Bureau. The group targets defense, aerospace, nuclear, engineering, medical, and …
Mandiant assesses APT45 as a long-running North Korean cyber operator active since at least 2009 and supporting DPRK priorities. The group began with espionage against government and defense targets, later expanded into financial-sector activity, and is s…
A Konni-themed intrusion used a ZIP lure impersonating a Bithumb cryptocurrency-exchange information update request tied to financial-authority project reporting. The archive contained a decoy PDF and a large Windows shortcut disguised as an Excel file, w…
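The two LNK-in-ZIP lures above (the financial-authority project request in the ASEC item and the Bithumb-themed one here) share a shape that a mail gateway or sandbox can check for: an archive carrying a decoy PDF and an oversized Windows shortcut whose name ends in a document extension. The Python script below is an added example, not code from ASEC or any report listed on this page. It builds a constructed archive of that shape in memory and flags the shortcut by its ShellLinkHeader magic, its padded file name, and its size; the 1 MiB threshold, the file names, and the extension list are assumptions.

```python
import io
import os
import zipfile

# A ShellLinkHeader begins with HeaderSize 0x4C followed by the fixed LinkCLSID
# {00021401-0000-0000-C000-000000000046} (MS-SHLLINK).
LNK_HEADER_SIZE = b"\x4c\x00\x00\x00"
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
# Assumed threshold for this example: a real shortcut is a few KB; lure
# shortcuts padded to look like documents are far larger.
LNK_SIZE_THRESHOLD = 1024 * 1024
DOC_EXTS = (".xlsx", ".xls", ".docx", ".doc", ".pdf", ".hwp", ".txt")


def is_lnk(head: bytes) -> bool:
    """True if the first 20 bytes match a Windows shell link header."""
    return head[:4] == LNK_HEADER_SIZE and head[4:20] == LNK_CLSID


def classify_entry(name: str, head: bytes, size: int,
                   size_threshold: int = LNK_SIZE_THRESHOLD) -> list[str]:
    """Return the reasons an archive entry looks like a disguised shortcut."""
    reasons = []
    stem, ext = os.path.splitext(name.lower())
    if is_lnk(head):
        reasons.append("lnk_header")
    if ext == ".lnk":
        reasons.append("lnk_extension")
    if not reasons:
        return reasons  # not a shortcut at all, nothing more to say
    # "report.xlsx          .lnk": a document extension hidden behind padding
    if stem.rstrip().endswith(DOC_EXTS):
        reasons.append("document_extension_in_name")
    if size >= size_threshold:
        reasons.append("oversized")
    return reasons


def scan_archive(zip_bytes: bytes) -> list[dict]:
    """Scan every file in a ZIP and report entries that look like shortcut lures."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(20)  # only the header is needed for the magic check
            reasons = classify_entry(info.filename, head, info.file_size)
            if reasons:
                findings.append({"name": info.filename,
                                 "size": info.file_size,
                                 "reasons": reasons})
    return findings


def build_sample_archive() -> bytes:
    """Constructed test input: a decoy PDF plus a padded LNK posing as an Excel file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("virtual_asset_guidance.pdf", b"%PDF-1.4\n% decoy body\n")
        fake_lnk = LNK_HEADER_SIZE + LNK_CLSID + b"\x00" * (2 * 1024 * 1024)
        zf.writestr("project_info_request.xlsx" + " " * 40 + ".lnk", fake_lnk)
    return buf.getvalue()


if __name__ == "__main__":
    for hit in scan_archive(build_sample_archive()):
        print(f"{hit['name']!r}: {hit['size']} bytes, {', '.join(hit['reasons'])}")
```

The header check matters more than the extension check: Explorer hides the `.lnk` suffix by default, so the padded name is what the victim sees, while the 20-byte magic is what the file actually is.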
Stacklok reports that the npm package next-react-notify, published on 22 July 2024, copied the popular call-bind package and added a preinstall script that executed and deleted a downloader. On Windows systems, the script wrote execu.bat and yui.ps1, fetc…
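An install-time hook like the one Stacklok describes is visible in the package manifest before anything runs, because npm executes the `preinstall`, `install`, `postinstall` and `prepare` scripts of a dependency automatically during `npm install`. The Python audit below is an added example, not Stacklok's tooling, that flags lifecycle scripts matching fetch-and-run heuristics. Both manifests are constructed, and the pattern list is an assumption for illustration, not a reconstruction of the actual next-react-notify script, which the summary does not reproduce.

```python
import json
import re

# Hooks npm runs without the user asking for them when a dependency is installed.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Assumed heuristics for this example: behaviour typical of install-hook droppers.
SUSPICIOUS = [
    (r"\b(curl|wget|Invoke-WebRequest|iwr|certutil)\b", "network_download"),
    (r"\b(powershell|pwsh|cmd(\.exe)?)\b", "shell_interpreter"),
    (r"\.(bat|ps1|vbs)\b", "script_dropper"),
    (r"\bnode\s+-e\b", "inline_node_eval"),
    (r"\b(del|rm|Remove-Item)\b", "self_delete"),
]


def audit_scripts(package_json: str) -> dict[str, list[str]]:
    """Map each lifecycle hook to the heuristic labels its command triggers."""
    manifest = json.loads(package_json)
    scripts = manifest.get("scripts", {})
    hits = {}
    for hook in LIFECYCLE_HOOKS:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        labels = [label for pattern, label in SUSPICIOUS
                  if re.search(pattern, cmd, re.IGNORECASE)]
        if labels:
            hits[hook] = labels
    return hits


# Constructed manifests (not real packages).
BENIGN_MANIFEST = json.dumps({
    "name": "example-lib",
    "version": "1.0.0",
    "scripts": {"test": "node test.js", "prepare": "tsc -p ."},
})

HOSTILE_MANIFEST = json.dumps({
    "name": "example-lookalike",
    "version": "1.0.1",
    "scripts": {
        # Constructed stand-in for a preinstall dropper that runs a batch
        # file and then deletes it; the real script is not reproduced here.
        "preinstall": "node -e \"require('child_process')"
                      ".execSync('cmd /c execu.bat && del execu.bat')\"",
    },
})


if __name__ == "__main__":
    print("benign :", audit_scripts(BENIGN_MANIFEST))
    print("hostile:", audit_scripts(HOSTILE_MANIFEST))
```

Run this over the `package.json` inside each tarball from `npm pack` before the package is installed; as a blanket control, `npm install --ignore-scripts` stops lifecycle hooks from running at all, at the cost of breaking packages that legitimately build in `prepare`.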
If this phishing site is indeed Kimsuky's work and tied to North Korea, targeting institutions that share information with the state may be an easier route than directly attacking national institutions. Hacker Targeting Educational Institutions, …
KnowBe4 describes a North Korean fake IT worker case in which a newly hired software engineer received a company Mac and immediately attempted to load malware. The company's EDR alerted the SOC, which contained the device after the user gave evasive expla…
North Korean state-sponsored hackers used a fake Microtalk video-calling service to deliver an updated BeaverTail infostealer to macOS users. The lure appears designed around job interview preparation, persuading victims to download software even though t…
The excerpt attributes to Kimsuky a credential-phishing page that impersonated Korea University’s knowledge-based portal. The phishing URL hxxp://osihi(.)store/korea/Intro(.)kpd(.)html reused university-themed navigation, sending many menu items to …
The Coinmonks investigation attributes suspicious developer, recruiter, company, and GitHub activity to Lazarus Group with moderate confidence, linking it to Contagious Interview and Wagemole style campaigns. The source describes fake GitHub identities, h…
QuillAudits analyzes the July 2024 WazirX theft, where attackers stole more than $235 million by turning a Safe multisig wallet upgrade path against the exchange. The attackers deployed a phishing contract eight days before the theft, collected the requir…
Liminal says the WazirX incident affected a single imported Gnosis SAFE smart contract wallet rather than Liminal-hosted wallet infrastructure. Its investigation attributes the attack path to three compromised WazirX signer devices that injected malicious…
CYFIRMA's Q2 2024 APT roundup says North Korean operators intensified espionage and financially motivated activity during the quarter. The DPRK section names Kimsuky, also tracked as Springtail, targeting South Korea with the Gomir backdoor, ReconShark ac…
WazirX lost about $235 million after attackers took control of its Safe multisig wallet and drained funds to a main attack address. The source says the operators prepared with small test transactions, likely compromised two private keys, and phished two a…