Elliptic describes how Lazarus Group uses cross-chain bridges and asset swaps to obscure stolen cryptocurrency flows. The DPRK-relevant example shows North Korean state-sponsored hackers moving funds from Ethereum to Binance Smart Chain through bridge act…
SECUi observed a domestic APT case delivered through a ZIP archive named like a Korean military studies review package. The archive contained a normal HWP decoy and a malicious WinRAR self-extracting EXE disguised as an HWP-related review file, which disp…
Securonix tracks DEV#POPPER as an ongoing social engineering campaign likely tied to North Korean threat actors and aimed at software developers. Attackers pose as interviewers, send GitHub-hosted coding tasks, and rely on the target running a malicious N…
AhnLab reported CHM malware distribution against South Korean users, connecting the lure family to prior Kimsuky activity that used LNK, DOC, OneNote, and press-release themes. The CHM file runs embedded script content, creates files under the user profil…
NSHC's 2023 SectorA review describes North Korean state-backed groups conducting both intelligence collection tied to Korean political and diplomatic issues and financially motivated intrusions worldwide. SectorA05 was the most active subgroup, followed by…
Phylum linked new npm publications on 23 April 2024 to a previously reported North Korea-attributed campaign against open-source package ecosystems. The packages react-dom-production-script and hardhat-daemon used a preinstall hook to run deference.js as …
NSHC's February 2024 ThreatRecon report records two North Korea-linked SectorA clusters, SectorA01 and SectorA05, among broader monthly threat actor activity. SectorA01 activity was observed in Vietnam, Germany, and the United States using PE malware disg…
Avast analyzed GuptiMiner, a long-running malware operation that hijacked the eScan antivirus update mechanism through a man-in-the-middle attack to deliver backdoors and XMRig. The infection chain used DNS requests to attacker-controlled DNS servers, DLL…
360 Advanced Threat Research attributed a RokRat delivery campaign to APT-C-28, also known as ScarCruft, APT37, Reaper, or Group123. The attackers used a malicious LNK file disguised as a North Korean human-rights expert debate lure to download and run Ro…
South Korean police and partner agencies attributed broad defense-industry intrusions to North Korea-linked groups including Lazarus, Andariel, and Kimsuky. The actors compromised defense contractors and weaker partner companies, stole server account cred…
AhnLab analyzed oversized LNK files used to distribute the RokRAT backdoor against South Korean users, especially people connected to North Korea-related topics. The shortcuts used certificate and document-themed filenames, executed PowerShell through CMD…
A misconfigured North Korean cloud server exposed daily animation work files moving between outside production contacts and animators likely connected to Pyongyang's April 26 Animation Studio, also known as SEK Studio. The files contained Chinese editing …
NSHC's February 2024 ThreatRecon report identifies two SectorA clusters, SectorA01 and SectorA05, in a broader monthly review of 26 threat actor groups. SectorA01 activity was observed in Vietnam, Germany, and the United States using PE malware disguised …
The report analyzes a Kimsuky phishing-mail tool called MailSending that is intended to automate phishing messages against South Korean users. It provides hashes including SHA-256 bb9c0396a61fa16d8c482a4a17e520fae908aa826e54243da6473494fa5f2305 and frames…
Greg Lesnewich, senior threat researcher at Proofpoint, sits down to discuss "From Social Engineering to DMARC Abuse: TA427’s Art of Information Gathering." Since 2023, TA427 has directly solicited foreign policy experts for their opinions on nuclear disa…