NSHC's May 2024 ThreatRecon report identified five SectorA groups active across South Korea, the United States, Japan, Europe, and other regions, with targeting that included government, IT, manufacturing, construction, education, and cryptocurrency-adjac…
Elliptic describes Huione Guarantee as a Chinese-language online marketplace widely used by Southeast Asia scam operators, including pig-butchering groups. Merchants on the platform sell money laundering services, scam investment-site development, victim …
HackersEye describes an intrusion against an Israeli enterprise where an attacker used admin access to a Check Point firewall, moved from the GAIA web interface to SSH, and installed a malicious MeshAgent-based ELF implant. The implant disguised itself as…
The excerpt describes a DPRK TraderTraitor social-engineering operation against cryptocurrency-sector employees using fake professional personas and GitHub-based job or skills-test lures. In the shared case, the same LinkedIn persona approached two techni…
APT-Konni-related activity against South Korean targets used Korean-language CHM and LNK document lures to execute hidden script chains. The CHM example embeds an ActiveX object that writes Base64 content, decodes it with certutil into a VBS file, adds a …
Whitestream questioned whether Lazarus was behind the UwU Lend hack after tracing threat actor deposits through Tornado Cash. The tweet says de-mixed funds flowed to the Japanese exchange Coincheck, described as a favorable cashout point for the North Kor…
Phylum reports a North Korea-linked open-source supply chain campaign that weaponized npm by publishing call-blockflow, a near-copy of the legitimate call-bind package, on 4 July 2024 before it was quickly unpublished. The attacker changed package.json to…
JPCERT/CC's Japanese report describes March 2024 Kimsuky activity against Japanese organizations using spear-phishing emails that impersonated security and diplomatic entities. The attached archive hid an executable with a double extension and long spacin…
JPCERT/CC observed Kimsuky targeting Japanese organizations in March 2024 with emails impersonating security and diplomatic organizations. The lure attachment used filenames with double extensions and long spaces to hide an executable alongside decoy DOCX…
ASEC found a GitHub repository while analyzing malware tied to the Kimsuky group. The repository contained a FlowerPower malware type distributed since 2020, and ASEC said user information leaked through that GitHub location had also been uploaded there. …
360 Advanced Threat Research Institute attributes a multi-platform software supply chain campaign to APT-C-26, also known as Lazarus, using malicious PyPI packages to deliver payloads on Windows, Linux, and macOS. Windows packages decrypt DLL stages, run …
AhnLab tracks HappyDoor as a Kimsuky backdoor first collected in 2021 and still active in 2024, with recent samples hard-coding version 4.2 and dates from late 2023 to early 2024. The malware is delivered through spear-phishing attachments that unpack a J…
A Korean-language analysis describes a Konni-linked malware lure impersonating South Korea's National Tax Service with a VAT correction notice delivered as an HWP-named Windows LNK. The oversized shortcut runs obfuscated PowerShell, searches for a matchin…
SlowMist’s mid-year blockchain security and AML review reports 223 blockchain security incidents in the first half of 2024 with estimated losses of $1.43 billion, a major increase over the same period in 2023. The excerpt identifies Ethereum as the ecosys…
NSHC's May 2024 monthly threat-actor report says 25 tracked groups were active between April 21 and May 20, with SectorA activity ranking highest at 32 percent. The SectorA section records activity by SectorA01, SectorA02, SectorA04, SectorA05, and Sector…