Kimsuky is linked to a PowerShell script named system_first.ps1 that the excerpt says is launched from an earlier pay.bat infection chain. The script requests Dropbox API access with embedded OAuth refresh-token parameters, collects the first local IP add…
654 reports
Kimsuky, also known as Black Banshee, is described as a North Korean APT conducting espionage against organizations and individuals in South Korea, Japan, the United States, and other countries. The advisory highlights phishing, malware deployment, supply…
AhnLab's November 2024 domestic APT trend report summarizes attacks observed against Korean targets and identifies spear phishing as the dominant intrusion type for the month. The source highlights LNK-based delivery in which malicious PowerShell commands…
A Kimsuky-linked BAT sample named pay.bat uses a hidden PowerShell launch with execution-policy bypass to decode and run an embedded Base64 command. The decoded script writes chrome.ps1 under the user's AppData directory, downloads and executes additional…
This case study treats Lazarus Group as a North Korean state-sponsored actor whose operations combine social engineering, malware deployment, evasion, espionage, financial theft, and destructive disruption. It links the group's major activity classes to s…
Kimsuky is reported to have used Russian-looking sender addresses in credential-theft phishing after earlier waves relied mainly on Korean and Japanese email providers. The activity abused VK Mail.ru alias domains including mail.ru, internet.ru, bk.ru, in…
A U.S. civil forfeiture complaint seeks seizure of approximately 2,210.8222 SOL cryptocurrency tied to an investigation involving alleged computer fraud, wire fraud, money laundering, and related conspiracies. The excerpt frames the funds as property pote…
A fake remote job interview led the victim to clone and run a Node.js project containing obfuscated malicious JavaScript. The code collected host details and targeted sensitive data from Solana wallet configuration, Exodus, browser credential stores, Chro…
Japanese exchange DMM Bitcoin said it will shut down and transfer accounts and assets to SBI VC Trade in March 2025 after a May 2024 hack drained 4,502.9 BTC, worth about $305 million at the time. DMM had restricted withdrawals and spot purchase orders af…
Genians links a multi-year email phishing campaign to Kimsuky, targeting North Korea researchers and related organizations in South Korea with account-theft lures rather than malware attachments. The activity impersonated familiar public-sector, portal, c…
Kimsuky, also known as Black Banshee, is described as a North Korean state-sponsored APT active since at least 2012 and focused on espionage against targets in South Korea, Japan, the United States, and other countries. The advisory lists phishing, malwar…
S2W profiles Scarcruft, also tracked as APT37, Red Eyes, Reaper, and Group123, as a North Korea-backed actor that has targeted defectors, NGOs, media, and government institutions since 2016. The excerpt focuses on the ROKRAT malware family, a RAT used acr…
A U.S. appeals court ruled that the Treasury Department exceeded its authority when it sanctioned Tornado Cash under IEEPA. OFAC had blacklisted the cryptocurrency mixer after concluding it helped launder cybercrime proceeds, including more than $455 mill…
Kaspersky’s Q3 2024 APT roundup highlights several espionage campaigns, including the P8 framework used against Vietnamese financial and real estate victims, secure USB-drive compromise activity, and multiple Chinese-speaking clusters. P8 is described as …
Kimsuky is linked to a Windows LNK payload disguised as a Korean capital gains tax base report and payment calculation PDF. The shortcut launches PowerShell, decodes embedded script content, downloads a decoy PDF and additional Dropbox-hosted scripts, and…