South Korea's judiciary said an external intrusion attempt first detected in February 2023 led to a deeper investigation with outside security specialists from December 2023. The review found that an attacker suspected of links to North Korea had likely u…
2024: 654 reports
South Korea's National Intelligence Service warned that North Korean hackers targeted domestic semiconductor equipment companies from late 2023 into early 2024. The attackers focused on internet-exposed business servers used for document and data manageme…
The analysis examines a Kimsuky-linked malicious Word document that uses social engineering to make the victim enable macros and then executes PowerShell from a temporary file. The macro writes and runs code from C:\Windows\Temp\bobo.txt, which downloads …
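The chain summarized above (Office macro, staged PowerShell script under C:\Windows\Temp, execution) is something a detection engineer can test for on process-creation telemetry. The following is an added example, not code from the analysis being summarized: it scores constructed Sysmon-style process-creation records for an Office parent spawning a script interpreter, a script path under C:\Windows\Temp, and evasive PowerShell switches. The event records, the command lines and the file name bobo.txt's use in them are constructed for illustration; only the staging path comes from the summary.

```python
"""Detect Office-macro -> PowerShell chains that execute a script staged in C:\\Windows\\Temp.

Added example. The ProcEvent records below are constructed to resemble Sysmon
Event ID 1 fields (ParentImage, Image, CommandLine); they are not captured logs.
"""
import re
from dataclasses import dataclass

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "hwp.exe"}
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# A script-like file under C:\Windows\Temp referenced anywhere on the command line.
TEMP_SCRIPT_RE = re.compile(r"c:\\windows\\temp\\[\w.-]+\.(?:txt|ps1|vbs|bat)\b", re.I)
# PowerShell switches commonly used to hide a window or skip profile/policy checks.
EVASIVE_PS_FLAGS = ("-nop", "-noprofile", "-w hidden", "-windowstyle hidden",
                    "-enc", "-encodedcommand", "-ep bypass", "-executionpolicy bypass")


@dataclass
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def score_event(ev: ProcEvent) -> list[str]:
    """Return the list of indicators that fire for one process-creation event."""
    parent, child, cmd = _basename(ev.parent_image), _basename(ev.image), ev.command_line.lower()
    reasons = []
    if parent in OFFICE_PARENTS and child in INTERPRETERS:
        reasons.append("office-spawns-interpreter")
    if TEMP_SCRIPT_RE.search(ev.command_line):
        reasons.append("script-staged-in-windows-temp")
    if child in ("powershell.exe", "pwsh.exe") and any(f in cmd for f in EVASIVE_PS_FLAGS):
        reasons.append("evasive-powershell-flags")
    return reasons


def detect(events: list[ProcEvent]) -> list[tuple[ProcEvent, list[str]]]:
    """An Office parent is enough on its own; otherwise require two corroborating indicators."""
    hits = []
    for ev in events:
        reasons = score_event(ev)
        if "office-spawns-interpreter" in reasons or len(reasons) >= 2:
            hits.append((ev, reasons))
    return hits


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'powershell.exe -nop -w hidden -c "IEX (Get-Content C:\Windows\Temp\bobo.txt -Raw)"'),
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -File C:\Scripts\backup.ps1"),
    ProcEvent(r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -ExecutionPolicy Bypass -File C:\Windows\Temp\run.txt"),
]

if __name__ == "__main__":
    for ev, reasons in detect(SAMPLE_EVENTS):
        print(_basename(ev.parent_image), "->", _basename(ev.image), reasons)
```

The second record is a benign administrative script and does not fire; the third fires only because two independent indicators (a Temp-staged script plus a policy bypass) coincide, which is the kind of corroboration that keeps the rule usable on hosts where PowerShell is legitimately common.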
A 2022 APT37 sample linked by the author to ROKRAT operations used a malicious Hangul Word Processor document with an embedded OLE object to target a human rights NGO. The lure impersonated South Korea’s Central Election Commission and referenced recruitm…
The article examines the $2.7 million Hector Network redemption exploit and argues that the loss was suspicious because the vulnerable privileged-wallet design had been flagged before the incident. It describes how the moderator-controlled AddEligibleWall…
TRM assesses that North Korean cryptocurrency theft remains a major threat after DPRK-linked hackers stole more than USD 700 million in crypto the previous year. The excerpt highlights expected 2024 laundering trends: faster automation, diversified bridge…
Vipyr Security analyzed malicious PyPI uploads by the user real-ids that placed payloads in os.py files inside typosquatted Python packages. The campaign targeted Linux systems, downloaded an x86_64 ELF remote access tool from domains such as arcashop[.]o…
Hunt tracked a suspected North Korean phishing campaign that targeted blockchain and angel investing communities through Telegram. The actor posed as an investment firm representative, built trust with entrepreneurs, arranged a meeting, then used a fake r…
Avast attributed exploitation of CVE-2024-21338, a then-unknown zero-day in the Windows appid.sys AppLocker driver, to Lazarus activity aimed at gaining kernel read and write capability. That access let Lazarus run an updated data-only FudModule rootkit w…
Group-IB identified Lazarus as one of the prominent APT groups that launched new tactics in 2023, citing the group’s first-ever double supply chain attack. The Lazarus activity exploited a vulnerability in Trading Technologies’ X_TRADER software to gain a…
Hauri analyzed a Kimsuky spear-phishing operation that built 16 mail servers and used 24 impersonation accounts to contact more than 400 people. The targets included figures in politics, international relations, universities, policy institutions, and othe…
JPCERT/CC found Lazarus-linked malicious PyPI packages that imitated legitimate Python crypto libraries, including typosquatted names around pycrypto. The packages carried an XOR-encoded DLL in test.py that could be decoded and launched through __init__.p…
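Both the real-ids campaign and the Lazarus packages described in the entries above rely on the same two ingredients: a package name close to a legitimate one, and a loader that decodes a blob shipped in one module and executes it from __init__.py. The following is an added example, not code from JPCERT/CC, Vipyr Security or any of the packages they analyzed: a pre-install screen that flags typosquat candidates against a small reference list (by edit distance or by a short affix on a known name) and statically scans package sources for the decode-write-load pattern. The reference list, the package names and the file contents below are constructed for illustration.

```python
"""Screen a Python package for typosquatting and for an encoded-blob loader pattern.

Added example. KNOWN_GOOD, the sample package name and SAMPLE_PACKAGE are constructed
for illustration; the scan patterns are deliberately generic, not signatures of a real sample.
"""
import re

KNOWN_GOOD = ["pycrypto", "pycryptodome", "pycryptodomex", "cryptography", "requests", "numpy"]

# Heuristics for a loader that decodes a blob and hands it to native code.
LOADER_PATTERNS = {
    "xor-decode": re.compile(r"\^\s*(?:0x[0-9a-f]+|\d+|\w+\[)", re.I),          # b ^ 0x5a, b ^ key[i]
    "native-load": re.compile(r"ctypes\.(?:CDLL|WinDLL|cdll|windll)|LoadLibrary", re.I),
    "writes-binary": re.compile(r"open\([^)]*['\"]wb['\"]"),                     # drops a file to disk
    "big-blob": re.compile(r"['\"][A-Za-z0-9+/=]{200,}['\"]"),                  # long inline payload
}


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance via dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def typosquat_candidates(name: str, known=KNOWN_GOOD, max_distance=2, max_affix=4):
    """Known names this package name is suspiciously close to; exact known names are never flagged."""
    name = name.lower().replace("_", "-")
    if name in known:
        return []
    hits = []
    for k in known:
        d = edit_distance(name, k)
        if d <= max_distance:
            hits.append((k, f"edit-distance={d}"))
        elif k in name and len(name) - len(k) <= max_affix:   # e.g. a known name plus "env"
            hits.append((k, "affix"))
    return hits


def scan_package(files: dict[str, str]) -> dict[str, list[str]]:
    """Map each source file to the loader heuristics it triggers (files with none are omitted)."""
    findings = {}
    for path, src in files.items():
        tags = [tag for tag, pat in LOADER_PATTERNS.items() if pat.search(src)]
        if tags:
            findings[path] = tags
    return findings


def assess(name: str, files: dict[str, str]) -> dict:
    squat = typosquat_candidates(name)
    findings = scan_package(files)
    loader = any("native-load" in t or "xor-decode" in t for t in findings.values())
    risk = "high" if (squat and loader) else "medium" if (squat or findings) else "low"
    return {"name": name, "typosquat_of": [k for k, _ in squat], "findings": findings, "risk": risk}


# Constructed package mimicking the shape described above: blob in test.py, decoded in __init__.py.
SAMPLE_PACKAGE = {
    "__init__.py": (
        "from . import test\n"
        "import ctypes\n"
        "blob = bytes(b ^ 0x5a for b in test.PAYLOAD)\n"
        "with open('helper.dll', 'wb') as f:\n"
        "    f.write(blob)\n"
        "ctypes.WinDLL('helper.dll')\n"
    ),
    "test.py": 'PAYLOAD = b"' + "A" * 240 + '"\n',   # placeholder bytes, not a real payload
}

if __name__ == "__main__":
    print(assess("pycryptoenv", SAMPLE_PACKAGE))
    print(assess("requests", {"__init__.py": "from .api import get\n"}))
```

Edit distance alone misses the affix style of squatting (a known name with a few characters bolted on), which is why the affix check is separate; and the content scan is only a triage aid, since a loader can be obfuscated past any fixed regex. The verdict is meant to gate a manual review, not replace it.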
SOMESING says 730 million SSX tokens were stolen from 18 foundation wallets on January 27, 2024, with most sent to HTX and smaller amounts to Gate and a wallet believed to be controlled by the attackers. The project traced the movement with Uppsala Securi…
It has been confirmed that the ‘Kimsuky’ group, one of North Korea's hacking groups, carried out an attack targeting the SOMESING project. The malicious code deployed on the PC, which fell victim to the attack via a phishing email impersonati…
The article describes a Lazarus supply chain intrusion against maritime research organizations tied to defense and submarine development material. According to the source, Lazarus first compromised a website maintenance vendor, used stolen SSH keys to acc…