A Korean-language malware analysis attributes a BAT-file spear-phishing sample to Kimsuky and says the lure appears aimed at a Korean broadcast production team working on North Korea-related programming. The script launches 32-bit PowerShell in a hidden w…
Rewterz profiles Kimsuky, also called Black Banshee, as a North Korea-linked APT active since at least 2012 and focused on cyber espionage against targets in South Korea, Japan, the United States, and other countries. The advisory describes recurring phis…
CrowdStrike’s case study links FAMOUS CHOLLIMA to insider-threat activity where trusted employees, contractors, or partners can abuse legitimate access to steal data or harm an organization. The excerpt emphasizes the detection challenge: these operators …
The source explains how Korean-language artifacts can support DPRK malware and phishing attribution when treated as one signal among others, not as standalone proof. It highlights wording and grammar that sound North Korean or unnatural to South Korean sp…
Velvet Chollima, also known as Kimsuky, Thallium, APT43, Emerald Sleet, Springtail, and Black Banshee, is a North Korean threat actor group thought to be an offshoot of Lazarus Group. Stardust Chollima, also known as BlueNoroff, TA444, APT38, BlackAlicant…
The U.S. Justice Department indicted 14 North Korean nationals for alleged sanctions evasion, wire fraud, money laundering, and identity theft tied to a long-running DPRK remote IT worker scheme. Prosecutors say the workers used false, stolen, and borrowe…
This Black Hat Europe session frames mobile malware as a state surveillance channel for Russian, Chinese, and North Korean threat actors. The source does not provide the full technical slide detail, but it states that the presenters compare targeting choi…
This Black Hat Europe presentation surveys mobile surveillance malware attributed to state-sponsored activity from Russia, China, and North Korea, including North Korea-linked families such as Hermit alongside references to Kimsuky and ScarCruft. The evid…
Hunt observed infrastructure returning the distinctive HTTP response "Million OK !!!!" and linked the activity to suspected Kimsuky operations through recurring domains, hosting patterns, and Naver-themed phishing traits. The infrastructure used Naver fav…
Rewterz describes active indicators for APT37 (also tracked as ScarCruft or RedEyes) tied to North Korean espionage activity, with recent reporting that the group expanded from CHM malware disguised as a Korean financial-company security email to RokRAT delivery through LNK …
SecAI analyzes a Kimsuky XLS-based attack that uses a macro to decrypt and drop msload.exe under the user's Microsoft Templates directory before launching it with the parameter QCvt5676hZXbg. The malware branches execution based on parameters, copies itse…
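The two execution patterns summarized above (a BAT script launching 32-bit PowerShell with a hidden window, and an Office macro dropping an executable under the user's Microsoft Templates directory and running it) both show up cleanly in process-creation telemetry. The following is an added example, not code from any of the cited reports: two detection rules run over constructed Sysmon-style events. Assumptions are labelled in comments: the BAT is hosted by cmd.exe, the dropped binary lands under %APPDATA%\Microsoft\Templates, and Word and PowerPoint are added as parents alongside Excel as a generalization of the XLS case.

```python
"""Process-creation detections for two DPRK-style launch patterns (added example)."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


# PowerShell accepts unambiguous parameter prefixes; this covers the usual spellings
# (-w h, -w hidden, -win hidden, -WindowStyle Hidden) but not every possible prefix.
HIDDEN_WINDOW = re.compile(r"(?:^|\s)-w(?:in(?:dowstyle)?)?\s+h(?:idden)?(?=\s|$)", re.I)

# Assumption: the user Templates folder lives at the default roaming AppData path.
TEMPLATES_EXE = re.compile(r"\\AppData\\Roaming\\Microsoft\\Templates\\[^\\]+\.exe$", re.I)

# Excel is the parent in the XLS case on the page; Word and PowerPoint are an added generalization.
OFFICE_HOSTS = {"excel.exe", "winword.exe", "powerpnt.exe"}


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def rule_hidden_wow64_powershell(ev: ProcEvent) -> bool:
    """32-bit PowerShell (SysWOW64 path) started by cmd.exe with a hidden window.

    cmd.exe as parent is an assumption derived from the payload being a .bat file;
    other launchers would need their own rule."""
    return (
        _basename(ev.parent_image) == "cmd.exe"
        and "\\syswow64\\" in ev.image.lower()
        and _basename(ev.image) == "powershell.exe"
        and HIDDEN_WINDOW.search(ev.command_line) is not None
    )


def rule_office_spawns_exe_from_templates(ev: ProcEvent) -> bool:
    """An Office host launching an .exe that lives in the user Templates directory.

    Documents (.dotx, .xltx) in that folder are normal; executables are not."""
    return _basename(ev.parent_image) in OFFICE_HOSTS and TEMPLATES_EXE.search(ev.image) is not None


RULES = {
    "hidden_wow64_powershell": rule_hidden_wow64_powershell,
    "office_spawns_exe_from_templates": rule_office_spawns_exe_from_templates,
}


def evaluate(events) -> list[tuple[str, str]]:
    """Return (rule_name, image) for every event that trips a rule."""
    hits = []
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                hits.append((name, ev.image))
    return hits


# Constructed sample events (not real telemetry). Command lines are placeholders.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              "powershell -windowstyle hidden -ep bypass -c <placeholder>"),
    ProcEvent(r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
              r"C:\Users\victim\AppData\Roaming\Microsoft\Templates\msload.exe",
              "msload.exe QCvt5676hZXbg"),
    ProcEvent(r"C:\Windows\explorer.exe",                               # benign: interactive shell
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe"),
    ProcEvent(r"C:\Windows\explorer.exe",                               # benign: Word opening a template
              r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r'WINWORD.EXE /n "C:\Users\victim\AppData\Roaming\Microsoft\Templates\Normal.dotm"'),
]

if __name__ == "__main__":
    for name, image in evaluate(SAMPLE_EVENTS):
        print(f"{name}: {image}")
```

Both rules key on the launch context rather than on file names, so a renamed dropper or a different PowerShell one-liner is still caught as long as the parent/child relationship and path are unchanged.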
NSHC’s October 2024 threat actor roundup says SectorA activity accounted for the largest share of observed operations, with SectorA01, SectorA02, SectorA05, and SectorA07 activity seen across multiple countries. SectorA01 used a malicious GitHub project n…
APT37 is linked to a large malicious LNK file disguised as lecture material for people connected to North Korea issues. The shortcut contains embedded PDF, BAT, and DAT data and uses PowerShell to locate the LNK, extract a PDF, write vivo.dat, oppo.dat, a…
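The oversized-LNK technique summarized above (a shortcut carrying a decoy PDF plus script and data payloads that a PowerShell stub later carves out by offset) is straightforward to triage without running the file: check the shell link header, compare the size to what a legitimate shortcut needs, and look for file signatures past the header. The following is an added example, not code from the cited report: it builds a constructed LNK-like blob with an appended PDF, BAT and opaque DAT payload, then triages it. The 100 KB size threshold, the signature list and the sample payload contents are assumptions.

```python
"""Static triage of an oversized .lnk for embedded payloads (added example)."""
import struct

LNK_HEADER_SIZE = 0x4C
# ShellLinkHeader.LinkCLSID 00021401-0000-0000-C000-000000000046 as stored on disk.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# Legitimate shortcuts are a few KB; the threshold is an assumption, tune per environment.
OVERSIZED_BYTES = 100 * 1024

# Signatures to search for past the header. PDF and BAT are named on the page;
# the PE DOS-stub prefix is an added generalization.
SIGNATURES = {
    b"%PDF-": "pdf",
    b"@echo off": "bat",
    b"MZ\x90\x00": "pe",
}


def is_lnk(data: bytes) -> bool:
    """True if the blob starts with a well-formed ShellLinkHeader."""
    return (
        len(data) >= LNK_HEADER_SIZE
        and struct.unpack_from("<I", data, 0)[0] == LNK_HEADER_SIZE
        and data[4:20] == LNK_CLSID
    )


def find_embedded(data: bytes, min_offset: int = LNK_HEADER_SIZE) -> list[tuple[int, str]]:
    """Return (offset, kind) for every signature found at or after min_offset, sorted."""
    hits = []
    for sig, kind in SIGNATURES.items():
        start = min_offset
        while (idx := data.find(sig, start)) != -1:
            hits.append((idx, kind))
            start = idx + 1
    return sorted(hits)


def triage(data: bytes) -> dict:
    """Summarize header validity, size and embedded payload candidates."""
    return {
        "is_lnk": is_lnk(data),
        "size": len(data),
        "oversized": len(data) > OVERSIZED_BYTES,
        "embedded": find_embedded(data),
    }


def build_sample() -> bytes:
    """Constructed LNK-like blob: real header layout, zeroed fields, appended payloads."""
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID
    header += b"\x00" * (LNK_HEADER_SIZE - len(header))    # flags, times, size, icon, ...
    body = b"\x00" * 2048                                  # stands in for the link body
    pdf = b"%PDF-1.7\n%constructed decoy document\n%%EOF\n"
    bat = b"@echo off\r\nrem constructed placeholder script\r\n"
    dat = bytes(range(256)) * 512                          # 128 KB opaque payload, no signature
    return header + body + pdf + bat + dat


def carve(data: bytes, start: int, end: int) -> bytes:
    """Slice a payload out by offset, mirroring what the stub does at runtime."""
    return data[start:end]


if __name__ == "__main__":
    sample = build_sample()
    report = triage(sample)
    print(f"lnk={report['is_lnk']} size={report['size']} oversized={report['oversized']}")
    for off, kind in report["embedded"]:
        print(f"  {kind} at offset 0x{off:x}")
```

Offsets reported by `find_embedded` are the same numbers the in-shortcut PowerShell would use to carve its payloads, so they give an analyst both an indicator and a starting point for extracting the decoy document and the script for further analysis.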
The excerpt describes research into improving similarity analysis for macOS Mach-O malware, where analysts often lack easy pivots comparable to Windows import hashes or Rich Header artifacts. The work led to Mach-O feature extraction in YARA-X, supported …
Radiant Capital reports that a September 2024 Telegram lure impersonated a trusted former contractor and delivered a zipped file that was later shared among developers for review. The ZIP contained INLETDRIFT, a macOS backdoor packaged as a legitimate-loo…