North Korea-linked hackers carried out more individual cryptocurrency hacks in 2023 than in any prior year Chainalysis tracked, even as total stolen funds fell from 2022 levels. The source estimates $428.8 million stolen from DeFi platforms, $330.9 millio…
Concentric attributed its January 2024 breach to a targeted social engineering attack in which a fake recruiter persuaded a team member to install malware during a supposed skills assessment. The compromise exposed the deployer wallet, allowing the attack…
Concentric.fi lost about $1.85 million after a targeted social engineering attack compromised an admin wallet and let the attacker transfer contract ownership to 0x3F06. CertiK says the attacker upgraded Concentric liquidity-pool contracts with a maliciou…
AhnLab identified new Lazarus DLL side-loading variants that use the legitimate Microsoft wmiapsrv.exe module to load malicious wbemcomn.dll and netutils.dll files. The malicious DLLs act as backdoors, and wbemcomn.dll includes a target-verification routi…
NSHC's November 2023 ThreatRecon report identifies SectorA02, SectorA04, SectorA05, SectorA06, and SectorA07 as the DPRK-relevant activity clusters for the month. SectorA02 used LNK files disguised as North Korean international security and military docum…
SentinelLabs and NK News tracked ScarCruft activity against media organizations and high-profile experts on North Korean affairs, assessing the campaigns with high confidence based on malware, delivery methods, and infrastructure. The observed phishing em…
NSHC's October 2023 ThreatRecon report says SectorA activity included four North Korea-linked clusters: SectorA01, SectorA02, SectorA05, and SectorA07. SectorA01 used recruiter impersonation on social platforms to lure targets into running malware disguis…
The Foresiet overview profiles Lazarus Group, also known as Hidden Cobra, as a North Korean APT active since at least 2009. It says recent activity has included attacks on banks and cryptocurrency exchanges in the United States, South Korea, Japan, and ot…
360 researchers attributed a campaign with high confidence to APT-C-26, also described as Lazarus, in which attackers weaponized the open source SumatraPDF Reader. The attackers built trust with targets over Telegram, sent a modified PDF reader and a craf…
CertiK attributed the Hector Network exploit to centralization risk around a privileged moderator role in the project's redemption process. The affected contracts let a moderator call AddEligibleWallet to designate addresses that could later claim assets …
The source analyzes a Konni-linked CHM file named PaymentConfirmation.chm that masquerades as a Korean patent fee payment receipt. Its embedded emlmanager.vbs launches a hidden batch file, creates or checks a SafeBrowsing scheduled task, and uses addition…
AhnLab documented a Lazarus DLL side-loading variant that abuses the legitimate Microsoft wmiapsrv.exe binary to load malicious wbemcomn.dll and netutils.dll files from the same directory. The wbemcomn.dll backdoor includes a host validation routine that …
The video reviews the 2017 WannaCry ransomware outbreak, which infected roughly 250,000 systems across 150 countries. It explains the role of the Shadow Brokers leak and the EternalBlue SMB vulnerability tracked as MS17-010 and CVE-2017-0144. The detectio…
Genian observed an APT37-style spearphishing campaign that impersonated a real January 2024 unification strategy webinar on North Korea policy. The malicious email added a lookalike registration link that led victims to Dropbox, where a ZIP file delivered…