Kimsuky abused the Microsoft Office Equation Editor vulnerability CVE-2017-11882 to deliver keylogger malware against Korean targets. The report describes mshta execution of a malicious error.php page, PowerShell retrieval of follow-on payloads from comma…
U.S. Treasury assesses that NFT platforms are exposed to fraud, theft, money laundering, and sanctions-evasion risks, with far less evidence to date of terrorist or proliferation-financing misuse. The assessment says criminals can exploit weak cybersecuri…
Microsoft identifies Moonstone Sleet, formerly Storm-1789, as a distinct North Korean state-aligned actor pursuing financial and espionage objectives. The actor shifted from Diamond Sleet overlaps to its own infrastructure and uses fake companies, job or …
Hauri reports a phishing campaign impersonating Naver login pages to steal credentials from Korean users through email distribution. The phishing site checked submitted credentials against naver.com to verify whether the victim had entered valid account i…
The report describes a Kimsuky phishing site at hogmasil.lol that impersonated Google and Kakao login flows to harvest credentials. The source ties the activity to the North Korean Kimsuky threat cluster, notes possible phishing-mail delivery components, …
The report analyzes Kimsuky use of the Linux.Gomir backdoor after Symantec reporting and focuses on Golang reverse engineering, persistence, debugging, and command-and-control behavior. It describes installation as a systemd service under syslogd, cron-ba…
AhnLab ASEC reports attacks on South Korean defense, automotive-parts, and semiconductor organizations using the SmallTiger malware family. The activity shows overlap with Kimsuky tradecraft but also includes enterprise software-update abuse and DurianBea…
ESRC reports continued phishing emails impersonating South Korea’s National Intelligence Service and using a police-report theme to solicit replies from recipients. The attached PDF was assessed as non-malicious at the time of analysis, but the campaign i…
Gen Digital profiles Lazarus Group, also known as Hidden Cobra, as a North Korea-linked actor that has shifted from espionage and sabotage toward financially motivated operations against banks, cryptocurrency targets, and technology workers. The source sa…
AhnLab ASEC describes APT attacks that rely on cloud services such as Google Drive, OneDrive, and Dropbox to host malicious scripts, decoy documents, and RAT payloads. The infection chain uses lure files such as LNK shortcuts and cloud-hosted components t…
The GitHub repository is a small DPRK research collection of malware analysis tools associated with North Korea-linked groups. The captured repository listing names folders for Kimsuky/APT43 with DropBox-related material and Lazarus/APT38 with Comebacker…
The report describes Konni malware disguised as a token circulation and lockup schedule document. The lure uses a large LNK file with hashes including SHA-256 77d05cc623f860ca2e6d47cdafc517aa0612de88291de7f2a3d95c5d04f1658a, likely padded with dummy data …
NSHC’s 2023 SectorA review says the North Korea-linked cluster was most active through SectorA05, SectorA02, and SectorA01, with the heaviest targeting against financial-industry workers and systems, followed by research and government institutions. South…
CLOUD#REVERSER uses phishing-delivered ZIP archives and an executable disguised as an Excel file to install a multi-stage VBScript and PowerShell infection chain. The malware persists through scheduled tasks that mimic Google update jobs, repeatedly execu…
The podcast episode discusses Alejandro Caceres responding after North Korean operators allegedly hacked him and U.S. authorities did not intervene. For CTI purposes, the source provides contextual reporting on retaliation against North Korean internet in…