Rain said a security incident affected the Bahrain-based cryptocurrency exchange after ZachXBT reported suspicious April 29 outflows totaling about $14.1 million. Funds from BitGo multisignature wallets were sent through an address that swapped tokens for…
2024: 654 reports
KrCERT warned that SIR Soft released security updates for GnuBoard after SQL injection and file upload vulnerabilities were linked to suspicious PHP web shells such as auto_n.php. Administrators running affected or unsupported GnuBoard 4.x installations s…
Researchers found a live Kimsuky-linked phishing and malware-delivery site targeting users in the United States and South Korea. The site hosted a PowerShell script under an xrat path that downloaded an encrypted xeno.bin file, decrypted it, dynamically l…
Lazarus Group is described targeting full-stack Web3 and blockchain developers, especially people advertising job availability and exposed contact details on GitHub. The campaign uses social engineering lures such as job offers or collaboration requests t…
South Korean police, intelligence, and prosecutors investigated a breach of the court computer network in which 1,014GB of data reportedly left the environment between 2021 and 2023. Investigators recovered 5,171 leaked personal rehabilitation-case files …
Genians reported a Kimsuky APT campaign that used Facebook personas posing as officials connected to North Korean human-rights work to approach South Korean security and North Korea-focused targets. After Messenger conversations, the operators shared mali…
QiAnXin tied a suspected Lazarus/APT-Q-1 campaign against blockchain developers to the Contagious Interview activity pattern previously reported by Unit 42. Attackers created fake employer, developer, or startup-founder personas on LinkedIn, Upwork, Brain…
Kaspersky's Q1 2024 APT roundup includes a Kimsuky operation that abused legitimate software used only in South Korea as the initial infection vector. The legitimate program connected to an attacker server and retrieved first-stage malware that installed …
The U.S. District Court ordered forfeiture of 279 virtual currency accounts tied to North Korea-linked exchange hacks and laundering activity. The opinion describes funds stolen from exchanges in 2018 and 2019, including about $48.5 million from one excha…
Proofpoint's LABScon talk examines North Korean macOS malware used in cryptocurrency theft and espionage operations. The source says DPRK-linked operators have invested heavily in Apple's desktop environment and uses Mach-O samples to show how related clu…
ASEC reported a CHM malware campaign against Korean users that resembles earlier Kimsuky-linked LNK, DOC, OneNote, and CHM activity. Opening the CHM displays a help file while a hidden script creates %USERPROFILE%\Links\Link.ini, reaches bootservice.php?q…
ASEC observed oversized LNK files targeting South Korean users connected to North Korea-related, military, unification, and education topics. The shortcuts execute PowerShell through CMD, drop a decoy document, and write viewer.dat, search.dat, and find.b…
The report analyzes a Konni-linked LNK malware sample disguised as a tax-evasion evidence HWP attachment. When opened, the shortcut launches PowerShell, uses obfuscated script content, and is associated with the SHA-256 hash 2189aa5be8a01bc29a314c3c3803c2…
NSA, FBI, and the U.S. State Department warned that DPRK cyber actors abuse weak DMARC policies to make spearphishing emails appear to come from legitimate journalists, academics, or East Asia experts. The campaigns support intelligence collection on geop…
ZachXBT traces roughly $200 million stolen across 25 cryptocurrency hacks from August 2020 to October 2023 to Lazarus Group, also described as Bluenoroff or APT38, a North Korea-linked financially motivated threat group. The investigation follows thefts a…