LevelBlue warns that North Korean cyber actors use fake job ads, fabricated professional identities and cloned websites to gain access to companies and steal data. The article links the activity to state backed groups such as Lazarus Group and describes a…
Unit 42 describes DPRK IT worker operations that use fraudulent remote employment to earn revenue, evade sanctions and create security risk for employers. The workers use stolen, synthetic or forged identities, fake documents, job platforms, VPNs, remote …
A Korean malware write-up analyzes a Windows LNK sample attributed to Kimsuky and assessed as likely designed to steal login information. The evidence includes file hashes for the shortcut, obfuscated command-line content embedded in the LNK, and Windows …
Group-IB identified a macOS technique attributed with moderate confidence to Lazarus in which malicious code is hidden inside custom extended attributes rather than in visible application files. The RustyAttr trojans were built with Tauri, used JavaScript…
Jamf Threat Labs found macOS malware samples it assesses as tied to DPRK activity, including Go, Py2App Python and Flutter variants that initially appeared clean on VirusTotal. The Flutter sample was a signed minesweeper style app, "New Updates in Crypto …
CertiK analyzes a November 2024 DeltaPrime exploit that stole about $4.8 million across Arbitrum and Avalanche. The attacker combined two arbitrary-input flaws: one let borrowed WBTC move through the swap adapter to an attacker-controlled contract while r…
BlueHat 2024, Session 17: MSTIC - A Threat Intelligence Year in Review. Presented by Rachel Giacobozzi from Microsoft. Abstract: The Microsoft Threat Intelligence Center (MSTIC) discovers, tracks and disrupts the world's most sophisticated threats, from sta…
AhnLab’s October 2024 APT trend summary reports Andariel activity against U.S. private companies after the July 2024 U.S. Department of Justice indictment, with the attacks assessed as financially motivated. The Andariel section cites fake Tableau certifi…
The YouTube excerpt frames BlueNoroff Hidden Risk as a CTI training case for infrastructure discovery rather than a standalone incident report. It teaches analysts to pivot from IP addresses in Shodan, connect data points across results, and expand from S…
The source analyzes a Konni-linked Windows LNK malware sample using an HWP-themed lure named for engineering business-development meeting materials. The report records MD5, SHA-1, and SHA-256 hashes and describes an execution chain involving embedded Powe…
The malware is designed to bypass traditional detection methods and this shift towards simpler phishing tactics contrasts with BlueNoroff’s previous campaign which involved prolonged social engineering and “grooming” on social media. The attackers use ema…
Rewterz describes Kimsuky, also called Black Banshee, as a North Korean APT active since at least 2012 and focused on espionage against organizations and individuals in South Korea, Japan, the United States, and other countries. The source lists phishing,…
ESET says North Korea-aligned groups continued advancing regime priorities through attacks on financial and technology targets, especially where cryptocurrency businesses blur the two sectors. The DPRK section notes frequent abuse of cloud services such a…
SentinelLabs links the Hidden Risk campaign to DPRK BlueNoroff activity targeting cryptocurrency businesses on macOS. The campaign uses phishing emails with fake cryptocurrency news and a malicious application disguised as a PDF, including lures such as "…
APT37 is presented as a North Korea linked actor also tracked as Reaper, ScarCruft, Ricochet Chollima, Geumseong121, InkySquid, Crooked Pisces, Moldy Pisces, and TA-RedAnt. The excerpt describes targeting centered on South Korea but extending across gover…