SecAI reported a 2024 Kimsuky campaign that used phishing websites to steal email credentials before sending follow-up phishing messages from more trusted accounts. The activity targeted South Korean diplomatic, construction, university, and security-them…
NSHC's September 2024 activity roundup identified six SectorA groups, the report's North Korea-linked cluster set, operating across East Asia, North America, Europe, the Middle East, and other regions. SectorA01 and SectorA04 used recruiter-themed lures, …
Kimsuky, also known as Black Banshee, is described as a North Korean APT that conducts espionage against organizations and individuals in South Korea, Japan, the United States, and other countries. The advisory summarizes recurring tradecraft including ph…
The report analyzes attacks in Japan attributed to DarkPlum, also referred to as APT43 or Kimsuky, involving a variant of AsyncRAT. It explains differences from the public AsyncRAT codebase, including C2 communication, plugin delivery, and observed plugin…
The report analyzes Kimsuky malware that impersonates Zoom Meeting software. The sample uses an MSC-style execution approach and includes command-line behavior that downloads content into a temporary path, making the lure, file format, and command artifac…
The report examines a Kimsuky phishing site imitating Dongduk Women's University login pages. The source indicates the fake site visually copied the university experience and focused on credential capture for faculty, staff, or students, making it useful …
Lazarus, also known as Hidden Cobra, is described as a North Korean APT active since at least 2009 with espionage and financially motivated operations against South Korea, the United States, Japan, and other countries. The advisory highlights spear phishi…
APT37, also known as ScarCruft or RedEyes, is described as a North Korean espionage group active since at least 2012, with primary targeting in South Korea and operations also reported in Japan, Vietnam, Russia, Nepal, China, India, Romania, Kuwait, and t…
Researchers linked RustyAttr activity to Lazarus with moderate confidence based on tactical and infrastructure overlap with campaigns such as RustBucket. The malware targets macOS by hiding payload retrieval logic in extended file attributes and using Tau…
The victim in the incident eSentire responded to appears to be a software developer, which aligns with the TTPs of previously reported campaigns by North Korean threat actors in which software developers were targeted. It’s also worth noting that a total …
Lazarus is presented as the largest financial theft threat in the blockchain ecosystem, with recurring attack vectors continuing to compromise major crypto companies. The talk focuses on practical defenses for crypto users and organizations facing Lazarus…
This is the second instance where we have observed connections between the Contagious Interview malware campaign and North Korean IT worker activities, also known as the Wagemole campaign. Since our previous report on the two job-related campaigns, some r…
360's report attributes an activity cluster to APT-C-55, also known as Kimsuky, and describes the use of GitHub as a payload delivery platform. The campaign involved lure files and code with similarities to prior Kimsuky malware, raw GitHub-hosted payload…
North Korean threat actors are described as testing or deploying macOS malware embedded in Flutter applications, including a Minesweeper-themed lure named "New Updates in Crypto Exchange (2024-08-28)." The malware uses Dart payloads, compromised Apple dev…
The video tracks Lazarus or TA444 infrastructure connected to Group-IB's reporting on stealthy Lazarus tactics and North Korean linked activity dating back to December 2023. It compares Group-IB's indicators with the author's August 2024 findings and desc…