The source analyzes a Konni-attributed Excel lure named as a 2023 North Korean market price survey, aimed at people working on North Korea-related topics. Opening the spreadsheet exposes an ActiveX control warning; enabling content triggers contact with a…
REKT reported that Orbit Chain's Ethereum bridge lost about $81.5 million on 31 December 2023 after what appeared to be a compromised multisig or possible transaction replay issue. The withdrawals included DAI, WBTC, ETH, USDC, and USDT, and the attacker …
Greg Lesnewich documents SpectralBlur, a macOS Mach-O backdoor tied to TA444, also tracked as Sapphire Sleet, BLUENOROFF, and STARDUST CHOLLIMA. Censys and VirusTotal monitoring of pxaltonet.org led to a .macshare sample whose retained function names expo…
Hauri attributes a 2023 spear phishing campaign to the North Korean Kimsuky organization, using at least 16 mail servers and 24 impersonation accounts to reach more than 400 people in Korean and overseas institutions. Targets included research institutes,…
Orbit Chain said it built an investigation support and cause analysis system with the Korean National Police Agency and KISA after the Orbit Bridge incident. The statement says the system is intended to support a more proactive investigation and that Orbi…
PeckShield estimated the initial Orbit Chain loss at roughly $81.5 million. The reported stolen assets were $30 million in USDT, $10 million in USDC, $10 million in DAI, 230.879 WBTC, and 9,500 ETH. PeckShield also said the exploiter initially received 10…
An analyst post characterized the Orbit Bridge theft as methodical and warned that 2024 could bring more cryptocurrency losses linked to DPRK activity. The source is a short social media observation, not a technical postmortem, and it does not provide tra…
This malware came to my attention when a researcher named Austin pinged me about a possible new ransomware specimen that was targeting macOS. Internally dubbed “Turtle”, this ransomware also targets macOS, though yet again in its current state it does not…
Greg Lesnewich demonstrates memory based YARA detection for HazyLoad, a loader tied in the rule references to North Korean TeamCity exploitation and Lazarus related RAT reporting. Hatching Triage memory snapshots exposed proxy tool strings after the paylo…