South Korea announced coordinated sanctions with the United States against two organizations and four individuals tied to North Korean IT worker activity and illicit financing. The targets are described as supporting overseas deployment of North Korean IT…
654 reports
The source analyzes a Kimsuky-attributed malware case disguised as a cryptocurrency trading lecture PDF lure. The lure is delivered through a shortcut-style infection chain rather than a benign PDF-only document, and antivirus detections identify the arti…
NSHC ThreatRecon reported December 2023 activity from five SectorA groups, with SectorA activity making up the largest share of the month's tracked hacking cases. SectorA01 posed as recruiters and targeted software developers with a fake interview process…
CertiK analyzes the March 2024 Munchables attack on Blast after on-chain investigator ZachXBT identified North Korean hackers as the primary perpetrators. The attacker withdrew 17,413.96 ETH from the staking proxy and left roughly $97 million in project a…
Munchables lost about 17,400 ETH, roughly $63 million, after a hired developer using the alias Werewolves0943 drained project funds from inside the Ethereum GameFi project. The attacker later returned the keys and funds after negotiations involving Muncha…
Genians reporting identifies an APT37 campaign observed after the Lunar New Year holiday, alongside Korea-focused state-backed groups such as Lazarus, Kimsuky, and Konni. The activity targets North Korean human-rights groups, journalists covering North Kor…
QiAnXin reports Konni activity delivering AutoIt malware to likely South Korean cryptocurrency-sector targets using lures themed around virtual-asset regulation and legal documents. The ZIP package contains a normal decoy document and a document-disguised…
Japanese authorities warn that North Korean IT workers are suspected of impersonating Japanese nationals to obtain work through online contracting platforms used by Japanese companies. The advisory says these workers often falsify identity documents, use …
The malware in question is a dropper that creates the Endoor backdoor, which was also used in the attack covered in the previous post, “TrollAgent That Infects Systems Upon Security Program Installation Process (Kimsuky Group)”. Nikidoor is a backdoor use…
NSHC ThreatRecon reported January 2024 activity from five SectorA groups, the DPRK-relevant cluster it tracks separately from other actor sets. SectorA01 used PE malware disguised as PuTTY against targets in countries including South Korea, the United Sta…
The analysis reconstructs a Kimsuky PowerShell backdoor and its control scenario after a sample and controller interface were shared publicly. The backdoor initiates socket-based communication to a configured address, uses RC4 encryption, and derives a un…
Kimsuky TrollAgent analysis focuses on malware traits that can be converted into YARA detections, including mutex creation and rundll32-based DLL loading. The source says the observed mutex value matches values used by earlier Kimsuky malware, strengtheni…
Hauri reports that Kimsuky has been distributing malicious Windows shortcut files since December 2023 against security-related targets and cryptocurrency investors, with a focus on information theft. The LNK execution chain runs PowerShell, uses Dropbox r…
Symantec reports that Springtail, also known as Kimsuky, distributed dropper malware disguised as an application from a known Korean public entity. The source says the operation abused a valid certificate and installed the Endoor backdoor after compromise…